Smart scales leak personal data

Student project reveals security and privacy flaws in some eHealth devices.

MSc student Martin Kraemer found a range of security and privacy issues when he investigated some of the smart bathroom scales and companion apps that people use to measure their weight and body mass. When he analysed devices produced by different manufacturers, Martin revealed risks of data leakage which could include users’ weight and body mass measurements, and their passwords.

As Martin explains,

“Smart scales and wearable fitness trackers often combine a sensor with a mobile phone application and a web service, with links to other services, e.g. social media, cloud storage, data analytics. As personal devices do not adhere to strict medical advice standards, they can be vulnerable to privacy weakness and security attack.”

Martin's project was awarded a distinction and he presented a poster at one of the top security conferences, the 23rd ACM Conference on Computer and Communications Security (ACM CCS) in Vienna, 24-28 October 2016. His smart-scale security testing framework is now available for download from GitHub; instructions are on his website.

Professor David Aspinall, Martin’s supervisor, says: “Internet-of-things devices upload some of our most intimate details onto the Internet, but unfortunately don't always do it securely.”

Having recently graduated from Edinburgh with an MSc in Computer Science with Distinction, Martin is now a PhD student in Cyber Security at the University of Oxford.

Useful links

Martin Kraemer mhealth website 

Poster 

ACM CCS 2016 

Informatics’ Security and Privacy group