Security and Privacy Flaws Discovered on Popular Wearable Devices

We uncovered disturbing vulnerabilities in top non-watch smart wearables

Here at vpnMentor, we commissioned a report to test the security and privacy of three wearables in the health and fitness sectors.

Digitsole Warm Insoles, Modius Headband and Ivy Health Kids Thermometer were all found to be collecting and exposing personal information, putting their users’ privacy at risk. In the case of Digitsole and Modius, hackers were able to pair with a user’s device and control it, allowing them to cause physical harm to the person using it.

We describe the details of our findings below.

What is Wearable Tech?

Wearable Tech, which stands for wearable technology, are smart gadgets that you wear. These gadgets have smart sensors, web connection, and can connect wirelessly to your phone. Popular wearables include smartwatches, fitness trackers, video glasses, and more.

While these wearables are useful in many ways, they connect to the internet, which means they can be hacked.

How We Inspected These Devices

We took a look at three wearable devices all pertaining to health or fitness in some way. We downloaded the latest versions from the Google Play Store on an Android 8.0 phone and intercepted and scanned Bluetooth and WiFi traffic.

We graded each device out of 5 on both security and privacy.

Security is measured by how easily a hacker can access the user information and control the device.

Privacy is measured by what data the app collects from its users (with or without permission).

Our research found that all three of these apps connect via Bluetooth without any authentication, collect location and personal identifiers, and used Facebook or Google Analytics.

 

Digitsole Warm Insoles Collects location, age, height, gender, weight, speed, calories burned, steps taken, and Facebook information. Final security score: 2/5 Final privacy score: 2/5
Modius Headband Collects location, fingerprint, Facebook information, and unique mobile device identifiers Final security score: 4/5 Final privacy score: 3/5
Ivy Health Kids Collects location, camera, child and parent personal information, temperature measurements, Google Analytics, and unique mobile device identifiers. Final security score: 2/5 Final privacy score: 2/5

Details of Wearable Tech Vulnerabilities

Digitsole Warm Insoles

These insoles are intended and designed for avid runners in cold climates. The insoles not only warm your feet, but they track users’ day-to-day physical activities.

Our report showed that the app exposes personal information, including locations.

According to Digitsole’s privacy policy, the app collects little user information and none of it is sold or forwarded to third parties. It also states that there is a way to erase any and all user-collected data.

However, we noticed that the app accesses your location and phone storage. We also noticed that the app collects data about your Facebook profile and friends, the number of steps you take per day,  how many calories you burn, your speed, gender, weight, and height.

In addition, the app continues to access your phone’s location as long as your location is turned on and the device is running in the background, even if you toggle the tracking feature off.

By connecting to Bluetooth, which has no authentication, hackers can easily change the temperature of the insoles, sometimes raising the heat to 113°F (45°C). They are also able to collect the information the user did and did not give.

Data directly given by the user when signing up to Digitsole: Data not directly given by the user:
  • Age
  • Location with a timestamp
  • Height
  • Facebook profile and friends
  • Weight
  • Calories burned
  • Gender
  • Speed
  • Steps taken

Signup data is sent to Digitsole’s servers. Real-time data, however, is sent to the servers at a fixed interval every few seconds. All data is sent over an encrypted connected utilizing HTTPS.

The Digitsople app collects Facebook data

Modius Headband

This wearable weight loss device was found to have vulnerabilities regarding users’ information.

The Modius Headband is designed to change a user’s body weight and appetite by sending electric signals to the brain.

We tested version 1.6.0 of Modius’ Android app and found that it collects both location and fingerprint access.

It’s certainly advanced technology; however, since it connects to Bluetooth (which is not authenticated) hackers were able to gain details about a user’s body, including waist length, body fat percentage, and even fingerprints.

Penetration hackers were also able to find out the location of each user and, when physically close enough, were able to control the device. This means that they could start or stop a headband scan and alter the electric current to the highest level, which causes nausea and general sickness.

While this is dangerous, we did not find any exposure to private user information.

However, we were able to track the following:

  • Location
  • Fingerprint
  • Facebook tracking
  • Weight
  • Height
  • Waist Length
  • Body fat percentage
  • Modius device usage history
  • Personal data, Date of birth, Name, and email address.

Modius’ app both integrates with Facebook and requires location access. 

All personal data is sent to Modius’ servers after registration, while all remaining data is sent whenever the application is used in regular intervals. We also saw that all data is sent over an encrypted channel utilizing HTTPS.

Ivy Health Kid’s Thermometer

This smart and portable arm thermometer is intended for babies and small children and connects over Bluetooth to a mobile device app which controls it. This useful device allows you to monitor your baby’s temperature at all times and reports its finding to your phone via Bluetooth.

While physical damage cannot be done, we found that it exposes personal information.

Out of the three wearables tested, the amount of information collected by Ivy Health Kids was the highest.

We tested version 1.0, which requires a lot of permissions including to read and write access to external storage, camera, location, and more.

IvyHealth’s list of permissions

Hackers were able to access children’s names, date of birth, gender and more from those who used the device to monitor temperature. Attackers also found information regarding the relationship of each child’s family. This information can potentially expose an entire family’s structure, relationship, and, of course, their temperatures. and their temperature measurement history.

Perhaps the most concerning is the fact that the app’s API and portal are served over insecure HTTP. This vulnerability leaves the user’s username and password at risk.

With these vulnerabilities, it’s no wonder that the security of wearable remains questionable, and even simple devices can be compromised. Germany banned kids smartwatches last year and China banned smartwatch usage in the army a few years ago.

But the increased risk surrounding wearables is not stopping its rise. The overall wearables market is expected to grow from 113.2 million shipments in 2017 to 222.3 million in 2021 with a compound annual growth rate (CAGR) of 18.4%, according to the International Data Corporation (IDC) Worldwide Quarterly Wearable Device Tracker.

Is now the time to rethink our approach to security and privacy when it comes to wearables?

Click here to see the full report containing more details relating to the privacy and security rankings of each device.

Was this helpful? Share it!