ICSMA-22-298-01 · Published 2022-10-25
AliveCor KardiaMobile
CVSS 5.2 (MEDIUM)
Risk Summary
Successful exploitation of these vulnerabilities could lead to attackers stealing or faking personal cardiograms or enabling a denial-of-service attack. Attackers must be at close range to carry out these attacks.
CVEs (2)
Remediations
- The Kardia App usage instructions recommend that users enable a passcode (PIN) or biometric identification on their smartphones; such measures greatly reduce the risk of Intent Manipulation.
- AliveCor has acknowledged that the data-over-sound protocol has no encryption and is vulnerable to CVE-2022-41627, but the circumstances necessary for exploitation are "unlikely."
Affected Vendors
AliveCor
Affected Products (2)
- AliveCor · Kardia App Android application: <=5.17.1-754993421
- AliveCor · KardiaMobile IoT device: vers:all/*
Affected Sectors
Healthcare and Public Health