Lack of Bluetooth LE pairing and access control on internal data.
An issue was discovered on Dr Trust ECG Pen 2.00.08 devices. Because the Bluetooth LE support is implemented without a requirement for pairing or security, any attacker can access the GATT server of the device and can sniff the data being broadcasted while a measurement is being done. Also, saved data can also be extracted over a Bluetooth connection. In addition, an attacker can launch a man-in-the-middle attack against data integrity.
ECG EKG Electrocardiogram Pen
22 June 2020 reported to the vendor
22 July 2020 No response from the vendor and Public disclosure.