New report discovers some wearables have avoidable Bluetooth risks

The wearable security debate gets another notch

Wearables are the most personal devices we own, and we consistently grant them access to private health information, location data and more. Sometimes we sync up our Facebook with them, and other times we give them to our kids. So naturally, we have to take privacy and security with them seriously.

vpnMentor, a website dedicated to reliable and honest tips for VPNs, has commissioned a report from CI4S Limited, which provides cyber intelligence and related tech to companies, to dig into the security and privacy levels of three wearables: the Modius Headband, Digitsole Warm Insoles and Ivy Health Kids Thermometer.


However, the report only assessed the risks of the devices and companion apps when synced to an Android phone running 8.0 Oreo. The report found that Digitsole doesn't implement authentication when pairing over Bluetooth, which it says means an attacker within range could hijack the Warm Insoles and send them commands to do things like change the temperature.

In addition, as the companion app collects age, height, weight, gender, speed, calories burned, steps taken, plus Facebook and location information, vpnMentor's report argues that should someone hack the user's Android phone, they'd also be able to access all this information.

Modius fared a little better, scoring a four out of five on the security assessment and three out of five on the privacy assessment. Similarly, the report found that should an attacker gain access to the user's phone, they'd be able to access coarse location, fingerprints, Facebook, biometric data, device usage history and personal data like birthdate.

For its part, Modius tells Wareable its code currently has the Facebook SDK included but that it hasn't yet implemented Facebook authentication, which means that Facebook tracking and a potential hacker gaining access to Facebook credentials aren't possible yet. Fingerprints are also part of an external library that Modius doesn't have access to, the company says.

Finally, the report took a look at the Ivy Health Kids Thermometer, finding that of the three wearables the Ivy Health required the largest number of permissions. These include external storage, camera, location and more.

A potential attacker would be able to hijack the Bluetooth connection and see the measured temperature. Worse, as the app and Ivy Health's website use HTTP instead of the more secure HTTPS, it would be much easier for an attacker to access data, which includes kids' names and birth dates, phone location data, and more.


By Husain Sumra
