Fitness Bands Struggle With Privacy; Leave Data Exposed

They may be one of the hottest gadgets around right now, but fitness bands and smartwatches may be a disaster waiting to happen from a security point of view, according to a new report. And considering the personal information held on many of them, the consequences of a breach could be disastrous.

The research from AV-Test looked into eight of the biggest-selling devices in the fitness band/smartwatch category: Basis Peak, Microsoft Band 2, Mobile Action Q-Band, Pebble Time, Runtastic Moment Elite, Striiv Fusion, Xiaomi MiBand, and Apple Watch. Fitbit was left out of this examination, having undergone its own separate test earlier this year.

AV-Test said it was primarily interested in two areas: “From the perspective of the private user, is the data recorded in the tracker or app secure against spying or hacking by third parties?” And, “From the perspective of health insurers or other companies, is the data in the tracker or app secure against tampering?”

The first issue looked at how secure the data held on the devices or in the app is, while the second was more concerned with a third party that may access the data. AV-Test used insurance companies that reward users for good health as an example; if the data can be manipulated, then results could be misleading.

The test looked at data on the devices, their corresponding smartphone apps, and the connection between the two. In total, 10 different criteria were tested.

Starting with the trackers, AV-Test looked at visibility, ability to be found, BLE privacy (which is whether a new MAC address is generated with every connection), authentication, and tamper protection. While all devices failed the BLE privacy test, the Pebble Time and Microsoft Band 2 succeeded in all other areas.

The Moment Elite and Fusion both failed every single tracker security test, while the Q-Band passed only one test partially, and the MiBand had one pass and two partial passes.

Moving on to the apps themselves, AV-Test looked at local storage, code obfuscation, and log and debug info. The Q-Band partially redeemed itself by passing all the tests in this category, while the Pebble Time also scored well. The MiBand, Peak, Band 2 and Moment Elite all failed all but one test for app security.

Finally, AV-Test tested the connections between the devices and apps, in particular examining whether the transmission was encrypted and whether the data was tamper-proof. The Pebble Time and Basis Peak came out on top here, while the Q-Band, Fusion and MiBand sat at the bottom, only offering partial encryption and tamper protection.

Overall, while no one fitness band can claim to be totally secure, the Pebble Time, Basis Peak and Microsoft Band 2 performed better than the others. “They show minor errors, but on aggregate, they offer few opportunities for attackers or tampering,” the report said.

For those looking for strong security with their fitness app, it’s probably worth staying away from the Mobile Action Q-Band, which has “multiple risk factors.” Additionally, the three worst-performing devices were the Runtastic, Striiv and Xiaomi, racking up seven or eight points out of 10.

“These products can be tracked rather easily, use inconsistent or no authentication or tamper protection, the code of the apps is not sufficiently obfuscated, and data traffic can be manipulated and monitored with root certificates. Worst of all, Xiaomi even stores its entire data unencrypted on the smartphone,” AV-Test warns.

All the above devices run on Android, making a test and comparison fairly straightforward. AV-Test also looked at the Apple Watch, but because of differences between Android and iOS it had to take a different approach.

Despite some issues, such as updates happening unencrypted and researchers being able to read some data that should have been encrypted, the Apple Watch still scored highly, AV-Test said. “While the testers did identify certain theoretical vulnerabilities, the time and effort required for attackers to gain access to the watch would be extremely high.”
