Testing the Security Fitness of Wearables and Who’s Out of Shape

As one of the most visible aspects of the Internet of Things (IoT), wearables are becoming commonplace on wrists throughout the country. They track, record and analyze activity (and behavior to an extent), giving consumers insight into their daily habits and offering helpful tips on living a healthier life. But how do they do this without also broadcasting user data with reckless abandon?

AV-TEST, a German security research lab, put nine fitness wristbands through the wringer with several tests designed to gauge the health of their protective measures. Each wristband failed at least one of the tests, but some of the most popular wearable fitness trackers appeared to be significantly out of shape when it came to security.

So why is this important?

Not only do these trackers record and broadcast your daily fitness habits — everything from your walking route and time of day to your sleeping habits — but they can also broadcast sensitive information like your email address, date of birth and other account information useful to identity thieves. You are essentially wearing some of your most vital data on your wrist, and this could have serious implications for your identity if not protected properly.

The most troubling part of all of this is how easy it is to access that data. In AV-TEST’s results, two of the most popular wearable fitness trackers can be accessed from any Bluetooth-LE-enabled device without user authorization. In fact, seven out of the nine tested wristbands can be used on several smartphones simultaneously, according to AV-TEST. It would be trivial for an unscrupulous hacker to set up a system where they can simply catch valuable data out of the air.

In some cases, cybercriminals may be able to manipulate data, too. Hackers would be able to reset alarms, delete accounts, trigger vibrations and alter a device’s time. These may seem like smaller inconveniences, but they could have serious ramifications, as several countries across the globe allow insurers to use fitness trackers to reward activity with discounts on insurance contributions, among other things. A lazy customer could easily manipulate data to make it appear they’re active. Likewise, a less-than-honest employer could manipulate data to make it appear as if an insured employee doesn’t exercise.

Finally, the more opportunities hackers have to compromise devices, the more chances they have to access sensitive information or spread malicious software. When wearables lack basic security precautions, we’re all put at risk.

Wearables can be immensely useful, but they need to be secure. The same privacy and safety precautions used for mobile devices and computers should apply to wearables — especially when they’ll set the standard for IoT devices for years to come.

Security-conscious users should take precautions with all of their devices. If you own wearable technology, be proactive and stay on top of updates issued by the manufacturer. As always, know what sort of information your devices and programs gather on you and adjust their settings accordingly.
