Test: Fitness Wristbands Reveal Data

Who would want my data anyway?

Even if the fitness data is still managed without any link to personal details such as the user's name and address, it is still a tantalizing target for some people. In the United States, for example, those who demonstrate good fitness using the tracker are eligible for lower premiums on their private health insurance. What would keep people from simply using the data of their neighbor of the same age with a much higher level of fitness? Those familiar with what people pay for health insurance in the United States know how great the criminal potential may be in this area. And if trackers can be manipulated, it won't be long before kids will be playing pranks on the jogging yuppie by increasing his blood pressure and pulse data by a few notches, thus giving hypochondriacs even more things to worry about. The current test indicates: the potential attack points are more than sufficient.

9 fitness wristbands put to the test

All the products were purchased in the free market by the laboratory. That is why the test only includes wristbands that were available during the test phase in Germany. Thus, the Microsoft Band, for example, is not in the test lineup. Moreover, the selection criteria provided that the product not be linked to a particular smartphone, as opposed to the Samsung tracker, for example. All the products work with the assistance of a connection app on any Android smartphone. The following wristband trackers were assembled in the lab to be tested as a group:

- Acer Liquid Leap
- FitBit Charge
- Garmin Vivosmart
- Huawei TalkBand B1
- Jawbone Up24
- LG Lifeband Touch FB84
- Polar Loop
- Sony Smartband Talk SWR30
- Withings Pulse O_x

In the test phase, the Acer Liquid Leap was given particular scrutiny, as Acer purchased the product and relabeled it. The identical product is also available from the companies Striiv (Touch), Tofasco (3 Plus Swipe) and Walgreens (Activity Tracker). It is not clear, however, whether the other vendors have modified the app and the firmware of the wristbands. In the initial phase of the test, the respective tracking apps for the fitness data were installed on the test smartphones. Afterwards, in order to proceed with the test, the fitness wristbands were paired with the Android smartphone via Bluetooth, as provided in each set of directions. Some of the devices required entering a P

Bluetooth pairing works very securely

The fitness wristbands all use a Bluetooth connection. The known issues: do the devices remain visible after establishing a connection? What is necessary for pairing the devices? Does Bluetooth only activate briefly during data transmission, shutting down afterwards?
The Bluetooth connection can only be manually deactivated on the products Garmin Vivosmart and LG Lifeband Touch. After pairing, the trackers from Sony, Polar and Withings are no longer visible for other Bluetooth devices. The Huawei wristband deactivates Bluetooth if it loses the connection to the paired smartphone for a longer period of time. The Jawbone wristband is also invisible to other devices after pairing, yet if it loses the connection, it partially remains visible for several hours.
On all other wristbands, Bluetooth remains active and thus visible for other Bluetooth devices, which logically includes potential attackers. To connect the wristband and the smartphone, it is sufficient on some products to just press the "OK" button. The Sony Smartband Talk SWR30 also connects automatically via NFC, but only with known, trusted devices. Others prompt for a required PIN entry. On one of the devices, the testers discovered that for clever minds and seasoned hackers, the prompted PIN is practically a no-brainer. That, of course, is disastrous. The manufacturer has been informed but is not being mentioned by name here.

Does Bluetooth transmit data in plain language?

In the next phase of the test, devices connected via Bluetooth were eavesdropped and thus examined to see whether they only communicated with authenticated apps or whether they offer their information to any app. If it was possible to read the data, an analysis was made as to what was being transmitted.
The fitness wristband FitBit Charge astonished the test engineers: Any smartphone with Bluetooth is welcome to the fitness tracker. It does not prompt for a PIN or other authentication – it simply connects and voluntarily hands over all its data. The data is not even encrypted or protected in other ways. The FitBit app is currently pre-installed on all new HTC devices in the One M8 and M9 series. According to unconfirmed sources, the One M8 alone is said to have been sold between 500,000 and 1 million times. The products from Jawbone and Huawei allow the sharing of recorded data. The current fitness data is automatically delivered to any paired device having the matching app. The Withings Pulse Ox proved a bit clumsy: it delivers the recorded data to the currently paired device. If you select a previously paired device as the receiver, then the tracker reboots and deletes all the existing data.

How secure are the apps of fitness trackers?

If data in transit between the wristband and the smartphone cannot be hacked, then the next vulnerability may be the smartphone app for the fitness data. A purported game app, for example, could query any connected trackers for their data. If the tracker uses authentication, then the query will go unanswered.
The next vulnerability is the app itself. Attackers first examine the source code. If the app has been cleanly programmed, the code is "obfuscated" using standard tools. Only then is reverse engineering of the app made more difficult. A finished app is no longer allowed to deliver a so-called "log" - or "debug" info. Because this information enables easy reconstruction of how the app works.

Revealing log information as excess baggage

The testers evaluated all the above-mentioned items in the lab. Only 5 out of the 9 fitness apps effectively hide their code. Of the other 4, however, it is worth mentioning that 3 (Acer, Garmin and LG) do store their communications protocols in distributed program libraries. This can also be an effective way of protecting against code analysis by attackers. Only the apps from Polar and Sony use both protection technologies.
The apps from Polar and LG, however, still reveal log information. This may make life easier for attackers to decompile the code, based on the many clues, and to hack the app. Log information even makes code that is actually hidden visible again, as it acts as a road map.

Makeshift App controls the fitness tracker

In a small experiment, the lab simply inserted parts of the app for the Acer wristband into a makeshift app and then queried the Acer fitness wristband. It readily delivered all its data, as if it had been connected to the original app. The experts were even able to manipulate some of the data and send it back. As result, the day's workout was completed in just a few seconds, without breaking a sweat.
Moreover, the testers were able to influence the other functions of the wristband. This included modifying the alarms or even deleting the user from the wristband. In doing so, the Acer wristband rebooted completely and erased all available data. Acer only purchases this fitness wristband and puts its brand name on it. The identical wristband is also sold by Striiv, Tofasco and Walgreens. In case those suppliers do not use a modified App or other firmware, they have the same security risks as with the Acer Liquid Leap.

Rooted smartphones double the threat

Some users defeat the root protection of their smartphone, thus allowing access to what is actually the protected, highest operating system level of Android. While these users have more power over their Android by doing so, they pay a high price in terms of security. Because many apps write their sensitive data to a protected memory to which other apps have no access. Rooting a smartphone removes this protection. Many of the fitness apps write their sensitive data in plain language to the secure memory. In a test, a device was rooted and the data it contained was analyzed: some apps stored transaction keys, access IDs or even passwords there. An app rigged for hacking can thus retrieve and exploit this data.

Safely connecting to the cloud

When transmitting data to the Internet, the apps of the fitness trackers follow current security standards. Thus, the apps use the HTTPS protocol or other secure channels for connectivity, and they transmit the data encrypted. In this test, the lab did not evaluate whether the portals or receiving points in the cloud were secure.

Conclusion: many wristbands are quite capable

Despite minor areas for potential improvement, the products Sony Smartband Talk SWR30 and Polar Loop offer the most robust security models. The other fitness trackers are ranked lower in their security and therefore higher in the risk assessment. The product with the highest probability of a successful attack is Acer Liquid Leap.
You can read the study from AV-TEST with all the individual technical findings in this PDF: Security Evaluation of 9 Fitness Trackers.