Potentially millions of people who use smart-health wearable devices are having their personal information exposed, security company Aries Security has revealed.
In an exclusive interview, Aries Security Chief Executive Brian Markus told Techly that he and his team have discovered a potentially huge concern with the highly popular fitness devices: using an exploit, they were able to pull personal health data, usernames, passwords and other information from hundreds of internet users during the annual 2014 DEF CON hackers conference.
Those hundreds were just users within range of Markus and crew’s hardware – meaning anyone with an unsecured device is potentially at risk under the right (or wrong) circumstances.
“I don’t know how many makes and models they have, or which makes and models are affected, but we saw several hundred users exposed since we started looking last night,” he said. “Say health company number one with a bracelet, band or health monitor, if they sell several million of them, it could be several million.”
Though one particular brand of health device has particularly egregious security flaws, Mr Markus said his team saw vulnerabilities in multiple devices and brands.
“We actually just discovered today how bad it really was,” he said.
The team at Aries is attempting to contact the company, though Mr Markus admits they’ve struggled as they don’t have an “inside connection”.
Techly won’t reveal the main type of device at fault in the interests of security.
The chief executive said it wasn’t just attendees of the DEF CON conference whose data was sucked up from the ether – he could also access info from casino patrons’ devices as they roamed the Vegas strip.
Markus said the vulnerability was a sign of what happens when the medical industry – which is far more regulated – runs behind the faster-paced, less-regulated consumer health industry.
“It’s not an HMO (Health Maintenance Organisation), a PPM (Physician Practice Management) or a doctor that is giving these things to internet users,” he said. “It’s an individual consumer buying it from the store, so there’s really no regulations to say you can’t expose your own data like that.
“It’s contradictory because hospitals have to protect themselves and their customers from having their information exposed, but meanwhile, people are walking around with these devices strapped to them… beaming out all their personal information because they bought it in a store. They’re exposing themselves unknowingly.”
Techly has reached out to all the major companies with health devices, including Nike (Fuel Band), Fitbit, and Jawbone (UP, UP24) to find out:
- which of them encrypt their communications between their proprietary systems, retail devices, and the devices consumers use to connect to their wearables (think smartphones and PCs), and
- for the ones that do not encrypt their communications, whether they plan to.
The flaw highlights the urgency of compulsory encryption for health devices – and really any hardware that needs to communicate with multiple devices to be effective.
UPDATE: Contrary to previous assumptions, I have heard back from Fitbit definitively that it encrypts “the hardware and the devices they communicate with”.
Fitbit previously issued this statement below, which seemed a little vague, so we went back to the company for clarification:
The company told Techly that it uses a combination of vague but “technical and administrative security controls to maintain the security of the users data”.
“First and foremost, Fitbit doesn’t sell any data that could identify the user,” the spokesperson said. “We only share data about the user when it is necessary to provide our services, when the data is de-identified and aggregated, or when the user directs us to share it.”
UPDATE: A Jawbone spokesperson said the company “takes security extremely seriously” by providing secure connections without utilising any wireless functionality.
“The company provides two versions of the UP Band, one connects through the audio interface on the phone, providing a secure connection without utilising any wireless functionality,” the spokesperson said.
“The second – the UP24 band – provides a wireless connection using BTLE, and we have put in place additional security mechanisms to provide a secure wireless connection. In addition, our phone-to-band wireless protocols have been independently audited by a third party security firm.”
UPDATE: A Google spokesperson refused to be drawn on whether it encrypts Google Fit communications but said “as with any product at Google, we’re focused on the privacy and security of our users’ information.”
Consumer health brands aren’t the only offenders, the chief executive said. Two of four major anti-virus companies still don’t encrypt their updates as they push them through to consumer devices.