Top Fitness Trackers Have Lousy Security, Testers Find

Credit: AV-TEST

If fitness wearables know when you've been sleeping, and can know whether what you've been eating is bad or good for you, then why — for goodness' sake — aren't they properly secured? In a study released today (June 22), the well-respected German antivirus testing lab AV-TEST lists vulnerabilities and other security and privacy issues in nine models of fitness bands.

The most problematic of these devices, the Acer Liquid Leap and the Fitbit Charge, can be accessed from any Bluetooth-LE-enabled device, such as a stranger's smartphone, without user authorization, AV-TEST found.


Once AV-TEST researchers gained unapproved access to the Acer device, the amount of data they could read was unprecedented. Not only could they download data off the device, but they were able to alter that data and then upload it back to the device. Alarms set by users, as well as entire accounts, could be deleted from the Liquid Leap with little effort. Of the nine ways in which any of the tested fitness bands were found to be deficient, the Acer Liquid Leap failed all nine.

AV-TEST said that the device's vulnerability may be due to the fact that Acer does not appear to manufacture the Liquid Leap itself, but instead seems to relabel a third-party product that is sold under several other brands and names, such as the Walgreens Activity Tracker.

The tests, conducted on devices retailing in Germany, paired wearables with Android devices and focused on both the Bluetooth connections and the data stored on the devices' companion apps. Only three devices — the Jawbone UP24, Polar Loop and Sony SmartBand Talk SWR30 — earned high marks from AV-TEST in terms of how they protected data.

The Acer Liquid Leap, Garmin Vivosmart and LG Lifeband Touch FB84 got "Low/Not existent" grades for how they protected user data. If AV-TEST's evaluations are accurate, users of those devices are not just walking around with their heart rates on their sleeves, but exposing a ton of raw data about their daily lives.

Credit: AV-TEST

Similar to predictive data services such as Google Now, a fitness wearable can be only as smart as the amount of data users plug into it. So with every app you link to your device, the device becomes a more valuable target.

If fitness-band companion apps are promiscuous in the ways they share access and data with smartphones or other apps, as seven of the tested devices were, their users may be organizing their life's data for those looking to spy as much as they are for their own health.

Furthermore, for anyone not worried about strangers stealing information about their daily routines, fitness bands are often linked to accounts, so your real name, email address and date of birth — enough to get an identity thief started — are also open for the taking.

Henry T. Casey is a Staff Writer at Tom’s Guide.
