
CVE-2022-41627

nvd nist
Published: Oct 27, 2022
Modified: Nov 21, 2024

CVSS score: 7.6
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Exploitability: 2.8 / Impact: 4.7
Source: NVD

Description

AliveCor's KardiaMobile, a physical IoT device that serves as a smartphone-based personal electrocardiogram (EKG), has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at frequencies similar to those of the device, disrupting the smartphone microphone's ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.

Affected (3)

3 products
Kardiamobile Firmware
Kardiamobile 6l Firmware
Kardiamobile Card Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable software (affected versions): All versions
Running on/with (platform versions): Alivecor Kardiamobile, All versions
Configuration B
1 vulnerable · 1 platform
Vulnerable software (affected versions): All versions
Running on/with (platform versions): Alivecor Kardiamobile 6l, All versions
Configuration C
1 vulnerable · 1 platform
Vulnerable software (affected versions): All versions
Running on/with (platform versions): Alivecor Kardiamobile Card, All versions

References (2)

Source: ics-cert@hq.dhs.gov
Third Party Advisory, US Government Resource
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory, US Government Resource
