
Is security and data privacy important on tracker devices like Fitbit?

A few days ago, I read about how insecure Fitbit devices are. There was a lot of noise around it, explaining different ways you can hack a Fitbit device to gain access to personal data. My first reaction when I saw the title of the article was “So what!?”, and let me explain why I don’t see this as life-threatening or as something that will stop me from using my Fitbit.

Personal data
It is true that a tracker contains personal data, but let us be realistic and look at what data it has. Most trackers contain information related to your past activity, heartbeat, number of steps and, in some cases, GPS information.

Except for GPS information, the rest of the data is not so sensitive. What do you think a hacker can do if he knows that you did 10k steps this morning? Yes, he might learn your habits and break into your house when you are jogging or walking the dog. This scenario can be real, but the truth is that there are so many ways to find out what your habits are that you would be impressed.
Just imagine that every like or activity on Facebook can be seen by your Facebook friends. This means that I know when you rest after a training session or when you are busy with your dog. If I combine this with social activity networks like Strava, then I really do not need to get your Fitbit information. I already know when you go to the gym or for a jog.


For most people GPS information is a concern, but we are living in a time when we are surrounded by devices that can track us in one way or another. It is enough to connect to multiple wireless networks in the same day for somebody to be able to know where we were and create a virtual activity route. If you are using a cell phone, then you already know that your location can be tracked more or less, but you need to become a ‘VIP’ person for this.
If you are a normal person nowadays, who uses social networks, has a phone and enjoys the benefits of digitalization, then you can be tracked easily. I don’t think that this should concern us as long as we don’t have something to hide and we are just a row in some statistics (yes, we are more than that, but from a statistics perspective we are just a number).

Computation power
The CPU power of a tracker device is higher than that of most computers that existed 50 years ago, but it is still limited. There is not much computation power available to run complex algorithms. On top of this, I don’t think that you want an activity tracker on your wrist that reaches 40 degrees because it starts encrypting data before sending it.
Integrating a dedicated hardware chip for this would increase the price and make the device more expensive.

Encryption mechanism
In the last years, I have seen a lot of new mechanisms that improve security, from better algorithms to more complex security mechanisms that do not use as many resources as classical solutions.
What we should know is that most of them are already patented, and if a company like Fitbit wanted to use state-of-the-art solutions, it would need to pay. This would translate into a higher price, and consumers would no longer buy.

Hacking locations (hot spots)
Most trackers use Bluetooth to push telemetry data to a smartphone or to a receiver. This means that even if a hacker is able to connect to your device, he will need to be in your proximity.
This might not be so hard if he sets up a receiver in the supermarket or in the coffee shop where you drink your coffee every morning. The same thing can be done inside your office or any public space.
Even if it is easy to find a public space where you go every day and set up a receiver, you need to be an 'interesting' person for people to do something like this. I think that there are cheaper mechanisms to find out your habits.

Statistics
When data is collected from multiple people, you become just an item inside a database. Nobody will look at you as an individual. You will be put in a group of people with specific features. This might affect our life in a good way if, based on these reports, a new coffee shop is opened closer to our route, or in a bad way if a liquor store is opened.
At least if you see ads inside an application or a web site, you will see something useful for you.

Plug and play
Implementing complex security protocols might require dedicated receivers or even complex steps that need to be done when we pair our smartphone with the tracker. Would you like to have a receiver dedicated to your tracker that needs to be carried with you everywhere? On top of this, if you lose it you would need to buy a new tracker because it cannot be replaced. I don’t think so…
What if you needed a PhD degree to be able to pair your tracker with your smartphone? You would have such a complex pairing protocol that it would make you hate your life whenever you need to do the pairing or the sync.
No, you don't want this. What you want is a device that is ready to be used in 5 seconds.

Battery efficient
One of the most important features of a tracking device is battery life. When you design a device like this, you will do your best to optimize it. Many times people do not realize it, but security is an expensive feature from an energy consumption perspective.
Data encryption consumes a lot of computation power, which in the end is energy. Would you still buy a tracker that needs to be charged every 12 or 24 hours? I would not buy such a device.

Price
Last but not least is the price. We, the consumers, dictate this. We want devices that are cheap and affordable enough to be replaced every 12 months. Would you buy a tracker if you needed to pay 1000$? We are looking to get the best deal all the time, which forces each manufacturer to optimize costs.
This means that they need to optimize costs and find better ways to offer the same basic features for less money.

Nothing is bulletproof
Don’t expect to buy devices that cannot be hacked. Don’t believe that the device is so secure that nobody can access it. A base security level is important on each device, offering us a rudimentary privacy level. However, of course, there is a threshold and with enough imagination and time a device can be compromised.

Do we need something more than this? How much more are you ready to pay for it? These are the questions to which each of us should find an answer.
