Security concerns before I buy a Fitbit


Hello. Sorry for posting this in this forum, was not sure where to post this. I have some security concerns I want to go over before I buy a Fitbit. I posted this in the forums so that maybe it will help others having the same concerns as me. If someone steals your Fitbit, can they open an account and pull all the information off of your Fitbit? Can you use a Fitbit without creating an account? If you have a Fitbit device that has GPS and the Fitbit device is stolen, can someone pull up and see everywhere you have been? If law enforcement or the government wanted access to my account and data, would Fitbit give them access? Can a Fitbit be infected with malware, and can that malware send your data to wherever? Can a Fitbit be hacked through the Bluetooth? I know you probably couldn't do this with all devices, but do any Fitbit devices have any way to secure your device with a password/PIN or fingerprint? If not, does Fitbit ever plan on offering that?


Accepted Solutions

@BobbyJ1 wrote:

Hello. Sorry for posting this in this forum, was not sure where to post this. I have some security concerns I want to go over before I buy a Fitbit. I posted this in the forums so that maybe it will help others having the same concerns as me.

If someone steals your Fitbit, can they open an account and pull all the information off of your Fitbit? No, when they open an account it wipes out all your information and takes over for them.

Can you use a Fitbit without creating an account? No, you need to have an account.

If you have a Fitbit device that has GPS and the Fitbit device is stolen, can someone pull up and see everywhere you have been? No, because it has been synced to the server, not the device itself.

If law enforcement or the government wanted access to my account and data, would Fitbit give them access? I'm sure they would if they were given a warrant.

Can a Fitbit be infected with malware, and can that malware send your data to wherever? NO

Can a Fitbit be hacked through the Bluetooth? NO

I know you probably couldn't do this with all devices, but do any Fitbit devices have any way to secure your device with a password/PIN or fingerprint? NO

If not, does Fitbit ever plan on offering that? Can't answer.

Community Council Member

Wendy | CA | Moto G6 Android



That's a lot of questions in one post.

Clearly the web page https://help.fitbit.com/articles/en_US/Help_article/1133/ indicates you can download some GPS data, so yes, that information could be accessed.

You may want to take off your Fitbit and leave it at home when going on black ops missions 🙂 or buy a lesser model without GPS.

Other security info is here:

https://help.fitbit.com/articles/en_US/Help_article/1758/?l=en_US&fs=RelatedArticle

which answers that they have a process for law enforcement to contact them.

As a software developer, code is never perfect, so yes, it's probably possible for Fitbits to get malware. I would expect a cell phone to be a more likely target.

Can it be hacked through Bluetooth? Again, code is generally not perfect, so probably.

If someone steals your Fitbit, then they could pull the data off the Fitbit directly. Once you give up physical access, all bets are off. Unless they are encrypting the data at rest on the Fitbit itself, but the key would be in the Fitbit, or you wouldn't be able to sync.

Is your threat model protecting your wife from finding out you are cheating on them, or preventing a nation state from knowing where the secret uranium processing facility is? And is your wife a skilled computer security professional?


Hello Bobby,

That's a lot of questions.

If someone steals your Fitbit, they will have your data on the device anyway, so it doesn't matter about the account.

I think you can use a device without an account to just track steps, but there are much cheaper options if you are going to give up the added features like syncing the account allows. So from a security perspective, decrease your attack surface if that's what you want with a less capable device.

GPS data can be downloaded if you lose your account credentials, as described here:

https://help.fitbit.com/articles/en_US/Help_article/1133/?q=download+data&l=en_US&fs=Search&pn=1

I don't think they design the Fitbit to be able to have malware; however, malware takes advantage of bugs in the code. Code in a consumer device should not be considered perfect, so there is a slight possibility for this to occur. I think the risk of malware on your smartphone would be more than that of a Fitbit.

For the Bluetooth, probably hard to hack through that channel, but since that's how software updates occur, a bug might exist to allow it. Again, I don't think this is a big risk, but your threat model may require more security than mine.

It is encouraging that Fitbit has a bug bounty program and regularly updates their software.


If you cannot use your Fitbit device until you create an account, and if the Fitbit device is wiped when someone tries to use another account for that same device, then that is pretty good. So if it is stolen they couldn't see much information, or nothing too alarming, because the GPS and other information is kept on the server. If it was stolen I would contact Fitbit, and Fitbit would do what exactly? Hopefully make it useless to anyone. I get to choose who does or does not see my information from my account settings. My hat's off to you, Fitbit. Seems like you have thought of everything so far and you have cleared up concerns, thank you. Only thing I have to worry about is my Fitbit account. Thank you.


@MrIncredible wrote:

Hello Bobby,

That's a lot of questions.

If someone steals your Fitbit, they will have your data on the device anyway, so it doesn't matter about the account.

I think you can use a device without an account to just track steps, but there are much cheaper options if you are going to give up the added features like syncing the account allows. So from a security perspective, decrease your attack surface if that's what you want with a less capable device.

GPS data can be downloaded if you lose your account credentials, as described here:

https://help.fitbit.com/articles/en_US/Help_article/1133/?q=download+data&l=en_US&fs=Search&pn=1

I don't think they design the Fitbit to be able to have malware; however, malware takes advantage of bugs in the code. Code in a consumer device should not be considered perfect, so there is a slight possibility for this to occur. I think the risk of malware on your smartphone would be more than that of a Fitbit.

