Seven Fitness Wristbands and the Apple Watch in a Security Check 2016
Smart watches and fitness wristbands or trackers are popular and are even being at least recommended by health insurers worldwide. In Europe, the legal playing field only allows the health insurance companies to subsidize the wearables. In the United States, there are already offers of premium rebates, as long as the policyholder is able to demonstrate his or her efforts per fitness tracker. The New York startup, Oscar Health, for example, pays policyholders one dollar per day if they reach the daily fitness goal.
At first glance, the current and forecast sales figures for fitness trackers mostly elicit an initial "Wow!". According to IDC, in 2014 over 26 million wearables were already sold, in 2015 already more than 75 million, and in 2016 the number is expected to exceed 100 million.
Persistent high risks with fitness trackers
This test evaluated the latest and best-selling fitness wristbands, along with the Apple Watch. All wristbands operate with a corresponding app on an Android smartphone. That is why the findings are summarized in the test for trackers and apps. The laboratory is also making a very detailed test report available as a PDF.
The Apple Watch represents a special case: some test methods cannot be directly applied from Android to the iOS. That is why the evaluation of the Apple Watch is found separately at the end of the article. The following products were tested:
- Basis Peak
- Microsoft Band 2
- Mobile Action Q-Band
- Pebble Time
- Runtastic Moment Elite
- Striiv Fusion
- Xiaomi MiBand
- Apple Watch (see end of article)
The experts focused on two special issues:
1. From the perspective of the private user, is the data recorded in the tracker or app secure against spying or hacking by third parties?
2. From the perspective of health insurers or other companies, is the data in the tracker or app secure against tampering?
The first issue involves the consideration that attackers may use the data or exploit it to the user's disadvantage. It involves private data that rightly needs to be protected. The second issue concerns health insurance companies that reward their policyholders for reaching a fitness goal. If a fitness tracker or app can be manipulated, however, it is inevitable that this approach will be exploited eventually.
Three test steps to risk assessment
The testers subjected each fitness wristband to a total of 10 testing criteria, divided up into three areas: tracker, application and online communication. The graph on risk assessment shows the areas in which test candidates have problems and whether the testers classify the particular criterion as a risk. The terms "fault" or "security gap" were explicitly not chosen, as there is only a heightened or high risk of penetration in the areas evaluated, but not explicitly an open door. Nor did the testers make any further attempt to "hack" a risk area. They simply analyzed what an attacker could do in that area and what the consequences would be.
Tracker – connection, authentication, tampering
Visibility: All fitness trackers use Bluetooth to connect with the smartphone. Here the traditional problems were examined first. One security aspect is invisibility for other Bluetooth devices. You can't connect to or track something that's not there. Only during pairing should the devices be visible for a certain time. This security is only offered by the wristbands from Microsoft and Pebble. Mobile Action claims the capability, but it is still visible.
BLE privacy: The second Bluetooth safety aspect is the function of BLE privacy, which has been a feature since Android 5.0. With this feature, the device repeatedly generates a new MAC address for a Bluetooth connection. The actual address is never disclosed and therefore not trackable. This technology is only used by Microsoft Band 2. None of the others know the technology.
Ability to be found: Once a device is to be connected, technically speaking there are several options. A very secure solution is exclusive Bluetooth pairing (i.e. the tracker only allows a connection to one known smartphone), which in the test, however, is only used by Basis Peak and Microsoft Band 2. Pebble Time allows connections with several devices, but the user is required to manually confirm each one; that is also secure. The Xiaomi MiBand uses a simple, yet safe method: after a successful pairing, it is simply no longer visible and allows no more connections. Only the wristbands from Striiv, Runtastic and Mobile Action fail to use reliable technology to also prevent connections with unknown devices.
Authentication: If a third-party smartphone successfully paired up with a tracker, on some products there is an additional safety feature: authentication. Only three out of seven products use this secondary security threshold consistently: Basis Peak, Microsoft Band 2, and Pebble Time. While Xiaomi does also use the technology, it is quite simple to circumvent and therefore useless under certain circumstances. The other three products either do not offer this additional security or they implement it inadequately.
Tamper protection: This item is just as interesting for users as it is presumably for health insurance companies or courts who rely on the authenticity of data. That is why it was tested whether there is an integrity safeguard or access protection for the data stored in the tracker. The protection must be configured so that it prevents access from third parties, and eliminates tampering of data by the smartphone owner. Only the products from Basis, Microsoft, Pebble and Xiaomi offer basic protection in this area. However the device from Xiaomi can also be fooled by weak authentication. It is possible for a third-party to make the wristband vibrate, for example, to change alarm times, or even completely reset the tracker to factory settings.
The fitness trackers from Striiv and Mobile Action do not use any adequate and functioning authentication or any other safety mechanisms, and are therefore vulnerable to tampering. On the Striiv Fusion, the values for body measurements of the user could be changed to superhuman parameters. These were then used as inputs for the calculation of distance traveled and calorie burn. On the tracker from Mobile Action, it was also possible to modify the stored user information on weight, height, step length, etc. during the test. These values were also used directly for the calculation of calorie burn and distance traveled.
