Skip to main content

Is security and data privacy important on tracker devices like Fitbit?

A few days ago, I read about how insecure Fitbit devices are. There was a lot of noise created around it, explaining different ways how you can hack Fitbit device to gain access to personal data. My first reaction when I saw the title of article was “So what!?” and let me explain why I don’t see this a life treating or something that will stop me to use my Fitbit.

Personal data
It is true that a tracker contains personal data, but let us be realistic and look on what data it has. Most of the trackers contains information related to your past activity, heartbeat, number of steps and in some cases GPS information.

Except GPS information, the rest of the data are not so sensitive. What do you think that a hacker can do if he knows that you done 10k steps this morning. Yes, he might know your habits and broke into your house when you are jogging or walk the dog. This scenario can be real, but the true is that there are so many ways to find out what are your habits that you would be impressed.
Just imagine that every like or activity on Facebook can be seen by your Facebook friends. This mean that I know when you rest after a training session or when you are busy with your dog. If I combine this with social activity networks like Strava, than I really do not need to get your Fitbit information. I already know when you go at the gym or to a jog.


For most of the people GPS information is a concern, but we are living a time when we are surrounded of devices that can track us in a way or another. It is enough to connect to multiple wireless networks in the same day for somebody to be able to know where we were and create a virtual activity route. If you are using a cellular, than you already know that your location can be tracked more or less, but you need to become a ‘VIP’ person for this.
If you are a normal personal nowadays, that is using social networks, has a phone and enjoy the benefits of digitalization than you can be tracked easily. I don’t think that this should concern us as long as we don’t have something to hide and we are just a row in some statistics (Yes, we are more than that, but from statistics perspective, we are just a number).

Computation power
The CPU power of a tracker device is higher than most of computer that exists 50 years ago, but still is limited. There is not too much computation power available to run complex algorithms. On top of this I don’t think that you want an activity tracker on your wrist that reach 40 decrease because it starting to encrypt data before sending it.
Integration of dedicated hardware chip for this would increase the price and would make the device more expensive.

Encryption mechanism
In the last years, I saw a lot of new mechanism that improve security. From better algorithms to more complex security mechanism that do not use so many resources as classical solutions.
What should we know that most of them are already patent and if a company like Fitbit would like to use state of the art solutions, they would need to pay. This would be translated in higher price and consumer will not buy anymore.

Hacking locations (hot spots)
Most of the trackers are using Bluetooth to push telemetric data to a smartphone or to a receiver. This means that even if a hacker is able to connect to your device, he will need to be in your proximity.
This might not be so hard if he set a receiver in the supermarket or in the coffee shop where you drink your coffee every morning. The same thing can be done inside your office or any public space.
Even if it is easy find a public space where you go every day to set a receiver, you need to be an 'interesting' person to make people to do something like this. I think that there are cheaper mechanism to find your habits.

Statistics
When data are collected from multiple people, you are becoming just an item inside a database. Nobody will look at you as an individual. You will be putted in a group of people with specific features. This might affect our life in a good way if based on this reports a new coffee shop is open closer to our route or in bad way if an liquor store is open.
At least if you see ads inside an application or a web site at least to see something useful for you.

Plug and play
Implementing complex security protocols might require dedicated receivers or even complex steps that needs to be done when we pair our smartphone with the tracker. Would you like to have a receiver dedicated to your tracker that needs to be carried with you everywhere? On top of this if you lose it you would need to buy a new tracker because it cannot be replaced. I don’t think so…
What if to be able to pair your tracker with your smartphone you would need a PhD degree. You would have some a complex pairing protocol that would make you to hate your life and you would need to do the pairing or the sync.
No, you don't want this. What  you want  is a device that in 5 seconds is ready to be used.

Battery efficient
One of the most important feature of a tracking device is battery life. When you design a device like this, you will give your best to optimize it. Many times people do not realize, but security is an expensive feature from energy consumption perspective.
Data encryption consumes a lot of computation power, which in the end is energy. Would you still buy a tracker that needs to be charged every 12 or 24 hours? I would not buy such a device.

Price
Finally yet importantly is the price. We, the consumers, dictate this. We want devices that are cheap and are affordable enough be replaced every 12 months. Would you buy a tracker if you would need to pay 1000$? We are looking to get the best deal all the time, which force each manufacturer to optimize costs.
This mean that he need to optimize costs and find better ways how we can offer the same basic features with less money.

Nothing is bulletproof
Don’t expect to buy devices that cannot be hacked. Don’t believe that the device is so secure that nobody can access it. A base security level is important on each device, offering us a rudimentary privacy level. However, of course, there is a threshold and with enough imagination and time a device can be compromised.

Do we need something more than this? How much more are you ready to pay for it? This are the questions that each of us should find an answer.   

Comments

Popular posts from this blog

Windows Docker Containers can make WIN32 API calls, use COM and ASP.NET WebForms

After the last post , I received two interesting questions related to Docker and Windows. People were interested if we do Win32 API calls from a Docker container and if there is support for COM. WIN32 Support To test calls to WIN32 API, let’s try to populate SYSTEM_INFO class. [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_INFO { public uint dwOemId; public uint dwPageSize; public uint lpMinimumApplicationAddress; public uint lpMaximumApplicationAddress; public uint dwActiveProcessorMask; public uint dwNumberOfProcessors; public uint dwProcessorType; public uint dwAllocationGranularity; public uint dwProcessorLevel; public uint dwProcessorRevision; } ... [DllImport("kernel32")] static extern void GetSystemInfo(ref SYSTEM_INFO pSI); ... SYSTEM_INFO pSI = new SYSTEM_INFO(...

ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded

Today blog post will be started with the following error when running DB tests on the CI machine: threw exception: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See http://go.microsoft.com/fwlink/?LinkId=260882 for more information. at System.Data.Entity.Infrastructure.DependencyResolution.ProviderServicesFactory.GetInstance(String providerTypeName, String providerInvariantName) This error happened only on the Continuous Integration machine. On the devs machines, everything has fine. The classic problem – on my machine it’s working. The CI has the following configuration: TeamCity .NET 4.51 EF 6.0.2 VS2013 It see...

Navigating Cloud Strategy after Azure Central US Region Outage

 Looking back, July 19, 2024, was challenging for customers using Microsoft Azure or Windows machines. Two major outages affected customers using CrowdStrike Falcon or Microsoft Azure computation resources in the Central US. These two outages affected many people and put many businesses on pause for a few hours or even days. The overlap of these two issues was a nightmare for travellers. In addition to blue screens in the airport terminals, they could not get additional information from the airport website, airline personnel, or the support line because they were affected by the outage in the Central US region or the CrowdStrike outage.   But what happened in reality? A faulty CrowdStrike update affected Windows computers globally, from airports and healthcare to small businesses, affecting over 8.5m computers. Even if the Falson Sensor software defect was identified and a fix deployed shortly after, the recovery took longer. In parallel with CrowdStrike, Microsoft provi...