Fitbit Hack: What Are the Lessons?

Why Wearable Device Makers Need to Get Serious About Privacy
Hackers have reportedly gained access to the accounts of dozens of Fitbit wearable fitness device users.

Cybercriminals allegedly used leaked email addresses and passwords from third-party sites to log into accounts of Fitbit wearable device users in December, according to a report from BuzzFeed.

Fitbit confirmed that once inside the accounts, the attackers changed details and attempted to defraud the company by ordering replacement items under the user's warranty, according to the BuzzFeed report. The attackers also reportedly had access to customer data, including GPS history, which shows where a person regularly runs or cycles, as well as data showing what time a person usually goes to sleep.

A Fitbit spokeswoman tells Information Security Media Group, "This is not a case of Fitbit emails or servers being hacked, and it would be inaccurate to state or imply otherwise. Our investigation found that the accounts were accessed by an unauthorized party using previously stolen or compromised credentials - email addresses and passwords - from other third-party sites unrelated to Fitbit."

The company took "immediate action to protect our users by resetting the passwords of affected users and prompting them to create new passwords," the spokeswoman says. "As a best practice, Fitbit recommends that our customers avoid reusing passwords associated with their email address or any other accounts, as this practice leaves them more vulnerable to this type of malicious behavior. It's also important to note that these types of account takeover attempts are now a routine issue for many popular online sites and part of doing business."
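The password-reuse problem the spokeswoman describes is one a site can screen for at sign-up and at forced reset time: reject a candidate password that already appears in a corpus of credentials leaked from other sites. The example below is added here and is not Fitbit's code or the page's; it uses a small constructed list of "leaked" passwords in place of a real breach corpus and follows the k-anonymity range-lookup pattern (hash the password, index by the first five hex characters of the SHA-1, compare the suffix locally) so that a real lookup service would never receive the full hash.

```python
import hashlib
from collections import defaultdict

# Constructed sample of passwords assumed to have leaked from unrelated sites.
# Hypothetical data for this example, not credentials from the incident.
LEAKED_PASSWORDS = ["password123", "letmein", "fitness2015", "qwerty"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Index leaked hashes by their first 5 hex characters.

    This mirrors the k-anonymity 'range' model: a client sends only the
    5-character prefix and compares the returned suffixes on its own side.
    """
    index = defaultdict(set)
    for pw in leaked:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def is_compromised(password: str, index) -> bool:
    """True if the password's hash appears in the leaked-credential index."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def check_new_password(password: str, index, min_length: int = 12):
    """Return a list of policy failures for a candidate password.

    An empty list means the password is acceptable under this (assumed)
    policy: a minimum length plus a check against the breach corpus.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if is_compromised(password, index):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    index = build_range_index(LEAKED_PASSWORDS)
    for candidate in ["letmein", "a long unique passphrase 2016"]:
        print(candidate, "->", check_new_password(candidate, index) or "ok")
```

The check is worth running at password-reset time as well as at sign-up: a forced reset that lets the user pick another leaked password does not close the exposure the article describes.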

Taking Privacy Seriously

The incident shows why manufacturers of wearable devices, some of which may be used to gather data for healthcare purposes, "need to get serious about 'privacy by design' and provide security that is not so dependent on users," says security expert Stephen Cobb of IT security firm ESET.

"It is not acceptable to sell the general public on the idea of a device that harvests highly personal data and then put the burden on the general public to protect the data," he says. "The data should be secure and private by default, for any user, regardless of their technology skills. Companies that make wearables need a customer-friendly response plan in place for when something like this happens - and they should not assume it won't."

Security expert Mac McMillan, CEO of the consultancy CynergisTek, says device makers can take a number of steps to improve the security of their products. For example, he says, they can "employ two-factor authentication on consumer databases. Implement and enforce a robust security and privacy policy. Use a container approach to protecting data between applications and encrypt the data. Make sure devices use only the latest operating systems that take advantage of security features. Don't take consumer data for granted. They do care when it becomes an issue."

The Fitbit spokeswoman says customers using "Log in with Google" can make use of multi-factor authentication today. "We are also working on native multi-factor authentication for Fitbit.com accounts and plan to make this available later in 2016."

Password Woes

Cobb says the alleged breach "sounds like account passwords were guessed or brute-forced. The security of the compromised accounts may have been weakened by password re-use."

Hackers try username/password combinations harvested from prior attacks on different systems to see if they work on the target website, Cobb says. "While the devices were not hacked in this case, the highly personal nature of data generated by wearable devices creates the need for a secure ecosystem in which to use them; this implies security practices that go beyond the typical 'user name and password' authentication that websites employ to control access to user data," he says.
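The pattern Cobb describes, harvested credential pairs replayed against a site, leaves a characteristic trace in authentication logs: one source trying many distinct usernames in a short window, most of them failing, with the occasional success where a password was reused. The detector below is an added example, not Fitbit's tooling or anything from the page; it runs over a few constructed log lines in an assumed `timestamp ip= user= result=` format and reports sources that match that pattern, along with the accounts that were successfully logged into from them (the natural candidates for the forced password reset the article mentions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical addresses and users).
# One source tries six accounts in five seconds; a second source is a normal
# user who mistypes once and then logs in.
LOG_LINES = """\
2015-12-20T03:14:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2015-12-20T03:14:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2015-12-20T03:14:03Z ip=203.0.113.5 user=carol@example.com result=SUCCESS
2015-12-20T03:14:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2015-12-20T03:14:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2015-12-20T03:14:06Z ip=203.0.113.5 user=frank@example.com result=SUCCESS
2015-12-20T03:20:00Z ip=198.51.100.7 user=grace@example.com result=FAIL
2015-12-20T03:20:30Z ip=198.51.100.7 user=grace@example.com result=SUCCESS
"""

# Assumed log format for this example; adapt the pattern to the real source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text: str):
    """Return (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.5):
    """Flag source IPs whose activity inside any window looks like stuffing.

    A source is flagged when, within `window`, it touches at least
    `min_users` distinct accounts and at least `min_fail_ratio` of those
    attempts fail. Thresholds are assumptions to tune per site.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        j = 0  # right edge of the sliding window; only moves forward
        for i in range(len(evs)):
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "failures": fails,
                    # Successful logins from a stuffing source: reset these.
                    "accounts_to_reset": sorted(
                        {e[2] for e in chunk if e[3] == "SUCCESS"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(LOG_LINES)).items():
        print(ip, info)
```

Per-account lockout alone does not catch this: each account sees only one or two attempts, so the signal lives in the per-source view, which is why the detector groups by IP before counting distinct users. In production the grouping key would usually also include the client fingerprint or ASN, since stuffing is often spread across many addresses.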

Cobb says the security and safety of any wearable device depends on how it works. "If they have to communicate with other systems in order to work, and those other systems cannot be appropriately secured, then the security of the device itself is a moot point," he says. "Users need to look at whether they can use the device with a different app, one that is more secure."

Protecting Consumer Data

The Fitbit hack demonstrates that the infrastructure required to support wearable technology is immature and not yet able to guarantee privacy, Cobb adds. "It is currently up to consumers to weigh the risks and realize that the burden of data protection is on them; they need to observe the rules of cyber hygiene," he says.

McMillan says that consumers should also be aware of additional risks that wearable devices may pose.

"Other security issues that Fitbit users need to be aware of involve the devices themselves and their susceptibility to hack and/or compromise," he says. "There have been issues identified by researchers that have found vulnerabilities with these wearable devices that could cause them to be compromised and then, in turn, compromise other devices that users use to connect to them to see data, like your laptop, for instance."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
