Health IT Pulse

Jan 14 2016   4:37PM GMT

Fitbit account hack case a cautionary tale for wearables enthusiasts

Shaun Sutner

Internet of Things
Wearable devices

Your Fitbit, or other wearable device, could be tracking more than just your health and wellness metrics.

Cybersecurity journalist Brian Krebs and Buzzfeed reported that some Fitbit accounts were discovered to have been breached sometime over the holiday season, when Fitbits were among the hottest selling wearables.

According to cybersecurity expert Stephen Cobb of IT security company ESET North America, the incursions were not part of a large-scale breach such as those that have recently hit a few big healthcare organizations, but rather cases in which several individual account passwords were stolen, guessed or brute-forced.

“These particular scammers changed the information on the account as soon as they accessed it, thus preventing the real account holders from logging in,” Cobb wrote on the ESET blog. “The scammers then used the hacked accounts to request new devices to replace ‘faulty’ ones under warranty. Not surprisingly, the higher end devices were targeted.”

While Cobb noted that the Fitbit devices themselves weren’t hacked (at least in these episodes), the warranty scammers “demonstrated why people are concerned about the privacy of data generated by wearable devices, some of which is highly personal.”
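The account-takeover pattern Cobb describes above, as added example detection logic that is not from this article or from ESET: it runs over a constructed account-activity log and flags a burst of failed logins right before a success (guessing or brute force), and a success followed within a short window by a contact-detail change plus a warranty replacement request. The event names, windows and thresholds are assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-activity events (not real Fitbit logs).
# Each row: (ISO timestamp, account, event type).
EVENTS = [
    ("2015-12-26T08:58:00", "alice", "login_failed"),
    ("2015-12-26T08:58:10", "alice", "login_failed"),
    ("2015-12-26T08:58:20", "alice", "login_failed"),
    ("2015-12-26T08:58:30", "alice", "login_failed"),
    ("2015-12-26T08:58:40", "alice", "login_failed"),
    ("2015-12-26T09:00:00", "alice", "login_ok"),
    ("2015-12-26T09:02:00", "alice", "email_change"),    # locks out the owner
    ("2015-12-26T09:05:00", "alice", "warranty_claim"),  # replacement request
    ("2015-12-26T10:00:00", "bob", "login_ok"),
    ("2015-12-27T11:00:00", "bob", "warranty_claim"),    # a day later: benign
    ("2015-12-28T08:00:00", "carol", "login_ok"),
    ("2015-12-28T08:01:00", "carol", "email_change"),    # change alone: benign
]

TAKEOVER_WINDOW = timedelta(minutes=30)   # hypothetical tuning values
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
BRUTE_FORCE_THRESHOLD = 5

def parse(events):
    """Group events per account, sorted by time."""
    by_account = defaultdict(list)
    for ts, acct, ev in events:
        by_account[acct].append((datetime.fromisoformat(ts), ev))
    for evs in by_account.values():
        evs.sort()
    return by_account

def flag_accounts(events):
    """Return {account: [reasons]} for the two patterns described in the post:
    a failed-login burst before a success, and a success followed quickly by a
    contact change plus a warranty claim. Accounts with no hit are omitted."""
    flagged = defaultdict(list)
    for acct, evs in parse(events).items():
        for i, (t0, ev) in enumerate(evs):
            if ev != "login_ok":
                continue
            failures = sum(1 for t, e in evs[:i]
                           if e == "login_failed" and t0 - t <= BRUTE_FORCE_WINDOW)
            if failures >= BRUTE_FORCE_THRESHOLD:
                flagged[acct].append("failed-login burst before success")
            after = {e for t, e in evs[i + 1:] if t - t0 <= TAKEOVER_WINDOW}
            if {"email_change", "warranty_claim"} <= after:
                flagged[acct].append("contact change + warranty claim after login")
    return dict(flagged)
```

Either signal alone is worth a step-up check (for example re-verifying the old contact address before honouring the claim); both together on one account is the sequence the scammers relied on.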

In his blog post, Cobb also declared that the entire activity tracker ecosystem needs better security practices and technologies, especially in a world in which consumer devices are increasingly interconnected via the Internet of Things.

Cobb maintained that the wearables sector needs to pay more attention to Privacy by Design (PbD), the Ontario, Canada-bred standard for embedding privacy protection into the design specs of technologies, business practices and physical infrastructures. Check out PbD’s seven foundational principles here.

He also suggested consumers consider the following points when buying and using wearables of any brand:

  • Do an Internet search of the wearable you want to buy and see if the device has been associated with any hacks, frauds or scams
  • Set up your wearable and associated online account using an obscure username and unique password, both of which should be hard to guess
  • Read the privacy policy of the device and app you’re about to plunk down cash for and check to see how serious the vendor is about privacy

  • Kevin Beaver
    Looking at the bigger picture, this is not unlike politics or any other social issue. Not to be too negative, I'm thinking that if we are gullible enough to wear these devices and not question what information is being gathered and how it's being handled then we probably deserve the outcomes. It's how humans evolve - and learn. Unfortunately, in many cases, we are making decisions based on no information at all or deep-seated gullibility that others are always doing the right things in our best interests when it's actually quite the opposite.
