


5 things to know about fitness trackers and security in 2018

Jul 05, 2018 | 7 mins
Internet of Things, Network Security, Security

Activity trackers, including dedicated fitness trackers and smartwatches, can expose enterprise networks if not properly managed and connected.

[Image: Fitbit Versa fitness tracker] Credit: Michael Simon/IDG

Exactly how much of a security risk do activity trackers pose for enterprise IT? More than you might think: Hackers target fitness trackers and smartwatches because they are often poorly secured and can expose passwords, reveal the work habits of high-value employees, or serve as entry points to other systems.

At one end of the spectrum, there’s the AV-TEST Institute. The Germany-based research organization recently tested 12 fitness trackers and the Apple Watch Series 3 to see how secure (or not) they were. Eight of the 13 devices received the highest possible rating of three stars. However, AV-TEST evaluated the devices for personal security, not the risk to the enterprise.

Activity trackers—like all other devices that connect to the internet, an app, or some other technology—can’t be 100 percent secure, 100 percent of the time. The Strava incident from earlier this year illustrates how the data activity trackers generate and share could potentially be used for nefarious purposes.

Here are five things enterprise IT should know about activity trackers and security in 2018.

1. Fitness trackers are getting more secure, but some are still risky

“Compared to earlier tests (that AV-TEST conducted), the manufacturers have taken the security of fitness data and the data protection of their customers significantly more seriously, which appears to make sense in light of the current data scandals.”

Thus concluded AV-TEST researchers from the organization’s most recent activity tracker security tests, announced in May 2018. In 2016, by comparison, AV-TEST researchers concluded that tracker manufacturers “often don’t pay sufficient attention to the aspect of security.”

For AV-TEST’s 2018 study, each tracker was tested for the security of its external communications, local communications, connected app, and data protection. Based on the results of each test, devices received an overall score of one, two or three stars.

Apple Watch Series 3 earned three stars, with good marks in each of the four test areas. This is noteworthy because Apple is currently the biggest wearable seller, according to Q1 2018 market data from IDC. As a result, enterprise IT folks will likely encounter a growing number of users in their organization wearing an Apple Watch.

Fitbit, which IDC says is now in third place worldwide among wearable device makers, received a similarly stellar score from AV-TEST for its Charge 2. Fitbit’s score is also worth noting because many workers wear Fitbits acquired through employer fitness programs, which are typically managed via the Fitbit Health Solutions platform.

Six other device makers, including Huawei and Garmin, earned three stars from AV-TEST. Huawei ranked fourth on IDC’s list and Garmin was fifth.

Lenovo’s HW01 tracker received only one star from AV-TEST; devices from Xiaomi, Polar and Moov earned two stars. However, North American enterprise IT teams may be less likely to encounter users wearing these devices. Though Xiaomi ranked second on IDC’s list, the company’s market is largely based in China. Polar and Moov didn’t land on IDC’s list.

[Chart: AV-TEST fitness tracker security test results, 2018] Credit: The AV-TEST Institute

2. Hackers target tracker metadata

Hackers aren’t interested in how many steps you take or what your average resting heart rate is. They might be interested in the bigger picture that a tracker’s metadata can paint of your activities, especially if you’re someone they want to target, notes Ramon T. Llamas, an IDC research director focused on mobile devices and augmented/virtual reality. “Triangulating how long you exercise and what distances you normally exercise and what time of day you exercise can show a hacker when you are or aren’t at work, and that could make you an optimal target”—a point he says the recent Strava incident illustrates.

The media reported in January 2018 that U.S. soldiers who paired their activity trackers to the fitness network Strava were unwittingly revealing their GPS coordinates via Strava’s global heat map, which is easily accessible to anyone with an internet connection. The Pentagon was not amused. Strava CEO James Quarles responded that the company was “working with military and government officials to address potentially sensitive data,” among other corrective steps.

3. Your low security priority could be a high priority for hackers

“Activity trackers are lower on the list of IT security concerns, especially compared to risks like password database breaches,” says Merritt Maxim, a Forrester principal analyst focused on security and risks. “But while trackers may be low on your list, the reverse might be true for hackers. They sometimes focus on things that enterprise IT isn’t too concerned about, because they’re looking for easy targets.”

For example, a few years ago, corporate call centers weren’t a top security concern, Maxim notes. Criminals then started using low-tech phone calls, as well as social engineering and other tactics, to obtain personal information about a company’s customers from its call center operators, especially those outside the U.S. As a result, call centers have become a higher priority for enterprise IT security, he says.

4. A smartwatch stolen by a hacker is likely your biggest concern

Dedicated fitness trackers are losing ground to more capable smartwatches. During Q1 2018, smartwatch sales from Apple, Fitbit and others grew 28.4 percent while basic wearable sales declined 9.2 percent, IDC reports.

Whereas earlier smartwatches were mostly limited to connectivity via Bluetooth, many of today’s models connect via Wi-Fi to smartphone apps. Wi-Fi connectivity gives hackers greater flexibility in tapping into, say, a user’s email, which can be accessed from a smartwatch. With Wi-Fi or a smartwatch’s cellular connection, the thief no longer has to be within Bluetooth range of the victim to get an online connection and thus gain access to information, says Chet Wisniewski, principal research scientist for Sophos.

For the majority of people, though, such a cloak-and-dagger scenario is unlikely. “But if you have high-risk employees with access to sensitive information, you should make them aware that their smartwatch, if lost or stolen, could potentially give a hacker access to that information, too,” Wisniewski says. “If they lose the watch, they should let you know right away,” he adds, so IT or the user can disable the watch remotely. For example, Apple offers an Activation Lock feature, which is active by default, on its Wi-Fi-enabled Apple Watch.

Also, in the event of a lost or stolen Wi-Fi-enabled smartwatch, leverage your organization’s Mobile Device Management (MDM) system “to ensure safe transmissions of data back and forth between the smartwatch and the company, similar to what they already use for smartphones and tablets,” Llamas says. “Of course, MDM should be kept current, too.”

5. Smartwatches don’t introduce additional risks

Even if users don’t wear smartwatches, the odds are strong they’re carrying smartphones with them nearly everywhere, Wisniewski adds. Smartphones constantly track location and share that data with the four major U.S. wireless carriers as well as device makers and software companies. In June 2018, U.S. wireless carriers were found to be sharing customers’ location data with third parties.

“We’re already voluntarily paying $1,000 or more to carry around a tracker—our smartphone—that gives our location information to all sorts of companies,” Wisniewski says. “If you think about it, a smartwatch isn’t introducing any additional risk.”

Ultimately, enterprise IT’s job is to educate users about the potential risks and identify clear steps and procedures they should take to mitigate those risks, Wisniewski says. Identify users who may be most at risk of being targeted by hackers and help them find ways to be more vigilant about security.

You could tell your organization’s users not to wear activity trackers or smartwatches, of course, but good luck with that. “You can’t tell people what they can or can’t wear,” especially if, like a smartwatch, the device is often used for personal reasons, Wisniewski says. “Just accept there’s not much you can do about that.”