
Why you’re better off buying expensive smart scales

James Mace 15 Jun 2015


Having just shown some relatively tame security bugs in the lovely Fitbit Aria scales, here’s why we think you’re actually better off spending your money on more expensive IoT devices and smart gear.

Very broadly, one seems to get better security the more you spend. No surprise there then!

It’s not just IoT devices that have security problems, it’s the ‘cloud’ services that they consume and send your data to that are often the source of data leakage.


We started off by buying some cheap tech gear from our local Aldi supermarket to see what we could find.

That included

Cheap scales = cheap security

The first issue we found was really quite surprising. After setting up the scales + wrist monitor with an account on their site, and dealing with a mistyped email address on the forgotten-password form, we noticed that it was possible to enumerate users owing to the error message.


But that wasn’t the worst of it

A form on their public web site, accessible without authentication, allowed any user account to be deleted. Yes really.


So we deleted our own account, as we didn’t want our data on this site any more.

How they hadn’t had their entire customer database deleted already by a script kiddie must be down to pure luck!
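The two web-side findings above (user enumeration via the forgotten-password error message, and an unauthenticated form that deletes any account) in a minimal in-memory model, with the leaky/open version beside the hardened one. This is an added illustration, not code from the post or from Crane Sports Connect; the account table, session tokens and handler names are assumptions.

```python
# Added example, not code from the original post. Accounts, session tokens and
# handler names are made-up placeholders standing in for the real site's logic.
from dataclasses import dataclass, field


@dataclass
class Site:
    accounts: dict = field(default_factory=lambda: {"alice@example.com": {}, "bob@example.com": {}})
    sessions: dict = field(default_factory=lambda: {"tok-alice": "alice@example.com"})
    sent_mail: list = field(default_factory=list)

    # --- Forgotten password -------------------------------------------------
    def forgot_password_leaky(self, email):
        # A different message per case tells a caller which addresses have accounts.
        if email in self.accounts:
            self.sent_mail.append(email)
            return "Password reset email sent"
        return "No account found for that email address"

    def forgot_password_uniform(self, email):
        # Same response either way; the reset mail is only sent when the account exists.
        # (Response time should be kept similar too, or timing becomes the oracle.)
        if email in self.accounts:
            self.sent_mail.append(email)
        return "If an account exists for that address, a reset email has been sent"

    # --- Account deletion ---------------------------------------------------
    def delete_account_open(self, email):
        # No authentication: anyone who knows an address can remove that account.
        return self.accounts.pop(email, None) is not None

    def delete_account_hardened(self, session_token, email):
        # Caller must hold a valid session and may only delete the account it owns.
        owner = self.sessions.get(session_token)
        if owner is None or owner != email:
            return False
        del self.accounts[email]
        del self.sessions[session_token]  # the session dies with the account
        return True
```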

Now to the mobile app

It took seconds to establish that the mobile app through which personal data is sent to the Crane Sports ‘cloudy’ thing doesn’t offer SSL.


Oh dear.

So you could intercept anyone’s activity details and a fair bit of personal data. If one wanted to cause issues, one might change the heart rate and add a bit of weight, to really screw with someone’s mind.

A quick look at the app also revealed some hard coded credentials for an FTP server. Likely for firmware updates.

We didn’t look at those in any detail, but other pointers suggested that http://www.longitudewatch.com/ were responsible for the firmware & related software. Interestingly, their site points to the FILA, Solus and New Balance fitness tracking apps too.

A series of fails then…

We put all of this to Crane Sports Connect a couple of months ago; we had quite an odd dialogue with them.

The nasty ‘delete any account’ issue was fixed pretty quickly, which is why we feel able to mention it publicly now.

The unencrypted traffic issue looks to have been fixed on 6th June (iOS) and 8th June (Android) and, to our surprise, SSL certificate pinning has also been implemented! We were a little disappointed that the SSL issue was not noted as resolved in the update notes, nor were we credited.

Conclusion

How long would it have taken for Crane to fix these bugs if we hadn’t spent some of our own time investigating? Maybe the first they would know about it would be someone rather less ethical exploiting the ‘delete account’ form and wiping their customer database. Nice…

We haven’t gone into any detail with the device or app, so we’ve no idea what else there is to find in the hardware, software or firmware. That task is for another day.

Maybe we should take it to the IoT workshop at Defcon23. Something else to play with, at the same time as the Aria scales!