Some fitness trackers falling short on security, reveals new report

Emphasis on security varies widely across fitness wristbands.

David bisson
David Bisson
@

Fitness tracker

Manufacturers of several different fitness trackers continue to pay insufficient attention to security, reveals a security check.

Researchers from AV-TEST.org have published their findings in a test examining the security features of several fitness wristbands available for Android and iOS.

AV-TEST.org specifically examined the following products:

  • Basis Peak
  • Microsoft Band 2
  • Mobile Action Q-Band
  • Pebble Time
  • Runtastic Moment Elite
  • Striiv Fusion
  • Xiaomi MiBand
  • Apple Watch

This report is the AV-TEST’s second examination of fitness tracking devices. In June 2015, the organization, which is famous for its in-depth tests into anti-virus technology, reviewed nine different wristbands and found large variations in each product’s security model.

Sign up to our free newsletter.
Security news, advice, and tips.

AV-TEST overall used the same test setup for its 2016 security analysis as it did for its initial test. As they explain in their paper:

“Naturally, the relevant tracker is still connected via Bluetooth to a smartphone (either with the original or test app installed), the Bluetooth traffic is monitored, the original app is analyzed and the online communication between the app and the server is tested for potential vulnerabilities, i.e. unencrypted or weak encrypted connections.”

The organization did, however, add a second computer between the smartphone and internet to act as a man-in-the-middle (MitM). On that computer, they ran mitmproxy, a Linux tool which allows for the penetration of HTTPS connections using a MitM approach.

Index

The researchers tested each fitness wristband for a set of 10 criteria divided up into three categories: tracker, application, and online communication. Each of those criteria fed into two questions: is the data recorded in the tracker or app secure against spying or hacking by third parties, and is the data transmitted between the tracker or app secure against tampering?

Not surprisingly, the fitness device trackers did not perform equally:

Fitness tracker chart

Take the Basis, Microsoft, and Pebble products, for example. Each of those devices didn’t show any weaknesses and generally offered a high level of security. The same was true for the Apple Watch which – because of some fundamental differences between iOS and Android – was tested differently in some areas.

All in all, the Apple Watch receives a high security rating. While the testers did identify certain theoretical vulnerabilities, the time and effort required for the attackers to gain access to the watch would be extremely high.

The same cannot be said about the Stirliv, which “earned a poor rating,” and the Xiaomi, which “[left] something to be desired” when it came to the practical implementation of an otherwise positive security design.

None of the products showed major flaws in terms of of secure internet communication. Even so, most fell short in one key area.

As the researchers note:

“…On all the products except for Basis and Pebble we managed to sneak in and monitor the connection. In this respect we might also add that we were only able to do so by installing our own root certificate, which is not easily possible for an attacker under Android, and therefore was not considered a severe flaw. However, we identified quite a number of flaws regarding local communication, i.e. user authentication on the tracker side and protection of the tracker functionality. Overall the detected flaws are sufficient to question the use of fitness trackers for purposes which can have serious financial and/or legal consequences for the user.”

Those flaws, among some of the other weaknesses, could be enough for attackers to gain unauthorized access to a wristband. In the past researchers have demonstrated how security weaknesses could potentially open opportunities for all manner of attack.

Most recently, experts even described how a highly sophisticated attack might even be capable of stealing a wearer’s ATM PIN or password by capturing wrist movements.

For additional privacy implications, please read AV-TEST’s full report.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.