The App – safeguarding and code check
Local storage: Even if the technology of the tracker is secure, the corresponding app on the smartphone can be the weakest link. That is why testing was conducted as to whether the apps save data accessible to other apps on the smartphone. The security functions for non-rooted Android devices actually prevent this access. But if data is saved in the wrong place, it is accessible to everyone. Xiaomi MiBand was the only one committing this error. It stores an extensive log file on app activity in a completely open area. This log contains all the transmitted data, as well as user information, alias, body measurements, and much more, which is also used for the authentication process.
Code obfuscation: During the second test, the object is to identify sloppy programming of the apps. It was checked whether the apps use code obfuscation. This technology prevents reverse engineering and hides useful information from attackers. The apps from Mobile Action, Pebble and Xiaomi use the technology entirely. The apps from Basis and Runtastic raised flags in this category. They do not consistently use obfuscation – this can enable attackers. The products from Microsoft and Striiv do not use obfuscation at all. Which means that specialists could perform an app analysis.
Log and debug info: An additional programming error is the output of log and debug information. Sometimes there is so much important information in these outputs that other security mechanisms are defeated in the process. Only the app from Mobile Action works cleanly in this category. All the other apps continue to spit out information that attackers would love to get their hands on.
Secure online communication
The final check involved all connections established by the app. Can the communication be monitored or does it perhaps even occur unencrypted? And if so, what is being transmitted? The good news: all connections that ought to be encrypted are encrypted. Intercepted open HTTP connections were worthless – and therefore probably unencrypted.
Furthermore, the lab examined whether the contents of a secure connection were readable after the installation of a root certificate. This evaluation is important, as it is a possible pathway for users to manipulate transmitted data themselves. The products from Basis and Pebble show that security is also possible in this area. They are sufficiently protected against unwanted access. For all other products, it was possible to monitor the secure connections and partly also to successfully tamper with them. Thus, authentication and synchronization data were readable.
Conclusion: sports, fun – and lack of security
As already witnessed in the initial test of fitness wristbands last year, many manufacturers are also committing similar errors in the current test. They often don't pay sufficient attention to the aspect of security. The risk assessment indicates that the trackers from Pebble Time, Basis Peak and Microsoft Band 2 were among the most secure. They show minor errors, but on aggregate, they offer few opportunities for attackers or tampering. After this test, the manufacturers are certain to also fix a few of the smaller defects via a firmware update.
The fitness wristband from Mobile Action indicates multiple risk factors. It features a function that claims to the user that it is invisible for others – but it is not. It also has deficiencies in terms of authentication and tamper protection. In the test, user data could even be modified through the back door.
The threesome of Runtastic, Striiv and Xiaomi racked up the most risk points: 7 to 8 possible risk points out of 10. These products can be tracked rather easily, use inconsistent or no authentication or tamper protection, the code of the apps is not sufficiently obfuscated, and data traffic can be manipulated and monitored with root certificates. Worst of all, Xiaomi even stores its entire data unencrypted on the smartphone. You can read more about the comprehensive security study developed by the lab on the testing of fitness trackers in this PDF file.
The Apple Watch Put to a Security Check
The Apple Watch is also used as a fitness tracker in conjunction with an iPhone. Yet how safely does it handle the data, or can data even be retrieved?
The test of the Apple Watch is configured essentially the same way as the test of the Android devices. However, iOS and Android are so different in some areas that the test of various risk criteria could not be performed, whereas others are not relevant for the Apple device. That is why in the category of trackers, the lab only examined the criteria of controlled visibility, BLE privacy and controlled connectivity. In the area of online communication, it was examined whether the connections are encrypted and whether the results can be manipulated using root certificates.
Visibility per Bluetooth can be controlled by the user. Thus, the watch cannot be constantly tracked. An interesting element was the test for BLE privacy. In this test, the Apple Watch was supposed to show a different MAC address each time Bluetooth was newly activated. This makes it almost impossible to track. In the test, this function worked repeatedly. If airplane mode is switched on and off, however, the Apple Watch always shows its genuine MAC address to the Bluetooth components. This should actually not be the case.
In terms of controlled connectivity, Apple uses a special theft prevention technique: If the Watch has been paired with an account, it can only be released with great effort. A factory reset does not even help here. If a thief then sells the smart watch, the new user could no longer pair up with his own iPhone.
In terms of connections, the Apple Watch mostly uses encrypted connections that are additionally secured. Updates, however, only occur unencrypted via HTTP.
In connections that were encrypted, yet not further secured, the testers were able to read some of the information. There were lines of text, for example, including the geo data of the user with his or her location – right down to the street address! In a further step, as with Android devices, a root certificate was installed. Afterwards, many connections could be monitored. In this manner, the user himself has more access to the data and could tamper with it.
All in all, the Apple Watch receives a high security rating. While the testers did identify certain theoretical vulnerabilities, the time and effort required for attackers to gain access to the watch would be extremely high.