Fitness Trackers – 13 Wearables in a Security Test
Trends in self-monitoring
There is an unabated trend of consumers optimizing their own fitness through regular self-monitoring of vital signs: according to a current GfK study, sales of fitness wearables in the first six months of 2017 increased by 22% in Western Europe over the previous year. Germany recorded an even sharper increase in the sales of these devices. The German industry association Bitkom estimates the growth at 50% between 2015 and 2017, corresponding to a rise from 1.02 to 1.55 million devices sold per year. Worldwide, the International Data Corporation (IDC) confirms increasing sales of fitness wearables, citing global sales figures of 115.4 million devices for 2017. At the same time, the US market research company declares the Apple Watch the new market leader.
13 wearables in a security test
In a comprehensive security test, the experts from AV-TEST evaluated the most widely-sold fitness wearables. The candidates listed below were required to perform in four test categories: security of local communication, security of external communication, app security, and data protection.
• Apple - Watch Series 3
• Fitbit - Charge 2
• Garmin - vívofit 3
• Huawei - Band 2 Pro
• Jawbone - UP3
• Lenovo - HW01
• Medion - Life S2000
• Moov - Now
• Nokia - Steel HR
• Polar - A370
• Samsung - Fit2 Pro
• TomTom - Spark 3
• Xiaomi - Mi Band 2
First off, one result: whereas many manufacturers of fitness wearables still exhibited egregious security deficiencies in the previous test, some positive inroads have since been made in securing customer data. In this year's comparative test, the testers gave 8 products the best rating, i.e. 3 out of 3 stars. 4 products received 2 stars. In merely one instance did the results warrant only one star.
Comprehensive data and analyses of vital signs
For Apple's smartwatch, comprehensive recording of vital and fitness parameters is but one of many functions. For analysis, the app of the current Apple Watch Series 3 model can even read out training data from standard equipment in fitness studios. Yet fitness wristbands can compete practically head-to-head with Apple's watch when it comes to detecting vital signs, having long since blossomed from simple pedometers into mobile diagnostic instruments with a variety of sensors. The latest-generation smart wristbands record calorie consumption, check heart rate and skin tension, determine stress levels and are even said to be capable of calculating the risk of a heart attack.
By means of built-in motion sensors and GPS modules, wearables not only detect locations and distances traveled but, based on characteristic movement patterns, even recognize which sport the user is engaged in: swimming or skiing, jogging or resting. When some devices detect such rest, they also record sleeping behavior, identify sleep apnea and distinguish the different sleep phases. Some wearables even offer functions intended to promote the physical fitness of pregnant women.
Data disclosure can be expensive
Not least because wearables collect such a vast amount of personal and, in part, medical data, data protection watchdogs view them quite critically. Add to this the fact that the data collected by the devices is transferred to the manufacturers' servers, stored there and analyzed. Among other concerns, there is the risk that health data will be disclosed to third parties and exploited economically or in other ways. This applies particularly where body and vital-sign data is combined with data from other sources to create a profile, as this allows a very accurate picture of the user. Profiles enhanced with health data are of interest above all to the providers of long-term contracts. After all, credit institutions, employers, leasing companies, insurance companies and other firms use such means to obtain invaluable information about customers and are able to calculate or adjust contract terms and additional conditions accordingly, or, in the worst case, refuse a contract from the outset.
For health insurance companies in particular, fitness data is an attractive target. Thus, there are already many insurers around the globe contributing to the acquisition costs of fitness trackers. Some, like US insurer John Hancock, already require the use of the devices for certain health policies, along with the forwarding of regularly-recorded fitness readings by the policyholders. In exchange, they receive the Apple Watch Series 3 for a token fee of $25 instead of having to purchase it themselves at the regular market price of at least $329. A bargain that can later prove expensive for customers, because those who do not meet the insurer's monthly fitness targets are "punished" with rising premiums, which can be considerably higher than the purchase price of the Apple smartwatch.
In Germany, too, more and more health insurers are promoting the use of fitness trackers. The financial incentive, however, is currently still detached from the disclosure of fitness data, or at least has no negative ramifications for insurance premiums. At present, the financing model is based on a reward system: in exchange for "fitness points", customers receive additional insurance benefits, e.g. professional teeth cleaning. One example: in the fitness program of the "Techniker" health insurance provider, customers receive health bonuses if they can demonstrate 60,000 steps per week via the app. The insurer's app reads the data necessary for proof from third-party apps such as Google Fit, Samsung Health, Apple Health or the Fitbit app. Accordingly, the health insurance company also proportionally subsidizes the purchase of a fitness wristband or an Apple Watch if it is compatible with the relevant apps. Which health insurers in Germany subsidize the purchase of fitness trackers can be found out via the krankenkassen.de Info Portal, among other places.
Transmitting into the blue?
Data transmission between a wearable and its companion smartphone app usually takes place over a Bluetooth connection between the tracker and the phone. In the test, local communication with the smartphone app turned out to be secure in 9 out of 13 devices. In the ideal case, authentication by user name and password is required before any data transmission starts; only then does the transfer take place, and in encrypted form. Because Bluetooth is a short-range wireless connection, the testers also accept data connections at a lower security level for this criterion. What matters is that the tracker transmits its data exclusively to an authenticated device and only permits a wireless connection (pairing) with that device. The tracker must not be visible to other devices within wireless range.
In the test, 9 wearables fulfilled these security requirements; by contrast, 4 products revealed vulnerabilities in local data transmission. This was most visible on the Life S2000 from Medion: in the test, the tracker transmitted training data without performing any authentication first, and did so over an unencrypted wireless connection. Other devices within wireless range can therefore also receive the personal training data. The Now device from the manufacturer Moov also exhibited significant vulnerabilities. The Bluetooth connection to the smartphone was only initiated after a button press, but the tracker was visible and could be paired without authentication, and the connection was not encrypted.
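The local-link criteria described above (authenticate first, hand data only to the bonded device, stay invisible to everyone else, encrypt the transfer) can be modelled end to end. The following is an added example and not AV-TEST's test harness or any manufacturer's firmware: the bond key, the challenge-response step and the HMAC-based stream cipher are stand-ins for what BLE pairing and link-layer encryption do in practice, and the training record is a constructed sample.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher with HMAC-SHA256 as the PRF.
    Stand-in for BLE link-layer encryption; it only serves to show that a
    listener in radio range sees ciphertext, not training data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Tracker:
    """Wearable side: one bond, non-discoverable once bonded, data only after a
    fresh challenge has been answered with the bond key."""

    def __init__(self, training_data: bytes):
        self.training_data = training_data
        self.bond_key = None        # established during pairing
        self.discoverable = True    # advertises only until a bond exists
        self.pending = set()        # outstanding challenge nonces, consumed on use

    def pair(self) -> bytes:
        if not self.discoverable:
            raise PermissionError("not discoverable: already bonded")
        self.bond_key = secrets.token_bytes(32)
        self.discoverable = False
        # Real BLE pairing derives the key on both sides; returning it here
        # stands in for that step.
        return self.bond_key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def read_training_data(self, nonce: bytes, proof: bytes) -> bytes:
        """Release an encrypted frame only for a fresh, correctly answered challenge."""
        if self.bond_key is None or nonce not in self.pending:
            raise PermissionError("no bond or unknown/used challenge")
        self.pending.discard(nonce)   # a captured (nonce, proof) pair cannot be reused
        expected = hmac.new(self.bond_key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("authentication failed")
        frame_nonce = secrets.token_bytes(16)
        return frame_nonce + keystream_xor(self.bond_key, frame_nonce, self.training_data)


def companion_fetch(tracker: Tracker, bond_key: bytes) -> bytes:
    """Bonded companion app: answer the challenge, decrypt the frame."""
    nonce = tracker.challenge()
    proof = hmac.new(bond_key, nonce, hashlib.sha256).digest()
    frame = tracker.read_training_data(nonce, proof)
    return keystream_xor(bond_key, frame[:16], frame[16:])


def demo() -> dict:
    """Run the situations the test distinguishes; returns what each party got."""
    tracker = Tracker(b"2018-04-10 run 5.2 km avg_hr=152")  # constructed sample record
    key = tracker.pair()
    outcome = {"companion": companion_fetch(tracker, key)}

    # Another device in radio range: cannot pair, cannot answer a challenge.
    try:
        tracker.pair()
        outcome["stranger_paired"] = True
    except PermissionError:
        outcome["stranger_paired"] = False
    try:
        tracker.read_training_data(tracker.challenge(), b"\x00" * 32)
        outcome["stranger_read"] = True
    except PermissionError:
        outcome["stranger_read"] = False

    # Re-submitting an observed, already-used exchange is refused as well.
    nonce = tracker.challenge()
    proof = hmac.new(key, nonce, hashlib.sha256).digest()
    tracker.read_training_data(nonce, proof)
    try:
        tracker.read_training_data(nonce, proof)
        outcome["replay_accepted"] = True
    except PermissionError:
        outcome["replay_accepted"] = False
    return outcome
```

The Medion and Moov findings correspond to a tracker whose `pair()` never clears `discoverable` and whose `read_training_data()` skips the challenge and returns `training_data` unencrypted; every check in `demo()` would then come out the other way.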
Data scandal on the wrist
The current data scandal concerning the controversial analysis firm Cambridge Analytica, with up to 80 million Facebook users affected thus far, casts some functions of fitness tracker apps in a different light. Users ought to critically question the sharing of fitness values in social networks, for example. It is surely very enticing, and an additional incentive, to share one's own fitness successes with others. On the other hand, users need to be aware that Facebook and other companies thereby receive access to the app's health data and share this data with other companies. The same applies when users, on creating an online account for their fitness app, choose the more convenient automated registration and login via their Facebook or Google account; here too, the choice is theirs. Thus, up to a certain point, users of fitness trackers have individual control over the protection of their health data through prudent use of app functions.
In terms of app security, however, it's a whole different story. Here, users have to rely on providers to deliver a properly-engineered app, which also administers health data securely. In the laboratories of the AV-Test Institute, this was precisely the aspect put to scrutiny. The testers evaluated how secure the app itself was against attacks and whether fitness data was securely transmitted, processed and stored.
For 9 out of the 13 test candidates, there were no complaints, or if there were, they did not jeopardize the security of the health data. The testers saw potential for improvement in 4 apps, but none of the apps were considered deficient. However, the programmers of the apps from Lenovo, Medion, Moov and Xiaomi did lack the necessary craftsmanship, which had negative ramifications for the security of their apps. In the evaluation of these four products, the testers found, for example, indications that the login data for the app itself, i.e. user name and password, was stored in plain text in the apps' accessible cache data. Moreover, the testers took exception to the extensive integration of third-party advertising modules, e.g. for the advertising network Baidu, in the apps from Medion, Moov and Xiaomi. In AV-TEST's view, such modules do not belong in fitness tracker apps.
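The plain-text credential finding is the kind of thing a reviewer checks by dumping an app's cache and preference files and scanning them for password-like keys whose values are neither empty nor already a hash. The scanner below is an added example, not AV-TEST's tooling; the three sample files (an Android-style preferences XML, a JSON cache entry and a log line) are constructed, and the key pattern and hash heuristics are assumptions a reviewer would tune per app.

```python
import json
import re
import xml.etree.ElementTree as ET

# Keys that should never hold a plain-text value in app storage (assumed pattern).
CREDENTIAL_KEYS = re.compile(r"pass(word|wd)?|pwd|passphrase|secret", re.IGNORECASE)
# Values that are already a hash (SHA-256 hex or bcrypt) are not plain text.
ALREADY_HASHED = re.compile(r"^([0-9a-f]{64}|\$2[aby]\$.+)$")

# Constructed sample of what a cache/prefs dump might contain.
SAMPLE_FILES = {
    "shared_prefs/com.example.fit_prefs.xml": """<map>
  <string name="username">alice@example.com</string>
  <string name="password">Summer2018!</string>
  <string name="theme">dark</string>
</map>""",
    "cache/session.json": json.dumps({"user": "alice@example.com", "pwd_hash": "a" * 64}),
    "cache/log.txt": "2018-04-10 login ok user=alice@example.com password=Summer2018!\n",
}


def _flag(path: str, key: str, value: str, findings: list) -> None:
    if CREDENTIAL_KEYS.search(key) and value and not ALREADY_HASHED.match(value):
        findings.append((path, key))


def scan_file(path: str, content: str) -> list:
    """Return (path, key) for every credential-like key holding a plain-text value."""
    findings = []
    if path.endswith(".xml"):
        for element in ET.fromstring(content):            # Android SharedPreferences layout
            _flag(path, element.get("name", ""), (element.text or "").strip(), findings)
    elif path.endswith(".json"):
        for key, value in json.loads(content).items():
            _flag(path, key, str(value), findings)
    else:                                                   # free text: key=value tokens
        for match in re.finditer(r"(\w+)=(\S+)", content):
            _flag(path, match.group(1), match.group(2), findings)
    return findings


def scan_all(files: dict = SAMPLE_FILES) -> list:
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings
```

On the sample data the hashed `pwd_hash` entry passes while the preferences file and the log line are both reported; logging a password is a separate defect from storing it, and both show up in the same sweep.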
Nearly all online accounts are well protected
Most wearables hardly use desktop software on the PC anymore for displaying and analyzing fitness data. Instead, almost all trackers require a user account on the smartphone, which in turn is coupled with an online account on a cloud server of the provider. This is practical, because it allows fitness data and analyses to be saved and retrieved at any time and from anywhere. That this also poses additional risks, however, is shown by the latest data scandal involving the fitness app "MyFitnessPal". In a hacker attack dating back to February, the data of 150 million users fell into the wrong hands. The provider, Under Armour, only informed its customers about the incident at the end of March, however. Users were requested to change their passwords quickly.
That is why in the test, AV-TEST also evaluated the security of data communication, storage and access for the online accounts of the fitness trackers. The test result turned out to be surprisingly good in this category. Nearly all online accounts communicated their customers' fitness data via encrypted connections. Registration and login for online accounts also mostly took place properly in encrypted mode, and proved invulnerable to man-in-the-middle attacks. This is also the case with Garmin's vívofit 3; however, firmware updates for the tracker are still delivered over an unencrypted HTTP connection. The manufacturer can easily correct this. The HW01 from Lenovo was the only product that did not perform well in this test. Both registration and login to the online account took place unencrypted. While the passwords were not transmitted in plain text, the static data used for login was nonetheless sufficient to gain access to the actual account. Lenovo accounts are thus vulnerable to attackers as well.
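Both weak spots in this category are transport and integrity decisions made in the client. The update client sketched here is an added example, not Garmin's or Lenovo's code: it refuses any non-TLS endpoint before a byte is exchanged and only flashes a firmware image whose hash matches an authenticated manifest. The manifest format, the update URL and the firmware blob are constructed, and the HMAC with `VENDOR_KEY` stands in for the public-key signature a real vendor would use.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Stand-in for the vendor's signing key; a shipped device would hold only a
# public verification key, never a secret that can sign.
VENDOR_KEY = b"constructed-vendor-key"
UPDATE_URL = "https://updates.example.invalid/fw.bin"   # constructed


def require_tls(url: str) -> str:
    """Refuse registration, login or firmware traffic that is not over https."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"insecure transport refused: {url}")
    return url


def make_manifest(version: str, image: bytes) -> str:
    """What the vendor publishes next to the image: version, hash, authenticator."""
    payload = json.dumps({"version": version, "sha256": hashlib.sha256(image).hexdigest()},
                         sort_keys=True)
    tag = hmac.new(VENDOR_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "tag": tag})


def verify_firmware(manifest_json: str, image: bytes, url: str) -> str:
    """Accept the image only if it came over TLS, the manifest is authentic and
    the image hash matches; returns the version that may be flashed."""
    require_tls(url)
    envelope = json.loads(manifest_json)
    expected = hmac.new(VENDOR_KEY, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("manifest authenticator invalid")
    body = json.loads(envelope["payload"])
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), body["sha256"]):
        raise ValueError("firmware image does not match manifest")
    return body["version"]


def demo() -> dict:
    """Exercise the accept path and the three reject paths; returns the verdicts."""
    image = b"\x7fFIT-FW" + bytes(range(64))       # constructed firmware blob
    manifest = make_manifest("3.10", image)
    forged = json.loads(manifest)
    forged["payload"] = forged["payload"].replace('"3.10"', '"9.99"')   # edited, not re-signed
    cases = {
        "good": (manifest, image, UPDATE_URL),
        "plain_http": (manifest, image, UPDATE_URL.replace("https://", "http://")),
        "tampered_image": (manifest, image + b"\x00", UPDATE_URL),
        "forged_manifest": (json.dumps(forged), image, UPDATE_URL),
    }
    outcome = {}
    for name, (m, img, url) in cases.items():
        try:
            outcome[name] = "accepted " + verify_firmware(m, img, url)
        except ValueError as err:
            outcome[name] = "rejected: " + str(err)
    return outcome
```

`require_tls()` is the whole fix for the Garmin and Lenovo findings from the client's side; the manifest check is what keeps an update channel safe even if the transport is later found wanting.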
Privacy policies are often exemplary
Manufacturers are required to address users' questions concerning the handling of their data, i.e. its storage, processing and forwarding, in their privacy policies. Under certain circumstances, the data recorded by fitness trackers may constitute "special types of personal data", which enjoy special protection under German data protection law. That is why companies offering fitness trackers are well advised to treat the protection of their customers' fitness data with the appropriate seriousness. The good news is that 10 out of 13 providers do so. While the privacy policies are very detailed in most cases, they are nonetheless easy to understand without the reader requiring a law degree. The providers often reserve the right to use and disclose their customers' data, yet promise to anonymize the user data in such cases. If user data is stored and processed outside the European Union, most privacy policies say so. Kudos goes to the policies of Garmin, Huawei, Nokia and Samsung, which completely exclude any disclosure of data to third parties without the user's consent.
In the test of 13 fitness wearables, 8 out of 13 pass with the highest score, receiving three out of three stars, including the market leader, the Apple Watch Series 3. Further good products come from the manufacturers Fitbit, Garmin, Huawei, Jawbone, Nokia, Samsung and TomTom. Compared to earlier tests, the manufacturers have taken the security of fitness data and the data protection of their customers significantly more seriously, which appears sensible in light of the current data scandals. The AV-Test Institute is clearly critical of the integration of advertising modules in the manufacturers' apps, because users can neither determine nor influence whether, and to what extent, data is exchanged with third-party apps. For this reason, buyers of fitness wearables should also take a critical look at the app when selecting a device.
Fitness trackers betray military bases around the globe
"I've got nothing to hide" is a frequent response when it comes to the security of data, including that of fitness trackers. A current highly-sensitive security incident provides a case study in the risks of being too lax in the handling of data.
In order to protect the security of the mission and staff, the locations of military bases are normally subject to the highest level of security and secrecy. This applies above all to regions of armed conflict. But precisely these secret military locations are now visible around the globe for friend and foe, due to the careless transmission of data from fitness trackers to the Strava online service.
The online service displays sports activities, i.e. the data from its users' fitness trackers, on a high-resolution world map. On this so-called heat map, the routes covered during training can also be seen. In major cities, the Strava map shows extremely high activity in parks, for instance. No wonder, as parks are typically used for jogging, and not only by Strava users. By contrast, in sparsely populated or actually uninhabited regions, activities on the Strava heat map reveal the possible presence of military bases and make it possible to locate them precisely, as the soldiers stationed there who are registered with Strava and transmit their fitness tracker data to the online platform normally have no option other than to stay fit in or in the immediate vicinity of the camp. For military secrecy, and thus for the security of staff and mission, the leak of geo-data by fitness trackers represents a risk not to be underestimated. That is why the US Defense Department now also seeks to evaluate and regulate the use of fitness trackers, apps and online services by members of the armed forces.
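The pattern described above, a handful of people running the same loop in an otherwise empty region, is exactly what a publisher can suppress before rendering: bucket the points into grid cells and publish only cells with enough distinct contributors, so a busy park appears but an isolated camp does not, however many kilometres its few users log. This is an added example of that mitigation and not Strava's algorithm; the cell size, the threshold of 20 contributors and the two sets of tracks are constructed.

```python
import math
from collections import defaultdict

CELL_DEG = 0.01     # grid cell size in degrees, roughly 1 km at mid-latitudes (assumed)
MIN_USERS = 20      # cells with fewer distinct contributors are never published (assumed)


def cell_of(lat: float, lon: float) -> tuple:
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))


def build_heatmap(tracks, min_users: int = MIN_USERS) -> dict:
    """tracks: iterable of (user_id, lat, lon).  Returns {cell: point_count}
    for cells that reach the contributor threshold; everything else is dropped
    regardless of how many points it holds."""
    contributors = defaultdict(set)
    points = defaultdict(int)
    for user_id, lat, lon in tracks:
        cell = cell_of(lat, lon)
        contributors[cell].add(user_id)
        points[cell] += 1
    return {cell: n for cell, n in points.items() if len(contributors[cell]) >= min_users}


def sample_tracks() -> list:
    """Constructed data: a city park used by 40 people a few times each, and an
    isolated site where 3 people run the same loop every day."""
    tracks = []
    for u in range(40):
        for i in range(5):
            tracks.append((f"city{u}", 52.5150 + i * 0.0005, 13.3550 + u * 0.0001))
    for u in range(3):
        for i in range(200):
            tracks.append((f"remote{u}", 31.2050 + i * 0.00001, 65.7050))
    return tracks
```

With the threshold in place the published map contains only the park cell (200 points); the remote cell holds three times as many points but is withheld because it has only three contributors, and a per-point count threshold alone would have published it.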