61M Fitbit, Apple Users Had Data Exposed in Wearable Device Data Breach

September 16, 2021 - Over 61 million fitness tracker records from both Apple and Fitbit were exposed online in a recent wearable device data breach, according to a report from WebsitePlanet and independent cybersecurity researcher Jeremiah Fowler.

Researchers found that the data breach stemmed from GetHealth, a New York-based health and wellness company that allows users to unify their wearable device, medical device, and app data. The exposed data belonged to wearable device users around the world and contained names, birthdates, weight, height, gender, and geographical location.

The database was not password-protected, and the information was clearly identifiable in plain text. Fitbit was listed in over 2,700 records, and Apple’s Healthkit was mentioned over 17,000 times.

GetHealth’s website states that it can sync data from other vendors, but Fowler only confirmed that Apple and Fitbit were impacted by the breach. 

Researchers also discovered that the files showed where the data was stored, along with a blueprint of the network’s backend operations, making it an extremely easy target for cyberattacks.

Fowler said he immediately sent a responsible disclosure notice of his findings and received a reply from GetHealth the next day. The company confirmed that the data had since been secured.

“Fitness trackers by their design are intended to understand and improve our health by providing critical information that could indicate health risks,” the report pointed out.

“In the process of collecting this information on users the device must be able to access very private information about our lives, health, and much more.”

Bad actors can use this highly personal data to send personalized phishing emails, commit fraud, and obtain even more personal information.

"We are not implying any wrongdoing by Gethealth, their customers or partners," the report continued.

"Nor, are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access. We are only highlighting our discovery to raise awareness of the dangers and cyber security vulnerabilities posed by IOT, wearable devices, fitness and health trackers, and how that data is stored."

That convenience comes with a cost for users, and a responsibility to protect private data for companies. At this time, there are no universal privacy standards for wearable devices, which gives companies the ability to use the data for advertising or third-party sharing.

The report also noted that there is a debate over whether wearable fitness trackers are medical devices. Federal agencies have released lots of literature on medical device cybersecurity, most of which could apply to fitness trackers. But fitness trackers often blur the lines between being a convenient consumer application and a device used for medical purposes.

However, the US Food and Drug Administration (FDA) classified FitBit as a Class II medical device in 2020 and later gave FDA clearance for its electrocardiogram function.

In June, the FDA released guidance surrounding medical device cybersecurity in response to the National Institute of Standards and Technology’s (NIST) call for position papers on its drafted guidelines for enhancing software supply chain security.

“Cybersecurity is crucial for medical device safety and effectiveness,” the FDA wrote. “Critical functions are shifting from on-premises software infrastructure to distributed and remote infrastructure, including newly essential cloud services depended upon during the diagnosis and treatment of disease.”

The FDA stressed that medical device security is crucial to ensuring a protected supply chain and preventing unauthorized access to medical data.

Without proper security standards, hackers may be able to infiltrate medical devices and inflict harm on patients.

McAfee researchers recently discovered significant vulnerabilities in two types of B. Braun infusion pumps that may allow hackers to deliver double doses of medications remotely. There have been no reported incidents, but the possibility points to significant gaps in medical device cybersecurity that could have disastrous consequences.