Security researcher Craig Wright has found that a smart toothbrush from Oral-B can leak sensitive information. The Oral B Triumph Toothbrush with SmartGuide ProfessionalCare 9900 i wirelessly connects to a smartphone app where it collects data on how often the user brushes his teeth, for how long and which movements are made.
The idea behind collecting the data is to show them to a dentist which can then provide tips on how to improve brushing. The toothbrush also warns when to change the brush head or when the battery is nearly empty.
The information collected by the toothbrush in combination with the smartphone app can easily be obtained by hackers. Using a simple man-in-the-middle attack hackers can get access to the data that is transferred. That's possible because the toothbrush sends data unencrypted.
When Wright called the Oral B service desk they didn't take the vulnerability serious and told him, "who the hell would want to monitor a toothbrush". Nevertheless, Wright argues that the data could be used by e.g. health insurance companies to see whether you properly brush your teeth and raise your insurance if you don't.
Obviously that isn't realistic, but Wright wants to underline that smart devices should be properly secured and that's something not all companies are aware of. They should at least encrypt the data that is transferred over public networks. The findings of Wright were already published in 2008 and still devices that aren't properly secured are sold.
