Latest News
April 20, 2016 | Internet of Things
Follow-up: FitBit, shocked by the AV-TEST Security Check, has now provided protection for its fitness wristband.
Several months ago, the AV-TEST labs evaluated 9 fitness wristbands and their security approach. The FitBit Charge wristband received one of the worst ratings. It paired up without any delay with any willing smartphone and revealed its data. After intensive cooperation with AV-TEST, FitBit now presents its products with updated security measures.
Additional testing
With its completely revamped firmware, the fitness wristband from FitBit now operates much more securely
When the managers at FitBit read about the evaluation results of the security test for fitness wristbands a few months ago, the internal alarm bells went off. After all, the test proved that every FitBit wristband of the Charge series would pair up with any willing smartphone without any further query. Once this happened, the wristband readily delivered all its saved fitness data.
The fitness trackers are paired via Bluetooth with a smartphone. In addition to the manufacturer's app, it was tested whether a homemade app was able to intercept the data.
Test retrospective
In the previous test of 9 fitness wristbands, their security models were put to the test. It was evaluated whether the fitness trackers could be manipulated. To do so, the trackers and the appropriate apps were examined and their communication was eavesdropped on. In the tests, no locks were defeated, however!
The result was varied: While the FitBit product, for instance, received 7 out of 9 risk points in the risk evaluation (the higher the score, the higher the risk), the Smartband Talk from Sony only had one risk point.
FitBit: properly secure effective immediately
The existing report AV-TEST Analysis of Fitbit Vulnerabilities provided the basis for cooperation between AV-TEST and the security team at FitBit. The analysis provides a precise expert description of the two vulnerabilities in the FitBit security model. In summary, the vulnerabilities can be described as follows:
1. Each smartphone with an appropriate app – the FitBit app, for example – in proximity to a FitBit tracker was able to pair up with the device. Via this connection, all the data stored in the fitness tracker was able to be read out, thus deducing a profile.
2. Using an app, each paired smartphone was able to send manipulated data to the fitness tracker or even modify the alarms. Users lost control over their fitness data.
The security team from FitBit initiated contact to AV-TEST after the test and decided to totally revamp its security model. In the interim and upon completion, the FitBit product with the latest firmware was completely tested again. This time, testers were very satisfied. In the meantime, FitBit has rolled out the new firmware 110 on all devices in the market and thus also protected even older devices per update.