“Leaky” Wearables Constitute Dire Privacy and Security Risks

Last updated June 28, 2021
Written by:
Bill Toulas
Infosec Writer

Wearables and small smart gadgets are everywhere today, promising to help their users with health, fitness, and even productivity. However, with even the most obscure companies now making these devices, many of them don’t employ any real privacy or security protections. Many consumers pay no attention to these aspects of the devices they buy, but as a vpnMentor report details, they should. The researchers inspected three popular wearables along with their apps and found serious information leak problems in them.

The first product, the “Digitsole Warm Insoles”, is meant to help runners track their sessions while keeping their feet warm. The user provides their age, height, weight, and gender, but the Digitsole app also collects and stores the location and time of the runs, as well as the user’s Facebook profile and their friends. Every couple of seconds, data from the user’s device is sent to the Digitsole servers, albeit in encrypted form. Even if the tracking feature in the app is turned off, the app continues to track the device’s location as long as the GPS is active.

[Image: Digitsole collected Facebook data. Source: vpnMentor]

The second product, the “Modius Headband”, is a wearable device that is supposed to help the wearer lose weight by sending appetite-subduing electric signals to their brain. First, the band can be taken over by hackers who can set it to the highest electric current level, causing the user nausea. Second, it can leak physiological details, the usage history of the device, location, Facebook tracking details, fingerprint data, name, email address, and various other personal data. All of this is sent from the Modius app to the firm’s servers right after the user’s registration, and then again at regular intervals when the app is used.

[Image: Modius App integrates Facebook. Source: vpnMentor]

Finally, the researchers analyzed the “Ivy Health Kid’s Thermometer” and version 1.0 of the accompanying app. The app requests too many permissions during installation, including read and write access to external storage, camera, location, and more. The app collects various pieces of personal data like the user’s name, date of birth, gender, usage stats, family member relationships, temperature readings, and more. To make matters worse, the app’s API and online portal sit under a plain HTTP domain rather than HTTPS, so hackers could have a party with it. This is particularly bad when the data concerns young children, and parents should be very careful when they are shopping for wearables.

[Image: IvyHealth list of permissions. Source: vpnMentor]
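Both thermometer-app findings, broad permissions and plain-HTTP endpoints, are things a buyer or reviewer can look for in an Android app's manifest. The script below is an added example, not code from vpnMentor or any vendor; the sample manifest, package name, and URL are constructed, and it assumes the manifest has already been decoded to text XML (for instance with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission groups the article names for the thermometer app.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE": "external storage (read)",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage (write)",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location (precise)",
    "android.permission.ACCESS_COARSE_LOCATION": "location (approximate)",
}

# Constructed sample, not taken from any real app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.thermometer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:usesCleartextTraffic="true">
    <meta-data android:name="api_base" android:value="http://api.example.invalid/v1"/>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return sensitive permissions, the cleartext flag and plain-HTTP URLs."""
    # The stdlib parser is fine for a manifest you decoded yourself; prefer
    # defusedxml when the XML comes from an untrusted source.
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    flag = app.get(ANDROID + "usesCleartextTraffic") if app is not None else None
    urls = sorted({v for e in root.iter() for v in e.attrib.values()
                   if v.lower().startswith("http://")})
    return {
        "sensitive": sorted(SENSITIVE[p] for p in requested if p in SENSITIVE),
        # None means the attribute is absent and the platform default applies.
        "cleartext_allowed": None if flag is None else flag.lower() == "true",
        "http_urls": urls,
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A result with `cleartext_allowed` set to `None` is not a pass: the platform default for cleartext traffic depends on the app's target SDK level, so check that value as well.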


