More than 61 million fitness tracker records exposed
- September 21, 2021
- Steve Rogerson
Researchers at Website Planet have discovered an unprotected database containing more than 61 million fitness tracker records belonging to users around the world.
According to security researcher Jeremiah Fowler in a blog post, these records were related to IoT health and fitness tracking devices with multiple references to GetHealth, a New York company that offers access to health and wellness data from hundreds of wearables, medical devices and apps.
“I immediately sent a responsible disclosure notice of my findings and received a reply the following day thanking me for the notification and confirming that the exposed data had been secured,” said Fowler.
Many of the records contained user data that included first and last name, display name, date of birth, weight, height, gender, geo location and more.
“This information was in plain text while there was an ID that appeared to be encrypted,” said Fowler.
In a limited sampling of more than 20,000 records some of the top wearable health and fitness trackers appeared as a source. Fitbit appeared 2766 times and instances of what appeared to be Apple’s Healthkit 17,764 times.
According to GetHealth’s web site they can sync data from 23andMe, Daily Mile, FatSecret, Fitbit, GoogleFit, Jawbone UP, Life Fitness, MapMyFitness, MapMyWalk, Microsoft, Misfit, Moves App, PredictBGL, Runkeeper, Sony Lifelog, Strava, VitaDock, Withings, Apple HealthKit, Android Sensor and S Health.
“The Apple Healthkit can collect more complex metrics that include blood pressure, body weight, sleep levels, glucose and more,” said Fowler. “Once an iPhone user gives permission to Apple’s health and fitness app, it uses sensors in the phone, connected wearables and smart devices to collect more health data than many of the other devices or applications. This operation can run silently in the background and on any iPhone that the user has given permission.”
Fowler said the information in the records could be used in a targeted phishing attack to obtain additional health information about users. The files also show where data are stored and a blueprint of how the network operates from the backend and was configured.