CVE-2022-41627

The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 4.2

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01	Third Party Advisory US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:alivecor:kardiamobile_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:alivecor:kardiamobile:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:alivecor:kardiamobile_6l_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:alivecor:kardiamobile_6l:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:alivecor:kardiamobile_card_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:alivecor:kardiamobile_card:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-10-27 21:15

Updated : 2024-11-21 07:23

NVD link : CVE-2022-41627

Mitre link : CVE-2022-41627

CVE.ORG link : CVE-2022-41627

JSON object : View

Products Affected

alivecor

kardiamobile
kardiamobile_6l
kardiamobile_card_firmware
kardiamobile_firmware
kardiamobile_card
kardiamobile_6l_firmware

CWE

CWE-311

Missing Encryption of Sensitive Data

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2022-41627", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 0.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2022-10-27T21:15:15.573", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-311"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "\nThe physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone\u2019s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.\n\n"}, {"lang": "es", "value": "El dispositivo f\u00edsico IoT de AliveCor's KardiaMobile, basado en un tel\u00e9fono inteligente de electrocardiograma personal (EKG), no tiene cifrado para sus protocolos de datos sobre sonido. Explotar esta vulnerabilidad podr\u00eda permitir a un atacante leer los resultados del EKG del paciente o crear una condici\u00f3n de Denegaci\u00f3n de Servicio al emitir sonidos en frecuencias similares a las del dispositivo, interrumpiendo la capacidad del micr\u00f3fono del tel\u00e9fono inteligente para leer los datos con precisi\u00f3n. Para llevar a cabo este ataque, el atacante debe estar cerca (a menos de 5 pies) para captar y emitir ondas sonoras."}], "lastModified": "2024-11-21T07:23:31.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EADECC1-EF47-43B5-9213-CA92945DE4A8"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C5ED3887-643F-430C-B2A1-CCEDBE71F2B6"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_6l_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37A5B811-EFDF-4497-9E4C-D2D663C5A15B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile_6l:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EB03F4F8-687B-493D-BBEA-553831EBBA43"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_card_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FF05B50-32FB-4BCE-9C84-BDB46CDAC1D8"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile_card:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "18DF9CF0-6D64-474C-A65C-5003893A5C79"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}