Technical
Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

...
...

Lack of Bluetooth LE pairing and access control in Dr.Trust ECG/EKG Pen

Vulnerability

Lack of Bluetooth LE pairing and access control on internal data.

Vulnerability Description

An issue was discovered on Dr Trust ECG Pen 2.00.08 devices. Because the Bluetooth LE support is implemented without a requirement for pairing or security, any attacker can access the GATT server of the device and can sniff the data being broadcasted while a measurement is being done. Also, saved data can also be extracted over a Bluetooth connection. In addition, an attacker can launch a man-in-the-middle attack against data integrity.

CVE-ID

CVE-2020-15486

Vendor

Dr.Trust

Product

ECG EKG Electrocardiogram Pen

Disclosure Timeline

22 June 2020 reported to the vendor

22 July 2020 No response from the vendor and Public disclosure.

Credit

Arun Magesh