Fitness device security inadequate

Many fitness trackers have a glaring lack of secure connections and can be tampered with to expose private user data, a security firm finds

Fitness device security inadequate

Smart fitness device makers Xiaomi and Microsoft are among those making products that are susceptible to man-in-the-middle (MiM) attacks, says AV-Test, the German independent IT security institute.

MiM attacks are where a hacker intercepts and changes communications between parties who think they are communicating with each other.

“Some manufacturers are continuing to make disappointing errors,” the lab, which tested seven fitness bands and the Apple watch, says in its report, published last week.

+ Also on Network World: Wearables could compromise corporate data +

Remarkably, the problems discovered weren’t in terms of secure internet communications, where one would think there would be room for holes. The security issues were predominantly related to local communications—the devices tend to use a smartphone as a host device, and so rely on local communications.

Listening to data conversations

AV-Test says it could listen in on the data conversations of all of the devices it tested, with the exception of two fitness tracking devices.

“On all the products except for Basis and Pebble, we managed to sneak in and monitor the connection,” the lab says in the report.

The institute tested the Basis Peak, Microsoft Band 2, Mobile Action Q-Band, Pebble Time, Runtastic Moment Elite, Striiv Fusion and Xiaomi MiBand fitness bands, as well as the Apple Watch.

It wasn’t easy, the lab says. They had to install an Android root certificate, which it concedes is challenging.

But it does bring into question just how much personal data is flying around the average workout spot that can be plucked from thin air by a gym rat ne’er-do-well.

And while one might question the value that can be construed from someone’s heartbeat measurements for the day (“whoo, my heart beat all day”), location breadcrumbs of a run from home, for example, is potentially dangerous.

AV-Test does caveat its report using phrases such as “favorable showing” in terms of overall levels of security for Basis, Pebble, Microsoft and Apple products.

It gave the Apple Watch a high security rating. And it said devices from Pebble Time, Basis Peak and Microsoft Band 2 were among the most secure, showing only minor errors

"All of the products protect the important aspects of user authentication and data synchronization when communicating via secure HTTPS connections,” it says.

It also says that it doesn’t consider the MiM possibilities a “severe flaw” because it is so hard to do.

Unsafe local communication flaws

However, there were “quite a number of flaws regarding local communication,” which includes tracker authentication. Connections, authentication and tampering are potential issues with the trackers.

Particularly poor showings came from the Striiv Fusion, which had numerous vulnerabilities and was “unsafe,” the report says. The Xiaomi, while including security features, was found “lacking practical implementation of the security concept,” AV-Test says.

But it was privacy worries that was the notable take-away from the report. And indeed the institute says it intends to concentrate on that element in its future testing of these kinds of products.

“Overall the detected flaws are sufficient to question the use of fitness trackers for purposes which can have serious financial and or legal consequences for the user,” the report says.

Manufacturers “don't pay sufficient attention to the aspect of security,” it concludes.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2016 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)