Why fitness trackers data is so valuable

Do you have in mind the countless types of fitness trackers, from wristbands for training or sleep control, to apps that track your movements, count your steps or heartbeats, help you plan your diet or remind you when to take your medication?

All these wearable apps and devices are sending sensitive and personal data to a network. This obviously has implications for privacy and cyber security. Due to the nature and quality of the data processed, wearable devices and fitness trackers have become the object of attention and attack by cyber criminals and the risks involved should not be underestimated.

Fitness trackers and cyber security

Probably many people believe that their fitness and exercise data are not interesting in the eyes of hackers or cyber criminals. Who would be interested in how many minutes of running I do in the morning? What will be the value of the way I use the app for training? With all the information contained in fitness trackers, it is possible to obtain a precise portrait of millions of users, which can then be used to carry out other attacks or to obtain targeted information.

In addition, fitness wristbands - which often do not have monitors and send the visual part back to the associated smartphone - can be compromised without the user noticing.

Personal data when “stolen” is processed by Big Data technologies. Each profile becomes a valuable set of bytes that can be stored anywhere, depending on the interest that the company or person can find there.

Safety of fitness trackers: what are the dangers?

Data that fitness trackers and smartwatches can collect and transfer to the cloud may end up in the wrong hands or be sold to the highest bidder. It is not difficult to think who could benefit from it.

Wearable fitness devices also use intelligent sensors that can help identify movements. These data may be of interest to those involved in urban planning, city traffic control, targeted advertising. But this is nothing compared to the implications in health care and insurance: knowing that a person moves little, does less exercise, sleeps badly compared to the previous year could make you understand that he is more exposed to health problems or (for example) to the risk of cardiovascular disease.

Cyber criminals may sell the information they collect to external companies, advertising and marketing agencies, or entities that are interested in the data in order to design tailor-made advertising campaigns.

Knowing people's habits also makes it easier for criminal attacks to succeed, for example in phishing. For example, if you know that a person often eats a certain food, I can send an email containing a malicious ransomware and lead people to click by betting on their passions, food or sport that is. Or again, if I know this information, pretending to be a fan of the same sport I can gain the trust of others and get more details for a richer attack, perhaps aimed at the society for which the "victim" works.

In short, data theft is never only a damage for those who suffer it, but weakens all online security because it brings to the dark web market a large amount of information that can be exploited for further attacks.

The MyFitnessPal case

The MyfitnessPal app is an emblematic case of fitness trackers and cyber security breach. In March 2018 the app, which still today is one of the most popular ways to keep track of your diet but also of your physical activity, was hacked and the data of 150 million users was stolen. Under Armour, the company that owns the app, said that hackers had access to extremely sensitive information, such as e-mail addresses, eating habits, sports activities, and training times.

The most serious issue of this breach, other than the fact that they entered into possession of extremely confidential data, was the fact that hackers discovered the password used for MyFitnessPal. Since people normally use the same keyword for multiple apps and different services, by having both email and passwords those hackers could have tried to breach much more easily also into other services.

In this case, cyber criminals were unable to obtain their payment details, social security numbers or document numbers. This means that this attack was also unlikely to result in the theft of money from MyFitnessPal customers' credit cards or identity theft. But this attack serves today as very serious and significant reminder in the link between fitness trackers and cyber security, which must be even stronger.