Researchers find security flaws in femtech devices
- February 5, 2024
- Steve Rogerson

Researchers at two UK universities have found security flaws in IoT devices for general and health use by women.
The researchers from the University of London and the University of Surrey tested 21 devices ranging from fertility trackers to connected vibrators and found them vulnerable to a range of cyber attacks.
Such apps and connected devices collect data about the users including health, medical, sex life and other intimate information. The researchers studied a set of IoT devices advertised for general and/or intimate health purposes of female bodies. They focused particularly on the security and privacy of the Bluetooth connection between the IoT device and the mobile app.
The results highlight serious vulnerabilities present in the off-the-shelf femtech devices. These vulnerabilities include unencrypted Bluetooth traffic, insecure Bluetooth authentication and undocumented Bluetooth services.
They implemented Bluetooth attacks to intercept and manipulate the communication between these devices and apps resulting in the malfunctioning of their corresponding Android apps.
They performed targeted BLE attacks including man-in-the-middle (MITM), replay, connection hijack, denial of service (DoS) and denial of sleep (DoSL) to exploit vulnerabilities resulting in eavesdropping on user information and malfunctioning of the device or the app.
The findings showed a significant number of these devices did not properly secure their Bluetooth LE communications. Analysis of their companion Android apps revealed many had access to system permissions unrelated to their advertised function and that excessive personal data were collected about users, devices, the environment and beyond. The researchers are calling for better regulation and enforcement of data management and protection in digital health technologies.
To assess what Bluetooth services were running on each device, they used Bettercap, an open-source network security tool for network and Bluetooth monitoring, interception and manipulation.
Among the 21 devices examined, 17 of them used the JustWorks (JW) method for Bluetooth pairing, which pairs without any user input. However, this method is considered the weakest because it offers no protection against a MITM attack. In the researchers’ targeted attacks, they demonstrated how such inappropriate practices combined with a lack of traffic encryption can lead to a range of attacks such as MITM, replay, connection hijack, DoS and DoSL.
All the devices possessed one or more vendor-specific custom Bluetooth LE services. This significantly increases the difficulty of conducting a thorough security and privacy audit. Since the manufacturers do not provide specifications for these services, the researchers could not accurately identify the function of these services. Such unknown services can potentially introduce more vulnerabilities in these systems.
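The three classes of weakness the article names (unencrypted traffic, JustWorks pairing with no MITM protection, and undocumented vendor-specific services) are exactly what an auditor looks for when reviewing a device's GATT profile. The following is an added example, not code from the article or the paper: a small audit helper that takes a service-discovery snapshot of a device (the kind of information a tool such as Bettercap reports) and returns findings. The device profiles, the service UUIDs, the `audit_device` function and the table of pairing methods are all constructed for this demonstration; the Bluetooth base UUID and the handful of SIG-assigned service numbers are real.

```python
"""Audit a BLE GATT profile for the weaknesses described in the femtech study.

Added example. Profiles below are constructed, not captured from any real device.
"""
import uuid

# Bluetooth SIG base UUID: 16-bit assigned numbers appear as 0000XXXX-<this suffix>.
BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# A few well-known SIG-assigned service numbers (enough for the demo).
SIG_SERVICES = {
    0x1800: "Generic Access",
    0x1801: "Generic Attribute",
    0x180A: "Device Information",
    0x180D: "Heart Rate",
    0x180F: "Battery Service",
}
# Generic Access / Generic Attribute are required to be readable; don't flag them.
ALWAYS_OPEN = {0x1800, 0x1801}

# Whether each pairing association model protects against a man-in-the-middle.
# Just Works authenticates nothing, so an attacker can pair in the user's place.
PAIRING_MITM_PROTECTION = {
    "just_works": False,
    "passkey_entry": True,
    "numeric_comparison": True,   # LE Secure Connections only
    "oob": True,
}


def normalise_uuid(s: str) -> str:
    """Expand a 16-bit short UUID (e.g. '180F') to its full 128-bit form, lowercase."""
    s = s.strip().lower()
    if len(s) == 4:
        s = "0000" + s + BT_BASE_SUFFIX
    return str(uuid.UUID(s))


def sig_assigned_number(service_uuid: str):
    """Return the 16-bit assigned number if the UUID sits on the SIG base, else None."""
    u = normalise_uuid(service_uuid)
    if u.endswith(BT_BASE_SUFFIX) and u.startswith("0000"):
        return int(u[4:8], 16)
    return None  # 128-bit custom UUID: vendor-specific, no public specification


def classify_service(service_uuid: str) -> str:
    n = sig_assigned_number(service_uuid)
    if n is None:
        return "vendor-specific (undocumented)"
    return SIG_SERVICES.get(n, f"SIG-assigned 0x{n:04X}")


def audit_device(profile: dict) -> list:
    """Return (code, detail) findings for a device profile (constructed format)."""
    findings = []
    pairing = profile["pairing"]
    if not PAIRING_MITM_PROTECTION.get(pairing, False):
        findings.append(("WEAK_PAIRING", f"pairing '{pairing}' gives no MITM protection"))
    if not profile.get("secure_connections", False):
        findings.append(("LEGACY_PAIRING", "LE Secure Connections (ECDH) not in use"))
    for svc in profile["services"]:
        kind = classify_service(svc["uuid"])
        n = sig_assigned_number(svc["uuid"])
        if n is None:
            findings.append(("UNDOCUMENTED_SERVICE", f"{svc['uuid']}: {kind}"))
        if n in ALWAYS_OPEN:
            continue
        for ch in svc["characteristics"]:
            # 'security' is the link-layer requirement the device enforces for this
            # characteristic: 'none', 'encrypted' or 'authenticated'.
            if ch["security"] == "none":
                props = ", ".join(sorted(ch["properties"]))
                findings.append(("UNENCRYPTED_CHARACTERISTIC",
                                 f"{ch['uuid']} ({props}) accessible without encryption"))
    return findings


# Constructed profile resembling the weak pattern the study reports.
WEAK_PROFILE = {
    "name": "demo-tracker (constructed)",
    "pairing": "just_works",
    "secure_connections": False,
    "services": [
        {"uuid": "180F", "characteristics": [
            {"uuid": "2A19", "properties": ["read", "notify"], "security": "none"}]},
        {"uuid": "12345678-1234-5678-1234-56789abcdef0", "characteristics": [
            {"uuid": "12345678-1234-5678-1234-56789abcdef1",
             "properties": ["write_without_response"], "security": "none"},
            {"uuid": "12345678-1234-5678-1234-56789abcdef2",
             "properties": ["notify"], "security": "none"}]},
    ],
}

# The same device with the fixes a vendor could ship: an authenticated pairing
# model, LE Secure Connections, and encryption required on every characteristic.
HARDENED_PROFILE = {
    "name": "demo-tracker hardened (constructed)",
    "pairing": "passkey_entry",
    "secure_connections": True,
    "services": [
        {"uuid": "180F", "characteristics": [
            {"uuid": "2A19", "properties": ["read", "notify"], "security": "encrypted"}]},
        {"uuid": "12345678-1234-5678-1234-56789abcdef0", "characteristics": [
            {"uuid": "12345678-1234-5678-1234-56789abcdef1",
             "properties": ["write_without_response"], "security": "authenticated"},
            {"uuid": "12345678-1234-5678-1234-56789abcdef2",
             "properties": ["notify"], "security": "authenticated"}]},
    ],
}

if __name__ == "__main__":
    for p in (WEAK_PROFILE, HARDENED_PROFILE):
        print(p["name"])
        for code, detail in audit_device(p):
            print(f"  {code}: {detail}")
```

Even the hardened profile still produces an `UNDOCUMENTED_SERVICE` finding: encryption fixes the transport, but a custom 128-bit service with no published specification cannot be fully audited, which is the point the researchers make about vendor-specific services.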
All the device vendors were informed of the results of the research last year before the paper was published.
The devices tested were: Vibease vibrator; Lioness Clara vibrator; Vibease Lipstick vibrator; Vibio Frida vibrator; Mystery Vibe Crescendo vibrator; Kgoal kegel pelvic floor trainer; Perifit kegel exerciser; We-Vibe Bloom pelvic trainer; Vibio Clara kegel balls; Elvie pelvic trainer; Vinca 2 Femometer fertility tracker; Daysy Day cycle fertility tracker; Mira fertility tracker; Clearblue ovulation test; Breath Ilo cycle tracker; Ava fertility tracker; Bellabeat Ivy bracelet; Keen 2 Habit aware bracelet; Garmin Lily smartwatch; Oura smart ring; and Hidrate Spark 3 water bottle.
The paper was written by Stephen Cook and Maryam Mehrnezhad from the University of London and Ehsan Toreini from the University of Surrey. Called “Bluetooth Vulnerabilities in General and Intimate Health IoT Devices and Apps: The Case of Female-oriented Technologies”, it was published last month on ResearchGate and can be found at: www.researchgate.net/publication/377589671_Bluetooth_Vulnerabilities_in_General_and_Intimate_Health_IoT_Devices_and_Apps_the_Case_of_Female-oriented_Technologies.