Connected watches: millions of personal data records at risk in the wild

14 May 2022

A multi-gigabyte database has been discovered on the web, exposing millions of personal records from connected watches, other connected objects and medical devices.

Another data leak… This time it is a 16.71-gigabyte database with 61 million entries. It was discovered by the WebsitePlanet site and contains activity and health information from bracelets and connected watches.

The team, led by cybersecurity researcher Jeremiah Fowler, determined that the database, posted online without any protection, came from New York-based GetHealth. The firm offers a service to synchronize health data from different connected devices. The information presented relates to users located around the world.

Fitbit and Apple users most affected

The database contains a lot of sensitive information, including first and last name, pseudonym, date of birth, weight, height and gender. In total, the data reportedly comes from hundreds of different connected objects, medical devices and fitness apps. After a partial analysis, however, the researchers determined that the victims mainly used Fitbit bracelets and Apple’s HealthKit, which allows connected objects to be synchronized through an iPhone.

Contacted by the WebsitePlanet team, GetHealth confirmed that it owned the database and secured access within the day. However, the researchers could not determine how long the information had been exposed, or whether anyone else had accessed it. This once again underlines how vigilant you have to be with connected objects and all the data they collect.

Can smartwatches be hacked?

Think again: smartphone security has weak points. In fact, these devices have already been the target of a few attempted attacks. However, while smartwatches have not yet suffered many major breaches, white hats (also known as “good” hackers, that is, those who help companies spot weaknesses in their products, programs and software) have revealed some security gaps.

Phishing and connected watches

Phishing can happen if you download a fraudulent app and enter personal information into it. These apps are more common in unofficial app stores, but not entirely absent from the Google and Apple app stores. These bogus apps ask you to log in to your Google account; a fake form then captures your credentials, compromising your account without your consent through the connected watch.

Bluetooth Low Energy

Bluetooth Low Energy technology allows you to pair your smartwatch with your phone, headphones and other devices. However, Bluetooth data encryption has vulnerabilities due to the complexity of its protocols. Because of this ineffective data encryption, a criminal can force access to your connection with minimal effort. Unfortunately, Bluetooth is an important connection feature on devices that work primarily wirelessly, such as connected watches.


Accelerometer

Foot pod data helps your smartwatch track movement, and this data is used by health and fitness features, such as the number of steps taken.

This accelerometer data can also be analyzed to reveal passwords and credit card numbers. Patterns in repetitive motion data can be used to infer the keyboard typing motions that correspond to your credentials. Granted, it takes a lot of work, which reduces the likelihood of this hacking method being used, but it is possible. In fact, if the profits are large enough, cybercriminals can reserve this approach for higher-value targets.

Factory default passwords on connected watches

Default passwords are a behind-the-scenes technical tool used to access connected devices. As these remain unchanged once you take the device home, a hacker can easily find your password online or buy these default passwords on the dark web.

To prevent this easy access, consumers must first be aware of its existence.

Usually, manufacturers bury password change instructions in technical manuals that a user never reads. Sometimes you will need to contact the company directly to update your password correctly. However, some owners who have bought cheaper smartwatches cannot even reach the original manufacturer.

Inexpensive online products are usually bought in bulk and marketed under a new brand by a large number of secondary distributors. Many children’s watches are sold in this way, which poses a major safety threat. That is why it is better to buy smartwatches only from reliable and well-known brands, such as Apple, Fitbit or Garmin.

Reconfiguration by text message on connected watches

It has been discovered that some smartwatches for children can be hacked simply by sending them a text message. Using specific text messages, some watches can be reprogrammed for the hacker’s benefit. This method allows the watch to be paired with the criminal’s phone, giving them more control and better access to the device. The hacker can then track the watch using GPS, and can even call the user.

While this discovery was made on low-end children’s connected watches, many other cheaper smartwatches can have similar vulnerabilities. This is because, when developing an entry-level product, manufacturers of low-cost products generally don’t place much importance on safety and prefer to focus on usability. In contrast, reputable high-end brands like Apple are taking on more responsibility, but still often come up against this trade-off between convenience and security.

These security concerns have prompted manufacturers to upgrade their products with more emphasis on encryption and protection against app store malware. However, due to the lack of industry standards, it is impossible to guarantee that all products will be properly protected.
