How to Stop Your Fitness Band from Being Hacked

In today's issue of "If It Has An Operating System, It Can Be Hacked," consider the lowly fitness band. These popular little wearable devices help keep people active and reaching new goals in their never-ending quest to stave off the big dirt nap for a few more years.

As it turns out, fitness bands may also not be very secure. One researcher discovered how trivially simple it was for him to connect to strangers' wristbands, and how a malefactor could use the same methods for malicious purposes. Fortunately, there are some easy ways to prevent this from happening to you.


Roman Unuchek, writing on the Securelist blog of Moscow-based information-security company Kaspersky Lab, said it began when he tried to connect the Android Wear app on his smartphone to his brand-new fitness band, but accidentally linked to a coworker's Nike+ Fuel Band SE instead. From there, Unuchek discovered that most fitness bands connect to smartphones using the Bluetooth LE protocol, which does not require a password to pair two devices.

By using the standard Android software development kit (he did not have to program anything new), Unuchek found that he could scan for any Bluetooth LE fitness band in the vicinity and attempt to connect to it. So he created a simple app that automatically started scanning for Bluetooth LE devices that were ready to talk.

Unuchek performed field tests in the Moscow subway system, at a gym in the tech hub of Bellevue, Washington, and at Kaspersky's own security conference last month in Cancun, Mexico. Over six cumulative hours of scanning, he encountered connectible bands sold by Fitbit, Nike, Jawbone, Microsoft, Polar and Quans, and successfully connected to 54 separate devices. (He found that he had to be within 20 feet of a device to get a connection.)

He also discovered one important thing: It's theoretically impossible to connect to a fitness band if a user's phone is already linked with it. This should keep active users safe, but Unuchek found that he could disrupt the connection between a paired phone and band, giving himself an opportunity to connect with the band instead.

"It could be that the devices I found had never connected to a phone before, or that the wristband was not connected to a smartphone while I was scanning (perhaps the Bluetooth on the phone was disabled)," Unuchek wrote. "However, it could also be that a pre-connected device was still available for connection despite the supposed restriction."

Unuchek added that he disclosed his findings to the maker of his own fitness band, the brand of which he did not identify. The company responded by saying that it considered the flaws he encountered a user-experience problem, not a security issue.

As for what kind of mischief an attacker could accomplish with this knowledge, it's minimal, for the moment. Since fitness bands generally just track a user's vital signs and habits, it wouldn't do a malefactor much good to know how many calories you've burned or how many hours you've slept.

However, fitness trackers are adding new functions all the time, and bands with built-in GPS tracking systems could reveal where a user works or lives. Unuchek theorizes that tricksters could also make ransomware that causes bands to vibrate until you pay them to stop.

Since Bluetooth LE is not password-enabled, the best thing you can do to protect your fitness band is to make sure it's always linked to your phone when you're out and about. Failing that, you could just work out, eat well, and hope for the best.

Marshall Honorof is a senior writer for Tom's Guide. Contact him at mhonorof@tomsguide.com.


  • safcmanfr
    If you know how long a person sleeps, and eventually (with certain fitness bands) what their average sleep cycle is + know where they live, then you could plan a nighttime break in to coincide with when their sleep is deepest and reduce the risk of the house/apartment owner waking up....
  • giantbucket
    i store ALL of my banking information and my social security and driver's licence numbers on my fitness band. don't you?
  • YellowBee
    i store ALL of my banking information and my social security and driver's licence numbers on my fitness band. don't you?
    That’s not the point... It’s like saying you only care about “security” on the checkout page of a website when you buy stuff, as that’s where the "sensitive" data is located. You are forgetting that wherever you are visiting (like when you read this post) you leave a footprint that some can use to identify you and then do some serious profiling.
    So being able to track your movement (even if you don’t have your CC on your fit band) is a great help, as it would tell you when you are, for example, out of your house, just like safcmanfr is saying.
    Let’s say you have a Nike fuel band; it can store up to 7 days of data. If someone is able to get that data themselves, they know where you move. They would also know where you sleep and for how long, and when the easiest time would be for a break-in. Once at your home there probably are pictures, perhaps a home laptop (or some other device) and some bills with more information about you. Once that person gets your computer (or other device) booted up, there is a s-itload of information about you.
    All this happens because of one mistake: you didn’t secure your fitband. Still don’t think it’s important? ;)
  • giantbucket
    this would require all of these bands to have a GPS with a breadcrumb trail. do they? i suppose if people are dumb enough to always have everything on and always paired and always connected to their facebook and twitter with hourly updates, then yeah some info could be gleaned from that. and maybe people who are THAT open need to be violated a bit :p

    and i don't need to analyze reams of data from a fitness tracker to figure out that at 3am, if the lights are off at a random house, people are likely sleeping. and at 10am on a Tuesday, most homes are empty since people are at work.
  • cats_Paw
    The good days when you didn't need an iPhone on your wrist to do fitness...
  • ELMO_2006
    this would require all of these bands to have a GPS with a breadcrumb trail. do they? i suppose if people are dumb enough to always have everything on and always paired and always connected to their facebook and twitter with hourly updates, then yeah some info could be gleaned from that. and maybe people who are THAT open need to be violated a bit :p

    and i don't need to analyze reams of data from a fitness tracker to figure out that at 3am, if the lights are off at a random house, people are likely sleeping. and at 10am on a Tuesday, most homes are empty since people are at work.

    +1

    A bunch of Alfred Hitchcock movie lovers here!
    Really, planning a late-night break-in or a home break and enter is kind of pushing the limits here. My fitband shows 5 miles walked; however, I could have walked 5 miles within my home alone - these things are not that smart to begin with. And as for security, lock it or disable it. Next up would be somehow or other a bluetooth soundbar was used to gain entry into an online account!!! Come on people, let's think before we say or type something.
  • drb1981
    I'm not sure the devices will ever develop to the point of really allowing others to gain access to useful personal information. Maybe something could happen in competitive athletics. I can play lots of maybe games. Regardless, what concerns me is the cavalier attitude the companies showed with regard to possible security issues. We've seen plenty of examples in other technologies where this attitude has led to unforeseen consequences.