Skip to main content

Is security and data privacy important on tracker devices like Fitbit?

A few days ago, I read about how insecure Fitbit devices are. There was a lot of noise created around it, explaining different ways how you can hack Fitbit device to gain access to personal data. My first reaction when I saw the title of article was “So what!?” and let me explain why I don’t see this a life treating or something that will stop me to use my Fitbit.

Personal data
It is true that a tracker contains personal data, but let us be realistic and look on what data it has. Most of the trackers contains information related to your past activity, heartbeat, number of steps and in some cases GPS information.

Except GPS information, the rest of the data are not so sensitive. What do you think that a hacker can do if he knows that you done 10k steps this morning. Yes, he might know your habits and broke into your house when you are jogging or walk the dog. This scenario can be real, but the true is that there are so many ways to find out what are your habits that you would be impressed.
Just imagine that every like or activity on Facebook can be seen by your Facebook friends. This mean that I know when you rest after a training session or when you are busy with your dog. If I combine this with social activity networks like Strava, than I really do not need to get your Fitbit information. I already know when you go at the gym or to a jog.


For most of the people GPS information is a concern, but we are living a time when we are surrounded of devices that can track us in a way or another. It is enough to connect to multiple wireless networks in the same day for somebody to be able to know where we were and create a virtual activity route. If you are using a cellular, than you already know that your location can be tracked more or less, but you need to become a ‘VIP’ person for this.
If you are a normal personal nowadays, that is using social networks, has a phone and enjoy the benefits of digitalization than you can be tracked easily. I don’t think that this should concern us as long as we don’t have something to hide and we are just a row in some statistics (Yes, we are more than that, but from statistics perspective, we are just a number).

Computation power
The CPU power of a tracker device is higher than most of computer that exists 50 years ago, but still is limited. There is not too much computation power available to run complex algorithms. On top of this I don’t think that you want an activity tracker on your wrist that reach 40 decrease because it starting to encrypt data before sending it.
Integration of dedicated hardware chip for this would increase the price and would make the device more expensive.

Encryption mechanism
In the last years, I saw a lot of new mechanism that improve security. From better algorithms to more complex security mechanism that do not use so many resources as classical solutions.
What should we know that most of them are already patent and if a company like Fitbit would like to use state of the art solutions, they would need to pay. This would be translated in higher price and consumer will not buy anymore.

Hacking locations (hot spots)
Most of the trackers are using Bluetooth to push telemetric data to a smartphone or to a receiver. This means that even if a hacker is able to connect to your device, he will need to be in your proximity.
This might not be so hard if he set a receiver in the supermarket or in the coffee shop where you drink your coffee every morning. The same thing can be done inside your office or any public space.
Even if it is easy find a public space where you go every day to set a receiver, you need to be an 'interesting' person to make people to do something like this. I think that there are cheaper mechanism to find your habits.

Statistics
When data are collected from multiple people, you are becoming just an item inside a database. Nobody will look at you as an individual. You will be putted in a group of people with specific features. This might affect our life in a good way if based on this reports a new coffee shop is open closer to our route or in bad way if an liquor store is open.
At least if you see ads inside an application or a web site at least to see something useful for you.

Plug and play
Implementing complex security protocols might require dedicated receivers or even complex steps that needs to be done when we pair our smartphone with the tracker. Would you like to have a receiver dedicated to your tracker that needs to be carried with you everywhere? On top of this if you lose it you would need to buy a new tracker because it cannot be replaced. I don’t think so…
What if to be able to pair your tracker with your smartphone you would need a PhD degree. You would have some a complex pairing protocol that would make you to hate your life and you would need to do the pairing or the sync.
No, you don't want this. What  you want  is a device that in 5 seconds is ready to be used.

Battery efficient
One of the most important feature of a tracking device is battery life. When you design a device like this, you will give your best to optimize it. Many times people do not realize, but security is an expensive feature from energy consumption perspective.
Data encryption consumes a lot of computation power, which in the end is energy. Would you still buy a tracker that needs to be charged every 12 or 24 hours? I would not buy such a device.

Price
Finally yet importantly is the price. We, the consumers, dictate this. We want devices that are cheap and are affordable enough be replaced every 12 months. Would you buy a tracker if you would need to pay 1000$? We are looking to get the best deal all the time, which force each manufacturer to optimize costs.
This mean that he need to optimize costs and find better ways how we can offer the same basic features with less money.

Nothing is bulletproof
Don’t expect to buy devices that cannot be hacked. Don’t believe that the device is so secure that nobody can access it. A base security level is important on each device, offering us a rudimentary privacy level. However, of course, there is a threshold and with enough imagination and time a device can be compromised.

Do we need something more than this? How much more are you ready to pay for it? This are the questions that each of us should find an answer.   

Comments

Popular posts from this blog

ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded

Today blog post will be started with the following error when running DB tests on the CI machine:
threw exception: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See http://go.microsoft.com/fwlink/?LinkId=260882 for more information. at System.Data.Entity.Infrastructure.DependencyResolution.ProviderServicesFactory.GetInstance(String providerTypeName, String providerInvariantName) This error happened only on the Continuous Integration machine. On the devs machines, everything has fine. The classic problem – on my machine it’s working. The CI has the following configuration:

TeamCity.NET 4.51EF 6.0.2VS2013
It seems that there …

How to check in AngularJS if a service was register or not

There are cases when you need to check in a service or a controller was register in AngularJS.
For example a valid use case is when you have the same implementation running on multiple application. In this case, you may want to intercept the HTTP provider and add a custom step there. This step don’t needs to run on all the application, only in the one where the service exist and register.
A solution for this case would be to have a flag in the configuration that specify this. In the core you would have an IF that would check the value of this flag.
Another solution is to check if a specific service was register in AngularJS or not. If the service was register that you would execute your own logic.
To check if a service was register or not in AngularJS container you need to call the ‘has’ method of ‘inhector’. It will return TRUE if the service was register.
if ($injector.has('httpInterceptorService')) { $httpProvider.interceptors.push('httpInterceptorService&#…

Fundamental Books of a Software Engineer (version 2018)

More then six years ago I wrote a blog post about fundamental books that any software engineer (developer) should read. Now it is an excellent time to update this list with new entries.

There are 5 different categories of books, that represent the recommended path. For example, you start with Coding books, after that, you read books about Programming, Design and so on.
There are some books about C++ that I recommend not because you shall know C++, only because the concepts that you can learn from it.

Coding

Writing solid codeCode completeProgramming Pearls, more programming pearls(recommended)[NEW] Introduction to Algorithms

Programming

Refactoring (M. Fowler)Pragmatic ProgrammerClean code[NEW] Software Engineering: A Practitioner's Approach[NEW] The Mythical Man-Month[NEW] The Art of Computer Programming

Design

Applying UML and Patterns (GRASP patterns)C++ coding standards (Sutter, Alexandrescu)The C++ programming language (Stroustrup, Part IV)Object-oriented programming (Peter Coad)P…