Make Sure You Are Safe If You Got a Fitness Tracker for Christmas

Why do we buy fitness trackers and apps? It's obvious: because they're supposed to help us get in better physical shape. How often, however, do you think about how they do it? You probably know the answer, but you rarely give it any serious thought.

They use GPS signals and sensors to record where we're going, how much distance we've covered, how quickly our hearts are beating, and they try to tell us if there's anything we might want to improve. All that data is collected, organized in our personal accounts, and it's stored in that mysterious place everyone calls "the cloud." It's only a matter of time before some of it gets compromised. In fact, we've already seen it.

Fitness trackers’ security is not always great

Last year, fitness app MyFitnessPal suffered a major data breach that resulted in 150 million stolen records. Among other things, the incident revealed that fitness apps, like all other types of online services, don't always protect our data properly.

When Under Armour, MyFitnessPal's owner, announced what had happened, it said that the majority of the stolen passwords had been hashed with bcrypt – an algorithm that, if implemented correctly, is practically impossible to crack. Sadly, it later turned out that the rest of the credentials had been hashed with SHA-1 – an algorithm that, regardless of implementation, is not hard to crack at all. As a result, all MyFitnessPal users had to go through a password reset.

Should we ditch fitness trackers?

If you're going to stop using fitness technology just because one app developer didn't get it exactly right, you might as well stop using all your internet-connected devices. The fact is, security incidents are a part of the online world, and that's unlikely to change any time soon.

That being said, a couple of months after the MyFitnessPal data breach, German security testing laboratory AV-TEST examined the most popular fitness tracking equipment and determined that most of what was on the market at the time did come with solid enough mechanisms to keep users' data secure. It's safe to assume that things have improved further since then, but that doesn't mean that you should let your guard down.

Don't forget that this is your data we're talking about. If you're going to use one of these devices, you'd better be aware of how it handles your information and what the vendor is doing to ensure that it doesn't end up exposed.

It pays to know what you’re using and how to use it

The MyFitnessPal data breach wasn't the only security incident related to fitness devices in 2018. Strava is a fitness band that lets users automatically upload their training routine to a publicly accessible platform that produces a heatmap of the places most frequented by the people wearing it. This functionality can be very useful for people who are looking for new routes for their morning jogs. Other individuals and organizations can also use it for more nefarious purposes, though.

In January 2018, security specialists found out that quite a few soldiers were using Strava at the time, and the heatmaps that their devices produced revealed some interesting data about military bases around the world.

Strictly speaking, this was not a fault with the fitness band. The problem came from the fact that soldiers forgot (or didn't know how) to adjust their privacy settings. In the end, however, data was put at risk, and this is what you must avoid if you're going to use a fitness tracker.

If you got a fitness tracker as a present or if you're thinking of buying one, do some research and try to find out what sort of information the device will share with the rest of the world. When you get it, go over its settings and disable any options that might make you feel uncomfortable.

Go to Google and check if security professionals (e.g., AV-TEST) have been looking at the band and find out what they think of it. Security-focused reviews are bound to tell you if your personal information will be shared with third parties, and if they don't, you could do worse than going through the vendor's privacy policy and finding out for yourself.

Properly setting up a fitness tracker is a lot of work, unfortunately. The creators of these devices and the technology behind them have put a lot of work on collecting data, and not that much into giving users an easy way to protect it. Even so, you have to do it. Negligence will do nothing more than put you (and possibly others) at risk.