Smart thermometers, scales, blood pressure and pulse monitors are now available even at discount shops for a few euros. That is also the case with Silvercrest, a Lidl house brand. The activity sensor "SAS 88" for 27.99 euros and the thermometer "SFT 81" for 24.99 euros, for example, pass their measurement data on to the free "HealthForYou" app. It was developed by Hans Dinslage GmbH, a subsidiary of Beurer GmbH from Ulm.
In addition to HealthForYou, Hans Dinslage also offers the "Sanitas Health Coach" app for Android and iOS which, for example, collects data from the SBF 70 Bluetooth scales. Both apps are extremely popular: according to Google's Play Store, the Android versions alone have been downloaded over 1.5 million times.
Health apps with a lot of data
With both apps, users can create user accounts and transmit a range of personal data, including name, date of birth, height, gender and e-mail address. This information is combined with measurement logs from the devices connected via Bluetooth: weight, blood pressure, pulse, blood oxygen level, body temperature, sleep duration, steps taken and amount of water consumed. The apps upload the data to the server cloud of Hans Dinslage GmbH. According to the manufacturer, the data is stored in two German data centres operated by the service provider Dynamic 1001. Anyone who logs in with the account from another smartphone or browser can retrieve the data and add new measured values.
This is useful for tracking fitness and weight progress over a longer period. Unfortunately, third parties were also able to access the data for years. To do so, they only needed to know or guess the user's e-mail address and send a specific request (an HTTPS POST request) to the server. The server answered without checking any password supplied by the user. Worse still: the server also disclosed the hash value and salt of the real user's password. An attacker could then use the e-mail address and password hash to have an API token issued that granted unrestricted access to the account.
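The two flawed server behaviours described above, modelled side by side with the corrected login flow. This is an added illustration, not code from the article or from Hans Dinslage/Beurer; the account store and e-mail address are constructed, and salted PBKDF2 from the Python standard library stands in for the bcrypt the real backend used.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo account store. PBKDF2 stands in for the bcrypt hashing
# the real backend used; only the Python standard library is assumed here.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
ACCOUNTS = {"alice@example.invalid": {"salt": _SALT,
                                      "hash": hash_password("correct horse", _SALT)}}
# Dummy credentials so unknown e-mails take the same code path as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

def lookup_vulnerable(email: str):
    """Flawed pattern from the article: any request naming a known e-mail
    gets the stored salt and hash back, with no password check at all."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    return {"email": email, "salt": acct["salt"].hex(), "hash": acct["hash"].hex()}

def token_vulnerable(email: str, hash_hex: str):
    """Flawed: accepts the stored hash itself as proof of identity, so the
    value leaked above is enough to obtain a full-access token."""
    acct = ACCOUNTS.get(email)
    if acct is not None and hmac.compare_digest(acct["hash"].hex(), hash_hex):
        return secrets.token_hex(16)
    return None

def login_hardened(email: str, password: str):
    """Fixed: the client sends the password over TLS, the server re-derives
    the hash and compares in constant time; salt and hash never leave the server."""
    acct = ACCOUNTS.get(email)
    salt = acct["salt"] if acct else _DUMMY_SALT
    expected = acct["hash"] if acct else _DUMMY_HASH
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return secrets.token_hex(16) if ok and acct is not None else None

def leak_chain_works(email: str) -> bool:
    """True if the two flawed endpoints together yield a token without the
    password, i.e. the pre-fix situation; False once either is removed."""
    leak = lookup_vulnerable(email)
    return leak is not None and token_vulnerable(email, leak["hash"]) is not None
```

The hardened variant also responds identically for unknown e-mail addresses, so the lookup can no longer be used to confirm which addresses hold an account.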
Vulnerability since 2015
Nick Decker of Trovent Security GmbH in Bochum discovered the critical vulnerability. For four days he analysed the Android apps and their data traffic with the backend servers before he recognised the server's improper information disclosure and raised the alarm. Trovent informed Hans Dinslage and Beurer on April 28th, whereupon the app manufacturer took the server offline the next day in order to fix the error. On April 30th, Beurer informed the responsible data protection officer of Baden-Württemberg.
When asked by c't, Beurer openly admitted the vulnerability. According to the company, the server hole had existed at "Sanitas Health Coach" since September 2015 and at "HealthForYou" since November 2017. However, by its own account, the company found no evidence that the security hole had been exploited by attackers. Beurer did not want to comment on the number of user accounts affected by the vulnerability.
Users of the "Sanitas Health Coach" app cannot check whether their account has been compromised. According to Trovent, users of the HealthForYou app should at least check their mailbox: the servers send an e-mail when a user logs in to the web account from a new device. Anyone who finds such notifications and cannot account for them may have been the victim of an attack.
Since potential attackers were able to steal both sensitive health data and password hashes and salts, Beurer sent an e-mail to all registered users of both apps after Whitsun asking them to change their passwords. With the publication of this article, all other passwords are automatically reset and must be re-chosen by users. Because the manufacturer used the largely secure "bcrypt" method for the hashes and salts, reconstructing the passwords is almost impossible, at least as long as users have not chosen excessively short or low-complexity passwords.