Spoofing Fitness Trackers

The website Unfitbits.com has a series of instructional videos on how to spoof fitness trackers, using such things as a metronome, pendulum, or power drill. With insurance companies like John Hancock offering discounts to people who allow them to verify their exercise program by opening up their fitness-tracker data, these are useful hacks.

News article.

Posted on September 30, 2015 at 12:02 PM • 35 Comments

Comments

John Plaxco • September 30, 2015 1:02 PM

Wouldn't this constitute insurance fraud? I'm not a lawyer or an insurance specialist, but this seems to be malicious deception aimed at receiving financial benefit from an insurance company. Is following such "hacks" legal?

BJP • September 30, 2015 1:05 PM

If by "useful hacks" one means outright fraud against a company one hopes will pay out megabucks to one's loved ones after one's death?

Marth Queck • September 30, 2015 1:12 PM

Cool! One can only hope this will deter the insurance sharks from further investment in invasive meat-tracking tech.

A Bit Unfit • September 30, 2015 1:13 PM

A high tech (or even medium tech) hack isn't necessary to fool the insurance company. Just hand over your Fitbit to your friend who's training for a marathon when they go out for training runs.

And of course it wouldn't be legal, it would be fraud. But they'll have to prove it. Personally, I think medical exams and blood tests would be a much better way to evaluate your health and fitness level rather than the Fitbit fad. Always with the high tech solutions, it's making me crazy.

K.S. • September 30, 2015 1:35 PM

The only way to beat big data is to poison it. The more people do this, the less useful all the collected data becomes. Go them!

TBL • September 30, 2015 1:36 PM

I recently got a free fitbit through work, just the base pedometer model. I set the thing on top of my desktop during the setup and haven't moved it since. Any time I sit down to use my system the fans must spin up and vibrate the case, activating the device.

By the end of my 4 hour gaming sessions I'll get an email about having taken 5, 10, and finally 15 thousand steps. Gaming for my health has never felt better!

dont-track-me • September 30, 2015 1:41 PM

Spoofing a fitbit is not necessarily an act of fraud. Some people simply refuse to carry tracking devices (cell phones included) for reasons of privacy, creed, or health. These people may exercise a lot, but feel it's nobody's business when and where they exercise. Spoofing a fitbit can be a way for them to 'get credit' for the exercise they already do, but without actually carrying or wearing the device.

Tracking devices as 'verification' of exercise is already a joke. The devices are not proven to be accurate or precise, and there is no way to verify that the device is actually recording exercise from the person that registered the device.

Anonymous Cow • September 30, 2015 1:54 PM

...Some people simply refuse to carry tracking devices (cell phones included)...

My employer gave me a new cell phone several months ago. The first thing that got turned off was the geo-locator. A few days later I got a message that I had been exercising sporadically. Turned out there was a fitness tracker pre-installed and in the start-up on this phone (Samsung for those curious). Guess what got uninstalled that night?

Jean Hillary • September 30, 2015 2:43 PM

@Anonymous Cow

Be very careful with tabs / cell phones provided by your employer. My brother was given an iPad for free by his company. It turned out he discovered keyloggers and other unsavory stuff installed in it (not even well hidden!). When my brother consulted a lawyer friend of ours, we were told that here (in Germany) it is legal for the company to do that (and it's in fact a growing trend), so long as the contract / agreement states that the device belongs to the company (in which case they are free to install anything they want in it).

BJP • September 30, 2015 2:45 PM

What's the expected value of a 15% discount on life insurance premiums when one increases the risk of non-payment upon death? If caught, the insurer will declare the policy void, and if you're lucky instead of prosecution they'll simply refund the premium amounts paid. At that point you may as well have skipped the policy and invested or spent those premium funds.

(Remember: you're dead at this point. You're not defending yourself against their allegations of fraud. Your presumably grief-stricken loved ones are the ones who will be asked "how is it that every single step this guy took over 15 years managed perfect 60bpm timing?")

Everybody, clap your hands! • September 30, 2015 2:52 PM

Every breath you take and every move you make
Every bond you break, every step you take, I'll be watching you
Every single day and every word you say
Every game you play, every night you stay, I'll be watching you

Oh, can't you see you belong to me
How my poor heart aches with every step you take

Every move you make, every vow you break
Every smile you fake, every claim you stake, I'll be watching you

(Couldn't help it.)

Lev • September 30, 2015 3:02 PM

@BJP;

It's not for a discount on life insurance; it's for a discount on health insurance. How getting middle-aged and older adults to exercise and get sports injuries reduces short-term medical bills I'll never know, though.

Daniel • September 30, 2015 3:30 PM

The technology issue aside, I have serious conceptual issues with these types of insurance "deals". The whole point of insurance is the distribution of risk. These programs might allow the individual to reduce expenses and the corporation to increase profits but in doing so they make the whole risk pool more risky by increasing systemic risk. Indeed, a good example of this systemic risk is cheating--people are less fit and therefore less healthy than the aggregate pooled data implies. The insurance company doesn't take in enough money to cover eventual expenses and the pool collapses leaving the public on the hook (but notice the corporation's short-term profits are still good.)

