Saturday 23 July 2016

How secure is your fitness tracker?



Microsoft Band 2
Credit: AV-Test

Your fitness band or smartwatch collects a lot of important data about you, & communicates it to your smartphone. At each step, personal data is potentially open to interception by third parties.


Striiv Fusion
Credit: AV-Test

Some health insurers provide various incentives for policy holders to buy & use fitness trackers. The rationale is that fit policy holders are healthier & so cost the health insurer less. Some insurers require evidence, from the fitness tracker, that the user is reaching targets. This can create an incentive for the user to tamper with data.


Pebble Time – fewest risk points among the devices tested
Credit: AV-Test

AV-Test evaluated 8 fitness bands & watches:

Apple Watch
Pebble Time
Basis Peak
Microsoft Band 2
Mobile Action Q-Band
Runtastic Moment Elite
Striiv Fusion
Xiaomi MiBand

https://www.av-test.org/en/news/news-single-view/seven-fitness-wristbands-and-the-apple-watch-in-a-security-check-2016/
From the AV-Test article:

Fitness wristbands and smart watches are extremely popular with sports fans, and health insurance companies are subsidizing the purchase of trackers or rewarding their use, because fit people cost insurance companies less. Experts from AV-TEST examined 7 fitness wristbands for Android plus the Apple Watch. The security result for manufacturers: disappointing errors.

Trackers are popular and are recommended by health insurers. In Europe the legal playing field for health insurance companies extends to subsidizing wearables; in the United States, insurers offer premium rebates when the policyholder is able to demonstrate efforts per fitness tracker. New York startup Oscar Health pays policyholders one dollar per day on which they reach their daily fitness goal. In 2014 over 26 million wearables were sold, in 2015 75 million, and 2016 is expected to exceed 100 million.

Test setup: the test evaluated the latest best-selling fitness wristbands plus the Pebble watch and the Apple Watch. The wristbands operate with a corresponding app on an Android smartphone; the findings for trackers and apps are summarized below, and a very detailed test report is available as a PDF. The Apple Watch is a special case: the test methods for Android cannot be directly applied to iOS, so it was evaluated separately.

The experts focused on two issues. From the perspective of the private user: is the data recorded by tracker and app secure against spying and hacking by third parties? From the perspective of health insurers and other companies: is the data in tracker and app secure against tampering? Attackers may use the data to the user's disadvantage, so private data rightly needs to be protected; and where health insurance companies reward policyholders for reaching a fitness goal, a tracker or app that can be manipulated may eventually be exploited for tampering.

Method: three test steps. The risk assessment applied 10 testing criteria to each fitness wristband, covering the tracker, the application and online communication, shown as a risk graph for each test candidate. Each criterion was rated as a risk, fault or security gap, with heightened or high risk noted. Penetration areas were evaluated explicitly: where the testers found an open door, they hacked that risk area and analyzed the consequences an attacker could cause.

Tracker: connection, authentication, tamper protection.

Visibility. Fitness trackers use Bluetooth to connect to the smartphone, so the traditional Bluetooth problems were examined first. The first security aspect is invisibility: a device that cannot be found cannot be connected to, so a tracker should only be visible during pairing. The wristbands from Microsoft and Pebble offer this security; Mobile Action claims the capability, but its device is still visible.

BLE privacy. A second Bluetooth safety aspect is the BLE privacy feature of Android 5.0: the device repeatedly generates a new MAC address for the Bluetooth connection, so the actual address is never disclosed and the device is not trackable. Only the Microsoft Band 2 used this technology.

Controlled connectivity. Can the device still be found once it is connected? The very secure solution is exclusive Bluetooth pairing, where the tracker only allows a connection to one known smartphone; in the test it was used only by Basis Peak and Microsoft Band 2. Pebble Time allows connections from several devices but requires the user to manually confirm each one, which is also secure. Xiaomi MiBand uses a simple yet safe method: after successful pairing it is no longer visible and allows no more connections. The wristbands from Striiv, Runtastic and Mobile Action fail to use any reliable technology to prevent connections from unknown devices.

Authentication. If a third-party smartphone has successfully paired with the tracker, authentication is an additional safety feature, a secondary security threshold. Basis Peak, Microsoft Band 2, Pebble Time and Xiaomi use the technology consistently; where it is implemented inadequately, this additional security is quite simple to circumvent.

