Ask any security researcher, and you’ll hear the same thing: If a device has an operating system, it can be compromised. Fitness bands may not seem like a prime target for hacking, but given the potential information they offer about users’ health, losing control of one could be a very bad thing. Unfortunately for exercise aficionados, most fitness bands are not particularly secure, and their companion smartphone apps aren’t much better.
AV-Test, a Madgeburg, Germany-based security firm, researched seven different fitness bands as well as the Apple Watch in order to see if things had improved since the company’s first round of evaluations last year. The short answer: kind of. While no fitness band is above reproach, a handful are relatively impenetrable. On the other hand, the ones that fall short are essentially exploits waiting to happen.
MORE: Best Fitness Trackers
In order to gauge the state of fitness band security, AV-Test looked at eight products: the Basis Peak, the Microsoft Band 2, the Mobile Action Q-Band, the Pebble Time, the Runtastic Moment Elite, the Striiv Fusion, the Xiaomi MiBand and the Apple Watch. If you’re wondering why AV-Test didn’t include Fitbits, arguably the most popular fitness trackers, it’s because the company already looked at them separately back in April. (Spoilers: They weren’t very good initially, but Fitbit has since cleaned up their devices.)
AV-Test looked at 10 different factors when determining each fitness band’s security. The first five were related to the connection between the fitness band and its host device. Visibility tested whether a device was visible only during pairing. BLE privacy tested whether a device generates a new MAC address during Bluetooth pairing. Authentication tested whether a device asked for a secondary code after pairing. Tamper protection tested whether users could manipulate fitness tracker data.
From there, AV-Test looked at the app itself. Local storage tested whether an attacker could access user data on a non-rooted Android system. Code obfuscation tested whether the app’s code hid information from potential attackers. Log and debug info tested whether the debugging process could give away critical user info.
Finally, AV-Test evaluated whether important information was transmitted over a secured connection, and whether this secured connection was vulnerable to tampering.
After all was said and done, the Pebble Time was easily the most secure device tested, falling prey only to BLE privacy and debugging vulnerabilities. The Basis Peak and Microsoft Band 2 also performed well, sporting three potential vulnerabilities apiece. (Each device had three totally different vulnerabilities, so it’s hard to say which one, if either, is really “more” secure.)
At the other end of the spectrum, the Striiv Fusion fell prey to eight out of the possible 10 vulnerabilities, scoring points only in app security and encrypted connections. The Runtastic Moment Elite and Xiaomi MiBand held seven flaws apiece, making the similarly poor choices for active users who want to keep their health data to themselves.
Although AV-Test couldn’t subject the Apple Watch to the same tests, it did have some good news for Apple fans who use the smartwatch as a fitness tracker. The team found multiple vulnerabilities, including a very easy trick that fooled the watch into giving away its MAC address. Worse still, unencrypted transmissions included plain text, up to and including users’ locations with street addresses. Still, the AV-Test team explained that these vulnerabilities generally required abstruse tricks, and wouldn’t interest the average malicious hacker, giving the device a high rating overall.
AV-Test didn’t have many recommendations for users, but encouraged manufacturers to tighten up their products via firmware updates, particularly those with numerous vulnerabilities. Until then, consider whether you really need a fitness tracker; they work much better for some sports than others.