
New report exposes security flaws of some popular fitness trackers

A number of leading wearables manufacturers continue to pay insufficient attention to security, according to a new report. The independent IT-security institute AV-TEST examined seven fitness trackers that pair with Android phones, plus the Apple Watch.

The result? Pebble Time was easily the most secure device tested, while several brands make poor choices for users who want to keep their health data to themselves.

The study follows in the footsteps of the June 2015 report, which reviewed nine different wristbands and exposed large variations in each product's security model. The latest report tests the Apple Watch, Basis Peak, Microsoft Band 2, Pebble Time, Mobile Action Q-Band, Runtastic Moment Elite, Xiaomi MiBand and Striiv Fusion. If you are wondering why Fitbit is not in the lineup, it is because AV-TEST already looked at Fitbit separately back in April. Some security flaws were identified then, which Fitbit promptly addressed.

The test setup for the latest report was changed slightly compared with last year's. Each tracker was paired with a smartphone, the manufacturer's companion app was examined, the lab's own test app was used to try to fool the tracker and the app, and the app's network connections were routed through a proxy. On the proxy, the company ran mitmproxy, an open-source interception proxy (written in Python, so not limited to Linux). It can decrypt HTTPS traffic only if the client has been made to trust the proxy's own CA certificate, so the test effectively asks whether each app will accept a server certificate issued by a root that was installed on the phone.

Unsurprisingly, the activity trackers showed varying levels of security. Overall, the study shows that Pebble Time, Basis Peak and Microsoft Band 2 are among the most secure. They show minor errors, but on aggregate offer few opportunities for attackers or tampering. The Apple Watch was evaluated using different criteria because of its operating system, but in the tests that were conducted, researchers noted that it performed well.

“While there were some vulnerabilities, the time and effort required to exploit these is extremely high,” the report notes regarding the Apple Watch.

All other products show at least some minor weaknesses. The worst performers were Runtastic, Striiv and Xiaomi. The chart below summarises the findings.

“What is striking about the test results is the fact that none of the products show major flaws in terms of secure Internet communication. All the products protect the important aspects of user authentication and data synchronization when communicating via secure HTTPS connections. As our extended man-in-the-middle test demonstrated, however, on all the products except for Basis and Pebble we managed to sneak in and monitor the connection. In this respect we might also add that we were only able to do so by installing our own root certificate, which is not easily possible for an attacker under Android, and therefore was not considered a severe flaw,” the report said.
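The mechanism behind that extended man-in-the-middle test, and behind the mitmproxy setup described earlier, is worth seeing in code. The Go program below is an added illustration, not code from AV-TEST or from any of the vendors. It builds, entirely in memory, a vendor root CA and a second root standing in for mitmproxy's, issues one genuine and one forged certificate for a hypothetical API hostname (api.tracker.example, an assumption), and then checks both certificates two ways: ordinary trust-store validation, as a non-pinning app does, and validation plus an SPKI pin baked into the app. The trust store contains both roots, mirroring a phone on which the tester has installed their own root certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must panics on the error paths that do not matter for the illustration.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root. Constructed for the example; in the real
// test this role is played by the vendor's public CA and by mitmproxy's CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newLeaf issues a TLS server certificate for host, signed by ca.
func newLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the usual pin format.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// TrustStoreAccepts is plain chain validation against whatever roots the phone trusts.
func TrustStoreAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// PinnedAccepts runs the same validation and then insists on the pin shipped in the app.
func PinnedAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool, pin string) bool {
	return TrustStoreAccepts(leaf, host, roots) && SPKIPin(leaf) == pin
}

// Outcome records which client logic accepted which certificate.
type Outcome struct {
	StoreAcceptsReal, StoreAcceptsMITM bool
	PinAcceptsReal, PinAcceptsMITM     bool
}

// RunScenario replays the test setup: the phone trusts the vendor's root and an
// installed mitmproxy root, and the proxy presents a forged certificate for the API host.
func RunScenario() Outcome {
	const host = "api.tracker.example" // hypothetical vendor API hostname
	vendorCA, vendorKey := newCA("Vendor Root CA")
	mitmCA, mitmKey := newCA("mitmproxy")
	realLeaf := newLeaf(host, vendorCA, vendorKey)
	forgedLeaf := newLeaf(host, mitmCA, mitmKey)

	roots := x509.NewCertPool()
	roots.AddCert(vendorCA)
	roots.AddCert(mitmCA) // the tester's own root, installed on the phone

	pin := SPKIPin(realLeaf) // a pinning app embeds this value at build time
	return Outcome{
		StoreAcceptsReal: TrustStoreAccepts(realLeaf, host, roots),
		StoreAcceptsMITM: TrustStoreAccepts(forgedLeaf, host, roots),
		PinAcceptsReal:   PinnedAccepts(realLeaf, host, roots, pin),
		PinAcceptsMITM:   PinnedAccepts(forgedLeaf, host, roots, pin),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it and the trust-store check accepts both certificates, which is exactly the position of the six apps the lab could monitor: once the tester's root is in the store, the forged certificate is as good as the real one. The pinned check accepts only the vendor-issued certificate, which is the kind of behaviour that would explain an app resisting the proxy even with a foreign root installed. The trade-off for vendors is that a pin must be rotated in an app update whenever the server key changes, so a backup pin is normally shipped alongside the active one.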

We recently wrote about a separate study, which showed how attackers could potentially develop an algorithm that steals sensitive information by monitoring your wrist movements. The results found that PINs could be recovered with very little effort: 80% accuracy with a single attempt and more than 90% accuracy with three attempts. The same algorithm can be used to work out your password.

AV-TEST offered few recommendations for users, but encouraged manufacturers to improve the security of their products through firmware updates.

For more information, read the full AV-TEST report.


Marko Maslakovic

Marko founded Gadgets & Wearables in 2014, having worked for more than 15 years in the City of London’s financial district. Since then, he has led the company’s charge to become a leading information source on health and fitness gadgets and wearables.
