Some health insurance companies fund or encourage the use of these gadgets, since people who stay in shape are less likely to fall ill and claim benefits. AV-TEST experts therefore examined 7 of the most current fitness bracelets on the Android and Apple Watch platforms for their security. The study concluded that, to everyone's disappointment, some manufacturers still make unforgivable mistakes.
Smart watches and sports bracelets or trackers have become widely popular and are even recommended by various insurance companies around the world. European law allows health insurers to subsidise the purchase of these devices. In the United States, insurance bonuses are awarded if the policyholder can demonstrate his or her athletic performance with data recorded by a fitness bracelet. For example, the young New York company Oscar Health pays policyholders one dollar a day, provided they meet the daily fitness target.
Even a superficial glance at current and projected sales of activity-monitoring devices invites admiration. According to IDC, 26 million such devices were sold in 2014, more than 75 million in 2015, and sales are expected to reach 100 million units in 2016.
Below are the results of the laboratory's test of popular, current bracelets. All of the bracelets tested work only together with a companion app installed on a smartphone, so every finding covers both the device and its software. The laboratory also carried out a detailed check whose results are available for download as a PDF.
The Apple Watch is a special case: many of the test methods cannot be applied identically to iOS and Android, so the Apple Watch analysis is done separately and described in the final part of the article.
The following models were tested:
- Basis Peak
- Microsoft Band 2
- Mobile Action Q-Band
- Pebble Time
- Runtastic Moment Elite
- Striiv Fusion
- Xiaomi MiBand
- Apple Watch (see the end of the article).
The experts focused on two main questions:
1. For personal use, how well is the data stored on the bracelet or in the app's memory protected from spyware and hackers?
2. How well is the data stored on the bracelet or in the app protected from manipulation and falsification, which is vital for health insurers?
The first problem is that hackers may misuse personal information about the device's user, which is a significant drawback; all personal data must of course be protected. The second problem concerns the insurers that reward policyholders for achieving particular results in healthy living: if the bracelet or its app can be manipulated from outside, that property will certainly not be used for good purposes.
THREE STEPS TO RISK ASSESSMENT
The experts tested the bracelets of all selected brands against ten basic criteria, divided into three groups: protection level, app operation and online communication. The risk-assessment graphic shows the areas in which each test device has flaws, and each flaw is classified as a risk.
The terms "error" and "security gap" were chosen deliberately: the findings show a significant risk of intrusion, but none of them can be considered an "open door". The experts did not specifically try to "crack" the area under study; they only considered the theoretical possibility of "hacking" and its likely consequences.
BRACELET - CONNECTION, IDENTIFICATION, "HACKING"
Visibility: All sports bracelets use Bluetooth to communicate with the smartphone, and that is the first area to investigate. One of the most important security aspects is whether the bracelet is invisible to other Bluetooth devices.
An invisible bracelet cannot be connected to or tracked; devices can communicate only after a dedicated pairing, and only for a certain time. Of the tested devices, only the Microsoft and Pebble bracelets offer this. Tracking still requires certain skills, but it remains possible.
BLE privacy (Bluetooth Low Energy): The next security aspect is the BLE privacy feature, which is also supported by the Android platform. With it the device uses a random MAC address that is changed repeatedly, so the real address is never broadcast and the device is difficult to trace.
Of the tested devices, only the Microsoft Band 2 uses this technology; no other manufacturer employs it.
Controlled connection: Technically, several ways of connecting to a bracelet exist. One of the safest is an exclusive pairing, in which the bracelet accepts connections only from the one known smartphone. Among the tested models, Microsoft Band 2 and Basis Peak use this approach.
Pebble Time can connect to several devices at once, but the owner must confirm each connection request manually, which is likewise completely safe. Xiaomi MiBand takes another route: once connected, it simply becomes invisible and accepts no further connections.
Only the Striiv, Runtastic and Mobile Action bracelets lack any worthwhile protection against unknown devices connecting.
Authentication test: If an unknown smartphone does manage to connect to the bracelet, some manufacturers address this with authentication. Only three of the seven tested bracelets use this additional barrier: Basis Peak, Microsoft Band 2 and Pebble Time. Xiaomi uses a similar mechanism, but it is so simplified that it is easy to bypass, which makes it useless. The remaining three devices either have no additional protection at all or do not implement it correctly.
Protection against falsification: This item matters to individual owners as well as to insurers or courts, which can rely only on genuine data. The experts therefore also tested whether access to the personal data stored in the bracelet's memory is protected.
That protection must prevent third parties from interfering and also rule out modifications by the smartphone owner. Only the Basis, Microsoft, Pebble and Xiaomi products have basic protection of this kind, and the Xiaomi device is easily fooled because its protection is extremely weak: a hacker can make the bracelet vibrate, change the signal time, or reset all personal settings to factory defaults.
The Striiv and Mobile Action bracelets are extremely vulnerable, with no effective protection such as authentication. The Striiv Fusion even lets you change the wearer's basic body parameters to superhero values, and with that trick the distance travelled and calories burned are easily altered. On the Mobile Action bracelet the testers were able to change the stored weight, height and step length, and likewise the calories burned and distance travelled.
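What "protection against falsification" would have to look like in practice, as an added illustration that is not part of the AV-TEST study or any product's code: the bracelet tags each synced record with a key the phone app never holds, and the server rejects both records edited on the phone and values outside plausible limits. The key, field names and limits are constructed for this example.

```python
"""Tamper-evident activity sync: the bracelet tags each record with a key the
phone app never holds, and the server checks the tag and plausibility limits.
Constructed example: key, field names and limits are not from any product."""
import hmac
import hashlib
import json

# Provisioned into the bracelet at manufacture; the smartphone app never sees it
DEVICE_KEY = b"constructed-per-device-secret"

# Plausibility limits the server applies even to correctly tagged records
LIMITS = {"height_cm": (100, 230), "weight_kg": (30, 250),
          "steps": (0, 80000), "km": (0.0, 120.0)}

def canonical(record):
    """Sorted keys, no whitespace, so bracelet and server MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record, key=DEVICE_KEY):
    """Bracelet side: attach an HMAC-SHA256 tag over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify_record(signed, key=DEVICE_KEY):
    """Server side: returns (accepted, reason)."""
    record, tag = signed["record"], signed["tag"]
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag: record changed after it left the bracelet"
    for field, (lo, hi) in LIMITS.items():
        if field in record and not lo <= record[field] <= hi:
            return False, f"implausible {field}={record[field]}"
    return True, "ok"

def demo():
    """A genuine record, one edited in the phone app, and 'superhero' body values."""
    day = {"day": "2016-03-01", "height_cm": 178, "weight_kg": 75, "steps": 9500, "km": 7.2}
    genuine = sign_record(day)
    # Numbers edited on the phone after sync: the old tag no longer matches
    forged = {"record": dict(day, steps=60000, km=45.0), "tag": genuine["tag"]}
    # Values written into an unauthenticated bracelet carry a valid tag but fail the limits
    superhero = sign_record(dict(day, height_cm=300))
    return verify_record(genuine), verify_record(forged), verify_record(superhero)

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```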
THE APP: SECURITY SETTINGS AND CODE CHECK RESULTS
Local storage: Even if the bracelet itself is secure, the app installed on the smartphone may be very weakly protected.
The testers therefore checked whether the app makes its data available to other apps on the smartphone. Android provides functions that keep an app's data away from other apps, but if the data is stored in a different folder it becomes readable by everyone. Xiaomi MiBand is essentially the only product with this defect uncorrected: it stores system log files about the app's activity in a completely insecure location.
These logs contain all the stored data as well as information about the user, the nickname, basic body parameters and much other information used for authentication.
Code obfuscation: The next test looks for careless programming by checking whether the app uses code obfuscation.
Obfuscation hampers reverse engineering and hides information that is useful to hackers. Mobile Action, Pebble and Xiaomi use it quite successfully. Basis and Runtastic failed this point: they use no obfuscation at all, which makes an attacker's job easier. Microsoft and Striiv do not use it either, as confirmed by the fact that the specialists were able to inspect the internals of all these apps freely.
Log and debug data: Another significant programming error is writing debug information to logs. Such logs sometimes contain enough data to render every security measure useless during an attack. Only the Mobile Action app resists this; all the other apps freely hand hackers all the information they need.
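The two app-side findings above (data in a folder other apps can read, and debug logs carrying user and authentication details) are the kind of thing a tester checks with a small audit script. The following is an added example, not from the AV-TEST laboratory or any app under test; the file listing, the package name com.example.fitapp and the log lines are all constructed.

```python
"""Audit where a companion app writes its files and what those files leak.
Constructed input: an 'ls -l'-style listing of files the app wrote on an Android
phone, and the contents of one of its log files. Neither is from a real app;
the package name com.example.fitapp is a placeholder."""
import re

# Constructed listing: (path, mode string as shown by ls -l)
SAMPLE_FILES = [
    ("/data/data/com.example.fitapp/shared_prefs/session.xml", "-rw-------"),
    ("/data/data/com.example.fitapp/databases/steps.db", "-rw-rw-rw-"),
    ("/sdcard/fitapp/debug.log", "-rw-rw-r--"),
]

# Constructed log lines in Android logcat style
SAMPLE_LOG = """\
D/Sync: user=jane_doe height=172 weight=64.5
D/Auth: Authorization: Bearer constructed-token-value
I/BLE: paired device BB:CC:DD:EE:FF:01
"""

# Patterns for the kinds of data the study found in exposed logs
SENSITIVE = {
    "credential": re.compile(r"(?i)(authorization:|bearer |token=|password=)"),
    "body_data": re.compile(r"(?i)\b(height|weight|step_length)="),
    "identity": re.compile(r"(?i)\b(user|nickname|email)="),
}

def storage_risk(path, mode):
    """'private' only if the file is in the app's own data directory and no
    group/other permission bit is set; anything on shared storage is 'exposed'."""
    in_private_dir = path.startswith("/data/data/")
    others_have_bits = any(bit != "-" for bit in mode[4:])  # group + other rwx
    return "private" if in_private_dir and not others_have_bits else "exposed"

def sensitive_lines(log_text):
    """Return (line_no, category, line) for every log line matching a pattern."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for category, pattern in SENSITIVE.items():
            if pattern.search(line):
                hits.append((n, category, line))
    return hits

def audit(files=SAMPLE_FILES, log_text=SAMPLE_LOG):
    """Combine both checks into one report."""
    exposed = [path for path, mode in files if storage_risk(path, mode) == "exposed"]
    return {"exposed_files": exposed, "log_leaks": sensitive_lines(log_text)}

if __name__ == "__main__":
    print(audit())
```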
SECURING ONLINE COMMUNICATIONS
The last test examined all the connections the app establishes: are they encrypted, and if not, what information do they expose? The good news: every connection that needs encryption is encrypted. The unencrypted HTTP connections that were intercepted turned out to carry nothing useful, and in all likelihood nothing that needed encrypting.
The laboratory experts also examined whether transmitted information became readable after installing a root certificate on the phone. This test matters because it shows whether owners themselves can manipulate the transmitted data. As the researchers found, it is quite possible to protect against this, as the Basis and Pebble products do.
They have an adequate degree of protection against such interception. With all the other devices it proved possible to take control of the secure connections and, at least in part, to intervene in them successfully, so that authentication and synchronisation data could be read.
The experts' main conclusion: sport, fun and a lack of security.
As already noted in last year's analysis of sports bracelets, many manufacturers are still making the same mistakes this year; very often they do not pay enough attention to security. According to the risk assessment, the Pebble Time, Basis Peak and Microsoft Band 2 are the best protected. They have minor shortcomings, but in practice they leave hackers very little chance. After this test, manufacturers try to fix small problems through updates.
The Mobile Action fitness bracelet is also not free of detected risk factors. It assures owners that their information remains invisible to others, but unfortunately that is not so, and it also has shortcomings in authentication and tamper protection.
The three manufacturers Runtastic, Striiv and Xiaomi scored a significant number of risk points: 7 to 8 out of ten. These devices are easy to track; their protection against interference and their authentication are inconsistent or absent; the app code is not obfuscated enough; and the data traffic can be controlled and read using a root certificate. Worst of all, Xiaomi stores all the data on the smartphone unencrypted and freely accessible.
More details of the laboratory's comprehensive security study of sports bracelets can be found in the accompanying PDF.
CHECKING YOUR APPLE WATCH DEVICE FOR SECURITY
The Apple Watch can also be used as a sports bracelet, together with the iPhone. How secure is its data handling, and can outsiders get at the data?
The Apple Watch test plan was designed similarly to the Android one. However, iOS and Android differ so much in several criteria that the risk could not be assessed in the same way, while other criteria matter little for Apple. The spyware category therefore examined BLE privacy and connection control; the online communications category examined how well the connections are encrypted and whether the traffic can be manipulated using root certificates.
Bluetooth discoverability can be switched off independently, so the watch cannot be monitored continuously. The BLE test also proved interesting: the Apple Watch is supposed to generate a new MAC address every time Bluetooth is activated, which would make tracking impossible. During the test this worked consistently, but after airplane mode was switched on and off, the Apple Watch repeatedly showed its original MAC address again, which should not happen.
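The BLE privacy findings, for the Microsoft Band 2 in the Android section and for the Apple Watch's reappearing MAC address here, can be checked from a plain scan log. The following is an added example, not code from the AV-TEST laboratory; the scan entries and device labels are constructed, and the address classification follows the Bluetooth Core Specification's public, static random and private address kinds.

```python
"""Check whether a BLE wearable can be tracked by its advertised address.
Constructed scan log: each entry is (session, device_label, addr_type, address).
A 'session' is one Bluetooth off/on cycle (e.g. airplane mode toggled), which is
when a device with BLE privacy should move to a fresh random address."""
from collections import defaultdict

SAMPLE_SCANS = [
    (1, "fixed-band",   "public", "00:1A:7D:DA:71:13"),
    (2, "fixed-band",   "public", "00:1A:7D:DA:71:13"),
    (1, "static-band",  "random", "C4:2B:15:9E:00:01"),
    (2, "static-band",  "random", "C4:2B:15:9E:00:01"),
    (1, "stuck-band",   "random", "40:77:A1:3C:05:66"),
    (2, "stuck-band",   "random", "40:77:A1:3C:05:66"),
    (1, "reuse-watch",  "random", "5A:10:20:30:40:50"),
    (2, "reuse-watch",  "random", "6B:11:22:33:44:55"),
    (3, "reuse-watch",  "random", "5A:10:20:30:40:50"),   # old address is back
    (1, "private-band", "random", "4C:01:02:03:04:05"),
    (2, "private-band", "random", "7F:06:07:08:09:0A"),
]

def classify_address(addr_type, address):
    """addr_type is the advertisement's TxAdd flag ('public' or 'random'); for
    random addresses the two most significant bits of the first octet decide."""
    if addr_type == "public":
        return "public"
    top = int(address.split(":")[0], 16) >> 6
    return {0b11: "static random",           # fixed for the device's lifetime
            0b01: "resolvable private",      # rotates; bonded peers resolve it via IRK
            0b00: "non-resolvable private"}.get(top, "reserved")

def trackability(scans):
    """Map each device label to a verdict on whether its address lets it be followed."""
    per_session = defaultdict(lambda: defaultdict(set))   # label -> session -> addresses
    kinds = defaultdict(set)
    for session, label, addr_type, address in scans:
        per_session[label][session].add(address.upper())
        kinds[label].add(classify_address(addr_type, address))
    verdicts = {}
    for label, sessions in per_session.items():
        ordered = [sessions[s] for s in sorted(sessions)]
        came_back = [ordered[i] & set().union(*ordered[:i]) for i in range(1, len(ordered))]
        if kinds[label] & {"public", "static random"}:
            verdicts[label] = "trackable: fixed address"
        elif len(set().union(*ordered)) == 1 and len(ordered) > 1:
            verdicts[label] = "trackable: random address never rotated"
        elif any(came_back):
            verdicts[label] = "weak: an earlier address came back after a reset"
        else:
            verdicts[label] = "private: fresh address every session"
    return verdicts

def assess_sample():
    return trackability(SAMPLE_SCANS)
```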
Connection control on the Apple Watch is implemented with anti-theft technology: once an account is tied to the watch it is very hard to detach, and even a full reset does not help. If a thief sells the watch, the new owner will never be able to connect it to their iPhone.
For secure connections the Apple Watch reliably uses encrypted connections with additional protection. Updates, however, can be downloaded over an unencrypted HTTP channel.
In connections that were merely encrypted, without the additional protection, the experts were able to read some information: text strings containing geographical data on the owner's whereabouts, down to the address. The next step, as with the Android devices, was the root certificate, with which it became possible to take control of many connections. In this way the owner can gain more access to the data and manipulate it.
Overall, the Apple Watch ranks among the best smart devices for data protection. The experts did identify theoretical weak points, although the time and effort needed to gain access to the watch turned out to be extremely high.