History: Oct 27, 2022 - 9:15 p.m.

CVE-2022-41627

2022-10-27 21:15:15
CWE-311
CWE-319
icscert
web.nvd.nist.gov
iot
device security
encryption
patient data
vulnerability
data-over-sound
ekg
denial-of-service
nvd
cve-2022-41627

CVSS3: 7.6

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score: 7.2
Confidence: High

EPSS: 0.001
Percentile: 18.0%

AliveCor’s KardiaMobile, a smartphone-based personal electrocardiogram (EKG) physical IoT device, has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at frequencies similar to those of the device, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.

Affected configurations

Nvd

Node
  alivecor  kardiamobile  Match  -
  AND
  alivecor  kardiamobile_firmware  Match  -
Node
  alivecor  kardiamobile_6l  Match  -
  AND
  alivecor  kardiamobile_6l_firmware  Match  -
Node
  alivecor  kardiamobile_card  Match  -
  AND
  alivecor  kardiamobile_card_firmware  Match  -

Vendor    Product                     Version  CPE
alivecor  kardiamobile                -        cpe:2.3:h:alivecor:kardiamobile:-:*:*:*:*:*:*:*
alivecor  kardiamobile_firmware       -        cpe:2.3:o:alivecor:kardiamobile_firmware:-:*:*:*:*:*:*:*
alivecor  kardiamobile_6l             -        cpe:2.3:h:alivecor:kardiamobile_6l:-:*:*:*:*:*:*:*
alivecor  kardiamobile_6l_firmware    -        cpe:2.3:o:alivecor:kardiamobile_6l_firmware:-:*:*:*:*:*:*:*
alivecor  kardiamobile_card           -        cpe:2.3:h:alivecor:kardiamobile_card:-:*:*:*:*:*:*:*
alivecor  kardiamobile_card_firmware  -        cpe:2.3:o:alivecor:kardiamobile_card_firmware:-:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "KardiaMobile",
    "vendor": "AliveCor",
    "versions": [
      {
        "status": "affected",
        "version": "All"
      }
    ]
  }
]
