Fitness monitors popular with consumers are at risk of leaking data and allowing attackers to modify information on the devices, according to a study released on June 23 by German security testing firm AV-Test.
The testing firm did not attempt to hack the devices, but instead eavesdropped on their communications and looked for security weaknesses. The researchers also evaluated the security and data-protection capabilities of the applications used to manage the devices.
The study found that the devices had up to nine security issues, out of the 11 issues, for which the company tested. Most of the devices did not allow Bluetooth to be disconnected on the wristband and some applications associated with the fitness devices exposed log information. All of the applications did encrypt communications, however.
"We all know that criminals will find a way to gain financial profit from these security problems sooner or later—they are more creative than we are," Maik Morgenstern, chief technology officer for AV-Test, said in an email interview with eWEEK. "That is why, at least the basics of security—encryption and proper authentication, secure updates, secure storage and communication—should be enforced for all devices that are connected to the Internet."
As consumer devices become increasingly connected into what is known as the Internet of Things, they have become a focal point of security research. Starting with smart phones, researchers have found security vulnerabilities that could allow eavesdropping and hacking. Home automation, automobile computer systems and industrial-control systems are now all under scrutiny.
In the latest research, AV-Test looked at devices from nine different major manufacturers, including Acer, Fitbit, Garmin, Sony and Withings. Acer's Liquid Leap wristband fell short in nine of the 11 tests, including not allowing Bluetooth to be turned off, failing to show confirmation of pairing on the devices and leaving debug data in the application. Fitbit's Charge had seven of 11 tested weaknesses, including exposing log information and leaving the device always visible via Bluetooth.
While the security failures will not likely lead to significant breaches, they could allow pranksters to modify a wristband’s data and cause data loss for the user. The researchers, for example, were able to use the issues to hack together a program that could communicate with the Acer wristband, ask for specific data and return modified information.
The wristband "readily delivered all its data, as if it had been connected to the original app," AV-Test wrote in the report.
In addition, as fitness devices become more capable and record more data, any security shortcomings could constitute a major privacy risk in the future, AV-Test's Morgenstern said.
"The Internet of Things is inherently insecure," he said. "Security is often not part of the design and its implementation is often flawed."