The compact Bluetooth blood pressure monitor Braun iCheck® 7 not only offers a direct evaluation of the blood pressure values but also a history of the last measurements in its app.
In the eHealth area in particular, a lot of sensitive data is recorded, which must be protected according to the current state of the art in security. For this reason, we look all the more critically at the security of the device and its app, as well as at the privacy policy of the Braun iCheck® 7.

The former Braun GmbH was sold to The Gillette Company in the USA as early as 1967, and Gillette was in turn taken over by another US company, Procter & Gamble, in 2005. Today, the Braun brand is used by various companies; in the case of the iCheck® 7 blood pressure monitor, by the US company Helen of Troy.

Features / Specifications

The Braun Healthy Heart app (Android 4.4+, iOS 10+) offers a history of blood pressure measurements as well as a direct evaluation in the categories normal and mild, moderate or severe hypertension. However, blood pressure that is too low is also classified as “normal” by the app.
Furthermore, it allows the input of information on sleep, sport, nutrition, mood and medication intake and creates an analysis accordingly. Blood pressure data can be exported and shared by e-mail. On Apple devices there is also the option of integration with Apple Health, as well as reminders to measure blood pressure or take medication.

Braun Healthy Heart app history
  • Model: BPW4500
  • Measurement method: Oscillometric
  • Display: OLED display
  • Blood pressure measurement range: 40 ~ 255mmHg
  • Pulse measurement range: 40 ~ 199 beats/minute
  • Calibration accuracy: Blood pressure: +/- 3 mmHg
  • Pulse rate: +/- 4% of reading
  • Inflation/Deflation: Automatic
  • Sets of memory: Up to 100 readings
  • Cuff size: Fits wrist circumference: 12.5 – 21 cm (4.9 – 8.3 inch) min/max
  • Operating temperature: +10 °C ~ + 40 °C, less than 85 % R.H. non-condensing
  • Storage temperature: -20 °C ~ +55 °C, less than 85 % R.H. non-condensing
  • Unit weight: Approximately 125g (excluding batteries)
  • Power source: Alkaline battery: 2 x AAA (LR3) 1.5V
  • Auto power off: Approx. 60 seconds
  • Service life: 5 years
  • Wireless communication: Bluetooth® Smart
  • Frequency Range: 2.4GHz ISM Band (2400 – 2483.5 MHz)
  • Modulation: GFSK
  • Effective radiated power: <20dBm

Source: Braun

Local communication

The communication between the app and the iCheck® 7 takes place via Bluetooth LE. After registration in the app and subsequent pairing with the device, existing measurements are transferred to the smartphone.

The Bluetooth transmission itself is unencrypted. Furthermore, the measurement device is visible to other Bluetooth devices during operation and does not require any authentication to read out values. These include not only the firmware version and serial number of the device but also the measured values, as the following screenshot shows.

Left: reading the data via a second smartphone. Right: the official app

Due to the short range of Bluetooth, however, the unencrypted transmission carries a rather low risk of attack, since an attacker must be in the immediate vicinity (a radius of 2-3 meters) at the time of measurement. Nevertheless, we recommend that the manufacturer implement authentication between the app and the device and switch the device to non-discoverable mode after pairing, so that third-party devices cannot detect the iCheck® 7 in the first place.

Online communication

Internet communication takes place exclusively with servers in the USA, is always TLS 1.2 encrypted and is thus protected against simple attacks. For registration and the upload of current measurements the app uses the web API at https://api.kaz.com, which presents an expired certificate (expired in April 2019; checked on July 8th, 2019) that is moreover issued for an entirely different domain (*.pur.com). The app should therefore abort the connection instead of continuing to talk to the server regardless.
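As an added illustration (not code from the review or from the manufacturer), the following Python shows the two checks a TLS client must apply to the presented certificate after chain verification, and why a certificate like the one described above has to be rejected: the validity period and the hostname match against the subjectAltName entries. The certificate dictionary is constructed here in the shape returned by Python's ssl.SSLSocket.getpeercert(); the domain *.pur.com and the April 2019 expiry follow the text, while the exact day, the notBefore date and the second SAN entry are placeholders chosen for the example.

```python
import ssl
import time
from datetime import datetime, timezone
from typing import List, Optional

# Constructed example certificate in the dict layout of ssl.SSLSocket.getpeercert().
# The domain (*.pur.com) and the expiry month (April 2019) follow the review;
# the exact day, the notBefore date and the second SAN entry are placeholders.
API_HOST = "api.kaz.com"
EXAMPLE_CERT = {
    "subject": ((("commonName", "*.pur.com"),),),
    "subjectAltName": (("DNS", "*.pur.com"), ("DNS", "pur.com")),
    "notBefore": "Apr 15 00:00:00 2018 GMT",
    "notAfter": "Apr 15 23:59:59 2019 GMT",
}
# The review was carried out on July 8th, 2019; that is the check time used here.
REVIEW_TIME = datetime(2019, 7, 8, tzinfo=timezone.utc).timestamp()


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: case-insensitive; a single '*' may only stand
    for the entire left-most label and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False  # wildcard only as the whole left-most label
    if len(p_labels) < 3:
        return False  # refuse overly broad wildcards such as '*.com'
    return p_labels[1:] == h_labels[1:]


def _san_dns_names(cert: dict) -> List[str]:
    """DNS names from subjectAltName; fall back to the subject CN only when
    the certificate carries no SAN extension at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def validate_peer_cert(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons the certificate must be rejected for `hostname`
    (an empty list means it is acceptable)."""
    now = time.time() if now is None else now
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate expired on " + cert["notAfter"])
    names = _san_dns_names(cert)
    if not any(_dns_name_matches(name, hostname) for name in names):
        problems.append("hostname %r does not match %r" % (hostname, names))
    return problems


def should_connect(cert: dict, hostname: str, now: Optional[float] = None) -> bool:
    """The app's decision: any problem means abort, never 'continue anyway'."""
    return not validate_peer_cert(cert, hostname, now)


if __name__ == "__main__":
    for reason in validate_peer_cert(EXAMPLE_CERT, API_HOST, REVIEW_TIME):
        print("reject:", reason)
    print("connect?", should_connect(EXAMPLE_CERT, API_HOST, REVIEW_TIME))
```

Run stand-alone, the script lists both defects (expired, wrong name) and answers "connect? False". Both failures are independent: renewing the certificate alone would still leave the name mismatch, which is why the text asks for the certificate to be renewed and the app's validation to be revised.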

From a technical point of view, this kind of setup is surprising to say the least, but it does encrypt the communication effectively. In our test, a man-in-the-middle attack was only possible after we had installed the proxy’s CA certificate on the smartphone. For this the attacker needs direct access to the device, so this is not counted against the product in the test.

Furthermore, as of Android 7.0, certificates installed by the user are only trusted by an app if the app developer explicitly allows this (an entry in the manifest file). As a result, man-in-the-middle attacks are effectively made more difficult. However, since more than 40% of all devices still run an Android version older than 7.0 (source: Statista, July 8th, 2019), we recommend implementing certificate pinning as a further, optional security measure.
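The Android mechanism referred to above is the Network Security Configuration introduced in Android 7.0, which is an XML resource referenced from the manifest. The following configuration is an added example of how pinning for the API host could be declared; it is not the Braun app's configuration, and the two pin values are placeholders, not the real SPKI hashes of the api.kaz.com certificate. A backup pin for a key that is not yet in use is included deliberately, so that a key rotation does not lock users out of the app.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not the app's own file) -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="false">api.kaz.com</domain>
        <!-- SHA-256 of the SubjectPublicKeyInfo, base64; both values are placeholders -->
        <pin-set expiration="2020-12-31">
            <pin digest="SHA-256">PLACEHOLDER_CURRENT_KEY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_KEY_SPKI_SHA256_BASE64=</pin>
        </pin-set>
        <!-- Only system CAs: user-installed CAs (e.g. a proxy's) are never trusted here -->
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The file is activated with android:networkSecurityConfig="@xml/network_security_config" on the application element of the manifest. The pin-set expiration date is a safety valve: after it, pinning is skipped rather than rendering the app unusable if the operator forgot to ship new pins. Since this configuration is ignored on Android versions older than 7.0, the older devices mentioned above need the pin check in the app's HTTP client instead (OkHttp's CertificatePinner is one such option).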

App

The static analysis of the Braun Healthy Heart Android app (version 2.1.4) did not reveal any obvious vulnerabilities. Curiously, it is signed not by Helen of Troy/KAZ but by New Potato Technologies, USA. This gives the impression of a somewhat heterogeneous solution.

App certificate

The app’s data is stored in the Android app data folder in an unencrypted SQLite database. On rooted smartphones this data can be read, but normally this location is secure and not readable by other apps. Since the stored data can give a very detailed insight into the user’s health, we recommend that the manufacturer implement encrypted storage as an additional security measure.

Apart from communication with Google Firebase and Crashlytics, we could only identify communication with the domain api.kaz.com. The latter is used to register and upload measurements, but the app has no way of downloading data stored in the cloud. Changing the smartphone therefore means loss of data or manual effort (backup via e-mail, manually adding the data in the new app).

As already mentioned in the previous part of the test, the app accepts the API certificate even though it is invalid. The manufacturer should fix this issue by renewing the certificate and revising its validation in the app.

Privacy

Since the app records sensitive health data, which taken as a whole provides an insight not only into the user’s lifestyle but also into his or her history of illness and medication, greater attention must be paid to privacy and to the correct handling of this data. In the following section, we refer to the Braun Healthy Heart App’s privacy statement as of February 12th, 2018.

When the app is opened for the first time, an AccessToken is generated via the API; it is used to authenticate all further communication with the server. There is no possibility to log in with a password, but the full name, gender, date of birth and e-mail address are still requested.
No age check takes place during registration; birth dates less than one year in the past can also be entered. Since the data of children is especially worth protecting, for example under the GDPR (see Article 8), we recommend implementing an age check and refusing registration for users who are too young.
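One way the recommended age check could look, as an added example that is not the app's code: the minimum age is a parameter because GDPR Article 8 sets the default age of consent for information society services at 16 but lets member states lower it to 13. The age calculation treats a 29 February birthday as completed on 1 March in non-leap years; the dates in the demo at the bottom are constructed.

```python
from datetime import date
from typing import Optional

# GDPR Art. 8: digital consent age is 16 by default, member states may lower it to 13.
DEFAULT_MINIMUM_AGE = 16


def age_in_years(birth_date: date, today: date) -> int:
    """Whole years completed. Comparing (month, day) tuples avoids constructing
    an invalid date for people born on 29 February; they turn a year older on
    1 March in non-leap years, the usual legal convention."""
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def check_birth_date(birth_date: date, today: date,
                     minimum_age: int = DEFAULT_MINIMUM_AGE) -> Optional[str]:
    """Return None when registration may proceed, otherwise the reason for refusal.
    Rejects implausible future dates as well as users below the minimum age."""
    if birth_date > today:
        return "birth date lies in the future"
    age = age_in_years(birth_date, today)
    if age < minimum_age:
        return "user is %d, minimum age is %d" % (age, minimum_age)
    return None


if __name__ == "__main__":
    # Constructed dates; the check date is the review date used throughout the text.
    review_day = date(2019, 7, 8)
    for dob in (date(2019, 1, 1), date(2003, 7, 9), date(2003, 7, 8), date(2020, 1, 1)):
        print(dob, "->", check_birth_date(dob, review_day) or "ok")
```

The check belongs on the server side as well as in the app, since the registration request to the API is what actually creates the account; a client-only check can be bypassed by sending the request directly.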

Registration in the app

The data entered during registration is not used for blood pressure measurement or health data analysis, but is shared with other partners, for example for advertising purposes, if this is permitted during the registration process. Objecting later is not possible in the app itself.

The data recorded by the app is used anonymously by the manufacturer for the administration, improvement and further development of its products, services etc. It is not clear why the transfer of health data is nevertheless tied to a registration and thus to a person. The GDPR requires data storage to be limited to what is necessary (cf. Art. 5, keyword data minimisation). We therefore recommend that the manufacturer allow the use of the app without registration, or with only the absolutely necessary information.

All data is stored and processed in the USA, among others on Amazon servers. Amazon participates in the EU-US Privacy Shield, but this does not necessarily guarantee that data is treated in accordance with current EU law (see europa.eu). For this reason, we recommend that the manufacturer store the data on the user’s own continent, which is quite common with other eHealth products. With regard to data retention, we would also like to see a more specific statement than “not […] longer than necessary”, especially for health data.

Even before the terms of use and privacy policy are accepted, we identified data communication with Crashlytics (USA). This should be remedied as soon as possible; otherwise personal data is shared with other companies without consent, which may have legal consequences. Furthermore, the privacy policy can only be found in the app and not on the manufacturer’s website, which only provides the website’s own privacy statement.

Conclusion

The Braun iCheck® 7 Bluetooth blood pressure monitor has weaknesses in its Bluetooth communication. For a successful attack, however, an attacker would have to be within a few meters of the device during the measurement, so the risk for the owner is rather low. Nevertheless, we recommend that the manufacturer close these gaps as soon as possible. In terms of Internet communication and privacy, there are also some issues that should be revised.

For this reason, we rate this device in combination with the Braun Healthy Heart App with two out of three possible stars.