Status: FDA cleared
An unauthenticated attacker within BLE range can capture and aggregate unencrypted diabetic data transmitted by the Pops Rebel Bluetooth Glucose Monitoring System, affecting users of Pops Rebel version 5.0 for Android. The weakness is classified as CWE-319: Cleartext Transmission of Sensitive Information.
Supporting material (images): a static code analysis correlating the app source code with an actual BLE capture in Wireshark.
This issue was reported to the vendor, POPS! Diabetes Care Inc., in April 2023.
The vulnerability was discovered by Edward Warren.