For the Bluetooth, probably hard to hack through that channel, but since that's how software updates occur, a bug might exist to allow it. Again, I don't think this is a big risk, but your threat model may require more security than mine.

It is encouraging that Fitbit has a bug bounty program and regularly updates their software.


The questions I asked are just things I thought about and what could happen. I always think about security on any kind of device that has programs, an OS or any code on it. I know I could get a pedometer and heart rate monitor, but I have sleep problems and I am really interested in monitoring my sleep. What other cheaper options are you talking about?


@BobbyJ1,

Generally, if you lose your device, it's really not an issue, but I'd be mindful of two corner cases:

  • Tap to pay: Some of the models have that feature. You can set it to always prompt you for your PIN (I believe... may vary on model), but I have it set so that it only prompts me to enter it once. However, once I take the device off (and it notices a gap in my heart beat), it prompts me for the PIN again. If a thief knows this, they can steal your device, strap it on to their wrist quickly (it'd need to be within a few seconds), and then go make a big purchase with it.
  • Notifications: For your convenience you can have your Fitbit receive notifications (like calls, texts, etc.). These will remain visible even after you've taken off your device. So if you're really mindful about security, I'd turn off notifications on your Fitbit (or choose them carefully).

That said, as it happens there are a few reasons why stealing a Fitbit isn't necessarily the most effective way to get this information:

  • Once a Fitbit syncs, it purges that information from the device (well, kinda). So if you last synced your Fitbit at 4pm, then it doesn't try to push any more information to the servers that is from before 4pm.
  • It's probably easier to hack the Fitbit servers than to reverse engineer the protocol by which it communicates through the Fitbit App.
  • It's probably even easier to hack that individual account through social engineering. If you can somehow gain access to someone's Amazon (or Apple, etc.) account by way of sending them phishing mail, they're fairly likely to use the same e-mail and password on their Fitbit account.

I hope this helps.

Frank | Washington, USA

Fitbit One, Ionic, Charge 2, Alta HR, Blaze, Surge, Flex, Flex 2, Zip, Ultra, Flyer, Aria, Aria 2 - Windows 10, Windows Phone


@PureEvil wrote:

@BobbyJ1,

Generally, if you lose your device, it's really not an issue, but I'd be mindful of two corner cases:

  • Tap to pay: Some of the models have that feature. You can set it to always prompt you for your PIN (I believe... may vary on model), but I have it set so that it only prompts me to enter it once. However, once I take the device off (and it notices a gap in my heart beat), it prompts me for the PIN again. If a thief knows this, they can steal your device, strap it on to their wrist quickly (it'd need to be within a few seconds), and then go make a big purchase with it.
  • Notifications: For your convenience you can have your Fitbit receive notifications (like calls, texts, etc.). These will remain visible even after you've taken off your device. So if you're really mindful about security, I'd turn off notifications on your Fitbit (or choose them carefully).

That said, as it happens there are a few reasons why stealing a Fitbit isn't necessarily the most effective way to get this information:

  • Once a Fitbit syncs, it purges that information from the device (well, kinda). So if you last synced your Fitbit at 4pm, then it doesn't try to push any more information to the servers that is from before 4pm.
  • It's probably easier to hack the Fitbit servers than to reverse engineer the protocol by which it communicates through the Fitbit App.
  • It's probably even easier to hack that individual account through social engineering. If you can somehow gain access to someone's Amazon (or Apple, etc.) account by way of sending them phishing mail, they're fairly likely to use the same e-mail and password on their Fitbit account.

I hope this helps.


It did help, thank you. I would never use tap to pay and I wasn't planning on using notifications. After WendyB answered my questions and I learned how it works, I am not too concerned about it anymore. Fitbit devices are more secure than I thought. Fitbit has a real good system.


I was just thinking about the basic pedometers out there. I think my health insurance gave me one, and the Wii Fit had some $20 models... kind of like the Fitbit Zip. None of those did sleep tracking. But if you want sleep tracking, I haven't researched stuff with that feature, and I suspect you are looking for something with a small embedded processor at that point, so it won't be much of a savings.


About a year ago, someone stole my phone. I didn't think of my Fitbit account as a possible problem because I thought there was much more information elsewhere I should worry about. However, notifications on my account were turned on, so I knew when someone tried to do something behind my back. For safety reasons, I run some penetration tests, including an IT health check, every year to make sure there's nothing to worry about. I like that Fitbit info is synced to the server, not the device itself; this makes it more reliable.


@WsunyaruW,

As it happens, most modern smartphone platforms have safeguards for lost phones. Depending on the platform, they entail:

  • Find my phone - The ability to locate your phone and it'll put it on a map.  May not be as helpful if it's an apartment building, but it's still better than nothing.
  • Remote ring your phone - This works even if your phone is in silent mode.
  • Remote lock your phone - Posts a message on your phone ("If found call X or e-mail Y.") and locks it with a particular pin.
  • Remote wipe your phone - This allows you to flatten your phone.  I was curious about this feature and tried it when I was ready to reset it; it works as you'd expect.  In fact, many enterprises reserve the right to do this if you have corporate sensitive information (work e-mail) if you report your phone missing.

I hope this helps.

Frank | Washington, USA

Fitbit One, Ionic, Charge 2, Alta HR, Blaze, Surge, Flex, Flex 2, Zip, Ultra, Flyer, Aria, Aria 2 - Windows 10, Windows Phone
