AV-Test.org Finds Popular Fitness Trackers Lack Security

AV-Test.org, an organization known for its thorough and independent testing of antivirus products, has found the usual suspects of lack of authentication and encryption — security lapses that are all too common in IoT devices — present in popular fitness bands.

AV-Test.org, an organization known for its thorough and independent testing of antivirus products, has found the usual suspects of lack of authentication and encryption—security lapses that are all too common in IoT devices—are also present in popular fitness bands such as those from Fitbit and Acer. The Jawbone UP24, Polar Loop and Sony Smartband Talk SWR30 scored best for security among the products tested.

The researchers admit that counting steps or the number of calories burned may not constitute a leak of PII, but acknowledge that this may change in the future, with manipulation and/or data theft leading to more or less serious threats to user privacy and data authenticity. For example, data intended for healthcare professionals might be manipulated, leading to unnecessary medical treatment or masking a serious health issue.

All the fitness bands tested used either Bluetooth or Bluetooth Smart to communicate with apps run on Android 4.4.4 or 5.0.1. The smartphones, in turn, used wireless local area networks for Internet communications.

The fitness band test first looked for unencrypted data passing over Bluetooth or the wireless network. For Bluetooth, the researchers then examined the pairing process: whether the user must press a button, enter a PIN, or whether pairing completes without any confirmation. They also checked whether the tracker or the app could be misdirected to a malicious device, and tested the apps to see whether a self-made app could establish communications with the tracking device.

Nine fitness bands were tested: Acer Liquid Leap, Fitbit Charge, Garmin Vivosmart, Huawei TalkBand B1, Jawbone Up24, LG Lifeband Touch FB84, Polar Loop, Sony Smartband Talk SWR30 and Withings Pulse Ox. It should also be noted that these products were all available in Germany, where AV-Test.org is located.

For authentication, the test found that the Jawbone UP24, for example, does a fairly robust challenge-response authentication. In contrast, “we have the Fitbit Charge, which does not use any authentication on tracker side at all and carelessly provides the saved fitness data to everyone asking for it,” said the authors of the report.
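To make the contrast concrete, the following is an added example (not code from the AV-Test report or from any of the vendors named) that models the two behaviours described above: a tracker that hands its stored data to any connecting client, beside one that releases data only after a nonce-based challenge-response exchange with an app holding a key provisioned at pairing. The use of HMAC-SHA256 for the response, the 16-byte nonce, and the sample step count are all assumptions made for the illustration; the report does not state which scheme the Jawbone UP24 uses.

```python
import hashlib
import hmac
import os
import secrets


class Tracker:
    """Constructed model of a tracker's Bluetooth data service.

    require_auth=False models a device that answers any read request;
    require_auth=True models challenge-response gating of the data.
    """

    def __init__(self, shared_key: bytes, require_auth: bool) -> None:
        self._key = shared_key
        self._require_auth = require_auth
        self._steps = 8421                 # constructed sample fitness data
        self._pending: dict[str, bytes] = {}   # session -> outstanding nonce
        self._authenticated: set[str] = set()

    def begin_auth(self, session: str) -> bytes:
        """Issue a fresh random challenge; each nonce is usable once."""
        nonce = secrets.token_bytes(16)
        self._pending[session] = nonce
        return nonce

    def finish_auth(self, session: str, response: bytes) -> bool:
        """Accept the session only if the response is HMAC(key, nonce)."""
        nonce = self._pending.pop(session, None)   # consumed even on failure
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):   # constant-time compare
            self._authenticated.add(session)
            return True
        return False

    def read_steps(self, session: str) -> int:
        if self._require_auth and session not in self._authenticated:
            raise PermissionError("session not authenticated")
        return self._steps


def app_response(key: bytes, nonce: bytes) -> bytes:
    """What the paired app computes for a challenge (assumed scheme)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Exercise both tracker models and report what each client can read."""
    key = os.urandom(32)          # assumed to be provisioned at pairing
    results: dict = {}

    # Unauthenticated model: any client reads the data without a key.
    open_tracker = Tracker(key, require_auth=False)
    results["open_tracker_leaks_steps"] = open_tracker.read_steps("stranger")

    # Authenticated model: the paired app completes the challenge.
    guarded = Tracker(key, require_auth=True)
    nonce = guarded.begin_auth("paired-app")
    good = app_response(key, nonce)
    results["paired_app_accepted"] = guarded.finish_auth("paired-app", good)
    results["paired_app_steps"] = guarded.read_steps("paired-app")

    # A client without the key cannot produce a valid response.
    nonce2 = guarded.begin_auth("stranger")
    results["stranger_accepted"] = guarded.finish_auth(
        "stranger", app_response(os.urandom(32), nonce2))
    try:
        guarded.read_steps("stranger")
        results["stranger_read_refused"] = False
    except PermissionError:
        results["stranger_read_refused"] = True

    # Replaying a previously valid response fails: its nonce was consumed.
    results["replay_accepted"] = guarded.finish_auth("paired-app", good)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the nonce is removed from the pending table as soon as a response arrives, whether or not it verifies, so a captured response cannot be replayed and a client cannot make repeated guesses against the same challenge.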

Only two of the bands, the Garmin Vivosmart and the LG Lifeband Touch, allow the user to deactivate Bluetooth through a configuration menu option should the device come under malicious attack. The Huawei TalkBand B1 deactivates its Bluetooth as well, but only if it fails to communicate for more than three minutes.

Security concerns found with the Acer Liquid Leap, however, are more serious, since they may also be present in untested products from vendors that re-label versions of the same technology. These include products from Striiv (Touch), Tofasco (3 Plus Swipe) and Walgreens (Activity Tracker).

Overall, the report rated the Sony Smartband Talk SWR30 and Polar Loop best because they both offered the most robust security models. Also scoring high was the Jawbone UP24.

The full report is available from AV-Test.org.