Manufacturers are still careless when it comes to IoT security, as seven of the newest Android-based fitness trackers and Apple’s smart watch have shown security weaknesses that hackers can use to steal and manipulate data, AV-TEST found.
AV-TEST ran risk assessment tests in areas such as the security of connection, authentication, online communication, visibility and privacy for Basis Peak, Microsoft Band 2, Mobile Action Q-Band, Pebble Time, Runtastic Moment Elite, Striiv Fusion, Xiaomi MiBand and the Apple Watch. The focus was to investigate whether the data was secure and protected against third-party hacking, spying and manipulation.
The most red flags were raised by Runtastic, Striiv and Xiaomi, with seven or eight risk points out of a possible 10.
“These products can be tracked rather easily, use inconsistent or no authentication or tamper protection, the code of the apps is not sufficiently obfuscated, and data traffic can be manipulated and monitored with root certificates,” the report said. “Worst of all, Xiaomi even stores its entire data unencrypted on the smartphone.”
The most secure proved to be Pebble Time, Microsoft Band 2, Basis Peak and the Apple Watch, the last of which was more difficult to hack in spite of some theoretical vulnerabilities. “If airplane mode is switched on and off, however, the Apple Watch always shows its genuine MAC address to the Bluetooth components. This should actually not be the case.”
More than 75 million of these wearables were sold in 2015, and health insurance companies encourage users to purchase them, sometimes even offering incentives. International Data Corporation (IDC) anticipates the number of wearables sold in 2016 will surpass 100 million.