Your Fitbit, or other wearable device, could be tracking more than just your health and wellness metrics.
Cybersecurity journalist Brian Krebs and BuzzFeed reported that some Fitbit accounts were found to have been compromised over the holiday season, when Fitbits were among the hottest-selling wearables.
According to cybersecurity expert Stephen Cobb of IT security company ESET North America, the incursions were not part of a large-scale breach such as those that have recently hit a few big healthcare organizations, but rather cases in which several individual account passwords were stolen, guessed or brute-forced.
“These particular scammers changed the information on the account as soon as they accessed it, thus preventing the real account holders from logging in,” Cobb wrote on the ESET blog. “The scammers then used the hacked accounts to request new devices to replace ‘faulty’ ones under warranty. Not surprisingly, the higher end devices were targeted.”
While Cobb noted that the Fitbit devices themselves weren’t hacked (at least in these episodes), the warranty scammers “demonstrated why people are concerned about the privacy of data generated by wearable devices, some of which is highly personal.”
In his blog post, Cobb also declared that the entire activity tracker ecosystem needs better security practices and technologies, especially in a world in which consumer devices are increasingly interconnected via the Internet of Things.
Cobb maintained that the wearables sector needs to pay more attention to Privacy by Design (PbD), the standard developed in Ontario, Canada, for embedding privacy protection into the design specifications of technologies, business practices and physical infrastructures. PbD is summarized in seven foundational principles.
He also suggested consumers consider the following points when buying and using wearables of any brand:
- Do an Internet search for the wearable you want to buy and check whether the device has been associated with any hacks, frauds or scams.
- Set up your wearable and its associated online account with an obscure username and a unique password, both of which should be hard to guess.