Your fitness tracker may have a serious security flaw

Fraud and data theft are possible in many major trackers, new study finds

About 20 million fitness trackers of various sorts were sold in the first quarter of 2016. That's a lot of people out there who are worried about their fitness levels.

But according to a new study, those people should be more worried about the security of the data that their trackers are collecting. Researchers from the Technische Universität Darmstadt and the University of Padua looked at 17 models of fitness tracker currently on the market and found big holes in their security.

While almost all cloud-based tracking systems use an encrypted protocol like HTTPS to transfer their data, the researchers were able to falsify data in almost all cases. In one example, they successfully persuaded the tracker to tell its server that the user had walked 80 million steps in a day.

While four of the manufacturers tested took some measures to protect the integrity of the data, the researchers found that these were not sufficient. "These hurdles cannot stop a motivated attacker," said Ahmad-Reza Sadeghi, who led the team. "Scammers can manipulate the data even with very little IT knowledge."

Stolen or Infected

That's a problem, because data from fitness trackers is increasingly being used in court, and some health insurance providers offer discounts to those who share their fitness data. A determined individual could easily gain financial advantage or influence a criminal trial.

Not only that, but the researchers also found that several manufacturers store their fitness data in plain text. That introduces a risk of the data being accessed by others if a device is stolen or infected with malware.

"Health insurers and all other companies who want to use fitness trackers for their services should seek advice from security experts before doing so," said Sadeghi, adding that the technology to prevent this from happening exists, but "it's just that the manufacturers have to put some more effort in employing these technologies in their products".

The study follows an earlier, similar report from Binghamton University and Stevens Institute of Technology, which found that fitness tracker data leaks could reveal a user's bank PIN.

  • Duncan Geere is TechRadar's science writer. Every day he finds the most interesting science news and explains why you should care. You can find him on Twitter under the handle @duncangeere.