As more devices connect to the Internet and store and share information, data security has become a long-term concern. Network security researcher Jeremiah Fowler published a report on WebsitePlanet stating that, because a centralized database was not protected, more than 61 million wearable-device user records were exposed on the Internet.
Fowler and his team analyzed the scan and found that GetHealth's database was at risk of exposure. GetHealth offers an API that serves as a unified solution for accessing health and healthcare data from hundreds of wearable devices, medical devices, and applications.
Here are the details of the findings:
- Total Size: 16.71 GB
- Total Records: 61,053,956
- Exposed Indices:
  - deviceapi_fitness
  - deviceapi_heartrate
  - deviceapi_profile
  - deviceapi_pulseox
  - deviceapi_sleep
  - deviceapi_speed
  - deviceapi_tracker
  - deviceapi_weight
Further investigation revealed that the data contained potentially sensitive information, including people's names, dates of birth, weight, height, gender, and even geographic location. In addition, the researchers found that the information could be traced back to sources such as Fitbit, Microsoft Band, Misfit Wearables, Google Fit and Strava, with users from all over the world. All of this information was stored in plain text, although an ID was encrypted.
[Image: example of how user data appeared in the database]
After confirming the ownership of the data, Fowler contacted GetHealth privately, and the company responded quickly to the notice. The company thanked the researchers later the same day and said that the problem had been resolved. However, it is unclear how long the 16.71 GB of user data was exposed, or who might have accessed the database during that period.
[Image: example of a profile account]