A security audit evaluating many best-selling fitness trackers and wearable devices, including the Apple Watch, revealed that some manufacturers are continuing to make blatant security errors.
Conducted by AV-TEST, the new study found several security flaws in Android-powered fitness trackers. The organization tested the following devices:
- Basis Peak
- Microsoft Band 2
- Mobile Action Q-Band
- Pebble Time
- Runtastic Moment Elite
- Striiv Fusion
- Xiaomi MiBand
- Apple Watch
The security of the wearables varied significantly, with some devices even leaving user data exposed. Furthermore, the results showed similarities to AV-TEST’s first examination one year earlier, suggesting manufacturers may not be investing the time and resources needed to address the products’ flaws.
“As already witnessed in the initial test of fitness wristbands last year, many manufacturers are also committing similar errors in the current test,” read the report. “They often don’t pay sufficient attention to the aspect of security,” said AV-TEST.
The risk assessment rated the Android products based on a total of 10 testing criteria divided into three areas:
- Tracker – Controlled Visibility, Bluetooth Smart LE Privacy, Controlled Connectivity, Adequate Authentication, Tamper Protection
- Application – No Unsecured Local Storage, Code Obfuscation, No Log/Debug Output
- Online Communication – Encryption, Tamper Protection
After inspection, the Pebble Time, Basis Peak and Microsoft Band 2 were given the highest security rating.
“They show minor errors, but on aggregate, they offer few opportunities for attackers or tampering. After this test, the manufacturers are certain to also fix a few of the smaller defects via a firmware update,” said AV-TEST.
The fitness wristband from Mobile Action came in next with multiple risk factors. Researchers said the device features a function that claims to make it invisible to others, but does not.
“[The Mobile Action wristband] also has deficiencies in terms of authentication and tamper protection,” the report noted. “In the test, user data could even be modified through the back door.”
More alarming, however, were the results of the Runtastic, Striiv and Xiaomi trackers, with seven to eight possible risk points out of 10.
AV-TEST researchers warned these devices can be tracked rather easily; use inconsistent or no authentication or tamper protection; the code of the apps is not sufficiently obfuscated; and data traffic can be manipulated and monitored with a root certificate.
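The “Bluetooth Smart LE Privacy” and “Controlled Visibility” criteria above, and the warning here that some trackers can be tracked rather easily, come down to what kind of Bluetooth LE address a device advertises with. The following is an added example (not AV-TEST’s test code) that classifies advertised addresses by the address-type bits defined in the Bluetooth Core Specification and flags the ones a passive observer could follow over time; the observation list is constructed sample data.

```python
from dataclasses import dataclass

ADDR_PUBLIC = "public"
ADDR_RANDOM = "random"


@dataclass
class AddressAssessment:
    address: str
    subtype: str
    trackable: bool   # True if the identity stays constant across advertisements
    note: str


def classify_ble_address(address: str, addr_type: str) -> AddressAssessment:
    """Classify a BLE address ('AA:BB:CC:DD:EE:FF', most significant octet first).

    For random addresses the two most significant bits select the subtype:
    11 = static, 01 = resolvable private, 00 = non-resolvable private.
    Only the rotating private kinds give a wearer protection from tracking.
    """
    octets = [int(x, 16) for x in address.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected 6 colon-separated hex octets")
    if addr_type == ADDR_PUBLIC:
        return AddressAssessment(address, "public", True, "fixed IEEE address; never changes")
    if addr_type != ADDR_RANDOM:
        raise ValueError("addr_type must be 'public' or 'random'")
    top = octets[0] >> 6
    if top == 0b11:
        return AddressAssessment(address, "random static", True,
                                 "constant until the device is reset; trackable like a public address")
    if top == 0b01:
        return AddressAssessment(address, "resolvable private", False,
                                 "rotates; only a bonded peer holding the IRK can resolve it")
    if top == 0b00:
        return AddressAssessment(address, "non-resolvable private", False,
                                 "rotates; cannot be linked to the device at all")
    return AddressAssessment(address, "reserved", True, "reserved bit pattern; treat as suspicious")


def trackable_addresses(observations):
    """Return the addresses from (address, addr_type) pairs that expose a stable identity."""
    return sorted({a.address for a in (classify_ble_address(addr, t) for addr, t in observations) if a.trackable})


# Constructed sample: one tracker advertises a random static address in every frame,
# another uses resolvable private addresses that change between frames.
SAMPLE_OBSERVATIONS = [
    ("C4:12:34:56:78:9A", ADDR_RANDOM),   # 0xC4 -> top bits 11 -> random static
    ("C4:12:34:56:78:9A", ADDR_RANDOM),
    ("5E:3B:90:1C:77:02", ADDR_RANDOM),   # 0x5E -> top bits 01 -> resolvable private
    ("4A:F0:21:8D:06:E9", ADDR_RANDOM),   # rotated resolvable private address
]
```

Running `trackable_addresses(SAMPLE_OBSERVATIONS)` reports only the static address, which is the kind of result a privacy check like AV-TEST’s would count against a tracker.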
“Worst of all, Xiaomi even stores its entire data unencrypted on the smartphone,” the report read.
Researchers evaluated the Apple Watch using different criteria because of its operating system, and despite “certain theoretical vulnerabilities,” the device ranked among the most secure.
The report added: “The time and effort required for attackers to gain access to the [Apple] watch would be extremely high.”
According to research firm IDC, more than 75 million wearables were sold in 2015 and the number is expected to surpass 100 million in 2016.
Read AV-TEST’s complete report here (PDF).