IoT Scale Flaws Enable Denial of Service, Privacy Issues

Flaws in this connected smart scale might give the diet-challenged a legitimate reason to be nervous.

Here is an internet of things flaw that can tip the scales to a hacker’s advantage.

Researchers have discovered a bevy of flaws in a consumer smart scale that could allow hackers to launch a variety of attacks, from man-in-the-middle to denial of service attacks. Checkmarx researchers reported the vulnerabilities on Monday and outlined four “medium” severity bugs linked to the connected scale.

The device, the Smart Scale PW 5653 BT, is made by China-based AEG and features Bluetooth for analyzing weight, body fat, and other data points. AEG is a premium brand for Chinese consumers introduced by home appliances firm Electrolux Group and Midea Group as a joint venture.

However, after testing the IoT device, its Bluetooth security, and its mobile apps (Smart Scale for Android and iOS), researchers found several security and privacy flaws.

“The Checkmarx Security Research Team found several security issues that have impact on the clients using the smart scale, its associated apps, and for the company itself,” said David Sopas, researcher with Checkmarx, in a Monday report.

Researchers have advised AEG to issue a patch that fixes clients’ smart scales to prevent malicious users from damaging the hardware, but have not heard back.

“It took many attempts to get a response from Electrolux (AEG), and to date, we are not aware of any fixes that were released as a result of our communication,” Erez Yalon, head of Checkmarx’s security research group, told Threatpost.

The most severe of the flaws discovered in the IoT device is a Denial of Service vulnerability, which allows attackers to trigger a special request via Bluetooth that crashes the smart scale. The flaw has a CVSS score of 7.1, making it a medium-severity vulnerability.

The design vulnerability exists because the Bluetooth service “Immediate Alert” – which exposes a control point that allows another peer device to cause the device to immediately alert – allowed researchers to send special requests.

When the device is in standby mode, researchers were able to send the request and crash the smart scale, which they demonstrated in a proof-of-concept video.

For the victim that means they would need to remove the batteries or wait until the batteries run out, and the device would lose most of its information during this crash, researchers said.

“Now the only way to get the smart scale working again is to remove one of the batteries or wait until they run out, because the screen is frozen with the light on,” researchers said. “We kept it for 30 minutes and the smart scale never went off. It’s also important to mention that resetting the smart scale removes information, such as other configuration steps the user took in the past.”

Another design flaw (with a CVSS score of 5.3) exists in a configuration of the Generic Attribute Profile (GATT) in the device, which establishes in detail how to exchange all profile and user data over a BLE connection. The GATT configuration keeps the MAC address fixed, meaning that a bad actor within Bluetooth range could track the victim.
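As an added illustration (not code from the Checkmarx report or the vendor), the sketch below audits a BLE scan log for devices that stay identifiable by address, which is the privacy property the fixed MAC address breaks. It assumes the scanner reports whether each address is public or random, classifies random addresses by their two most significant bits, and uses an assumed 900-second rotation window; the sample addresses are constructed.

```python
from collections import defaultdict

# Assumed threshold: a private address still in use after this many
# seconds is treated as not rotating.
ROTATION_WINDOW_S = 900

def classify_address(addr: str, is_random: bool) -> str:
    """Classify a BLE device address by its privacy properties."""
    if not is_random:
        return "public"                      # IEEE-assigned, never changes
    top_bits = int(addr.split(":")[0], 16) >> 6  # two most significant bits
    return {0b11: "random-static",           # fixed at least until power cycle
            0b01: "resolvable-private",      # rotates, resolvable with the IRK
            0b00: "non-resolvable-private",  # rotates, not resolvable
            0b10: "reserved"}[top_bits]

def trackable_addresses(observations, window_s=ROTATION_WINDOW_S):
    """Return {address: (kind, seconds_seen)} for addresses that identify
    a device over time: public/static ones, or private ones never rotated."""
    seen = defaultdict(list)
    kinds = {}
    for ts, addr, is_random in observations:
        addr = addr.upper()
        seen[addr].append(ts)
        kinds[addr] = classify_address(addr, is_random)
    findings = {}
    for addr, stamps in seen.items():
        span = max(stamps) - min(stamps)
        fixed_kind = kinds[addr] in ("public", "random-static")
        if fixed_kind or span > window_s:
            findings[addr] = (kinds[addr], span)
    return findings

# Constructed sample scan log: (unix_seconds, address, is_random_flag)
SAMPLE = [
    (0,    "00:11:22:33:44:55", False),  # fixed public address
    (3600, "00:11:22:33:44:55", False),
    (0,    "5B:12:9E:44:10:AA", True),   # private address, rotates
    (600,  "5B:12:9E:44:10:AA", True),
    (1500, "62:7F:03:9C:21:0B", True),   # successor after rotation
    (0,    "D3:00:00:00:00:02", True),   # random static address
]

if __name__ == "__main__":
    for addr, (kind, span) in trackable_addresses(SAMPLE).items():
        print(f"{addr}  {kind:<14} seen for {span}s -> trackable by address")
```

A device that uses resolvable private addresses and rotates them within the window does not appear in the findings; a device with a fixed address always does.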

Another vulnerability (CVSS score of 5.3) allows an attacker within Bluetooth range to “change the name of the device to something offensive or even to trick innocent users,” researchers said. “Also it can be used to better identify the specific device to aid in combining this attack with other attacks.”

Finally, some requests made by the mobile application don’t use HTTPS, which could allow bad actors to launch a man-in-the-middle attack and intercept the information sent between the mobile application and the host.

Researchers said that they also discovered issues with the mobile applications connected to the device, Smart Scale for Android and Smart Scale for iOS, which are developed by a Chinese company named VTrump.

Specifically, researchers discovered the iOS app was sending private information to a server in China associated with Lotuseed, a mobile data analysis software platform based in China.

More alarming, the data was being sent without HTTPS, meaning that the communications between the app and the Chinese server are not encrypted.

“After we notified VTrump about our findings, they declined to make the changes we suggested,” researchers said. “Later, however, we tested again and found that they ‘fixed’ the app by adding encryption, however, they were still sending the same private information. I don’t believe that this type of information is necessary for a smart scale to collect, much less send to a third party for data analysis.”

IoT issues are nothing new – just on Monday, the European Commission issued a recall for a popular smartwatch for children, citing “serious” privacy issues that could allow a bad actor to track or communicate with kids remotely.

Meanwhile, in a recent report analyzing 12 different IoT devices, researchers with Dark Cubed and Pepper IoT reported security failures that ranged from a lack of encryption for data to missing encryption certificate validations.

IoT security issues are only getting worse – not better. In the first half of 2018, researchers at Kaspersky Lab said they picked up three times as many malware samples targeting IoT devices as they did for the entirety of 2017.

Yalon said that IoT devices and the apps that accompany them must all be held to a higher standard.

“Consumers must require more from the vendors selling us IoT devices,” he said. “Users must demand that data is only collected if it is needed to enable the functionality of the device/app, and that the vendors encrypt any data they send and collect, and protect our privacy. If they don’t, and fail to take responsibility even when confronted with the findings, they must be held accountable.”
