Report. Most fitness trackers leak personal data and are not privacy safe. This is one of several results of an investigation of the privacy and security properties of eight popular wearable fitness tracking systems. In the Every Step You Fake investigation, researchers at the University of Toronto looked at Apple Watch, Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Withings Pulse O2, Mio Fuse and Xiaomi Mi Band and concluded the following:
• 7 out of 8 fitness tracking devices (not Apple Watch) emit persistent unique identifiers (Bluetooth Media Access Control address) that can expose their wearers to long-term tracking of their location when the device is not paired with, and connected to, a mobile device.
• Jawbone and Withings applications can be exploited to create fake fitness band records. Such fake records call into question the reliability of fitness tracker data used in court cases and insurance programs.
• The Garmin Connect applications (iPhone and Android) and Withings Health Mate (Android) application have security vulnerabilities that enable an unauthorized third party to read, write, and delete user data.
• Garmin Connect does not employ basic data transmission security practices for its iOS or Android applications and consequently exposes fitness information to surveillance or tampering.
The researchers decided to immediately release the study background, and their technical methodology and findings, given what they felt were urgent security and privacy issues about which consumers needed to know.