A new study finds that of eight fitness trackers on the market, only the Apple Watch regularly changes its Bluetooth MAC address to protect user privacy. While the Apple Watch changes its MAC address every time it is rebooted and around every 10 minutes while active, all the other trackers kept the same MAC address for a period of months, leaving the user open to persistent monitoring whenever the tracker operates on its own and sends out “advertising” packets in search of another device.
The joint study from the not-for-profit Open Effect and the University of Toronto found that those transmissions can be used to track users and collect data about their behavior that falls far outside the device’s intended purpose, echoing privacy concerns often voiced publicly by Apple CEO Tim Cook.
Fitbit blamed the “fragmented Android ecosystem” for its inability to implement the LE Privacy feature its hardware supports, while Intel said that since the primary use case for its Peak device has it continually connected to the user’s phone, the company has no plans to remedy the persistent MAC address broadcast when the device is unpaired. Garmin’s Connect had even more serious issues than the static MAC address: because it does not use HTTPS when transmitting data, user data is open to collection and tampering by third parties.
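The rotation the study credits to the Apple Watch, and the LE Privacy feature Fitbit says it could not ship, rest on the same mechanism: a resolvable private address (RPA) built from a random 24-bit prand and a 24-bit keyed hash of it, which only a peer holding the identity resolving key (IRK) shared at pairing can tie back to the device. The following is an added example, not code from the study or from any of the vendors named above. It simulates a passive observer logging advertising packets from a static-address tracker and from a device that rotates its RPA every 10 minutes (the interval the article reports), and then shows what each side can link. Assumptions: the Bluetooth specification computes the hash with AES-128, and this example swaps in HMAC-SHA256 truncated to 24 bits so it runs on the Python standard library alone; the sighting log, the static address `c0ffee123456` and the IRK are constructed; and the simulation never reuses a prand so every epoch gets a distinct address (real devices simply draw at random).

```python
import hashlib
import hmac
import random

ROTATION_SECONDS = 10 * 60   # rotation interval the study reports for the Apple Watch
SNIFF_INTERVAL = 60          # constructed passive observer: one sighting per minute


def ah(irk: bytes, prand: bytes) -> bytes:
    """Random-address hash. The Bluetooth Core Specification defines ah(k, r) as the
    low 24 bits of AES-128(k, r zero-padded to 128 bits); assumption for this example:
    HMAC-SHA256 truncated to 24 bits stands in for AES, which leaves the linkability
    argument unchanged."""
    if len(irk) != 16 or len(prand) != 3:
        raise ValueError("IRK is 16 bytes, prand is 3 bytes")
    return hmac.new(irk, prand, hashlib.sha256).digest()[:3]


def make_rpa(irk: bytes, prand: bytes) -> bytes:
    """48-bit resolvable private address: prand (top two bits 0b01) || ah(irk, prand)."""
    if (prand[0] & 0xC0) != 0x40:
        raise ValueError("prand of a resolvable private address must start with bits 01")
    return prand + ah(irk, prand)


def resolve(irk: bytes, addr: bytes) -> bool:
    """The paired peer, holding the IRK, recognises its own device behind any RPA."""
    prand, h = addr[:3], addr[3:]
    return (prand[0] & 0xC0) == 0x40 and hmac.compare_digest(ah(irk, prand), h)


def fresh_prand(rng: random.Random, used: set) -> bytes:
    """Draw a random prand carrying the 01 marker. The simulation refuses to reuse a
    prand so each epoch has a distinct address; a reused prand would only re-link
    two epochs, it would not widen the window beyond them."""
    while True:
        p = bytearray(rng.getrandbits(24).to_bytes(3, "big"))
        p[0] = (p[0] & 0x3F) | 0x40
        p = bytes(p)
        if p not in used:
            used.add(p)
            return p


def sniff(address_at, days: int):
    """Constructed observer log: (seconds since start, address seen in an advertisement)."""
    return [(t, address_at(t)) for t in range(0, days * 86400, SNIFF_INTERVAL)]


def linkable_windows(sightings):
    """What a passive observer gets from a log: group sightings by address and measure
    how long each address stays observable. A static address gives one window as long
    as the log; rotating RPAs give many windows no longer than one epoch."""
    first, last = {}, {}
    for t, addr in sightings:
        first.setdefault(addr, t)
        last[addr] = t
    return {addr: last[addr] - first[addr] for addr in first}


def simulate(days: int = 30, seed: int = 7) -> dict:
    rng = random.Random(seed)
    irk = bytes(rng.getrandbits(8) for _ in range(16))   # constructed IRK shared at pairing
    used = set()
    epochs = days * 86400 // ROTATION_SECONDS + 1
    rpa_by_epoch = [make_rpa(irk, fresh_prand(rng, used)) for _ in range(epochs)]
    static_addr = bytes.fromhex("c0ffee123456")          # constructed static address

    static_log = sniff(lambda t: static_addr, days)
    rotating_log = sniff(lambda t: rpa_by_epoch[t // ROTATION_SECONDS], days)

    return {
        "static_longest_window": max(linkable_windows(static_log).values()),
        "rotating_longest_window": max(linkable_windows(rotating_log).values()),
        "rotating_distinct_addresses": len({a for _, a in rotating_log}),
        "resolved_by_paired_phone": sum(resolve(irk, a) for a in rpa_by_epoch),
        "resolved_by_stranger": sum(resolve(bytes(16), a) for a in rpa_by_epoch),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Over a 30-day constructed log the static tracker is linkable for the whole month (one window of 2,591,940 seconds), while the rotating device appears as 4,320 unrelated addresses, none observable for more than 540 seconds; the paired phone still resolves every one of them with the IRK, and a party without the key resolves none. That asymmetry is the whole point of LE Privacy: the trusted peer keeps continuity, a bystander does not.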
Withings’ Android Health Mate was also found to allow user data to be intercepted when transmitting encrypted HTTP requests. Neither Withings nor Garmin responded to the survey team’s request for comment.