History: Oct 27, 2022 - 8:04 p.m.

CVE-2022-41627

2022-10-27 20:04:06
CWE-311
icscert
www.cve.org
alivecor's kardiamobile
iot device
data-over-sound protocols
ekg results
denial-of-service
smartphone microphone
encryption vulnerability

CVSS3

4.8

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

18.0%

AliveCor's KardiaMobile, a physical IoT device that works as a smartphone-based personal electrocardiogram (EKG), has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at frequencies similar to those of the device, disrupting the smartphone microphone's ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "KardiaMobile",
    "vendor": "AliveCor",
    "versions": [
      {
        "status": "affected",
        "version": "All"
      }
    ]
  }
]
