Over the weekend, a story broke that military personnel may have unwittingly revealed sensitive geographical information through using the Strava fitness tracker. This particular device allows users to record activity statistics for walking, running, and biking through either their smartphone or a wearable. The information can then be uploaded to the Internet and displayed as a map showing their workout route. Not only did this information expose the global location of bases and spy posts, but also the layout of these sites based on the movement patterns.
Location isn’t all that we have to worry about. There are a wide variety of brands and types of fitness trackers available on the market, and most capture much more than just steps. Many trackers record sleep patterns, heart rate, and other personal health information. The profiles users create for these apps include data such as age, gender, height, etc. In the wrong hands, this information could be used to derive the type of troops in a particular area, what type of training and military exercises they are conducting, and when they are doing it. Changes in these patterns could tip off an adversary to an impending attack. Suddenly, information that seems personal and benign isn’t so innocent.
There has been an explosion in the popularity of fitness trackers. Wareable.com estimates that the tracker market will reach $2 billion by the year 2019 and the evolution of the trend is no surprise. As smart technology becomes more and more ingrained into our everyday lives, those small moments of satisfaction become addictive. We continuously check our phones to see who “liked” our Facebook posts or who retweeted us. Fitness trackers provide a feeling of accomplishment for completing daily goals and to an extent, a confirmation of one’s health. The app can become a lifestyle.
To meet this demand, it seems like every tech brand, every fitness brand, and every GPS brand has a tracker. Fitbit is the giant, but there are also: Nike, Polar, Jawbone, Moov, Garmin, BodyMedia, SYNC, LifeTrak, Sigma, Under Armour, Adidas, Scosche, Striiv, Samsung, TomTom, and Huawei. Plus, many of these brands offer multiple models. The point is, they all competing and to remain competitive in such an aggressive market they have to stand out. There is a race to capture additional health information more accurately and to provide that product at an affordable price point. Unfortunately, that reduction in cost can come at the price of security.
So just how secure is this information? Sadly, not very. There are a ton of potential breach points at the individual user level alone. Trackers such as FitBit have a website where you can sync and record your data, smart scales integrate with these apps and devices, phone apps can potentially be hacked, and anyone who gains access to your email can simply view the daily progress reports sent to your inbox. For example, blogger Roman Unuchek outlined how he was able to hack the Android sync app that came with his device and connect his phone with strangers wearing several different brands, without their knowledge.
And that’s just for end users. What are companies doing to secure our fitness information? Where is it being stored? Who has access? For how long is it archived? Without regulation, there really is no way of knowing and it seems like it’s only a matter of time before we hear about a breach of this information.
In the wake of the Strava/military scare, the US Central Command said it’s in the process of refining privacy policies and reviewing potential for security risks associated with fitness trackers and apps. Pentagon spokesman Col. Rob Manning stated, “We take these matters seriously and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of Department of Defense personnel at home and abroad.”
One thing is for sure, technology evolves and becomes adopted at a faster rate than we protect it. Fitness trackers aren’t going away anytime soon and the companies that rise above the competition will be those who ensure the security of their users’ personal data, before their customers even know that they have to think about it. Since this data is likely stored in “the cloud” somewhere, the best way to provide the level of security needed is with a fully integrated, cloud-based suite of products designed to protect personal data from every angle. Oracle Dyn Web Application Security does just that. It includes solutions for WAF, DDoS protection, API security, bot management, and malware protection. Advanced machine learning and AI keep your solutions ahead of the curve and empower your security with the ability to evolve as quickly as the technology that they protect.