Some of the more popular sports wearables are letting other people track you, according to a report on fitness-tracking devices from eight manufacturers, along with their companion mobile apps.

The revealing devices, the Basis Peak, Fitbit Charge HR, Garmin Vivosmart, Jawbone Up 2, Mio Fuse, Withings Pulse O2 and Xiaomi Mi Band, all make it possible for their wearers to be tracked using Bluetooth even when the device is not paired with or connected to a smartphone, said the report, “Every Step you Fake: A Comparative Analysis of Fitness Tracker Privacy and Security." It was published by Canadian nonprofit Open Effect, and researched with help from the Citizen Lab at the Munk School of Global Affairs, University of Toronto. 

Only the Apple device used a feature of the Bluetooth LE standard to generate changing MAC addresses to prevent tracking, the report said. 

In addition, the report said that companion apps for the wearables variously leaked login credentials, transmitted activity tracking information in a way that allowed interception or tampering, or allowed users to submit fake activity tracking information. 

The apps are typically used to gather data from the fitness tracking device and upload it to a central server, where users can analyze their performance and perhaps compare it with that of other device wearers.

The report is at https://openeffect.ca/reports/Every_Step_You_Fake.pdf