Are fitness bands safe? Where do they send medical data?

Year after year, demand for "smart" devices that measure fitness (fitness bands) keeps growing. According to GfK research, sales of fitness bands in Europe rose by as much as 22% in 2017 compared with the previous year. The AV-TEST laboratory, which examined the security of fitness bands, quotes figures that agree with GfK: in neighbouring Germany more than one million such devices were sold in each of the years 2015-2017, with an upward trend. Will activity trackers end up in every household around the world? That remains to be seen. In the meantime, we look at how things really stand with the security of fitness bands and the data they collect about you.

The security of local communication (band <-> smartphone) and external communication (application -> manufacturer's cloud), as well as data protection, were checked for the following devices:

  •     Apple - Watch Series 3
  •     Fitbit - Charge 2
  •     Garmin - vívofit 3
  •     Huawei - Band 2 Pro
  •     Jawbone - UP3
  •     Lenovo - HW01
  •     Medion - Life S2000
  •     Moov - Now
  •     Nokia - Steel HR
  •     Polar - A370
  •     Samsung - Fit2 Pro
  •     TomTom - Spark 3
  •     Xiaomi - Mi Band 2

A fitness band is packed with sensors. Thanks to them it can collect detailed data about the person wearing it. A GPS module supplies location data and the distance covered. Movement patterns such as swimming, skiing, running or resting are recognised as well. The devices record inactivity during the day and night and determine sleep phases. In effect, the band knows more about its owner than the family doctor does. Manufacturers are certainly pleased, because in the United States such data is already used to set private health insurance premiums: a user who demonstrably looks after their health pays less than a peer who uses the band for anything other than analysing sports results and setting new records.


Disclosure of such medical data can be costly. All of it is sent to the manufacturers' servers, where it is stored, analysed and sometimes sold to insurers or marketing companies. This creates a risk of misuse when the data is combined with other information (e.g. from social media), which allows a private profile of a person's health and lifestyle to be built. Employers, leasing companies and, above all, insurers are interested in such data, which can be used to assess risk before signing long-term contracts.

Unfortunately, this is already the direction of travel. Take the American private insurer John Hancock as an example. For $25 it offers customers an Apple Watch Series 3 (worth $329) in exchange for transmitting readings about the insured person's condition. People who, for whatever reason, fall ill and do not meet the "limits" can be penalised financially, and the amount may well exceed the normal price of Apple's watch. It also works the other way: in exchange for staying in good shape and, for example, taking 60,000 steps a week, customers can earn points that can be exchanged for cheaper or free services.

The GDPR (in Poland known as RODO), which comes into force on May 25, 2018, may be a lifeline for Europeans. We have heard various opinions: that the GDPR brings nothing new to data security, because regulations allowing data breaches to be pursued already existed, or that the GDPR is such a revolution that it will take several more years before every business can fully adapt. The fact is that some companies from outside Europe are withdrawing from the European market or blocking EU citizens out of fear of the GDPR, which obliges even the smallest business to comply with European personal data protection rules. The regulation applies to literally every entity operating in the European Union. Anyone who wants to collect data on people living on the Old Continent must meet the new requirements or get used to horrendously high financial penalties. We will see.

Fitness bands: Security

The test consisted of checking the security of data transmitted between the bands and their smartphone applications, and verifying whether data is sent from the device to the manufacturer's servers over an encrypted channel.

[Image: fitness band test results]

Security of data transmission between the wristband and the smartphone

Data transmission between the bands and smartphones takes place over Bluetooth. In the test, only 9 of the 13 manufacturers encrypt the transmitted data. The ideal situation is when the connection is authenticated, for example with a username and password. Another important aspect was whether the band sends the collected data only to a smartphone that has been authenticated.

In a few cases the connection between the band and the smartphone was not encrypted and/or was established without prior authentication. The bands to name here are the Medion Life S2000, Xiaomi Mi Band 2, Moov Now and Lenovo HW01, the last of which had the worst transmission security of all.

Security of data transmission to the manufacturer's server

Almost all devices were resistant to man-in-the-middle attacks. Almost, because this does not apply to Garmin and Lenovo. For the first manufacturer, a simple firmware update is enough to fix the problem. Lenovo failed again: registration and login to the online account went over an unencrypted protocol. Although the username and password themselves were encrypted, the remaining statistics were sent in the clear and allowed access to the actual account.
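How a lab arrives at a finding like the Lenovo one: the companion app's traffic is routed through an intercepting proxy and every request is checked for two things, whether account or health data leaves the phone over plaintext HTTP, and whether it goes to a host other than the manufacturer's own (the "huge number of third-party addresses" problem described later). The script below is an added example, not AV-TEST's tooling or any manufacturer's code. It triages a constructed capture in Python; the domains, paths and field names are made up for the example.

```python
"""
Triage a companion app's outbound requests the way a test lab would after
capturing them through an intercepting proxy. Two checks are mechanised:
  - account or health data leaving the phone over plaintext HTTP
  - requests going to a host that is not the manufacturer's own
All hostnames, paths and field names are constructed for this example.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# Hypothetical first-party domain of the band's manufacturer. Everything else
# is treated as a third party (analytics, ad networks, crash reporters, ...).
FIRST_PARTY_DOMAINS = {"example-band.test"}

# Field names treated as sensitive: account material plus anything describing
# the wearer's body, activity or location. Illustrative, not exhaustive.
SENSITIVE_FIELDS = {
    "password", "token", "session", "email", "user_id",
    "steps", "heart_rate", "sleep", "weight", "calories",
    "distance", "lat", "lon",
}


@dataclass
class Capture:
    """One request as an intercepting proxy would record it."""
    method: str
    url: str
    body: str = ""   # raw body: form-encoded, JSON, or empty


def field_names(cap: Capture) -> set:
    """Collect parameter names from the query string and the body."""
    names = set(parse_qs(urlsplit(cap.url).query).keys())
    body = cap.body.strip()
    if body.startswith("{"):
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            doc = {}
        if isinstance(doc, dict):
            names.update(doc.keys())
    elif body:
        names.update(parse_qs(body).keys())
    return {n.lower() for n in names}


def is_first_party(host: str) -> bool:
    """True if host is one of FIRST_PARTY_DOMAINS or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def triage(cap: Capture) -> tuple:
    """Return the findings for one request as a tuple of short tags.
    'plaintext'   : sensitive fields sent over http:// (readable by anyone on
                    the path, which is exactly what the lab's MITM proxy is)
    'third-party' : request destined for a host outside FIRST_PARTY_DOMAINS
    An empty tuple means nothing to report."""
    parts = urlsplit(cap.url)
    findings = []
    sensitive = field_names(cap) & SENSITIVE_FIELDS
    if parts.scheme == "http" and sensitive:
        findings.append("plaintext")
    if not is_first_party(parts.hostname or ""):
        findings.append("third-party")
    return tuple(findings)


# Constructed sample capture, modelled on the cases described in the article:
# a TLS login, a plaintext stats sync, an analytics beacon, a harmless download.
SAMPLE_CAPTURES = [
    Capture("POST", "https://api.example-band.test/v1/login",
            '{"email": "a@b.test", "password": "hunter2"}'),
    Capture("POST", "http://api.example-band.test/v1/sync",
            "user_id=123&steps=8421&heart_rate=72"),
    Capture("GET", "https://collect.tracker.test/hit?uid=123&steps=8421"),
    Capture("GET", "http://cdn.example-band.test/firmware/changelog.txt"),
]


def report(captures=SAMPLE_CAPTURES) -> dict:
    """Map each URL to its findings; URLs with nothing to report are omitted."""
    return {c.url: triage(c) for c in captures if triage(c)}


if __name__ == "__main__":
    for url, tags in report().items():
        print(f"{', '.join(tags):>12}  {url}")
```

Run against the sample, only the plaintext sync and the analytics beacon are reported; the login is fine because the credentials travel inside TLS, and the changelog download is plaintext but carries nothing sensitive. Note that encrypting the login alone, as Lenovo did, does not pass this check: the sync request with the user ID and step counts is the one that gets flagged.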

[Image: Lenovo fitness data leak]

Privacy of data

Most privacy policies state whether user data is stored and processed outside the European Union. Garmin, Huawei, Nokia and Samsung completely rule out passing such data to third parties without the user's consent.

Moov's ambiguous privacy policy made an unfavourable impression, as it does not even reveal which user data the vendor tracks. Lenovo is worse still. Its privacy policy says very little, and on top of that, as the testers describe, the company's device communicated with a huge number of third-party web addresses.

It matters who receives the data

Anyone who uses a fitness band should remember the Cambridge Analytica scandal, in which the data of an estimated 80 million Facebook users was sold on. For this reason, a buyer of such a band should consider carefully whether they really want to pair the device with Facebook or another social media site. Of course, the encouragement to show off one's "successes" can be tempting, but on the other hand Facebook can pass such data on to unspecified companies. Let us hope the GDPR proves good for something.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.