
CVE-2024-34463: n/a

Severity: Medium
Type: Vulnerability
Published: Tue Sep 03 2024 (09/03/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

BPL Personal Weighing Scale PWS-01BT IND/09/18/599 devices send sensitive information in unencrypted BLE packets. (The packet data also lacks authentication and integrity protection.)

AI-Powered Analysis

Last updated: 02/26/2026, 04:44:47 UTC

Technical Analysis

CVE-2024-34463 identifies a security vulnerability in the BPL Personal Weighing Scale PWS-01BT, where sensitive information is transmitted over Bluetooth Low Energy (BLE) packets without encryption, authentication, or integrity checks. BLE is commonly used for short-range wireless communication in personal health devices. In this case, the device sends data such as weight measurements or possibly user identifiers in plaintext, making it susceptible to eavesdropping by any attacker within BLE range (typically up to 10 meters). The absence of authentication and integrity protection means attackers can not only intercept but potentially alter the data packets, leading to misinformation or privacy breaches. The vulnerability is classified under CWE-285 (Improper Authorization), indicating a failure to enforce proper access controls on transmitted data. The CVSS v3.1 base score of 5.1 reflects that the attack vector is local (physical proximity required), with low complexity and no privileges or user interaction needed. The impact affects confidentiality and integrity but not availability. No patches or fixes have been published yet, and no known exploits have been observed in the wild, suggesting this is a newly disclosed issue. However, the risk remains significant for users who rely on these devices for personal health monitoring, as sensitive biometric data could be exposed or manipulated.

Potential Impact

The primary impact of this vulnerability is the compromise of user privacy and data integrity. Sensitive biometric data such as weight measurements, which may be linked to personal health profiles, can be intercepted by attackers nearby, leading to potential privacy violations. Manipulation of data packets could cause incorrect readings to be recorded or displayed, undermining trust in the device and potentially affecting health decisions based on inaccurate data. For organizations, especially healthcare providers or fitness centers using these devices, this could lead to regulatory compliance issues related to data protection laws such as GDPR or HIPAA. Although the attack requires physical proximity, the widespread use of BLE devices in homes, gyms, and clinics increases the attack surface. The lack of authentication and encryption also means that attackers can perform passive surveillance or active data tampering without alerting users. While availability is not affected, the breach of confidentiality and integrity can have reputational and operational consequences.

Mitigation Recommendations

To mitigate this vulnerability, organizations and users should consider the following specific actions:

1) Avoid using the affected BPL PWS-01BT devices in environments where sensitive data interception is a concern until a firmware update or patch is released.
2) Contact the manufacturer to request security updates or inquire about planned fixes addressing encryption and authentication of BLE communications.
3) Employ physical security controls to limit unauthorized proximity to the devices, such as restricting access to areas where the scales are used.
4) Use network monitoring tools capable of detecting unusual BLE traffic patterns that might indicate eavesdropping or data manipulation attempts.
5) Where possible, replace vulnerable devices with alternatives that implement secure BLE protocols including encryption, authentication, and integrity checks.
6) Educate users about the risks of transmitting sensitive data over unsecured wireless channels and encourage best practices for device placement and usage.
7) For organizations, integrate this vulnerability into risk assessments and compliance audits to ensure data protection policies address BLE device security.

These steps go beyond generic advice by focusing on device-specific controls, manufacturer engagement, and environmental security.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-05-04T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c50b7ef31ef0b5627e2

Added to database: 2/25/2026, 9:40:32 PM

Last enriched: 2/26/2026, 4:44:47 AM

Last updated: 2/26/2026, 6:54:32 AM
