Thomson TBS705

The Thomson solution exhibits several severe security and privacy issues, and its overall performance was the worst in our test set. So far we have not been able to discuss any of these issues with the developers or the vendor.

sensor: Thomson TBS705
connectivity: WiFi, Bluetooth
mobile app: com.stabxtom.thomson
app release date: Oct 2015
app install base: 1k
app version: v1.1-B018

Considerations

The scale collects data and transfers it, unencrypted, to a web server. The user, however, is neither notified of this transfer nor able to manage the data once it has been transferred.

  • unencrypted data transmission: data exchanged between your mobile application and your web servers is not encrypted
  • no SSL support: your web server does not accept SSL connections, so the app's traffic cannot be encrypted even if the app tried
  • password policy missing: your applications do not enforce any password policy; letting users choose trivial passwords (e.g. a single character) puts their data at risk
  • (over)privileged Android app: your Android application appears to be highly overprivileged; the general recommendation is to request only the minimum set of permissions your service needs
  • account management: as your privacy policy states, users can ask your company to delete their data; such a request must be authenticated, e.g. by checking that the email address it is sent from matches the account to be deleted, and requests sent from any other address must not be accepted as deletion requests
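The overprivileged-app finding is easiest to substantiate by diffing the permissions an app requests against what its purpose plausibly needs. The following is an added example, not part of this review or the vendor's code: it parses a constructed AndroidManifest.xml (the package name and permission set below are invented for illustration and are not the real com.stabxtom.thomson manifest), subtracts a baseline that a companion app for a WiFi/Bluetooth scale would reasonably need (our assumption), and flags whatever is left, with the subset Android classifies as "dangerous" called out separately.

```python
"""Triage an Android app's requested permissions against an expected baseline.
Added example: the manifest and the baseline are constructed assumptions,
not the real com.stabxtom.thomson app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions Android classifies as "dangerous" (runtime-granted,
# user-visible). Not exhaustive; enough for triage.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS",
}

# Assumed baseline for a companion app of a WiFi/Bluetooth scale.
# ACCESS_COARSE_LOCATION is included because BLE scanning needs it on Android 6+.
EXPECTED_FOR_SCALE_APP = {
    "android.permission.INTERNET",
    "android.permission.BLUETOOTH",
    "android.permission.BLUETOOTH_ADMIN",
    "android.permission.ACCESS_COARSE_LOCATION",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, expected=EXPECTED_FOR_SCALE_APP):
    """Compare requested permissions with the expected baseline.

    Returns a dict with the full request list, the permissions not covered
    by the baseline, and the subset of those that are dangerous."""
    requested = requested_permissions(manifest_xml)
    excess = requested - expected
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "excess_dangerous": sorted(excess & DANGEROUS),
    }


# Constructed sample manifest (not the real app): two dangerous permissions
# a scale app has no obvious use for, plus one harmless extra.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scale">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(key, value)
```

For a real APK the manifest is binary XML inside the archive; decode it first (for example `aapt dump permissions app.apk` or apktool) and feed the resulting permission list to the same comparison. The baseline should be written per app type, since what is excessive for a scale is expected for a phone dialer.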
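Two of the findings above (missing password policy, unauthenticated deletion requests) are server-side controls the vendor would have to add. The code below is an added example written for this page, not the vendor's implementation, using a constructed in-memory account store. It enforces a minimum length and a (constructed, deliberately short) common-password list at registration, and authenticates deletion requests in two steps: the sender address must match the account, and because a `From:` header is trivially forgeable, the deletion is only executed after a one-time token sent to the registered address is presented. The 12-character minimum and the token scheme are our assumptions, not requirements stated on the page.

```python
"""Server-side password policy and authenticated account deletion.
Added example with a constructed in-memory store; not the vendor's code."""
import secrets

MIN_PASSWORD_LENGTH = 12  # assumption; pick per your risk appetite
# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "111111"}


def password_policy_errors(password):
    """Return a list of policy violations; an empty list means acceptable."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        errors.append("in common-password list")
    if password.strip() != password:
        errors.append("leading or trailing whitespace")
    return errors


def normalize_email(email):
    return email.strip().lower()


class AccountStore:
    def __init__(self):
        self.accounts = {}           # normalized email -> record
        self.pending_deletions = {}  # one-time token -> normalized email

    def register(self, email, password):
        errs = password_policy_errors(password)
        if errs:
            raise ValueError("weak password: " + "; ".join(errs))
        self.accounts[normalize_email(email)] = {"deleted": False}

    def request_deletion(self, account_email, sender_email):
        """Step 1: only accept requests whose sender matches the account.
        Step 2: issue a one-time token that must be mailed to the registered
        address; matching the sender alone is not proof of control, since
        the From: header of an email can be forged.
        Returns the token, or None if the request is rejected."""
        account = normalize_email(account_email)
        if account not in self.accounts or self.accounts[account]["deleted"]:
            return None  # same answer as a mismatch: don't reveal existence
        if normalize_email(sender_email) != account:
            return None
        token = secrets.token_urlsafe(32)
        self.pending_deletions[token] = account
        # In production, email `token` to `account`; never hand it to the requester.
        return token

    def confirm_deletion(self, token):
        """Execute the deletion only with a valid, unused token."""
        account = self.pending_deletions.pop(token, None)
        if account is None:
            return False
        self.accounts[account]["deleted"] = True
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.com", "correct horse battery staple")
    print(store.request_deletion("alice@example.com", "mallory@example.com"))  # None
    tok = store.request_deletion("alice@example.com", "Alice@Example.com")
    print(store.confirm_deletion(tok))  # True
```

The deletion flow matches what the account-management finding asks for (reject requests from other addresses) and adds the confirmation step a practitioner would insist on; the token should expire and be single-use, as the `pop` above makes it.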

Remarks

We wish to discuss the issues mentioned here, and others, with Thomson. We are still waiting for a response and will be happy to help on request.