[German]Security researchers have had a closer look at smart scales offered by the Chinese manufacturer Yunmai. These smart scales can be coupled with an app on the smartphone via Bluetooth so that the personal data of several people may be stored in personal profiles. Unfortunately, there are vulnerabilities, that allows a mass account takeover or circumvention of manufacturer restrictions via the Yunmai API.
The Yunmai smart scale
I had a quick look, on Amazon for Yunmai smart scales and found out, that these devices are still offered, although some models are now sold out. The Amazon Yunmai Store offers a model currently for 52 euros.
The Yunmai smart scales have a Bluetooth interface and an API that can be accessed from smartphones running Android and iOS apps. The mobile application allows device owners to view their weight, a graph of it over time, along with 12 other indices such as BMI, body fat percentage, visceral fat, etc. In addition, device owners can add and delete family members from their account. For each user, information such as gender, name, age, height, relationship and profile photo can be added. Profiles for up to 16 people can be created via the Android or iOS apps.
Yunmai API allows account takeover
Security researchers took a closer look at the scales' Yunmai apps for Android and iOS and conducted a pentest of the Android and iOS application as part of an internal IoT research project. In the process, they discovered serious vulnerabilities in the API, as the following tweet explains.
According to a FORTHBRIDGE report, five vulnerabilities were discovered at once and then reported to the manufacturer. Here is the list of issues:
- Bypass limit of 16 family members per primary account
- UserID Enumeration
- Ineffective authorization checks
- Information Leak
- Account takeover through 'password reset' functionality
Account takeover by the "password reset" function
If the vulnerabilities mentioned in 2, 3 and 4 are combined, mass account takeover can be achieved. The report states that via a queried "accessToken" and "refreshToken", it is possible to switch between family members' accounts and retrieve all their data. Details of the vulnerabilities can be found in the report.
Between September and October 2021, security researchers reported the found vulnerabilities to the manufacturer's support team. passed on. Regarding vulnerability number 5, a correction was tacitly made by the manufacturer. However, the security researchers assume that the required codes for the tokens, which are in the range of 165,000 and 175,000, can be cracked by brute force and then used to reset the password of an account via the "Forgot password" function. This would still allow account takeover. Vulnerabilities and 2 and 3 are still open. After an email dated May 5, 2022, went unanswered, the findings were published in the report available as a blog post with full details seven months after the initial notification to the vendor.
Cookies helps to fund this blog: Cookie settings