Test: Fitness Wristbands Reveal Data
Fitness wristbands record the wearer's data and transmit it to the smartphone, from where it normally goes straight into the cloud. Is this secure? Can anyone read, manipulate or even exploit the data? AV-TEST examined 9 fitness wristbands and urgently recommends that certain manufacturers revamp their security policies.
The new fitness wristbands not only look hip but are also aligned with today's trends: more fitness is a must, and every activity result is recorded and analyzed in an app. The user can see immediately how well the toil has been paying off. But is the data secure in transit from the wristband to the user's smartphone? Or could someone tap into this link and copy or even manipulate the data? This question was investigated in the AV-TEST labs, where 9 fitness wristbands, also referred to as trackers, and their corresponding Android apps were monitored in live operation and examined for their security and their vulnerability to eavesdropping. In the tests, no protections were broken and no brute-force methods were used: the researchers only listened in on the communication and evaluated what they saw. The apps were evaluated for their security and their handling of data. For some products, the current security approach led to a clear expert verdict: do not use the product.
Who would want my data anyway?
Even if the fitness data is still managed without any link to personal details such as the user's name and address, it is still a tantalizing target for some people. In the United States, for example, those who demonstrate good fitness using the tracker are eligible for lower premiums on their private health insurance. What would keep people from simply using the data of their neighbor of the same age with a much higher level of fitness? Those familiar with what people pay for health insurance in the United States know how great the criminal potential may be in this area. And if trackers can be manipulated, it won't be long before kids will be playing pranks on the jogging yuppie by increasing his blood pressure and pulse data by a few notches, thus giving hypochondriacs even more things to worry about. The current test indicates: the potential attack points are more than sufficient.
9 fitness wristbands put to the test
All the products were purchased on the open market by the laboratory, which is why the test only includes wristbands that were available in Germany during the test phase. The Microsoft Band, for example, is therefore not in the lineup. A further selection criterion was that the product not be tied to a particular smartphone, which excluded the Samsung tracker, for example. All the products work with a companion app on any Android smartphone. The following wristband trackers were assembled in the lab and tested as a group:
- Acer Liquid Leap
- FitBit Charge
- Garmin Vivosmart
- Huawei TalkBand B1
- Jawbone Up24
- LG Lifeband Touch FB84
- Polar Loop
- Sony Smartband Talk SWR30
- Withings Pulse Ox
In the test phase, the Acer Liquid Leap was given particular scrutiny, since Acer buys in the product and sells it under its own name. The identical product is also available from Striiv (Touch), Tofasco (3 Plus Swipe) and Walgreens (Activity Tracker). It is not clear, however, whether those vendors have modified the app or the firmware of the wristband. In the initial phase of the test, the respective tracking apps for the fitness data were installed on the test smartphones. The fitness wristbands were then paired with the Android smartphone via Bluetooth, as described in each set of directions. Some of the devices required entering a P
Bluetooth pairing works very securely
The fitness wristbands all use a Bluetooth connection, which raises the familiar questions: do the devices remain visible after a connection has been established? What is required to pair the devices? Is Bluetooth only activated briefly for the data transfer and switched off afterwards?
The Bluetooth connection can only be switched off manually on the Garmin Vivosmart and the LG Lifeband Touch. After pairing, the trackers from Sony, Polar and Withings are no longer visible to other Bluetooth devices. The Huawei wristband deactivates Bluetooth if it loses the connection to the paired smartphone for an extended period. The Jawbone wristband is also invisible to other devices after pairing, but if it loses the connection it can remain visible for several hours.
On all the other wristbands, Bluetooth remains active and the device therefore stays visible to other Bluetooth devices, which naturally includes potential attackers. On some products, connecting the wristband to the smartphone takes nothing more than pressing the "OK" button. The Sony Smartband Talk SWR30 also connects automatically via NFC, but only to known, trusted devices. Others require a PIN to be entered. On one device, the testers found that the PIN it prompts for is trivial for a seasoned attacker to work out, which is, of course, disastrous. The manufacturer has been informed but is not being named here.
Does Bluetooth transmit data in plaintext?
In the next phase of the test, the Bluetooth link of each connected device was sniffed to establish whether the tracker only communicates with an authenticated app or whether it offers its information to any app. Where the data could be read, it was analyzed to see what was being transmitted.
The FitBit Charge astonished the test engineers: any smartphone with Bluetooth is welcome to the fitness tracker. It does not prompt for a PIN or any other authentication; it simply connects and voluntarily hands over all its data, which is neither encrypted nor protected in any other way. The FitBit app is currently pre-installed on all new HTC devices in the One M8 and M9 series; according to unconfirmed sources, the One M8 alone is said to have sold between 500,000 and 1 million units. The products from Jawbone and Huawei also share recorded data: the current fitness data is delivered automatically to any paired device that has the matching app. The Withings Pulse Ox proved a bit clumsy: it delivers the recorded data to the currently paired device, but if a previously paired device is selected as the receiver, the tracker reboots and deletes all the stored data.
How secure are the apps of fitness trackers?
If the data in transit between the wristband and the smartphone cannot be intercepted, the next point of attack may be the smartphone app that manages the fitness data. A purported game app, for example, could query any connected tracker for its data. If the tracker requires authentication, the query goes unanswered.
The next vulnerability is the app itself. Attackers start by examining its code, which on Android means decompiling the APK. If the app has been built properly, the code has been obfuscated with standard tooling; only then is reverse engineering made appreciably harder. A release build must also no longer emit "log" or "debug" output, because that information makes it easy to reconstruct how the app works. On Android both are build-time settings: enabling minification for the release build type renames classes and methods, and a ProGuard/R8 rule declaring the android.util.Log methods free of side effects strips the logging calls from the release build. The check is to decompile the shipped APK and confirm that neither readable class names nor Log calls remain.
Revealing log information as excess baggage
The testers checked all of the above in the lab. Only 5 of the 9 fitness apps effectively hide their code. Of the other 4, however, 3 (Acer, Garmin and LG) keep their communication protocols in separate program libraries, which can also be an effective way of protecting against code analysis by attackers. Only the apps from Polar and Sony use both protection techniques.
The apps from Polar and LG, however, still emit log output. Such output gives attackers many clues for decompiling the code and compromising the app. Log output can even undo much of the obfuscation, because it acts as a road map to the renamed code.
Makeshift app controls the fitness tracker
In a small experiment, the lab simply inserted parts of the app for the Acer wristband into a makeshift app and then queried the Acer fitness wristband. It readily delivered all its data, as if it had been connected to the original app. The experts were even able to manipulate some of the data and send it back. As a result, the day's workout was completed in just a few seconds, without breaking a sweat.
Moreover, the testers were able to influence the wristband's other functions, including modifying the alarms or even deleting the user from the wristband, whereupon the Acer wristband rebooted completely and erased all stored data. Acer only buys in this fitness wristband and puts its brand name on it; the identical wristband is also sold by Striiv, Tofasco and Walgreens. Unless those vendors use a modified app or different firmware, they carry the same security risks as the Acer Liquid Leap.
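The following is an added example, not code from AV-TEST or from any of the vendors tested, and it models no real tracker's protocol. It simulates in Python the two behaviours the test contrasts: a tracker that answers any connected phone (the FitBit Charge finding above) and one that demands authentication before it answers a read or accepts a write, so that a makeshift app which knows the characteristic layout but holds no key gets nothing back and cannot forge the day's workout. The authentication scheme (an HMAC-SHA256 over a fresh 16-byte challenge, keyed with a secret agreed at pairing), the step counts and the key are all assumptions made for the illustration.

```python
"""Constructed model of a fitness tracker's data characteristic with and
without authentication. Not any vendor's protocol; an illustration only."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class Tracker:
    """Simulated wristband exposing an auth slot and a step counter.

    pairing_key=None models a tracker that answers any connected phone.
    With a key, the tracker requires an HMAC over a fresh challenge before
    it answers reads or accepts writes on the current connection.
    """

    def __init__(self, steps: int = 4200, pairing_key: Optional[bytes] = None):
        self.steps = steps                  # constructed starting value
        self.pairing_key = pairing_key
        self._challenge: Optional[bytes] = None
        self._authenticated = False

    def connect(self) -> None:
        """Every new BLE connection starts out unauthenticated."""
        self._authenticated = False
        self._challenge = None

    def read_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)   # fresh nonce per attempt
        return self._challenge

    def write_response(self, response: bytes) -> bool:
        if self.pairing_key is None or self._challenge is None:
            return False
        expected = hmac.new(self.pairing_key, self._challenge, hashlib.sha256).digest()
        self._authenticated = hmac.compare_digest(expected, response)
        self._challenge = None   # single use: a captured response cannot be replayed
        return self._authenticated

    def _open(self) -> bool:
        return self.pairing_key is None or self._authenticated

    def read_steps(self) -> Optional[int]:
        return self.steps if self._open() else None   # None = query goes unanswered

    def write_steps(self, value: int) -> bool:
        if not self._open():
            return False
        self.steps = value
        return True


def official_app(tracker: Tracker, pairing_key: Optional[bytes]) -> Optional[int]:
    """The vendor app: holds the key from pairing and answers the challenge."""
    tracker.connect()
    if pairing_key is not None:
        challenge = tracker.read_challenge()
        tracker.write_response(hmac.new(pairing_key, challenge, hashlib.sha256).digest())
    return tracker.read_steps()


def makeshift_app(tracker: Tracker, forged_steps: int = 25000) -> Tuple[Optional[int], bool, Optional[int]]:
    """Any app on any phone: knows the characteristic layout but has no key.
    Returns (steps it could read, whether its forged write was accepted, steps afterwards)."""
    tracker.connect()
    seen = tracker.read_steps()
    accepted = tracker.write_steps(forged_steps)
    return seen, accepted, tracker.read_steps()


def replay_attempt(tracker: Tracker, pairing_key: bytes) -> bool:
    """Sniff one legitimate exchange, then replay the captured response on a new connection."""
    tracker.connect()
    captured = hmac.new(pairing_key, tracker.read_challenge(), hashlib.sha256).digest()
    tracker.write_response(captured)         # the legitimate session succeeds
    tracker.connect()                        # the attacker reconnects ...
    tracker.read_challenge()                 # ... receives a different nonce ...
    return tracker.write_response(captured)  # ... so the sniffed response is rejected


if __name__ == "__main__":
    open_band = Tracker(steps=4200)                                   # no authentication
    print("open tracker, makeshift app:", makeshift_app(open_band))   # (4200, True, 25000)

    key = secrets.token_bytes(16)                                     # agreed at pairing (constructed)
    locked_band = Tracker(steps=4200, pairing_key=key)
    print("locked tracker, makeshift app:", makeshift_app(locked_band))   # (None, False, None)
    print("locked tracker, official app:", official_app(locked_band, key)) # 4200
    print("replay accepted?", replay_attempt(locked_band, key))           # False
```

The replay check is the reason the challenge has to be fresh for every connection: a response sniffed from the genuine app is worthless a moment later. What the model leaves out is the hard part on real hardware, establishing the pairing key over a channel the attacker cannot observe; a PIN that is trivial to guess, as found on one device above, defeats the scheme before it starts.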
Rooted smartphones double the threat
Some users root their smartphone, gaining access to what is otherwise the protected, highest privilege level of Android. While this gives them more control over their device, they pay a high price in security. Many apps write their sensitive data to private app storage that other apps cannot access; rooting removes this protection. Many of the fitness apps write their sensitive data in plaintext to this supposedly secure storage. In a test, a device was rooted and the data it contained was analyzed: some apps stored transaction keys, access IDs or even passwords there. A malicious app with root access can therefore retrieve and exploit this data. Secrets that must live on the device belong in hardware-backed key storage such as the Android Keystore, not in plaintext files.
Safely connecting to the cloud
When transmitting data to the Internet, the fitness trackers' apps follow current security standards: they use HTTPS or other secure channels and transmit the data encrypted. In this test, the lab did not evaluate whether the portals or receiving endpoints in the cloud were secure.
Conclusion: many wristbands are quite capable
Despite minor room for improvement, the Sony Smartband Talk SWR30 and the Polar Loop offer the most robust security models. The other fitness trackers rank lower in security and therefore higher in the risk assessment. The product with the highest probability of a successful attack is the Acer Liquid Leap.
You can read the study from AV-TEST with all the individual technical findings in this PDF: Security Evaluation of 9 Fitness Trackers.
Fun and Risk of Fitness Wristbands
Maik Morgenstern, CTO AV-TEST GmbH
It is surely not a bad idea if a small fitness wristband motivates people around the world to live healthier, fitter lives. Huge ad campaigns are supporting the trend and encouraging people to buy this innovative product. But here the same mistakes are being committed as in other realms within the Internet of Things: security is only a side note. Established approaches such as authentication and encryption are implemented poorly or not at all.

Because fitness trackers are expected to play a major role with health insurance funds and insurance companies, it is mandatory that suppliers revamp and improve their security policies. The risk assessment from the lab demonstrates that no product has reached the highest level of security. AV-TEST forwarded an unvarnished version of the partly harrowing results to the manufacturers. After a certain period of time, the lab technicians will probably be forced to engage in more physical activity again if there is a second round of tests. Then we'll see if and how the manufacturers have reacted.