Fitness trackers, the small wristbands that people wear, certainly help them stay in shape by tracking their fitness activities and providing the relevant data. These wristbands transmit the wearer’s data to an app on the smartphone and from there to the cloud. Is the transmission secure? Can the transmitted data be misused? Is it adequately protected?
AV-Test.org is an independent IT security testing authority. It tested the security of nine wearable fitness trackers together with their corresponding Android apps to answer these questions. The trackers were used under normal conditions, with no external pressure, force or field applied. The researchers observed and monitored the information transferred in order to identify weaknesses and vulnerabilities that could lead to data manipulation, data leakage and data theft.
Could a hacker break into your app via a fitness tracker simply to raise your blood pressure for fun, or manipulate the data to obtain benefits on his own medical insurance from companies that accept fitness tracker data? Could multinational companies exploit heart rate data from a fitness tracker to observe consumer reactions to certain products or advertising campaigns? Can a person be kept under surveillance by monitoring the data from his fitness tracker? AV-Test wanted to find out.
Nine fitness trackers were purchased on the open market for testing. They were:
– Acer Liquid Leap
– FitBit Charge
– Garmin Vivosmart
– Huawei Talk B and B1
– Jawbone Up24
– LG Lifeband Touch FB84
– Polar Loop
– Sony Smartband Talk SWR30
– Withings Pulse Ox
AV-Test came up with results that took everyone by surprise.
All nine fitness trackers use Bluetooth to transfer data. Bluetooth could be manually deactivated on only two trackers, the Garmin Vivosmart and the LG Lifeband Touch FB84. The Huawei Talk B and B1 technically support deactivating Bluetooth, but it is only triggered if the tracker cannot reach the paired smartphone for more than three minutes.
To transfer information, a connection needs to be established by pairing the devices. Here, the app on the smartphone and the fitness tracker need to be paired via Bluetooth.
To avoid unauthorized access, a fitness tracker should stop advertising its presence once it is bonded with the smartphone. After pairing with their respective smartphones, the trackers from Sony, Polar and Withings are not visible to other third-party Bluetooth devices. The Polar Loop is invisible until it is set to ‘active’ to allow a synchronisation, and even when ‘active’ it does not accept connections from random devices. This impressed the testers.
The Huawei tracker deactivates Bluetooth if it is unable to connect to the paired smartphone for a longer time, so it is safe, but again not 100%. The other fitness trackers, which remain detectable by third-party Bluetooth devices, can attract potential attackers. The Jawbone tracker is invisible after pairing, but when it loses the connection it remains partially visible for several hours, which again is not safe.
Accepting the Pairing Request
Accepting a pairing request from a device was a standard test. When a fitness tracker accepts a pairing request, it agrees to connect to the corresponding device. Attackers or other unauthorized parties may send pairing requests to trackers. AV-Test wanted to see whether the trackers offered an option to manually accept or reject pairing requests, which would eliminate the possibility of an unauthorized party gaining access to the tracker without the user knowing it.
Five of the nine fitness trackers ensure that pairing requires physical access to the hardware, so that pairing is only completed by the legitimate user. The Jawbone Up24, LG Lifeband Touch, Polar Loop, Sony Smartband and Withings Pulse Ox meet this criterion in different ways. The LG Lifeband Touch completes a pairing request only when ‘OK’ is pressed on the device; others require you to enter a number displayed on the device, or to pair via NFC as with Sony’s Smartband Talk SWR30.
The Acer Liquid Leap, Fitbit Charge, Garmin Vivosmart and Huawei trackers have unimpressive pairing-request handling.
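The three pairing behaviours described above (enter a number shown on the tracker, tap via NFC, or accept silently) correspond to the association models that Bluetooth LE legacy pairing selects from the IO capabilities and flags both sides exchange. The following is an added example, not code from AV-Test or from any tracker vendor; the selection rule follows the LE legacy pairing table in the Bluetooth Core Specification (Vol. 3, Part H), and the tracker and phone profiles are constructed for illustration. The ‘press OK on the device’ gate is an application-level confirmation outside this model and is not covered here.

```python
"""Bluetooth LE legacy-pairing association model, chosen from the IO capabilities
and flags both sides send in the SMP Pairing Request / Pairing Response.

Added example (not AV-Test or vendor code). The rule follows the LE legacy
pairing table in the Bluetooth Core Specification; the profiles are constructed.
"""
from dataclasses import dataclass

# IO capability values carried in the pairing PDUs.
DISPLAY_ONLY = "DisplayOnly"
DISPLAY_YES_NO = "DisplayYesNo"
KEYBOARD_ONLY = "KeyboardOnly"
NO_INPUT_NO_OUTPUT = "NoInputNoOutput"
KEYBOARD_DISPLAY = "KeyboardDisplay"

JUST_WORKS = "Just Works"
PASSKEY_ENTRY = "Passkey Entry"
OUT_OF_BAND = "Out of Band"


@dataclass(frozen=True)
class PairingFeatures:
    io_capability: str
    oob_data_present: bool = False  # OOB flag: key material was exchanged e.g. over NFC
    mitm_requested: bool = False    # MITM bit in the AuthReq field


def association_model(initiator: PairingFeatures, responder: PairingFeatures) -> str:
    """Return the association model legacy pairing selects for this pair of devices."""
    # Legacy pairing uses OOB only when both sides report that they hold OOB data.
    if initiator.oob_data_present and responder.oob_data_present:
        return OUT_OF_BAND
    # If neither side asks for MITM protection, IO capabilities are ignored.
    if not (initiator.mitm_requested or responder.mitm_requested):
        return JUST_WORKS
    caps = {initiator.io_capability, responder.io_capability}
    # A device with no input and no output cannot take part in a passkey exchange.
    if NO_INPUT_NO_OUTPUT in caps:
        return JUST_WORKS
    # At least one side can type the passkey the other side shows (or both type it).
    if caps & {KEYBOARD_ONLY, KEYBOARD_DISPLAY}:
        return PASSKEY_ENTRY
    # Two display-only devices fall back to Just Works in legacy pairing.
    return JUST_WORKS


def mitm_protected(model: str) -> bool:
    """Just Works authenticates nobody; the other two models tie the key to a user action."""
    return model in (PASSKEY_ENTRY, OUT_OF_BAND)


def assess(tracker: PairingFeatures, phone: PairingFeatures) -> dict:
    """Summarise what a phone (initiator) pairing with a tracker (responder) ends up with."""
    model = association_model(phone, tracker)
    return {
        "model": model,
        "mitm_protected": mitm_protected(model),
        # Only Passkey Entry and OOB need the user to do something at the tracker.
        "needs_user_at_tracker": model != JUST_WORKS,
    }


# Constructed profiles for the three behaviours the article describes.
PHONE = PairingFeatures(KEYBOARD_DISPLAY, mitm_requested=True)
NFC_PHONE = PairingFeatures(KEYBOARD_DISPLAY, oob_data_present=True, mitm_requested=True)
TRACKER_SHOWS_NUMBER = PairingFeatures(DISPLAY_ONLY, mitm_requested=True)  # "enter the displayed number"
TRACKER_NFC = PairingFeatures(NO_INPUT_NO_OUTPUT, oob_data_present=True)    # "pair via NFC"
TRACKER_SILENT = PairingFeatures(NO_INPUT_NO_OUTPUT)                       # accepts whoever asks

if __name__ == "__main__":
    for name, tracker, phone in [
        ("passkey tracker", TRACKER_SHOWS_NUMBER, PHONE),
        ("NFC tracker", TRACKER_NFC, NFC_PHONE),
        ("silent tracker", TRACKER_SILENT, PHONE),
    ]:
        print(name, assess(tracker, phone))
```

The silent profile is the case to watch for in a review: a tracker with no input or output, or one that does not set the MITM bit, always lands on Just Works, so nothing in the pairing exchange proves that the phone asking to bond belongs to the wearer.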
Pairing with Only One Smartphone
Only the Polar Loop and the Sony Smartband Talk have a feature that restricts them to pairing with a single smartphone, which means they are safe. All the other fitness trackers can be connected to multiple smartphones, which increases their vulnerability.
Developers use code obfuscation to prevent reverse engineering of their product. Acer, Garmin and LG did not use code obfuscation but moved their communication protocol into shared libraries, which is also an effective way to hinder code analysis. The quality of the obfuscation in most of the apps is sufficient.
A released app should not contain logs or debug information. The Garmin, Jawbone and Sony Smartband apps do not; the other six contain debug information that could help in reverse engineering the app. The Acer Liquid Leap even ships with both a debug and a release version of its library.
AV-Test.org insists that rooted smartphones double the threat. Users who defeat the root protection of their phones compromise its security heavily. Many apps write their sensitive data to protected memory, which on a rooted smartphone is not protected at all. AV-Test tested with a rooted device and found that the apps stored transaction data, passwords and access IDs there. This data can easily be extracted and exploited.
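The check behind the rooted-device finding is simple: pull the app’s private data directory and look for credentials stored in the clear. The scanner below is an added example, not AV-Test’s tooling. It assumes the secrets live in an Android SharedPreferences file (a real on-disk format, a `<map>` of typed entries under `/data/data/<package>/shared_prefs/`, readable by anyone with root); the XML input and the key-name patterns are constructed for the example.

```python
"""Scan an Android SharedPreferences file for credentials stored in the clear.

Added example, not AV-Test's tooling. On a rooted phone the app-private
shared_prefs directory is readable, so this is the check a tester runs over a
pulled copy. The XML below is constructed but follows the real on-disk format.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Key names that usually hold credentials or session material (constructed list).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|token|secret|access[_-]?id|session|auth", re.I)
# Values that look like credentials whatever the key is called: JWTs and long hex tokens.
SENSITIVE_VALUE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.|^[0-9a-fA-F]{32,}$")

# Constructed sample of what a careless app leaves on disk.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_email">jane@example.com</string>
    <string name="password">correct horse battery</string>
    <string name="access_id">A1B2C3D4</string>
    <boolean name="sync_enabled" value="true" />
    <string name="last_sync_token">eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2ln</string>
    <int name="steps_today" value="8421" />
</map>
"""


@dataclass
class Finding:
    key: str
    reason: str
    preview: str


def parse_shared_prefs(xml_text: str) -> dict:
    """Return {name: value-as-string} for every entry in a SharedPreferences XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file")
    prefs = {}
    for child in root:
        name = child.get("name")
        if child.tag == "string":
            prefs[name] = child.text or ""
        elif child.tag in ("int", "long", "float", "boolean"):
            prefs[name] = child.get("value", "")
        elif child.tag == "set":
            prefs[name] = ",".join((e.text or "") for e in child)
    return prefs


def redact(value: str) -> str:
    """Show enough to recognise the value without copying the secret into a report."""
    return value[:2] + "*" * min(len(value) - 2, 8) + f" ({len(value)} chars)"


def find_plaintext_secrets(prefs: dict) -> list:
    """Flag entries by sensitive key name first, then by credential-shaped value."""
    findings = []
    for key, value in prefs.items():
        if not value:
            continue
        if SENSITIVE_KEY.search(key):
            findings.append(Finding(key, "sensitive key name", redact(value)))
        elif SENSITIVE_VALUE.search(value):
            findings.append(Finding(key, "credential-shaped value", redact(value)))
    return findings


def scan(xml_text: str) -> list:
    return find_plaintext_secrets(parse_shared_prefs(xml_text))


if __name__ == "__main__":
    for f in scan(SAMPLE_PREFS):
        print(f"{f.key}: {f.reason} -> {f.preview}")
```

On the sample file the scan flags `password`, `access_id` and `last_sync_token` and leaves the e-mail address, step count and sync flag alone. The mitigation on the app side is to keep such values out of plain preferences altogether, for example by encrypting them under a key held in the device keystore, so that a copy of the directory yields only ciphertext; the scanner would then still report the key name, which is the cue to verify that the value is opaque.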
Of the nine fitness trackers tested, the Acer Liquid Leap fares worst and can be hacked. The report says, “the Acer tracker seems to have no security concept at all. The flaws in this case were so significant that we were able of completely exploiting almost all aspects of the tracker, including data theft and manipulation of some data and tracker functionality.” The Fitbit Charge was criticized too: “Fitbit charge does not use any authentication on tracker side at all and carelessly provides the saved fitness data to everyone asking for it.”
AV-Test finds the Sony Smartband Talk SWR30 and the Polar Loop to be the most secure. So you do not need to be afraid of all fitness trackers. Go for the best ones and, yes, do not root your phone. Stay healthy, stay fit.