Tamper protection. Health insurance companies and courts rely on the authenticity of the data, so the testers checked the integrity safeguards: access protection for the data stored in the tracker, which, if configured, prevents access by third parties and eliminates tampering by the smartphone owner. Basis, Microsoft, Pebble and Xiaomi have basic protection on the device, but the Xiaomi can be fooled through its weak authentication: a third party can make the wristband vibrate, change alarm times and completely reset the tracker to factory settings. The Striiv and Mobile Action trackers lack adequately functioning authentication and safety mechanisms and are vulnerable to tampering. On the Striiv Fusion the user's body measurement values could be changed to superhuman parameters, which are used as inputs for calculating distance traveled and calorie burn; on the Mobile Action tracker the stored user information (weight, height, step length) could be modified, and the test values were used directly in the calculation of calorie burn and distance traveled.

App: safeguarding, code check, local storage. Even when the tracker is secure, the corresponding app on the smartphone can be the weakest link. The testers checked whether apps save data in a place accessible to other apps: the security functions of a non-rooted Android device prevent access, but on rooted devices data saved in the open is accessible to everyone. Xiaomi MiBand commits this error: it stores an extensive log file of app activity in a completely open area, logging transmitted data, user information, body measurements and the authentication process.

Code obfuscation, the second test object, identifies sloppy programming. Apps that use code obfuscation prevent reverse engineering and hide useful information from attackers. The apps from Mobile Action, Pebble and Xiaomi use the technology; the apps from Basis and Runtastic raised flags, as their obfuscation would still enable attackers; the products from Microsoft and Striiv have no obfuscation.

Log and debug info. An app analysis looks for a programming error that outputs log and debug information: such output reveals important information and lets security mechanisms be defeated. Only the Mobile Action app works cleanly here; the others leak information useful to attackers.

Online communication. The connections of each app were monitored for unencrypted transmission. The good news: the connections are encrypted, so what is intercepted is encrypted. But there are also open HTTP connections with unencrypted contents, and a secure connection becomes readable after installation of a root certificate, a possible pathway for users to manipulate the transmitted data. Basis and Pebble are sufficiently protected against unwanted access; for the others the testers could monitor the secure connections, successfully tamper with them and read authentication and synchronization data. Many of the fitness wristbands show similar errors in the current test.

Risk assessment. The trackers Pebble Time, Basis Peak and Microsoft Band 2 are the most secure: minor errors offer few opportunities to attackers, and the tampering test revealed only smaller defects, for example in the firmware update. The Mobile Action fitness wristband has multiple risk factors: the invisibility function has deficiencies, authentication and tamper protection are missing, and in the test user data could be modified through the back door. Runtastic, Striiv and Xiaomi collected the most risk points: the products can be tracked easily, authentication and tamper protection are lacking, app code is not obfuscated (Striiv) or raised flags (Runtastic), data traffic can be manipulated and monitored using root certificates, and Xiaomi stores data unencrypted on the smartphone.

Apple Watch. The Apple Watch was given its own security check as a fitness tracker with an iPhone: does it safely handle the data it retrieves? Since the test was configured for Android devices, only the risk criteria not specific to Android were applied to the Apple device: controlled visibility, BLE privacy, controlled connectivity and online communication (are connections encrypted, can they be manipulated using root certificates).

Visibility via Bluetooth is controlled by the user; otherwise the watch could be constantly tracked. BLE privacy: a different MAC address is used each time Bluetooth is newly activated, which makes the watch almost impossible to track; only when airplane mode is switched on and off does the genuine MAC address of the Bluetooth components appear. Controlled connectivity: Apple uses a special theft-prevention technique. A Watch paired with an account can only be released from it with great effort, and even a factory reset does not help a thief who sells the smart watch to a new user. The Apple Watch uses encrypted connections, some of them additionally secured; updates are transmitted unencrypted via HTTP. In connections that are encrypted but not further secured, the testers could read information such as geo data of the user's location down to the street address. As with the Android devices, with a root certificate installed the connections can be monitored, giving the user more access to data to tamper with. Overall the testers give the Apple Watch a high security rating with respect to attackers gaining access to the watch.