Because people desire a digital supervisor, fitness trackers have become omnipresent devices consumers invite to track their lives.
Fitbit is one of the most recognizable fitness trackers on the market. And as such, the company has to help customers maintain secure devices.
"We're kind of the best house in a bad neighborhood," said Marc Bown, director of security for Fitbit, in an interview with CIO Dive. Experts agree IoT devices are not secure enough to support the data they collect daily.
Spending on IoT security is forecast to reach $3.1 billion by 2021, according to a Gartner report. Yet its underlying security is still a strain, especially when shadow IT is introduced in an enterprise's IT ecosystem.
As IoT devices mature and migrate from Bluetooth-based syncing to syncing automatically over Wi-Fi, security departments will put policies and protocols in place that make up for the "absence of 'security by design'" in regulations for the IoT, according to Gartner.
Why a hacker would want to know step counts
Steps, calories, sleep and heart tracking are the primary features device wearers want. But what can a malicious actor really do with that kind of data?
Bown said there aren't many ways to "weaponize" a user's step count.
"How many steps you do a day might be useful to your health insurance company, or to your mom ... but it's not necessarily going to be interesting to an attacker," said Bown.
But part of Bown's job is to scratch beneath surface-level assumptions. It's not always "immediately obvious" as to why a hacker would need such data, but it's up to Fitbit's security team to figure out why someone would want that data.
For example, there are features Fitbit offers on some smart watches that enable Fitbit Pay. Instead of swiping a credit card upon checkout, the watch is used instead. This type of data is obvious to a hacker's desires.
To prevent data compromise, Bown's team works in a layered approach. Fitbit structures device security around the perspective of an attacker by asking, who is trying to attack us, why and how they're going to try, according to Bown.
By doing this, "we can put in place the right controls to give ourselves the best chance of defending against" a cyberattack, he said.
Bown's team "technically designs" the controls of what they document and determine what needs protection. The controls are implemented into the hardware and software during manufacturing.
How to secure a user's fitness data
The company combats any notion of distrust by giving customers "really granular privacy controls" and by informing them what Fitbit is going to do with their data, explaining to them why that is the case, and giving them the ability to control who they are sharing their data with at the time.
"We're really lucky to have been called out for having had a very clear privacy policy," said Bown and that speaks to the best security practices for all IoT participants. Bown recommends all consumers read the "dialogue that says 'you're about to share this data with this third party'" so it forces the user to take a moment of pause before they automatically choose the convenience of the "make it work button."
Ignoring the warning signs of sharing data may be the underlying cause of the scandal surrounding Strava's heat mapping research. Fitness geographic tracking app Strava released research showcasing physical activity around the world. But, some Strava users unintentionally mapped military bases while exercising. Fitbit only collects data on those who enable GPS tracking.
"I suspect that if we look at that heat map a year from now, less data will be shared," Bown said with a laugh.
IoT security is unhealthy
The majority of IoT technologies on the market are targeted at consumers. Because of this, best security measures are replaced in favor of societal and individualistic needs.
IoT devices can get a "bad reputation" from manufacturers that discontinue monitoring the security of their devices once they're in the field. IoT vendors often abandon support for devices once they are sold. But for Fitbit, "we have to monitor if the assumptions that we made hold true" beyond the design phase, said Bown.
But data collection is the cash cow for many modern businesses, like Facebook and Google. In fact, companies are only operational if they can have continued access to consumer data.
Last week Fitbit and Google entered into a deal to assist doctors who manage patients with chronic conditions by combining Google Cloud's Healthcare API with Fitbit's recently acquired Twine Health platform. Fitbit will operate on Google's cloud platform.