Is Your Gym Exposing More Than Your Abs?

When Apple announced a serious hardware flaw last week, and the critical security patch that addressed it, my first thought was perhaps arbitrary: “That exploit would work at the gym.” My next thought: what else would?

The discovery of a zero-day exploit affecting hardware—specifically a WiFi chip embedded in the main processors of Apple devices—was serious news. The vulnerability makes it possible for a hacker within range to “execute arbitrary code on the Wi-Fi chip.” A similar vulnerability was announced and patched on the Android platform earlier in the month.

The gym is often seen as a safe space to burn off steam, clear your head and boost your heart rate but it can also be dangerous. The gym stores a lot of personal information and is filled with strangers in close proximity to one another. Because of this, it’s important to think about more than building physical strength — building cyber strength is crucial to making yourself a harder target to hit.

Here are a few things to make your next trip to the gym as scam-proof as possible.

How Is Your Personal Information Stored?

Your gym can require and request a ton of personal information: your Social Security number, driver’s license number, credit and banking information, your home address, and in some cases your medical or health information. When in the hands of the wrong person, this information can lead to identity theft and major breach of privacy.

Your job is to reduce your attackable surface and watch out for scams.

The first question you should ask is how your information is stored, and who has access to it. Don’t accept a vague answer unless it is the correct answer. “I’m not sure,” might indicate an ill-informed point of contact at the front desk or, worse, a total lack of data security. Don’t be surprised if everyone who punches the clock at your gym has access to your information.

Because of this, it’s important to think about what kind of information your gym has and why they need it. Try to limit what information they get, even if it is “required.” While the gym needs to identify you, they don’t need much data to do that. It’s your job to give them the bare minimum they need.

Juice Jacking

Be wary of charging your devices at the gym. Simply plugging your phone into the wall can make you vulnerable to juice jacking, a cyberattack where a charging port does double duty as a data connection that either steals user data or downloads malware to steal it at a later time.

Though it seems unlikely, if your gym’s owner isn’t up to date with scams, the gym may unwittingly allow a hacker to install a data-stealing kiosk for members to use.

Always pay attention to phone pop-ups. Both Apple and Android now have stopgaps to avoid juice jacking exploits, but the warning screen can be distractedly tapped away and ignored, thus opening the door to an intruder.
If you want to reduce the risks while charging your devices at the gym, look into USB cords without data transporting cables. You can also make juice jacking impossible by using the AC adapter your device came with or a back-up battery device.

Public Wi-Fi

Here’s another way your devices can leave you vulnerable to attack. Signing on to your gym’s public Wi-Fi can be risky — such is the case whenever you log on to a public Wi-Fi network. Another thing to remember: Hackers may not always ask for the gym owner’s permission to set up the Wi-Fi network that’s labeled with the gym’s name.

In addition to the fake Wi-Fi set up, there’s the threat of a man-in-the-middle attack. This attack can secretly alter the communication between two parties and even lead to eavesdropping by an unknown third party.

If you are going to log on to the Wi-Fi at your gym, always look for HTTPS in the address and the green lock near the URL of the sites you visit and think long and hard before visiting destinations like banks, credit cards and the like that require or provide access to sensitive information.

Remember, if you ever have any suspicion your information has been compromised, always contact your credit card providers ASAP. It’s also helpful to check your credit for any sudden changes (You can get a free credit report snapshot at Credit.com) While knowing the latest threats out there, and utilizing security updates the moment they are issued is great and absolutely necessary, it’s important to bear in mind that there is no anti-fraud silver bullet. Gyms are neither better nor worse than anywhere else when it comes to data security practices, but they are definitely places where you can be harmed.

If you assume your information is vulnerable, at the gym or anywhere else, and you take the effort to limit your data exposure and minimize your attackable surface, you have the best shot at staying in good shape. If you do find a security problem at your gym, maybe it’s time to demand solutions. At the very least, if you see something, say something. And if you’re really worried, find a new gym that practices better cyber and data hygiene.

Image: BraunS