Independent IT security testing authority AV-Test.org has put nine different fitness trackers under the microscope, in order to explore how well they are protecting users’ data.
At first it may seem peculiar that the organisation, famous for its in-depth tests of anti-virus technology, has turned its attention to fitness trackers.
But in recent months security researchers have shown increased interest in digging into vulnerabilities on the wearable devices, uncovering weaknesses in authentication processes, and how easy it can be for an unauthorised party to connect to a wearable device without the owner even knowing.
So it’s good to see an independent testing agency also investigating the issue.
After all, fitness trackers are becoming more sophisticated – with vendors adding new features all the time in an attempt to increase their popularity in an increasingly competitive market. But every feature added to the system makes it more complex, and the chances of it becoming less secure increase.
In its investigation, AV-Test.org researchers examined nine fitness wristbands – Acer Liquid Leap, Fitbit Charge, Garmin Vivosmart, Huawei TalkBand B1, Jawbone Up24, LG Lifeband Touch FB84, Polar Loop, Sony Smartband Talk SWR30, Withings Pulse Ox – and found some big differences when it came to their security model.
(Unlike most product comparison charts, in this case the more checkboxes displayed next to the name, the worse it is!)
There are a variety of issues raised by the investigation, including that many fitness trackers appear to make it too easy for an unauthorised smartphone to connect to the wristband. On one device, which the testers declined to name, they say that it is “disastrous” that the PIN required is “practically a no-brainer”, and the manufacturer has been informed.
Additionally, some of the products failed to properly authenticate that the smartphone app communicating with them was legitimate, opening the door for abuse:
“For this case, the tracker must be able to determine the identity of the connection initiator. At least four of the tested trackers have the ability to authenticate the app they are communicating with. The Jawbone UP24 for example does a challenge-response authentication. It sends a byte sequence to the app which then has to use a secret byte array to calculate an MD5 byte sequence which is then sent back to the tracker. The concept itself seems to be robust; whether or not this authentication procedure works as intended depends on the actual implementation. In contrast, we have the Fitbit Charge, which does not use any authentication on tracker side at all and carelessly provides the saved fitness data to everyone asking for it.”
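The UP24-style exchange the testers describe, as an added Python sketch that is not AV-Test's, Jawbone's or Fitbit's code: the tracker issues a fresh challenge, the app answers with an MD5 over a shared secret and that challenge (the 16-byte secret value and the secret-then-challenge byte layout are assumptions, since the page gives neither), and only a correct answer unlocks the stored data. The OpenTracker class beside it models the Fitbit Charge behaviour of handing data to anyone who asks.

```python
import hashlib
import hmac
import os
from typing import Optional

# Secret shared by the genuine app and the tracker firmware (constructed sample).
APP_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
FITNESS_DATA = b"steps=8421;sleep=7h12m"  # constructed sample record

def app_response(secret: bytes, challenge: bytes) -> bytes:
    """App side: MD5 over the secret and the challenge it just received.
    The page gives no byte layout, so secret || challenge is an assumption."""
    return hashlib.md5(secret + challenge).digest()

class AuthenticatingTracker:
    """UP24-style tracker: data is released only after a valid response."""
    def __init__(self, secret: bytes, data: bytes) -> None:
        self._secret, self._data = secret, data
        self._pending: Optional[bytes] = None
        self._authenticated = False

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)      # fresh random challenge per connection
        self._authenticated = False
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = app_response(self._secret, self._pending)
        self._pending = None                # single use: a replayed response fails
        self._authenticated = hmac.compare_digest(expected, response)
        return self._authenticated

    def read_data(self) -> Optional[bytes]:
        return self._data if self._authenticated else None

class OpenTracker:
    """Fitbit-Charge-style tracker: no authentication on the tracker side."""
    def __init__(self, data: bytes) -> None:
        self._data = data
    def read_data(self) -> bytes:
        return self._data

def session(tracker: AuthenticatingTracker, secret: bytes) -> Optional[bytes]:
    """One connection attempt by an app that holds `secret`; None if refused."""
    c = tracker.challenge()
    tracker.verify(app_response(secret, c))
    return tracker.read_data()
```

As the quote notes, the check only proves the connecting app holds the secret, so its real strength depends on the implementation: how well the secret is protected in the app and firmware, and that a challenge is never reused.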
The Fitbit Charge raised concerns in other ways too.
In the words of the testers, “[the Fitbit Charge] simply connects and voluntarily hands over all its data. The data is not even encrypted or protected in other ways. The FitBit app is currently pre-installed on all new HTC devices in the One M8 and M9 series. According to unconfirmed sources, the One M8 alone is said to have been sold between 500,000 and 1 million times.”
Although no products came out with completely flying colours, some clearly did better than others.
“Despite minor areas for potential improvement, the products Sony Smartband Talk SWR30 and Polar Loop offer the most robust security models. The other fitness trackers are ranked lower in their security and therefore higher in the risk assessment. The product with the highest probability of a successful attack is Acer Liquid Leap.”
According to AV-Test.org, concerns with the Acer Liquid Leap may also be present in other products from other vendors which use relabelled versions of the same technology – Striiv (Touch), Tofasco (3 Plus Swipe) and Walgreens (Activity Tracker). Although, it should be noted, the testers have not confirmed the same vulnerabilities are present and it is always possible (although I would be surprised) that those vendors have modified the app or firmware.
Unfortunately, the AV-Test researchers limited their test to products available in Germany, with apps running on Android phones of different manufacturers, which excluded the likes of the Microsoft Band and the Samsung tracker.
Maybe a wider range of products will be covered in future testing, by which time let’s hope that products have improved.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.