Smart fever thermometers, scales, blood prere and pulse measuring apparatus you get now even at the discounter for a few euros. So also by Silvercrest, a house brand of Lidl. The activity sensor “SAS 88” for 27.99 euros as well as the thermometer “SFT 81” for 24.99 euros give your measurement data for example to the free app “Healthforeou”. She was developed by Hans Dinslage GmbH, a subsidiary of Beurer GmbH from Ulm.
In addition to HealthForyou, Hans Dinslage also offers the app “Sanitas Health Coach” for Android and iOS, which collects, for example, data from the Bluetooth scale SBF 70. Both apps are overhaul: according to Google Play Store alone the Android versions were downloaded together over 1.5 million times.
Health apps with many data
Users can create user accounts in both apps and provide a series of personal data, including name, date of birth, rough, gender and mail address. Combined are the info with measurement protocols of the solutions coupled by Bluetooth: weight, blood prere, pulse, oxygen content in the blood, body temperature, sleep duration, steps and drunk water. The apps invite the information to the Server Cloud of Hans Dinslage GmbH. They are stored according to the manufacturer in two German data centers of the service provider Dynamic 1001. If you log in with the account from another smartphone or browser, you can download the data and play new readings.
This is practical to watch his fitness and weight progress on a longest period of time. Unfortunately, third parties were also able to retrieve the data. To do this, you had to know or guess the mail address of the user and make a targeted request at the server (HTTPS Post Request). The chatted, without a password indicated by the user to check. More: The server also revealed the hash value and saint of the real user password. With e-mail address and password hash, an attacker was able to exhibit an API token that allows unrestricted access to the account.
Safety Challenge since 2015
The critical safety chuck Nick Decker has found from Trovent Security GmbH in Bochum. For four days, he analyzed the Android apps and their traffic with the backend servers before recognizing the incorrect information from the server and struck alarm. Trovent put Hans Dinslage and Beurer on 28. April informs, whereupon the app manufacturer the servers took the following day from the network to repair the error. On the 30th. April Beurer informed the state-owned data protection officers of Baden-Wurttemberg.
On demand from C’t, Beurer gave the safety chucks unarms. According to the company, the server chute has been with “Sanitas Health Coach” since September 2015 and “Healthforyou” since November 2017. However, according to our own statements, there was no evidence that the safety chucks of attackers was exploited. For the number of user accounts affected by the LUCKE, Beurer did not want to be.
The affected app “Healthforyou” is often coupled with Silvercrest’s Silvercrest’s Silvercrest Health Gadgets of the Discounter Lidl brand.
Users of the App “Sanitas Health Coach” can not be checked if your account was compromised. Users of the HealthForyou app should check according to Trovent at least their mailbox: the servers send an e-mail when a user logs off from a new device to the online account. If you discovered and not assign such notifications, you have become victim of an attack.
Since potential attackers were also able to capture password-hashes, including sensitive health data, Beurer called Velvet registered users of both apps to Pentecost by mail to change their passwords. With the appearance of this article, all the above-mentioned passwords are automatically reduced and need to be re-elected by users. Since the manufacturer for the hashes and salts has used the largely secure procedure “bcrypt”, a reconstruction of passwords is almost excluded – at least as long as users have not used too short or sub-complex passwords.