So I can't help but wonder why insurance regulators even allow these programs to exist at all.

Dave B • September 30, 2015 3:32 PM

I'm astonished that anyone is using a Fitbit for anything serious. If I applaud at the end of a play or concert or whatever, my Fitbit will record each handclap as a pace. (I wear it on my wrist). It also has a heartbeat function, which often shows my resting heartrate as somewhere in the 50-60 range, which is clearly erroneous because my pacemaker kicks in if my heartrate drops below 60. Basically, it's a toy - fun but just a toy.

(Not to mention that my main types of exercise are cycling and swimming. The Fitbit doesn't record the first accurately and is useless for the second).

Pete C • September 30, 2015 3:59 PM

Why don't they just do what they need to do.... If you (like me) are overweight, you pay more unless it is a medical condition such as thyroid problem. We should be charged more for self-induced risk, to include diet. This should also be used for disqualifying for benefits, as government benefits should not subsidize the cost related to preventable situations being caused by personal choices. If you, again like me, choose to live an unhealthy lifestyle based on diet, we have chosen to be in a riskier grouping and more likely to have medical issues. I am the first to say I like my bourbon and hamburgers. No one else should have to subsidize my cost when it catches up to me. Too many of us, at least in America, mix up the right to do things with the absence of culpability and responsibility. The problem, financially, with our social services in the US isn't the fact that we help people who need it, it is that we help people who are in situations based on choices and refuse to make different ones that they know will change their lives and reduce their need for assistance.

bob • September 30, 2015 4:30 PM

The last company I worked at had a stupid pedometer that we had to upload for steps. A certain number of steps a day got us a pretty nice amount of cash in the HSA fund. I used it legitimately for awhile until the cheap piece of crap kept losing all my steps and the company told me I'd have to pay to replace it. Instead I bought a stepper motor, and a teensy microcontroller. I wrote a program that each day randomly simulated steps up to a number in a range over their "optimum" number of steps. I attached a long arm to the stepper motor, then ran a string to the pedometer, and ran the string through a grommet. The end result was that the stepper motor would accelerate the string up and down with enough force to trigger a "step" on the pedometer. I was one of the more "active" employees in the company.

Zorg • September 30, 2015 4:46 PM

My wife's Fitbit "One" has gone a few times accidentally into the wash (including the spin cycle) while attached to a garment. It survived unscathed, but she sure broke records every time!

Lev • September 30, 2015 5:36 PM

@Daniel;
The regulators are the ones mandating these programs. The ACA limits the amounts businesses are allowed to pay for insurance for their employees, but allows them to discount the employee's pay amount if they're in a program like this.

@Pete;
Go read Gary Taubes. Saying you get fat because you eat too much is like saying the wait to get into a restaurant is too long because more people are coming into it than leaving. It may be true but it doesn't really answer the question. WHY do people eat too much, and why do their bodies hold onto the extra calories instead of passing them? Keep in mind you're talking about a 0.1% over optimal daily caloric intake for people gaining weight.

Daniel • September 30, 2015 6:05 PM

@Lev

Interesting.

@Anon

These people are kooks and I wouldn't give them ten cents for their secure laptop. They build a secure laptop but the only way they will allow delivery is through the most insecure method possible--the US mail system. A system we already know for a fact is compromised.

When they offer retail pick-up at their plant and allow inspection prior to buying then maybe I would take them with a little more seriousness.

Mary • September 30, 2015 8:24 PM

My Fitbit (which I got at a steep discount through my health insurance) counts every stitch as a step when I knit. I'm mostly making sure I am over minimum, rather than reaching for a goal each day. It is funny that often my "count" is the highest when I am at my most sedentary.

MikeA • September 30, 2015 10:57 PM

How about the insurance companies that offer a discount in exchange for you plugging a dongle into the OBD port on your car? Recently discovered to allow pretty severe hacking via text message from anywhere. Maybe your agent wants to take your Corvette out for a spin.

On a more FitBit related note:
http://www.loweringthebar.net/2015/03/ankle-bracelet-in-custody.html

(Fraud suspect out on bond with an ankle bracelet detaches the bracelet and hooks it to a movement simulator, then disappears)

BJP • September 30, 2015 11:08 PM

@Lev

Both articles mention life insurance specifically in their respective first sentence, so I disagree. Both health and life insurers use such programs. But granting that one might use them only for health insurance, they're still fraud and the insurer could use them to avoid paying for a heart attack + treatment, or terminate coverage, at the most inopportune time.

I think they get around the sports injury thing by offering these mostly to companies with a young healthy workforce.

Morally I've got no problem with these, but for risk management I couldn't recommend them like, say, ad blockers.

Nick • October 1, 2015 3:27 AM

There's quite a big privacy issue with wrist band trackers.

You can tell what they know about your habits if dating sites, lube, porn sites start appearing as adverts on their site.

I suggest changing hands, or wearing the tracker on the other wrist!

:-)

Funny but probably true that they are tracking your masturbatory habits.

