BSI report: Significant vulnerabilities in fitness trackers & co.

The BSI has put wearables with medical functions to the test. Many of the devices tested are potentially highly vulnerable to attacks.

Person with fitness bracelet ties sports shoes (Image: Maridav / Shutterstock.com)

Wearables, which can also be used for medical purposes such as measuring bodily functions, often have significant gaps in IT security and the protection of transmitted health data. This is the result of the final report on the project "Security of wearables with medical sub-functionalities" (SiWamed) by the German Federal Office for Information Security (BSI). According to the results, many of the devices tested are open to attack. Vulnerabilities in encryption, inadequately secured communication channels and inadequate authentication mechanisms can enable criminals to intercept or manipulate sensitive information.

At the same time, the market for such health wearables is growing rapidly, according to the study, which increases the risk of security incidents. The analysis was carried out by the cyber security company eShard and the development service provider Eesy-Innovation on behalf of the BSI. The first version of the report was already available to the authority at the end of November 2023, but it has only now been published. According to the report, the experts selected ten products for "a detailed security investigation". These included six connected watches such as smartwatches, three fitness trackers and a smart ring. The researchers uncovered a total of 110 vulnerabilities, which they classified as "medium" or "high". None of the devices were completely free of security vulnerabilities.

The most frequently found vulnerabilities relate to user authentication and Bluetooth communication. Many devices do not even ask for a PIN, the testers criticized. Where a device does check whether an authorized user has access, the implementation of that check is often weak. Seven of the eight vulnerabilities classified as "high" related to the Bluetooth protocol, which is the main channel for connecting the portable device to the mobile application. Most of the apps tested also had no mechanisms for anti-debugging or detecting rooting. Such measures could at least help to ward off advanced attackers and protect users' data if the platform is compromised or the mobile application is attacked.

Due to the gaps, the researchers were sometimes able to intercept the firmware during the update process. If the firmware is not properly protected, for example by signatures or by checks for information leaks, an attacker could then analyze and manipulate it. The testers also found that some vulnerabilities occurred repeatedly because of the use of standardized operating systems, software and shared infrastructures. This increases the risk of "large-scale attacks on many devices simultaneously". In general, the results "raise questions and concerns" in view of the sensitivity of the processed data.
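The firmware finding above comes down to whether the device verifies a vendor signature before it applies an update. As an added illustration that is not part of the BSI report or this article, the following Go sketch has a vendor sign the update over its version number and image hash, and the device reject both a tampered image and a version rollback; the update format, field names and the in-memory keys are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed firmware package as the device would receive it.
// The signature covers version || sha256(image), so neither the image nor
// the version field can be altered in transit without failing verification.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

func signedMessage(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// BuildUpdate is the vendor side: sign the update with the vendor's private key.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, signedMessage(version, image))}
}

// VerifyUpdate is the device side: accept only if the signature verifies under
// the vendor public key baked into the device and the version does not roll back.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(vendorPub, signedMessage(u.Version, u.Image), u.Signature) {
		return errors.New("firmware rejected: signature invalid")
	}
	if u.Version <= installed {
		return errors.New("firmware rejected: version rollback")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // assumed vendor key pair
	u := BuildUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine:", VerifyUpdate(pub, 1, u))
	u.Image[0] ^= 0xff // simulate modification in transit
	fmt.Println("tampered:", VerifyUpdate(pub, 1, u))
}
```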


On the one hand, it is conceivable that wearables could be used for targeted attacks on people who use the corresponding sensor technology, the authors explain. This could lead to misjudgements about their own state of health, which could result in potentially dangerous self-medication. This applies, for example, to manipulated measurements of blood sugar levels, blood pressure or oxygen saturation in the blood. The disclosure of sensitive information and blackmail are also conceivable. Consumers should be reminded not to trust the data and information provided by wearables without reservation. According to the Cyber Resilience Act, from the end of 2027, products "with digital elements" may only be placed on the market in the EU if they meet minimum cyber security requirements. TÜV SÜD is therefore urging manufacturers of health wearables to undergo regular testing by independent third parties.

(vbr)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.