Wearable Wednesdays: Security Test

This week German security research firm AV-Test published a report comparing seven fitness trackers and their Android apps. The Apple Watch got only a passing mention as it has no companion app for Android. That makes sense, but for some reason Fitbit was also excluded from the test.

It gets weirder: Pebble Time, a proper smartwatch, was one of the tested devices but Android Wear—which obviously has fitness tracking and works with Android—was nowhere to be found.

The good news is that Pebble Time was found to be the most secure of the group. Woo-hoo?

The seven fitness trackers that AV-Test looked at are as follows:

Basis Peak
Microsoft Band 2
Mobile Action Q-Band
Pebble Time
Runtastic Moment Elite
Striiv Fusion
Xiaomi MiBand

The purpose of their tests was to assess the security of local and cloud-saved user data for each device. To accomplish this they looked at three main areas:

Tracker – connection, authentication, tampering
The App – safeguarding and code check
Secure online communication

Here’s a summary of their findings:

The risk assessment indicates that the trackers from Pebble Time, Basis Peak and Microsoft Band 2 were among the most secure. They show minor errors, but on aggregate, they offer few opportunities for attackers or tampering. After this test, the manufacturers are certain to also fix a few of the smaller defects via a firmware update.

The fitness wristband from Mobile Action indicates multiple risk factors. It features a function that claims to the user that it is invisible for others – but it is not. It also has deficiencies in terms of authentication and tamper protection. In the test, user data could even be modified through the back door.

The threesome of Runtastic, Striiv and Xiaomi racked up the most risk points: 7 to 8 possible risk points out of 10. These products can be tracked rather easily, use inconsistent or no authentication or tamper protection, the code of the apps is not sufficiently obfuscated, and data traffic can be manipulated and monitored with root certificates. Worst of all, Xiaomi even stores its entire data unencrypted on the smartphone.

AV-Test’s report is not exhaustive by any means, but might be instructive if you’re considering one of their seven tested devices. For more information, please see the links directly below.

Sources: AV-Test via Wareable