CouldntPossiblyComment • October 1, 2015 3:33 AM

Next up from insurance companies - to qualify for this life insurance, you must wear a camera that monitors your fitness tracker and validates in real-time that you are still qualifying for a discount.

@Dave B - the low-tech Fitbit that is worn on the hip and just records steps is actually reasonably accurate for walking; more than enough for trends per day - totally agree that it's pointless for swimming - I guess it depends what you define as 'serious'. Unfortunately a lot of people just go 'ooh latest smartwatch, it measures stuff' rather than actually understanding measuring technology, where it needs to be applied, and where it doesn't work.

swoledev • October 1, 2015 5:00 AM

I easily lift 10+ metric tonnes on a leg day and do prowler/tire flip for cardio, or stairmaster while my hands and arms are fixed holding the bar.

I am probably fitter than most who only walk/jog/run, but I'd have to resort to cheating if the number of steps taken is the only measure to get the discount.

Dirk Praet • October 1, 2015 7:01 AM

With insurance companies like John Hancock offering discounts to people who allow them to verify their exercise program by opening up their fitness-tracker data, these are useful hacks.

Sounds like a great plan. You get a small discount on your insurance policy for handing them your data, which is then used for the sole purpose of finding anything whatsoever in there that could be used to reject your claims. Realizing that, you resort to silly hacks.

I crossfit 5 days out of 7, but scr*w Fitbit and scr*w John Hancock.

root@localhost • October 1, 2015 4:04 PM

Back in college, my ex suckered me into signing up for this Nielsen ratings pager deal (they'd send you $5 or so a month for wearing the thing.) I tore it down, pulled the patents, and rigged a barbeque grill rotisserie to wear the thing for me. I suppose the electricity negated that hack. I should have put it on the dog.

David • October 1, 2015 4:43 PM

Sad this is "news". Anyone with a Fitness tracker knows how easily they're spoofed. It's one of the reasons why serious people went to the higher quality trackers...better performance and enhanced accuracy.

Now, put money into the puzzle and boom..."Life Hack"? *sigh*

Steve • October 1, 2015 6:55 PM

If a company wants to encourage better health, then they should just do health screenings, not try to track activity. You can spoof a fitness tracker, but you can't fake your cholesterol level, resting pulse, bmi, etc.

GregW • October 3, 2015 6:19 AM

We were all given these Fitbits at my work to encourage walking and fitness, as part of individual and pre-assigned team competitions where the person with the most steps would get a free HDTV (with gift card awards for the teams with the most steps).

There were, inevitably, water cooler discussions about workarounds to avoid doing the actual work of walking/exercising.

If you think most people don't naturally have a security mindset, you just need to couple the task at hand with being lazy.

I wasn't going to cheat for ethical reasons but I did explore some of the device limitations. One of my coworkers observed you could just hold it in your hand and do arm exercises and it'd count as steps but that seemed a bit much work for me. I found I could sit at my desk having shoved the Fitbit in my sock, and bounce my knee up and down on the balls of my feet rapidly (something I used to do occasionally when nervous/bored) and it seemed to think I was walking very rapidly.

In our case, with humans in the monitoring loop (a bit different from the insurance company privacy threat model), I observed two problems with these step-avoidance methods. First, the CEO who was monitoring the resulting activity graphs might wonder why I was doing so much walking during business hours and at some point notice I was at my desk. Second, it also became clear over time that, for some of us, one's lack of weight loss despite high activity might "give it away". Sure enough, some people like myself who weren't particularly fit and did a lot of steps did lose a visibly noticeable amount of weight during the course of the competition.

Over time it seemed clearer that the company's fitbit competition effort was a prelude to requiring us to wear them to reduce our company's insurance premiums. Over the course of the competition I lost my devices several times and the big brother aspect and my higher-priority concerns made it a bit slow for me to replace them despite the CEO telling us we all needed to do so.

The loss of work/home boundaries was a bit big-brotherish; if you took it off then you inevitably weren't getting credit for all your steps so you were sort of incented to wear it all the time. I was really bummed one day when I biked/walked to work and didn't get credit because I'd left it on my bedside nightstand. And then it became clear that the devices once worn all the time effectively displayed your sleep patterns to your employer (if you got up during the night or went to bed late or woke early or if you had a more expensive device that explicitly had the sleep-monitoring feature.)

Thankfully the corporate effort to have us all wear Fitbits seemed to fizzle out after about nine months, a few months after the initial competition ended and the CEO's attention waned and went to other things. Perhaps it wasn't as helpful for the CEO personally losing weight as he'd hoped? Or it was too much work to get people to comply with wearing them and the host of logistical and policy issues around replacing devices and requiring employees to wear them off-hours was too unworkable?

GregW • October 3, 2015 6:25 AM

@DaveB
My fitbit tracked my biking just fine if I attached it to my ankle rather than my wrist. Even in my front pocket it seemed to detect my biking OK.

Stephen White • October 7, 2015 2:22 AM

It's not for a discount on life insurance. I'm still waiting for the paper explaining how someone used FitBit data to determine the intimate habits of wearers (surely someone is already doing this and selling that info to marketers).


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.