Fitness wristbands and smart watches are extremely popular, not only with sports fans. Health insurance companies are now even subsidizing the purchase of a tracker or rewarding their use, as fit people cost the insurance companies less. That is why the experts from AV-TEST examined 7 of the latest fitness wristbands under Android and the Apple Watch in terms of their security. The result: some manufacturers are continuing to make disappointing errors.

At first glance, the current and forecast sales figures for fitness trackers mostly elicit an initial "Wow!". According to IDC, in 2014 over 26 million wearables were already sold, in 2015 already more than 75 million, and in 2016 the number is expected to exceed 100 million.

Smart watches and fitness wristbands or trackers are popular and are even being recommended by health insurers worldwide. In Europe, the legal framework only allows health insurance companies to subsidize the wearables. In the United States, there are already offers of premium rebates, as long as the policyholder can demonstrate his or her efforts with a fitness tracker. The New York startup Oscar Health, for example, pays policyholders one dollar per day if they reach their daily fitness goal.

The fitness trackers were connected to the smartphone, the manufacturer apps were examined, attempts were made to fool them using a test app, and the connections were monitored with a proxy.

In this year's test round, too, some fitness wristbands present a high security risk. The Apple Watch is missing from the lineup because it was evaluated separately, as the test methods differ from those for Android.

Persistent high risks with fitness trackers

This test evaluated the latest and best-selling fitness wristbands, along with the Apple Watch. All wristbands operate with a corresponding app on an Android smartphone. That is why the findings are summarized in the test for trackers and apps. The laboratory is also making a very detailed test report available as a PDF.

The Apple Watch represents a special case: some test methods cannot be applied directly from Android to iOS. That is why the evaluation of the Apple Watch is found separately at the end of the article. The following products were tested:

- Basis Peak

- Microsoft Band 2

- Mobile Action Q-Band

- Pebble Time

- Runtastic Moment Elite

- Striiv Fusion

- Xiaomi MiBand

- Apple Watch (see end of article)

The experts focused on two special issues:

1. From the perspective of the private user, is the data recorded in the tracker or app secure against spying or hacking by third parties?

2. From the perspective of health insurers or other companies, is the data in the tracker or app secure against tampering?

The first issue involves the consideration that attackers may use the data or exploit it to the user's disadvantage. It involves private data that rightly needs to be protected. The second issue concerns health insurance companies that reward their policyholders for reaching a fitness goal. If a fitness tracker or app can be manipulated, however, it is inevitable that this approach will be exploited eventually.

Three test steps to risk assessment

The testers subjected each fitness wristband to a total of 10 testing criteria, divided into three areas: tracker, application and online communication. The graph on risk assessment shows the areas in which test candidates have problems and whether the testers classify the particular criterion as a risk. The terms "fault" or "security gap" were deliberately avoided, as the areas evaluated carry only a heightened or high risk of attack, not a demonstrated open door. Nor did the testers make any further attempt to "hack" a risk area. They simply analyzed what an attacker could do in that area and what the consequences would be.

Tracker – connection, authentication, tampering

Visibility: All fitness trackers use Bluetooth to connect to the smartphone. The classic problems were examined first. One security aspect is invisibility to other Bluetooth devices: you can't connect to or track something that appears not to be there. Devices should only be visible for a limited time during pairing. Only the wristbands from Microsoft and Pebble offer this protection. Mobile Action claims the capability, but its tracker remains visible.

BLE privacy: The second Bluetooth security aspect is BLE privacy, supported on Android since version 5.0. With this feature, the device repeatedly generates a new random MAC address for its Bluetooth connections. The actual address is never disclosed and the device therefore cannot be tracked. Only the Microsoft Band 2 uses this technology; none of the others support it.

Ability to be found: When a device is to be connected, there are technically several options. A very secure solution is exclusive Bluetooth pairing (i.e. the tracker only allows a connection to one known smartphone), which in the test, however, is only used by Basis Peak and Microsoft Band 2. Pebble Time allows connections with several devices, but the user is required to manually confirm each one; that is also secure. The Xiaomi MiBand uses a simple yet safe method: after a successful pairing, it is simply no longer visible and allows no further connections. Only the wristbands from Striiv, Runtastic and Mobile Action lack a reliable mechanism to prevent connections from unknown devices.
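The visibility and BLE privacy findings above come down to what a passive Bluetooth scanner can follow over time. As an added example (not code from the article or any tested vendor), the following analyzer classifies each advertiser address in a constructed scan log using the Bluetooth Core Specification's address rules, marks public and static random addresses as trackable, and flags resolvable private addresses that were kept longer than the recommended 15-minute rotation interval. The log lines, addresses and timestamps are constructed for illustration.

```python
RPA_ROTATION_SECS = 15 * 60  # recommended T_GAP(private_addr_int) in the Bluetooth Core Spec

# Constructed scan log (not captured from any tested product): "<seconds> <addr_type> <address>"
SCAN_LOG = """\
0 public 00:11:22:33:44:55
600 public 00:11:22:33:44:55
0 random 5A:1B:2C:3D:4E:5F
30 random 5A:1B:2C:3D:4E:5F
900 random 7F:01:02:03:04:05
0 random C0:DE:CA:FE:00:01
1200 random C0:DE:CA:FE:00:01
0 random 41:AA:BB:CC:DD:EE
2000 random 41:AA:BB:CC:DD:EE
"""

def random_address_kind(addr):
    """Sub-type of a random BLE address, encoded in its two most significant bits."""
    top_bits = int(addr.split(":")[0], 16) >> 6
    return {0b00: "non-resolvable", 0b01: "resolvable", 0b11: "static"}.get(top_bits, "reserved")

def is_trackable(addr_type, addr):
    """Public and static random addresses never change, so any scanner can follow the device."""
    if addr_type == "public":
        return True
    return random_address_kind(addr) in ("static", "reserved")

def analyze(log):
    """Per-address summary: address kind, whether it is trackable, and how long it was observed."""
    seen = {}
    for line in log.splitlines():
        t, addr_type, addr = line.split()
        entry = seen.setdefault(addr, {"type": addr_type, "first": int(t), "last": int(t)})
        entry["last"] = int(t)
    report = {}
    for addr, e in seen.items():
        kind = "public" if e["type"] == "public" else "random/" + random_address_kind(addr)
        report[addr] = {"kind": kind, "trackable": is_trackable(e["type"], addr),
                        "seen_for": e["last"] - e["first"]}
    return report

def stale_private_addresses(report, max_age=RPA_ROTATION_SECS):
    """Resolvable private addresses kept beyond the rotation interval become trackable in practice."""
    return sorted(a for a, r in report.items()
                  if r["kind"] == "random/resolvable" and r["seen_for"] > max_age)

if __name__ == "__main__":
    rep = analyze(SCAN_LOG)
    for addr, r in rep.items():
        print(f"{addr}  {r['kind']:<20} trackable={r['trackable']}  seen_for={r['seen_for']}s")
    print("stale RPAs:", stale_private_addresses(rep))
```

A tracker that really implements BLE privacy shows up in such a log as a series of short-lived resolvable addresses, while one that merely hides its name still advertises a fixed address.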

Authentication: Even if a third-party smartphone successfully pairs with a tracker, some products have an additional security feature: authentication. Only three out of seven products use this second security threshold consistently: Basis Peak, Microsoft Band 2, and Pebble Time. While Xiaomi does also use the technology, it is quite simple to circumvent and therefore useless under certain circumstances. The other three products either do not offer this additional security or implement it inadequately.

Tamper protection: This item is just as interesting for users as it presumably is for health insurance companies or courts that rely on the authenticity of the data. That is why it was tested whether there is an integrity safeguard or access protection for the data stored in the tracker. Such protection must both prevent access by third parties and rule out tampering with the data by the smartphone owner. Only the products from Basis, Microsoft, Pebble and Xiaomi offer basic protection in this area. However, the Xiaomi device's weak authentication can be fooled: a third party can, for example, make the wristband vibrate, change alarm times, or even reset the tracker completely to factory settings.

The fitness trackers from Striiv and Mobile Action do not use any adequate, functioning authentication or other security mechanisms, and are therefore vulnerable to tampering. On the Striiv Fusion, the user's body measurements could be changed to superhuman values. These were then used as inputs for the calculation of distance traveled and calories burned. On the tracker from Mobile Action, it was likewise possible during the test to modify the stored user information on weight, height, step length, etc. These values were also used directly for the calculation of calories burned and distance traveled.
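As an added example (not code from the article or from any of the tested vendors), here is the kind of integrity safeguard the tamper-protection paragraphs ask for: the stored user profile is sealed with an HMAC under a per-device key, a write counter blocks rollback to an older record, and the distance and calorie calculation refuses any record that does not verify. The device key, record format and calorie formula are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed per-device secret. It must live in the tracker (and the vendor backend that an
# insurer trusts), never in the phone app, or the smartphone owner could re-seal tampered values.
DEVICE_KEY = bytes.fromhex("6f1c3b9a8d2e4f5a7b6c5d4e3f2a1b0c")

def _canonical(profile, counter):
    # Deterministic encoding so the MAC covers exactly the fields the calculation depends on
    payload = {"profile": profile, "counter": counter}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def seal_profile(profile, counter, key=DEVICE_KEY):
    """Stored record: profile, a monotonic write counter, and HMAC-SHA256 over both."""
    mac = hmac.new(key, _canonical(profile, counter), hashlib.sha256).hexdigest()
    return {"profile": dict(profile), "counter": counter, "mac": mac}

def verify_profile(record, last_counter, key=DEVICE_KEY):
    """True only if the MAC matches and the record is newer than the last accepted one."""
    expected = hmac.new(key, _canonical(record["profile"], record["counter"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"]) and record["counter"] > last_counter

def daily_summary(record, steps, last_counter):
    """Distance in metres and an illustrative calorie figure; refuses unverified profiles."""
    if not verify_profile(record, last_counter):
        raise ValueError("profile failed integrity check; refusing to compute")
    p = record["profile"]
    distance_m = steps * p["step_length_cm"] / 100
    kcal = p["weight_kg"] * distance_m / 2000  # illustrative: ~0.5 kcal per kg per km walked
    return distance_m, kcal

# Profile the user legitimately entered at setup (constructed values)
GOOD = seal_profile({"weight_kg": 75, "height_cm": 180, "step_length_cm": 75}, counter=1)

# The kind of "superhuman" rewrite the article describes for unprotected trackers
TAMPERED = copy.deepcopy(GOOD)
TAMPERED["profile"].update(weight_kg=300, step_length_cm=500)

if __name__ == "__main__":
    print("legitimate:", daily_summary(GOOD, 10000, last_counter=0))
    try:
        daily_summary(TAMPERED, 10000, last_counter=0)
    except ValueError as err:
        print("tampered:", err)
```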

The App – safeguarding and code check

Local storage: Even if the tracker's technology is secure, the corresponding app on the smartphone can be the weakest link. That is why the testers checked whether the apps store data where other apps on the smartphone can read it. On non-rooted Android devices, the platform's security functions normally prevent such access, but if data is saved in the wrong place, it is readable by everyone. Xiaomi MiBand was the only one committing this error. It stores an extensive log file of app activity in a completely open location. This log contains all the transmitted data, as well as user information, alias, body measurements, and much more, which is also used for the authentication process.

Code obfuscation: The second test looks for sloppy programming in the apps. It was checked whether the apps use code obfuscation. This technique hampers reverse engineering and hides useful information from attackers. The apps from Mobile Action, Pebble and Xiaomi use it throughout. The apps from Basis and Runtastic raised flags in this category: they do not use obfuscation consistently, which gives attackers a foothold. The products from Microsoft and Striiv do not use obfuscation at all, which means that specialists could analyze the apps.

Log and debug info: Another programming error is leaving log and debug output enabled. Sometimes there is so much important information in these outputs that other security mechanisms are defeated in the process. Only the app from Mobile Action works cleanly in this category. All the other apps continue to spit out information that attackers would love to get their hands on.

Secure online communication

The final check involved all connections established by the app. Can the communication be monitored, or does it perhaps even occur unencrypted? And if so, what is being transmitted? The good news: all connections that ought to be encrypted are encrypted. The open HTTP connections that were intercepted carried nothing of value, which is presumably why they were left unencrypted.

Furthermore, the lab examined whether the contents of a secure connection were readable after the installation of a root certificate. This check matters because installing a root certificate is one way for users to manipulate the transmitted data themselves. The products from Basis and Pebble show that security is also possible in this area: they are sufficiently protected against unwanted access. For all other products, the secure connections could be monitored and in some cases also successfully tampered with, so that authentication and synchronization data were readable.

Conclusion: sports, fun – and lack of security

As already witnessed in the initial test of fitness wristbands last year, many manufacturers are committing similar errors in the current test. They often don't pay sufficient attention to security. The risk assessment indicates that the Pebble Time, Basis Peak and Microsoft Band 2 trackers were among the most secure. They show minor errors, but on aggregate they offer few opportunities for attackers or tampering. After this test, the manufacturers are certain to fix some of the smaller defects via firmware updates.

The fitness wristband from Mobile Action shows multiple risk factors. It has a function that tells the user the tracker is invisible to others, but it is not. It also has deficiencies in authentication and tamper protection. In the test, user data could even be modified through the back door.

The trio of Runtastic, Striiv and Xiaomi racked up the most risk points: 7 to 8 possible risk points out of 10. These products can be tracked rather easily, use inconsistent or no authentication or tamper protection, the code of their apps is not sufficiently obfuscated, and their data traffic can be monitored and manipulated with root certificates. Worst of all, Xiaomi even stores its entire data unencrypted on the smartphone. You can read more about the lab's comprehensive security study on the testing of fitness trackers in this PDF file.