How to secure fitness devices against data security issues

A study by the virtual private network provider NordVPN revealed that 1 in 4 (24.6 percent) people use some kind of fitness or well-being device, such as a smartwatch, fitness tracker, etc.
However, these devices may be tracking a lot more than your fitness activities, and 25 percent do nothing to protect them, which may pose a serious risk to people’s privacy, the report said.

Among the data collected by fitness wearables and the mobile apps connected to them, there are basic activities such as steps, heart rate, the time you go to sleep or wake up, as well as your consumed calories, weight, or even running routes, which are all of great interest to stalkers or attackers.

For example, Clario research has revealed that Strava collects 41.18 percent of users’ personal data, and MyFitnessPal — 35.29 percent.

“Health information is definitely among the most private and sensitive data in our lives. However, we allow our wearable fitness trackers to capture and store this information in mobile apps without properly knowing about its security vulnerabilities,” comments Daniel Markuson, a digital privacy expert at NordVPN.

Worldwide shipments of wearable devices increased 27.2 percent to 153.5 million in the fourth quarter of 2020. Shipments of wearable devices in 2020 grew 28.4 percent to 444.7 million units.

Jitesh Ubrani, research manager for IDC Mobile Device Trackers, said: “In-home fitness programs are becoming a crucial component of the wearables offering for many companies. The proliferation of health sensors such as skin temperature, ECG, and heart rate tracking is allowing users and health professionals to better understand the onset and tracking of diseases.”

Fitness apps — popular target for hackers

Like many gadgets, well-being devices and their apps have security holes that might allow hackers to gain access to your information. Even without taking control of your device, someone can “sniff” the Bluetooth signal sent back to your smartphone to guess your passcode. Once a hacker has your PIN, it’s simple to gain access to all your health information.

According to Have I Been Pwned?, in 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million email addresses alongside usernames, IP addresses, and passwords. The next year, this data appeared on the dark web and was listed for sale.

The same year, another health and fitness service provider — 8fit — suffered a data breach of 15 million unique email addresses, which later on were also sold on the dark web.

“Many people connect their fitness devices to an outside app to track, share, and analyse their activities. However, that’s the moment when people are easily giving away their sensitive information. Many people share fitness achievements on social media or on the app’s online forum,” Daniel Markuson, a digital privacy expert at NordVPN, said.

How to make sure your fitness data is secure

Since most fitness trackers lack the necessary security systems, Daniel Markuson shares some advice to make your fitness experience less stressful and more secure:

Read the user agreement. Before purchasing any fitness device, take some time to read its user agreement and privacy policy. Make sure that the company values your privacy and takes reasonable steps to protect it.

Hide your identity online. If your fitness apps ever get hacked, you can limit the potentially exposed personal information by using a VPN. It creates an encrypted tunnel for your data and protects your online identity by hiding your IP address.

Limit the data that is being collected. More often than not, apps and devices collect data that is not necessary for them to operate. If possible, allow them to collect and store only the data required to give you the service you signed up for.

Regularly delete data stored in the app/device. Many fitness trackers allow you to review and delete the data they store about you. Make sure to check the privacy policy to verify that deleted data is actually deleted from the company’s servers too.