The Sports and Fitness Industry Becomes a Soft Target for Cybercriminals

The fitness industry is already struggling due to the global coronavirus pandemic, and constant cyberattacks are now adding to its challenges. At the same time, the industry's growing reliance on technology is proving to be a double-edged sword, leaving several gaps that put users at risk. A single vulnerable server or piece of software is enough to give cybercriminals a foothold from which to compromise an entire organization.

What happened?

Recently, a white-hat researcher claimed to have uploaded a spyware-laden app to Fitbit’s official site, where it was readily available for download by online visitors.
  • A researcher from Immersive Labs created a malicious watch face, using the app-building APIs, that could steal sensitive personal data stored on Fitbit devices.
  • Lax Fitbit privacy controls let the researcher push this app to the Fitbit Gallery, Fitbit’s app store that showcases all of its in-house and third-party apps, thereby bypassing detection.
  • A simple download and install of the application by the end user could infect the device (on both Android and iPhone) and steal data.

Challenges for the industry

Rapid digitization and dependence on technology have expanded the industry's attack surface. According to an ESET report, malware attacks may continue to target fitness and sports data, as it gives cybercriminals new ways to pressure businesses into paying ransoms. The Garmin cyber incident should be an eye-opener for industry players. In addition, the report indicates that besides locking up data or devices for ransom, cybercriminals may further attempt to steal the data and sell it on underground forums.

Recently disclosed incidents

  • Last month, Town Sports International exposed its customer data through an unprotected server holding almost a terabyte of spreadsheets. The server could be accessed without a password.
  • In August, Fizikal, a gym application management platform, exposed the information of thousands of users. Researchers were able to bypass its security checks and successfully enumerate users.

What to do?

The sports and fitness industry is becoming a soft target for cybercriminals because it lacks clear security guidelines for protection against cyberattacks. According to experts, organizations must understand the importance of protecting sensitive information and have a proper incident response plan in place so they can recover quickly from such attacks.