CVE-2022-41627 - OpenCVE

The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Alivecor	Kardiamobile 6l Kardiamobile Kardiamobile Card Kardiamobile 6l Firmware Kardiamobile Card Firmware Kardiamobile Firmware

Configuration 1 [-]

AND

cpe:2.3:h:alivecor:kardiamobile:-:*:*:*:*:*:*:*

cpe:2.3:o:alivecor:kardiamobile_firmware:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:alivecor:kardiamobile_6l:-:*:*:*:*:*:*:*

cpe:2.3:o:alivecor:kardiamobile_6l_firmware:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:h:alivecor:kardiamobile_card:-:*:*:*:*:*:*:*

cpe:2.3:o:alivecor:kardiamobile_card_firmware:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2022-10-27T20:04:06.498Z

Updated: 2022-11-01T15:57:59.910Z

Reserved: 2022-09-29T14:09:27.495Z

Link: CVE-2022-41627

JSON object: View

NVD Information

Status : Modified

Published: 2022-10-27T21:15:15.573

Modified: 2023-11-07T03:52:51.250

Link: CVE-2022-41627

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-41627", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "requesterUserId": "bc31a57b-b1a5-40e2-9263-67c0ae8a3b8a", "dateReserved": "2022-09-29T14:09:27.495Z", "datePublished": "2022-10-27T20:04:06.498Z", "dateUpdated": "2022-11-01T15:57:59.910Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "KardiaMobile", "vendor": "AliveCor", "versions": [{"status": "affected", "version": "All"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Carlos Cilleruelo Rodr\u00edguez"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Javier Junquera S\u00e1nchez"}], "datePublic": "2022-10-25T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone\u2019s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.</span>\n\n"}], "value": "\nThe physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone\u2019s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-11-01T15:57:59.910Z"}, "references": [{"tags": ["government-resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "cveClient/1.0.13"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile:-:*:*:*:*:*:*:*", "matchCriteriaId": "C5ED3887-643F-430C-B2A1-CCEDBE71F2B6", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "6EADECC1-EF47-43B5-9213-CA92945DE4A8", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile_6l:-:*:*:*:*:*:*:*", "matchCriteriaId": "EB03F4F8-687B-493D-BBEA-553831EBBA43", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_6l_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "37A5B811-EFDF-4497-9E4C-D2D663C5A15B", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:alivecor:kardiamobile_card:-:*:*:*:*:*:*:*", "matchCriteriaId": "18DF9CF0-6D64-474C-A65C-5003893A5C79", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:alivecor:kardiamobile_card_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FF05B50-32FB-4BCE-9C84-BDB46CDAC1D8", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\nThe physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone\u2019s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.\n\n"}, {"lang": "es", "value": "El dispositivo f\u00edsico IoT de AliveCor's KardiaMobile, basado en un tel\u00e9fono inteligente de electrocardiograma personal (EKG), no tiene cifrado para sus protocolos de datos sobre sonido. Explotar esta vulnerabilidad podr\u00eda permitir a un atacante leer los resultados del EKG del paciente o crear una condici\u00f3n de Denegaci\u00f3n de Servicio al emitir sonidos en frecuencias similares a las del dispositivo, interrumpiendo la capacidad del micr\u00f3fono del tel\u00e9fono inteligente para leer los datos con precisi\u00f3n. Para llevar a cabo este ataque, el atacante debe estar cerca (a menos de 5 pies) para captar y emitir ondas sonoras."}], "id": "CVE-2022-41627", "lastModified": "2023-11-07T03:52:51.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 4.2, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-10-27T21:15:15.573", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-311"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}