PatchSiren cyber security CVE debrief
CVE-2024-34463 BPL Medical Technologies CVE debrief
BPL Medical Technologies PWS-01-BT personal weighing scales transmit sensitive data via unencrypted Bluetooth Low Energy (BLE) packets, exposing user information to nearby eavesdroppers. The BLE communications lack encryption, authentication, and integrity protection, allowing passive interception and potential data manipulation within physical proximity. The vulnerability affects all firmware versions of the PWS-01-BT hardware (model IND/09/18/599) and the companion Be Well Android application through version 3.64. CISA published this advisory on September 10, 2024, after BPL Medical Technologies failed to respond to coordination requests. No patch is available; users must rely on physical proximity controls and contact vendor support for guidance.
- Vendor: BPL Medical Technologies
- Product: PWS-01-BT personal weighing scale (all firmware versions)
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-09-10
- Original CVE updated: 2024-09-10
- Advisory published: 2024-09-10
- Advisory updated: 2024-09-10
Who should care
Healthcare facilities using BPL PWS-01-BT scales for patient monitoring, individuals using these devices for personal health tracking, and organizations with Bring Your Own Device (BYOD) policies allowing personal health devices on corporate networks.
Technical summary
The PWS-01-BT personal weighing scale broadcasts sensitive user data via BLE without encryption, authentication, or integrity checks. An attacker with physical proximity can passively capture weight measurements and potentially associated user identifiers. The adjacent network attack vector (AV:A) requires the attacker to be within Bluetooth radio range. No authentication is required for packet capture. The vulnerability stems from missing cryptographic protections in the BLE protocol implementation rather than a protocol-level BLE weakness.
Defensive priority
Medium
Recommended defensive actions
- Minimize use of affected weighing scales in public or semi-public spaces where unauthorized individuals may be within Bluetooth range (typically 10-100 meters)
- Disable Bluetooth on mobile devices when not actively using the Be Well application to reduce exposure window
- Contact BPL Medical Technologies customer support to request security updates or replacement guidance for affected devices
- Monitor for unusual Bluetooth activity in environments where these devices are deployed
- Consider alternative personal health devices with encrypted wireless communications for sensitive use cases
Evidence notes
CISA CSAF advisory ICSMA-24-254-01 documents unencrypted BLE transmission of sensitive data without authentication or integrity mechanisms. CVSS 3.1 score of 4.6 reflects adjacent network attack vector with low confidentiality and integrity impact.
Official resources
- CVE-2024-34463 CVE record (CVE.org)
- CVE-2024-34463 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA published ICSMA-24-254-01 on September 10, 2024, following unsuccessful vendor coordination attempts.