The rise of IoT devices in the health care sector has introduced a range of cyber risks. Wearable devices such as fitness bands and health trackers have become widespread, and their security is a perennial concern because they store users’ sensitive data. A recent security investigation by WebsitePlanet found an unsecured database exposing over 61 million records from fitness wearable devices online. The database, which belonged to GetHealth, was not password-protected, so anyone who found it could read its contents. The database was secured after the researchers reported the issue to GetHealth.
Based in New York, GetHealth provides a unified solution for accessing health and wellness data from hundreds of wearables, medical devices, and applications. The GetHealth platform can sync health-related data from sources including Fitbit, Misfit Wearables, Microsoft Band, Strava, Google Fit, 23andMe, Daily Mile, FatSecret, Jawbone UP, Life Fitness, MapMyFitness, MapMyWalk, Moves App, PredictBGL, Runkeeper, Sony Lifelog, VitaDock, Withings, Apple HealthKit, Android Sensor, and S Health.
The exposed information included users’ first and last names, display names, dates of birth, weight, height, gender, geolocation, and similar fields. “This information was in plain text while there was an ID that appeared to be encrypted. The geolocation was structured as in America/New_York, Europe/Dublin and revealed that users were located all over the world,” WebsitePlanet said.
While analyzing a sample of 20,000 records, the researchers found that most of the exposed data came from Fitbit (appearing 2,766 times) and Apple HealthKit (17,764 times). Apple HealthKit users are the most affected by this incident, because HealthKit collects more health data, such as blood pressure, body weight, sleep levels, and glucose levels, than the other devices or applications.
Security Risks with Fitness Trackers
Fitness trackers monitor our health by collecting sensitive personal information, and that same information creates privacy risks when it is exposed. Users’ sensitive data is a valuable commodity for threat actors: exposed records of this kind can be misused by cybercriminals in targeted phishing, identity theft, or social-engineering attacks.
“This case sets an example of how lack of care with sensitive data can make risks escalate indefinitely, as millions of people were exposed simply by wearing tracking devices during their workout sessions,” WebsitePlanet added.