Advisory ID: SYSS-2023-022
Product: Zepp app, Amazfit Bip U
Manufacturer: Huami Technology
Affected Version(s): Zepp app 7.8.2 on Android 9, 10, 11; Amazfit Bip U v1.0.7.32
Tested Version(s): Zepp app 7.8.2 on Android 9, 10, 11; Amazfit Bip U v1.0.7.32
Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2023-08-18
Solution Date: N/A
Public Disclosure: 2023-10-09
CVE Reference: N/A
Authors of Advisory: Julia Karel, Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Amazfit Bip U (see [1]) is a smartwatch with health functions. The Zepp app on Android (see [2]) is the app used to connect the watch to the smartphone and it handles the communication between the two devices.

Because the Bluetooth Low Energy connection is never paired, it remains unencrypted. Therefore, all data transferred between the smartphone and the smartwatch can be eavesdropped. This only concerns the Android version of the app.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When an Amazfit Bip U smartwatch is connected to the Zepp app on an Android device, the connection is established using Bluetooth Low Energy (BLE). In the BLE standard, pairing is used to negotiate a key which is then used to establish an encrypted connection. Bonding is used to store a long-term key on both devices, so that they can establish encrypted connections later without pairing again.

The Zepp app on Android does not initiate pairing and bonding with the smartwatch. Therefore, no encryption key is negotiated and the traffic between the Amazfit Bip U and the Android smartphone remains unencrypted. There is also no application-level (self-managed) encryption implemented.
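For comparison, the following added example (written for this edit, not code from the Zepp app or from SySS) shows how an Android central can make the missing step explicit: it refuses to write sensitive data to the peripheral unless the peer is bonded, and triggers pairing/bonding otherwise. The class and method names are hypothetical; the android.bluetooth APIs used are real and need the BLUETOOTH_CONNECT runtime permission on Android 12 and later.

```java
// Added example: guard GATT writes so that sensitive data only leaves the phone
// over a bonded (and therefore encryptable) BLE link. Hypothetical class name.
import android.bluetooth.BluetoothDevice;
import android.bluetooth.BluetoothGatt;
import android.bluetooth.BluetoothGattCharacteristic;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.util.Log;

public class BondedLinkGuard {
    private static final String TAG = "BondedLinkGuard";
    private final Context context;

    public BondedLinkGuard(Context context) { this.context = context; }

    /** True only if a long-term key for this peer is stored (BLE bonding done). */
    public boolean isBonded(BluetoothDevice device) {
        return device.getBondState() == BluetoothDevice.BOND_BONDED;
    }

    /** Start SMP pairing + bonding if none exists; result arrives via broadcast. */
    public void ensureBond(BluetoothDevice device) {
        if (device.getBondState() == BluetoothDevice.BOND_NONE
                && !device.createBond()) {
            Log.w(TAG, "createBond() could not be started");
        }
    }

    /** Write health data or notifications only once the link is bonded. */
    public boolean writeIfBonded(BluetoothGatt gatt,
                                 BluetoothGattCharacteristic ch, byte[] payload) {
        BluetoothDevice peer = gatt.getDevice();
        if (!isBonded(peer)) {
            Log.w(TAG, "refusing to send sensitive data over an unbonded link");
            ensureBond(peer);          // caller retries after BOND_BONDED
            return false;
        }
        ch.setValue(payload);
        return gatt.writeCharacteristic(ch);
    }

    /** Run the pending write once the bond state changes to BOND_BONDED. */
    public void onBonded(final Runnable pendingWrite) {
        context.registerReceiver(new BroadcastReceiver() {
            @Override public void onReceive(Context c, Intent i) {
                int s = i.getIntExtra(BluetoothDevice.EXTRA_BOND_STATE,
                                      BluetoothDevice.BOND_NONE);
                if (s == BluetoothDevice.BOND_BONDED) pendingWrite.run();
            }
        }, new IntentFilter(BluetoothDevice.ACTION_BOND_STATE_CHANGED));
    }
}
```

A bond only proves that a key exists; for the stack to actually encrypt the link, the watch firmware should additionally mark its characteristics as requiring encryption, so that unencrypted reads and writes are rejected on the peripheral side as well.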
Thus, all health data and all messages transferred to and from the smartwatch can be eavesdropped by an attacker within BLE range of the devices.

If the Zepp app is used on iOS, pairing and bonding are performed and the connection is therefore encrypted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By sniffing the Bluetooth Low Energy connection between the Amazfit Bip U and an Android 11 smartphone with the Zepp app installed, messages of different messengers could be eavesdropped. The tool AmazfitSniffer, developed for this purpose on the basis of Sniffle (see [5]), eavesdrops on the connection and parses the messages of different messengers:

> python3 ./amazfitSniffer.py -m [MAC address of Amazfit Bip U]
Connection to the smartwatch found and eavesdropping...
Telegram message intercepted:
Sender: John Doe
Message: Very secret message
WhatsApp message intercepted:
Sender: Max Mustermann
Message: Did you know, that John Doe...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

-

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-09-28: Vulnerability discovered
2023-08-18: Vulnerability reported to manufacturer
N/A: Patch released by manufacturer
2023-10-09: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for the Amazfit Bip U
    https://de.amazfit.com/products/amazfit-bip-u
[2] Google Play Store website for the Zepp app
    https://play.google.com/store/apps/details?id=com.huami.watch.hmwatchmanager&hl=de&gl=US
[3] SySS Security Advisory SYSS-2023-022
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-022.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] Bluetooth Low Energy sniffer Sniffle
    https://github.com/nccgroup/Sniffle
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Julia Karel and published and verified by Tobias Jäger of SySS GmbH.

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en