The Medion Life S3600 is a fitness tracker bracelet that can track the sleep of the user in addition to various sport modes including pedometer and heart rate measurement. We had already put the S2000 fitness tracker on the security test bench in 2018. Time to take a closer look at the current model of the German electronics company.
Medion, one of the largest PC manufacturers in Europe, is not only active in the computer and consumer electronics sector. The company, which is closely associated with ALDI, has also been present in the eHealth sector for several years and sells inexpensive wearables in this area, which, at least in our comparative test, did not have to hide from more expensive competitors.
When opening the app for the first time, the user can choose whether or not to create a Medion user account. If they decide against it, all data recorded by the device remains on the owner's smartphone.
If no smartphone is connected, the S3600 is automatically ready for pairing. After it is found by the app, the touch button must be pressed for several seconds during the pairing process.
Despite the numerous third-party modules, no noteworthy weaknesses could be found in the static analysis. In the dynamic analysis, the communication to the Internet and to the fitness tracker was examined more closely.
The online communication of the Medion Fitness App was encrypted throughout the test. Most of the communication goes through Microsoft Azure Germany, but there is also regular communication with Facebook servers.
The Bluetooth communication is shielded from prying eyes in one respect: the fitness bracelet is no longer visible to other devices while it is connected to the smartphone. When the smartphone is out of range, however, the wristband is visible to any device.
In the test, we recorded the Bluetooth communication between the app and the fitness tracker and subsequently reproduced it from another device. The communication does not appear to be encrypted and always follows fixed patterns. In parts it is protected by the authentication mentioned above, but it was easily possible to reset the pedometer to zero from another smartphone by replaying recorded values. Furthermore, a mere connection attempt via a Bluetooth LE scanner was sufficient to break the link between the Medion Fitness app and the tracker; afterwards, the fitness tracker had to be deleted from the app and paired again.
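The finding above illustrates a general design point: a command frame that is identical every time it is sent can be accepted again by the device no matter who sends it, whereas a command bound to a per-connection nonce cannot. The following Python model is an added example, not code from the original article or from Medion's app or firmware. The command byte, frame layout, shared key and step values are all constructed for illustration and are not the S3600's real wire format; the model contrasts a replayable fixed-frame design with a challenge-response design (HMAC-SHA256 over a tracker-issued nonce).

```python
import hashlib
import hmac
import secrets

# Hypothetical command byte meaning "reset step counter". Constructed for
# this example; it is not the S3600's real protocol.
CMD_RESET_STEPS = b"\x10"


class ReplayableTracker:
    """Models a device that accepts fixed, unauthenticated command frames.
    A frame that was valid once stays valid forever, for any sender."""

    def __init__(self, steps: int):
        self.steps = steps

    def handle(self, frame: bytes) -> bool:
        if frame == CMD_RESET_STEPS:
            self.steps = 0
            return True
        return False


class ChallengeResponseTracker:
    """Models the hardened form: each command carries an HMAC over a nonce
    the tracker issued for this connection. A recorded frame is tied to a
    nonce that is never issued again, so resending it is rejected."""

    def __init__(self, steps: int, shared_key: bytes):
        self.steps = steps
        self._key = shared_key          # assumed to be provisioned at pairing
        self._nonce = None

    def connect(self) -> bytes:
        # Fresh 16-byte nonce per connection; the app must bind commands to it.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def handle(self, frame: bytes) -> bool:
        # Constructed frame layout: 1 command byte + 32-byte HMAC-SHA256 tag.
        if self._nonce is None or len(frame) != 1 + 32:
            return False
        cmd, tag = frame[:1], frame[1:]
        expected = hmac.new(self._key, self._nonce + cmd, hashlib.sha256).digest()
        # The nonce is consumed whatever the outcome: one attempt per challenge.
        self._nonce = None
        if not hmac.compare_digest(tag, expected):
            return False
        if cmd == CMD_RESET_STEPS:
            self.steps = 0
            return True
        return False


def build_authenticated_frame(shared_key: bytes, nonce: bytes, cmd: bytes) -> bytes:
    """What the legitimate app would send: command plus tag bound to the nonce."""
    tag = hmac.new(shared_key, nonce + cmd, hashlib.sha256).digest()
    return cmd + tag


def demo_fixed_frame_design() -> tuple:
    """Returns (steps after legitimate reset, steps after the same frame is
    sent again later). Both are zero: the fixed frame is accepted twice."""
    tracker = ReplayableTracker(steps=8421)
    observed = CMD_RESET_STEPS            # the frame as seen on the air
    tracker.handle(observed)
    after_first = tracker.steps
    tracker.steps = 5000                  # user walks again
    tracker.handle(observed)              # identical frame, second time
    return after_first, tracker.steps


def demo_challenge_response_design() -> tuple:
    """Returns (first frame accepted, same frame accepted on a new
    connection, steps after that second attempt)."""
    key = secrets.token_bytes(32)
    tracker = ChallengeResponseTracker(steps=8421, shared_key=key)
    nonce = tracker.connect()
    frame = build_authenticated_frame(key, nonce, CMD_RESET_STEPS)
    first_ok = tracker.handle(frame)
    tracker.steps = 5000
    tracker.connect()                     # new connection, new nonce
    second_ok = tracker.handle(frame)     # old frame bound to the old nonce
    return first_ok, second_ok, tracker.steps


if __name__ == "__main__":
    print("fixed frame:", demo_fixed_frame_design())
    print("challenge-response:", demo_challenge_response_design())
```

The point of the model is that encryption alone is not what prevents the pedometer reset described above; freshness is. A per-connection nonce (or a monotonically increasing counter that the device tracks) gives the tracker a way to tell a live command from a recorded one, and the shared key means only the paired app can produce a valid tag.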
The data is stored almost exclusively on servers in Germany (Microsoft Azure Germany). If other operations require it, e.g. registration via Facebook, the necessary data is also transferred to other countries, possibly outside the European Union.
Tracker identified in the app: Google Firebase Analytics (https://reports.exodus-privacy.eu.org/trackers/49)
The Medion Life S3600 fitness tracker scored many points in our test. In the area of privacy, Medion acts in an exemplary manner for the most part, but provides no information about the integrated trackers. The app's data transfer to the internet was encrypted at all times, but the Bluetooth communication between app and fitness tracker still offers potential for improvement – authentication is not fully implemented, and the link between the app and the S3600 can be broken relatively easily.