Bluetooth security analysis of general and intimate health IoT devices and apps: the case of FemTech

IF 2.4 4区计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

International Journal of Information Security Pub Date : 2024-08-16 DOI:10.1007/s10207-024-00883-3

Stephen Cook, Maryam Mehrnezhad, Ehsan Toreini

{"title":"Bluetooth security analysis of general and intimate health IoT devices and apps: the case of FemTech","authors":"Stephen Cook, Maryam Mehrnezhad, Ehsan Toreini","doi":"10.1007/s10207-024-00883-3","DOIUrl":null,"url":null,"abstract":"<p>The number of digital health products is increasing faster than ever. These technologies (e.g. mobile apps and connected devices) collect massive amounts of data about their users, including health, medical, sex life, and other intimate data. In this paper, we study a set of 21 Internet of Things (IoT) devices advertised for general and intimate health purposes of female bodies (aka female-oriented technologies or FemTech). We focus on the security of the Bluetooth connection and communications between the IoT device and the mobile app. Our results highlight serious security issues in the current off-the-shelf FemTech devices. These include unencrypted Bluetooth traffic, unknown Bluetooth services and insecure Bluetooth authentication when connecting to the app. We implement Bluetooth attacks on the communication between these devices and apps, resulting in malfunctioning of the device and app. We discuss our results and provide recommendations for different stakeholders to improve the security practices of Bluetooth-enabled IoT devices in such a sensitive and intimate domain.\n</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"6 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00883-3","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The number of digital health products is increasing faster than ever. These technologies (e.g. mobile apps and connected devices) collect massive amounts of data about their users, including health, medical, sex life, and other intimate data. In this paper, we study a set of 21 Internet of Things (IoT) devices advertised for general and intimate health purposes of female bodies (aka female-oriented technologies or FemTech). We focus on the security of the Bluetooth connection and communications between the IoT device and the mobile app. Our results highlight serious security issues in the current off-the-shelf FemTech devices. These include unencrypted Bluetooth traffic, unknown Bluetooth services and insecure Bluetooth authentication when connecting to the app. We implement Bluetooth attacks on the communication between these devices and apps, resulting in malfunctioning of the device and app. We discuss our results and provide recommendations for different stakeholders to improve the security practices of Bluetooth-enabled IoT devices in such a sensitive and intimate domain.

Abstract Image

查看原文本刊更多论文

普通和私密健康物联网设备及应用程序的蓝牙安全分析：FemTech 案例

数字健康产品的数量正以前所未有的速度增长。这些技术（如移动应用程序和联网设备）收集了用户的大量数据，包括健康、医疗、性生活和其他私密数据。在本文中，我们研究了一组 21 个物联网（IoT）设备，这些设备主要用于女性身体的一般和私密健康用途（又称女性导向技术或 FemTech）。我们重点关注物联网设备与移动应用程序之间的蓝牙连接和通信的安全性。我们的研究结果凸显了当前现成的 FemTech 设备存在的严重安全问题。这些问题包括未加密的蓝牙流量、未知的蓝牙服务以及连接到应用程序时不安全的蓝牙验证。我们对这些设备和应用程序之间的通信实施了蓝牙攻击，导致设备和应用程序出现故障。我们将讨论我们的研究结果，并为不同的利益相关者提供建议，以改进在如此敏感和私密的领域中启用蓝牙的物联网设备的安全实践。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Journal of Information Security 工程技术-计算机：理论方法

CiteScore

6.30

自引率

3.10%

发文量

审稿时长

12 months

期刊介绍： The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation. Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.