Nimish Sawant, Jul 19, 2016 13:20:57 IST
Fitness trackers and smartwatches are slowly but surely becoming mainstream. Over the last couple of years we have seen an explosion in this category of products. According to IDC numbers, from around 26 million wearables sold in 2014, the number is expected to cross 100 million this year and 200 million by 2019. More and more people are using them to monitor their fitness levels, calorie intake and sleep patterns in order to lead a healthier lifestyle. The whole notion of the Quantified Self has picked up over the last couple of years. A lot of data is generated by these trackers; some of it sits on the trackers themselves and is then offloaded to a companion app on your smartphone.
So far, so good. But, as with all data, how secure is the fitness tracking data stored on these wearables really?
AV-Test put seven fitness wristbands as well as the Apple Watch through a battery of security tests to find out how these wearables fare on security. The wearables tested were the Basis Peak, Microsoft Band 2, Mobile Action Q-Band, Pebble Time, Runtastic Moment Elite, Striiv Fusion and Xiaomi Mi Band, as well as the Apple Watch.
AV-Test focussed on two main aspects during the test: a) from the private user's perspective, is the data recorded on these devices or apps secure against spying or hacking by third parties, and b) from the health insurer's perspective, is the data on these wearables secure against tampering.
Health insurers come into the picture because in some western countries health insurance companies are subsidising the cost of the wearables, and in other countries they are even paying customers to meet their daily goals. A lot of health insurance companies reward their policyholders for reaching fitness goals; if those numbers can be manipulated, that approach is bound to be exploited.
He also told tech2 that ransomware is another big trend with wearables. "Ransomware is already on Android phones and tablets, and this Android ransomware can easily be made to run on Android Wear devices like smartwatches." However, Norton is yet to spot ransomware targeted at smartwatches in the wild.
While AV-Test ran around 10 tests on these bands, they fell under three main areas: the tracker itself, the accompanying app and secure online communication.
AV-Test could not apply the same testing procedures to the Apple Watch as to the other, Android-based wearables. Since the Apple Watch is iOS based, in the tracker test areas such as controlled visibility, BLE privacy and controlled connectivity were tested; in the area of online communication, encryption was tested.
Bluetooth visibility can be controlled by the user. The BLE privacy test, in which a different MAC address must be shown each time Bluetooth is activated, passed, but showed some issues with airplane mode. "If airplane mode is switched on and off, however, the Apple Watch always shows its genuine MAC address to the Bluetooth components. This should actually not be the case," said the report.
Apple uses a special theft-prevention technique that makes it difficult for anyone to unpair the Watch from an account; even a factory reset will not do it, so even if the Watch is stolen, the new user cannot pair it with his or her own iPhone. The Watch uses secure, encrypted connections. After a root certificate is installed, however, many connections could be monitored, giving access to the data and allowing it to be tampered with.
Giving the Watch a good rating on the security front, the AV-Test report said, "Apple Watch receives a high security rating. While the testers did identify certain theoretical vulnerabilities, the time and effort required for attackers to gain access to the watch would be extremely high."
Android wearables testing
While testing the trackers, AV-Test found that only the Microsoft and Pebble wearables were invisible to other handsets via Bluetooth when in operation. Most wearables connect to your mobile device via Bluetooth, and a visible device is open to attack. Pebble Time and Microsoft Band 2 were visible only for a short while during pairing. Microsoft Band 2 was also the only wearable to support Bluetooth Low Energy (BLE) privacy. With BLE privacy, the device repeatedly generates a new MAC address for Bluetooth connections; since the real address is never disclosed, the device cannot be tracked.
Additional authentication after the smartphone was paired with the wearable was found on only three of the seven trackers, namely Basis Peak, Microsoft Band 2 and Pebble Time. Xiaomi Mi Band's authentication was found to be quite simple to circumvent. In the tamper-protection testing, AV-Test found that only Basis, Microsoft and Xiaomi offered tamper protection, but Xiaomi's could be fooled because of its weak authentication. "It is possible for a third-party to make the wristband vibrate, for example, to change alarm times, or even completely reset the tracker to factory settings," said the report.
Altaf Halde, managing director for South Asia at Kaspersky Lab, said that a Kaspersky researcher stumbled upon surprising findings when testing some wearables. "The authentication method implemented in several popular smart wristbands allows a third-party to connect invisibly to the device, execute commands, and – in some cases – extract data held on the device. The rogue connection is made possible because of the way in which the wristband is paired with a smartphone," said Halde.
In its research Kaspersky found that the data obtainable was limited to the steps taken by the owner during the previous hour, but in future that data could be much more personal, such as heart rate, calorie intake and other medically important data.
Halde further said that a lot of fitness trackers rely on pairing confirmation techniques such as vibrations. "To establish a connection users need to confirm the pairing by pressing a button on their wristband. Attackers can easily overcome this, because most modern fitness wristbands have no screen. When the wristband vibrates asking its owner to confirm the pairing the victim has no way of knowing whether they are confirming a connection with their own device or someone else’s," he said.
AV-Test tested the companion apps of all the devices under test, as that is where a lot of user data ends up. You can also control the wearable via the app and set things such as alarms, notification reminders and so on. AV-Test found that Xiaomi Mi Band's app stored an extensive log file of app activity in a completely open area. This log, containing all the transmitted data and user information, was not encrypted.
Code obfuscation, which hinders reverse engineering and thus makes attacks harder, was also checked for all the apps. The apps from Mobile Action, Pebble and Xiaomi were found to use it; Basis and Runtastic had issues in this category as they did not use obfuscation consistently; Microsoft and Striiv do not use code obfuscation at all, which lets specialists analyse the app.
Secure Online Communication
This testing involved checking the communication between the app and the trackers. All the participants were found to encrypt their communications; the open HTTP connections that remained unencrypted carried data of little value. Pebble Time and Basis Peak emerged as the products with the most secure communications, whereas Q-Band, Fusion and Mi Band offered partial encryption and tamper protection.
The test finally concluded that Pebble Time, Basis Peak and Microsoft Band 2 were the most secure wearables: they showed minor errors but offered few chances for hackers to tamper with the tracker or app data. The Runtastic, Striiv and Xiaomi devices were found to be the riskiest of the lot, as they can be easily tracked, use inconsistent tamper and authentication protection, and their data traffic can be manipulated with root certificates. The Xiaomi Mi Band was even found to store all its data on the smartphone unencrypted.
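The point made about the Apple Watch and again about the Runtastic, Striiv and Xiaomi devices, that traffic can be monitored or manipulated once a root certificate is installed on the phone, comes down to TLS trust: a companion app normally trusts whatever roots the phone trusts. The usual countermeasure is certificate pinning. The Go example below is added here and is not code from AV-Test or from any of the apps tested; it shows a pin check on the server's public key (a SHA-256 digest of its SubjectPublicKeyInfo) that runs in addition to the normal certificate validation, so a certificate issued under a foreign root for the same hostname is refused. The certificates and the hostname in it are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 digest of the certificate's
// SubjectPublicKeyInfo, the value an app would ship as its expected pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinnedLeaf rejects any leaf certificate whose public key is not in the
// pin set. It is meant to run after the normal chain check, so a certificate
// that chains to a root the user (or an interceptor) installed on the phone
// still fails here.
func VerifyPinnedLeaf(pins []string, rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("pinning: server presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("pinning: cannot parse leaf certificate: %w", err)
	}
	got := SPKIPin(leaf)
	for _, want := range pins {
		if want == got {
			return nil
		}
	}
	return fmt.Errorf("pinning: leaf SPKI %s is not in the pin set", got)
}

// PinnedTLSConfig is a client config that keeps standard verification and adds
// the pin check on top (Go calls VerifyPeerCertificate after the chain has been
// validated against the system roots). Ship a pin for a backup key as well, so
// that a key rotation does not lock every deployed app out of the service.
func PinnedTLSConfig(pins []string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return VerifyPinnedLeaf(pins, rawCerts)
		},
	}
}

// selfSigned makes a throwaway certificate so the check can be exercised offline.
func selfSigned(commonName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed certificates: the service's genuine key, and a second key
	// issued for the same name, as a rogue root on the phone would allow.
	genuine, err := selfSigned("api.tracker.example")
	if err != nil {
		panic(err)
	}
	interceptor, err := selfSigned("api.tracker.example")
	if err != nil {
		panic(err)
	}
	pins := []string{SPKIPin(genuine)}
	fmt.Println("genuine:    ", VerifyPinnedLeaf(pins, [][]byte{genuine.Raw}))
	fmt.Println("interceptor:", VerifyPinnedLeaf(pins, [][]byte{interceptor.Raw}))
	_ = PinnedTLSConfig(pins)
}
```

Pinning the public key rather than the whole certificate lets the service renew its certificate under the same key without an app update; the trade-off is that the pin set has to be maintained, which is why a backup pin belongs in it from the start.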