Smartwatches, trackers and fitness trackers can expose networks if they are not properly connected and managed. How much of a security risk do activity trackers pose to IT? More than you might think.
Hackers target such trackers and smartwatches because of their poor security: they can expose passwords, reveal employees' habits, or even serve as an entry point to other networks and systems.
AV-TEST Institute, a Germany-based research organization, tested 12 fitness trackers, including the Apple Watch Series 3, to assess the security of these devices. 8 of 13 received three stars (the highest possible rating). The institute evaluated the fitness trackers for personal security, not for how big a risk they are for the enterprise.
Activity trackers can’t be 100% secure, 100% of the time. They are much like any other device that can connect to the internet or an app. One incident earlier this year (Strava) showed how data is shared and could potentially be useful to cyber criminals or other people with malicious intent.
Below you will find 5 things you didn’t know about activity trackers and enterprise IT security in 2018.
1. More secure fitness trackers, but with risk.
“Compared to earlier tests (that AV-TEST conducted), the manufacturers have taken the security of fitness data and the data protection of their customers significantly more seriously, which appears to make sense in light of the current data scandals.”
So concluded AV-TEST Institute in its May 2018 report on the most secure trackers. In 2016, by contrast, it had concluded that manufacturers did not pay much attention to the security of the devices.
In 2018, AV-TEST examined the security of connected apps, data protection, external communications, and local communications. Based on these, each device was given an overall score of one, two or three stars.
Fitbit received a similar score from AV-TEST for the Charge 2. According to IDC, Fitbit is in third place among wearable device makers. Many people and workers wear Fitbits acquired through employer fitness programs, which are managed by the Fitbit Health Solutions platform.
Huawei and Garmin earned three stars from AV-TEST; they are ranked fourth and fifth on IDC’s list.
Polar, Moov and Xiaomi earned two stars, and Lenovo’s HW01 tracker got only one star. People on North American enterprise IT teams are unlikely to wear these devices, though Xiaomi is ranked 2nd on the IDC list. Moov and Polar are not even on the list.
2. Targeting tracker metadata
Hackers are interested in the bigger picture of the tracker’s metadata, not in how many steps you took or what your average resting heart rate is.
“Triangulating how long you exercise and what distances you normally exercise and what time of day you exercise can show a hacker when you are or aren’t at work, and that could make you an optimal target”
– said Ramon T. Llamas
In January 2018, the media reported that U.S. soldiers who paired their activity trackers with the fitness network Strava were revealing GPS coordinates via Strava’s heat map, which is quite easy to access if you have an internet connection.
Strava CEO James Quarles said the company was:
“working with military and government officials to address potentially sensitive data”
3. Your low security priority could be a high priority for hackers
“Activity trackers are lower on the list of IT security concerns, especially compared to risks like password database breaches,” says Merritt Maxim, a Forrester principal analyst. “But while trackers may be low on your list, the reverse might be true for hackers. They sometimes focus on things that enterprise IT isn’t too concerned about, because they’re looking for easy targets.”
4. Smartwatches stolen by hackers should not be your biggest concern
Fitness trackers saw fewer sales during Q1 2018 than smartwatches from Fitbit, Apple and others, which grew 28.4%.
Whereas earlier smartwatches were mostly limited to connectivity via Bluetooth, many of today’s models connect via Wi-Fi to smartphone apps. Wi-Fi connectivity gives hackers greater flexibility in tapping into, say, a user’s email, which can be accessed from a smartwatch.