Guess what? A hacker can infiltrate your fitness smartband and extract the data from it, including how many steps you've taken today and how much calories you've burned.
I might be a raging cynic, but in all seriousness, when these devices get a bit more advanced, that data could be valuable to anyone trying to slip you a pop-up ad, or they can just monitor where you’re going while they snoop around your house for valuables.
Kaspersky Lab (opens in new tab) researcher, Roman Unuchek has recently examined how a number of fitness wristbands interact with smartphones and has discovered that several popular bands can actually be connected to by a third-party, allowing them to execute commands and in some cases, extract data held on the device.
According to his research findings, the authentication method implemented in several popular smart wristbands allows a third-party to connect invisibly to the device, execute commands, and – in some cases – extract data held on the device. In the devices investigated, such data was limited to the amount of steps taken by the owner during the previous hour.
However, in the future, when next-generation fitness bands capable of collecting a greater volume of more varied data appear on the market, the risk of sensitive medical data about the owner leaking out could raise significantly.
According to the research, an Android-based device running Android 4.3 or higher, with a special unauthorised app installed can pair with wristbands from certain vendors. To establish a connection users need to confirm the pairing by pressing a button on their wristband. Attackers can easily overcome this, because most modern fitness wristbands have no screen.
When the wristband vibrates asking its owner to confirm the pairing the victim has no way of knowing whether they are confirming a connection with their own device or someone else’s.
Kaspersky’s experts advise users to ask the vendors if their devices are vulnerable.