Security researchers have uncovered several vulnerabilities in health and fitness wearables such as Ivy Health Kids Thermometer, Modius Headband and Digitsole Warm Insoles that allow hackers not only to gain access to device APIs but also to obtain sensitive personal information of users.
A research commissioned by VPN experts vpnMentor found that all three health and fitness wearables posed a major privacy risk to their users as they collected and exposed personal information of users to third parties.
For instance, the Ivy Health Kids Thermometer, a portable thermometer for babies and small children, contained security weaknesses that allowed hackers to access names, gender, dates of birth and other details of children who used the device to take measurements. They could also access temperature measurement history of a device and details of previous users.
The researchers also found that the app’s API and portal were served over insecure HTTP, thereby exposing login details of users to malicious third parties.
Similarly, the Modius Headband, which is designed to help users achieve their weight-loss goals, leaked sensitive details such as location, tracking information via Facebook integration and weight, height, body fat percentage and fingerprints of users to third parties. The leakage of fingerprints could easily be used by cyber-criminals to access users' phones or bank accounts.
The researchers also observed that the Bluetooth-enabled Digitsole Warm Insoles, that allow users to track their activities and adjust the temperature of their shoes for maximum performance, contained vulnerabilities that allowed hackers to take control over the wearables, collect location information and Facebook data, and even increase the temperature of the device remotely.
"With Germany banning kids' smartwatches last year and China banning smartwatch usage in the army a few years ago, it comes as no surprise that the security of wearables remains questionable. As shown in the vpnMentor report, wearables ranging from insoles to thermometers can all be too easily compromised," they noted.
They also expressed concern over the fact that the rise in sales of Internet-connected wearables across the globe could render millions of new users vulnerable to cyber-attacks, physical harm and data exfiltration. According to IDC's Worldwide Quarterly Wearable Device Tracker, the smart wearables market is expected to grow from 115.4 million shipments in 2017 to 222.3 million by 2021. Forbes' 2017 Roundup of IoT Forecasts also projected that the global Internet of Things (IoT) market could see an annual growth rate of 28.5 percent till 2020.
Commenting on the new-found vulnerabilities in frequently-used health and fitness trackers, Ed Williams, director EMEA, SpiderLabs at Trustwave, told SC Magazine UK that the findings of vpnMentor's research is not surprising as many wearable technology makers do not undertake security due-diligence at the design stage.
"If they could, from the outset, ‘bake-in’ security and create viable threat models we would see a vast reduction in these types of issues, unfortunately, this is not the case.
"The ability to harvest names, dates of birth etc is worrying and symptomatic of the industry at large. A rush to market without any consideration of the consumer and general public," he said.