As we strive to become more health-conscious, fitness bands have exploded on the world market. Millions of individuals strap on a fitness band each day. We monitor, compare and compete with ourselves and a community of like-minded individuals. Data including the number of steps taken daily, calories burned, heart rate and even our sleep patterns are wirelessly transmitted to our smartphones or computers. But is our data secure?

Low Energy Equals Low Security

There are a few security concerns with fitness bands, and for that matter, any Internet of Things (IoT) device that uses Bluetooth 4.0 VLE, or Very Low Energy.

A key exchange encryption protocol was created specifically for Bluetooth 4.0 VLE. It meets its design goal of using very little energy, but it can be easily compromised. The session encryption protocol uses AES-CCM, a well-known and very secure protocol. Due to the limitations of the key exchange, however, it is relatively simple to become a man-in-the-middle by brute-force attacking the temporary key (TK), because the key exchange is performed in cleartext.

A Core i7 processor can guess all possible combinations of the key pair in a single second. Once in communication via the TK, the protocol is followed to negotiate the short-term key (STK) and finally the long-term key (LTK). An attack must begin at the initial pairing. However, it is also simple to jam a session and force a new pairing (key exchange) session to start.
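To check whether a given band and phone actually use the weak exchange described above, a defender can inspect the cleartext pairing feature exchange in a capture of their own devices. The following is an added example, not code from the original article: it assumes the 7-byte Pairing Request/Response layout of the Bluetooth Security Manager Protocol and the Secure Connections flag introduced in later specification versions (neither is detailed on this page), and the sample bytes are constructed.

```python
# Added example: audit a captured pair of SMP pairing feature PDUs.
# Layout assumed: code, IO capability, OOB flag, AuthReq, max key size,
# initiator key distribution, responder key distribution.
from dataclasses import dataclass

NO_IO, KEYBOARD_CAPS = 3, (2, 4)  # NoInputNoOutput; KeyboardOnly, KeyboardDisplay

@dataclass
class PairingFeatures:
    code: int
    io_cap: int
    oob: bool
    mitm: bool
    secure_connections: bool
    max_key_size: int

def parse_pairing_pdu(pdu: bytes) -> PairingFeatures:
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response")
    code, io_cap, oob, auth_req, key_size = pdu[:5]
    if io_cap > 4 or not 7 <= key_size <= 16:
        raise ValueError("field out of range")
    return PairingFeatures(code, io_cap, oob == 1,
                           bool(auth_req & 0x04), bool(auth_req & 0x08), key_size)

def audit_pairing(req: bytes, rsp: bytes) -> list[str]:
    a, b = parse_pairing_pdu(req), parse_pairing_pdu(rsp)
    if (a.code, b.code) != (0x01, 0x02):
        raise ValueError("expected a request followed by a response")
    findings = []
    if not (a.secure_connections and b.secure_connections):
        findings.append("legacy pairing: STK is derived from the TK and cleartext values")
        if not (a.oob and b.oob):
            has_keyboard = a.io_cap in KEYBOARD_CAPS or b.io_cap in KEYBOARD_CAPS
            if not (a.mitm or b.mitm) or NO_IO in (a.io_cap, b.io_cap) or not has_keyboard:
                findings.append("Just Works: TK is fixed at zero")
            else:
                findings.append("passkey entry: TK limited to 000000-999999")
    if min(a.max_key_size, b.max_key_size) < 16:
        findings.append("negotiated key shorter than 16 bytes")
    return findings

# Constructed sample: phone (KeyboardDisplay) pairing with a band (NoInputNoOutput).
SAMPLE_REQ = bytes.fromhex("01040001100707")
SAMPLE_RSP = bytes.fromhex("02030001100707")

if __name__ == "__main__":
    for finding in audit_pairing(SAMPLE_REQ, SAMPLE_RSP):
        print(finding)
```

An empty result means both sides negotiated Secure Connections with a full-length key, so the TK weakness described above does not apply to that pairing.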

The range on Bluetooth 4.0 VLE can be as high as 100 feet, so the sniffing device need not be right by your side. That jogger running 50 feet behind you could be intercepting your data transfer from your fitness band to your phone.

A Treasure Trove of Data

Aside from your name and age, there is an immense amount of personal information attached to your fitness tracker account. GPS data regarding your home address, current location and daily running route could lead to issues of personal safety. If your tracker is linked to your Facebook or Twitter account, even more information regarding your personal life and preferences becomes available to multiple parties.

This information has proven valuable to companies screening new hires and business partners. Information regarding your daily calorie intake and diet as well as your regular exercise level could also be extremely valuable to a health or life insurance company seeking to rewrite policy coverage and decrease profit loss.

Data has become immensely valuable in framing the future of health care and many other industries. Companies with vast banks of data are being purchased for their knowledge potential. Even unstructured data is becoming more valuable since technology can analyze it more rapidly and draw correlations that were never before possible. In light of this, health care data is currently very valuable on the Dark Web.

Best Practices for Fitness Bands

How do you protect yourself and your private data?

The simplest thing to do is to turn the Bluetooth feature on your phone off until you are home or in a safe environment. Most fitness bands can store a day or more of fitness data. Sync your band and phone once a day, away from potential threats. This keeps your data from being intercepted during unprotected transfers.

One additional benefit: You might experience improved battery life on your phone by only enabling Bluetooth when you actually need it.
