Ivy Health Kids Thermometer, a smart and portable arm thermometer for babies and small children that connects over Bluetooth to a mobile device app, failed to protect sensitive digital health data of children from hackers, according to testing by CI4S Ltd. on behalf of security firm vpnMentor.
Researchers found that hackers could easily break into the thermometer, identify the children who use the device, and track their location using Facebook analytics. Hackers could access users' names, dates of birth, gender, location, and other personal details.
“The IvyHealth Kids app boasts a wide array of required permissions: read and write access to external storage, camera, location and more,” the report observed.
Attackers could also find out about the relationships between the children and other users of the device, potentially exposing the entire family structure.
In addition, the thermometer’s application programming interface (API) and portal are served over insecure HTTP, revealing the user’s username and password to any eavesdropper.
“Personal user data is sent to Ivy Health’s servers over insecure HTTP, once when the user registers and whenever any new data is entered or updated, while temperature measurements are sent to the servers every time a measurement occurs,” the report noted.
The report gave the Ivy Health Kids Thermometer app and device a 2 out of 5 privacy score and a 2 out of 5 security score.
“Security is rated according to how easily an attacker can achieve control of the wearable device or its companion application and alter their behavior to their needs (the easier it is, the lower the score), while privacy is rated according to the volume and types of data that the application collects about its users (the more data, the lower the score),” the report explained.
CI4S also tested the Modius Headband and Digitsole Warm Insoles, which also failed to protect digital health data.
For all three wearables, the testers downloaded and installed the latest Play Store versions of the associated apps on an Android 8.0 device. They intercepted and scanned the relevant information from the smartphone’s WiFi and Bluetooth traffic.
Modius Headband is a weight loss device intended to change the user’s body weight and appetite by sending electric signals to the brain.
This wearable was also vulnerable to hacking, enabling an attacker to obtain coarse location and personal details and to track users using Facebook analytics. The device also collects highly personal information such as weight, height, and body fat percentage, which can easily be accessed by hackers.
The Modius application requires fingerprint access, meaning that every user’s fingerprints can be exposed by hackers. With individuals relying on fingerprints to access their phones or even bank accounts, this privacy failure can result in serious risks to the biometric security of users.
The report gave the Modius Headband app and device a privacy score of 3 out of 5 and a security score of 4 out of 5.
Digitsole Warm Insoles are Bluetooth-enabled shoe soles that allow users to track their day-to-day and sports activities and to warm their feet for comfort.
Hackers could increase the temperature of the Digitsole Warm Insoles to its maximum of 113°F (45°C), possibly causing personal injury.
The app also collects specific location information and continues to track the user’s location even when it is not actively being used but is running in the background. The report found that Digitsole collects Facebook data not directly provided by users.
“In addition to its privacy issues, the Digitsole app also leaves its users susceptible to additional security risks by exposing many unauthenticated services, including a location service and a firmware update service for its insoles. Any application installed on the user’s phone can abuse these services to gain access to the user’s location and install rogue firmware on the insoles, without needing any permissions,” the report observed.
The report gave the Digitsole Warm Insoles app and device a privacy score of 2 out of 5 and a security score of 2 out of 5.