The most disturbing discovery is that many records contain user data, including first and last names, display names, date of birth, weight, height, gender, geographical location and so on. These messages are all in plain text, and an ID seems to be encrypted. The geographical structure is the same as "USA/new york" and "Europe/Dublin", and users are distributed all over the world.
In the limited sample of 20k+ records, some top wearable health and fitness trackers seem to be a "source". Fitbit(202 1 acquired by Google for $2 1 billion) appeared 2766 times, which seems to be Apple's Healthkit 17764. Other applications or devices may also be affected. According to GetHealth's website, They can synchronize the following data: 23andMe, DailyMile, FatSecret, Fitbit, GoogleFit, JawboneUP, LifeFitness, MapMyFitness, MapMyWalk, Microsoft, Misfit, MovesApp, PredictBGL, Runkeeper, SonyLifelog、Strava、VitaDock、Withings、AppleHealthKit、AndroidSensor、sHealth。
AppleHealthkit can collect more complex indicators, including blood pressure, weight, sleep level, blood sugar and so on. Once iPhone users are allowed to use Apple's health and fitness applications, it will use sensors in mobile phones, connected wearable devices and smart devices to collect more health data than many other devices or applications. This operation can be run silently in the background, or it can be run on any iPhone that the user grants permission to.
The following are the details of the survey results:
Total size: 16.7 1GB/ total record: 6 1053956 exposure index: deviceapi _ fitnessdeviceapi _ heartrateediceapi _ profiledeviceapi _ pulseoxdeviceapi _ sleepdeviceapi _ trackerdeviceapi _ weight.
Expose the following internal records: deviceapi_ profile, type, id, score, source, source, id, weight, e_id, collection time, height, birthday, gethealthid, first name, last name, display name, url, gender, organization id and time zone. This information can be used for targeted phishing attacks or other health information of users. The file also shows where the data is stored and a blueprint for how to run and configure the network from the back end.
Example of how user data appears in the database:
Personal data account example:
Fitness trackers pose privacy risks.
Fitness tracker aims to understand and improve our health by providing key information that may indicate health risks. In the process of collecting user information, devices must be able to access very private information such as our life and health.
According to a report by the Pew Research Center, it is estimated that 20% of adults in the United States own some kind of wearable device or fitness tracker. These devices will generate a large number of health-related data points in many years and create long-term privacy risks.
Many of these devices are not anonymous and are bound to user accounts, encouraging them to enter personally identifiable information in their profiles. This makes it extremely easy to identify who the data belongs to in the case of data leakage. Another problem is that there is no uniform privacy standard for wearable devices, and companies may use these data for advertising, marketing or sharing with third parties. Another question to consider is, how will the company provide users with the "end-use policy" and how long will these data be stored? What is a medical device?
Wearable devices bring complicated problems.
There is some debate about how to regard wearable devices such as wearable and fitness trackers or the Internet of Things as medical devices. The boundaries between medical applications are becoming increasingly blurred. In recent years, regulators in Britain, the United States and the European Union have tried to define what medical devices are and how to supervise them. This information is very valuable for medical research and health care industry.
The US Food and Drug Administration has designated FitBit as over-the-counter software and second-class medical equipment. On September 14, 2020, Fitbit's ECG tracking function was approved by FDA and CE mark. Fitbit's devices currently collect data from about 29 million users around the world, and Google claims that Fitbit users' health data will not be used for Google advertising. In many other fields, this technology has gone beyond laws and regulations and sacrificed user privacy.
According to Gethealth. Io's website and FAQ are in line with HIPAA standard, and it is stated that "user's data is safe through SSL transmission, AES256 encryption, logging and monitoring, and all data are stored and managed in a way in line with HIPAA standard".
1996 health insurance portability and accountability act (HIPAA) is a federal law in the United States, which aims to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. At present, there is no clear HIPAA regulation applicable to wearable technology, as long as the data is used for personal use. However, once the data of wearable technology is transmitted to health care providers or other institutions, it may be bound by HIPAA regulations and HIPAA compliance standards. Wearable devices and smartphones have the technology to collect patient-generated health data (PGHD), which may expose sensitive health data, but supervision seems to be far from enough.
Most wearable users think that no cyber criminals will be interested in how many steps they took or how long they slept, but it is wrong to ignore the use of data or enjoy it. All the data are valuable. With the development of wearable device technology, the types and accuracy of data collected from users are also improving. Simple pedometers or pedometers are relatively harmless, while some wearable devices can identify more detailed information, such as heart rate or body mass index. In theory, the detailed information collected by the fitness tracker from millions of users can provide an overall description of these people and their overall health. Then, these data can be used to carry out other attacks, fraud, extortion, or to obtain more targeted health information.
Collecting and storing health data is risky.
All collected information must be stored somewhere, which will create loopholes and potential data exposure points. The medical industry needs a data management platform to collect and filter the large amount of data they collect. By 2026, the global health management market is expected to grow to $46.7 billion. With the development of medical technology industry, the amount of data collected and stored is also increasing.
The health data of wearable devices is a treasure house of information, which will undoubtedly become the target of cybercrime. As we all know, the health industry suffers more data leakage than any other industry. According to a report by Trustwave, health care data can be sold on the black market or the dark net for as much as $250 per record. This is a considerable amount compared with the credit card record valuation of about $5.40.
It is unclear how long these records have been exposed, and it is unclear who else has access to the data set. As security researchers, we never extract or download the data we find, and only take a limited number of screen shots for verification. We have not implied any misconduct by Gethealth, its customers or partners. We are not saying that any customer or user data is at risk. We can't determine the exact number of affected individuals until the database is banned from public access. We just emphasize our findings to raise people's awareness of the dangers and network security vulnerabilities brought by the Internet of Things, wearable devices, fitness and health trackers, and how these data are stored. We recommend any company or organization to encrypt sensitive data, formulate network health measures and conduct penetration tests frequently.