CVE-2022-41627

Published Oct 27, 2022

Last updated a year ago

CVSS high 7.6

Overview

Description: The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.
Source: ics-cert@hq.dhs.gov
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.6
Impact score: 4.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: CWE-319
ics-cert@hq.dhs.gov: CWE-311

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:alivecor:kardiamobile:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "C5ED3887-643F-430C-B2A1-CCEDBE71F2B6"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:alivecor:kardiamobile_firmware:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6EADECC1-EF47-43B5-9213-CA92945DE4A8"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:alivecor:kardiamobile_6l:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "EB03F4F8-687B-493D-BBEA-553831EBBA43"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:alivecor:kardiamobile_6l_firmware:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "37A5B811-EFDF-4497-9E4C-D2D663C5A15B"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:alivecor:kardiamobile_card:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "18DF9CF0-6D64-474C-A65C-5003893A5C79"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:alivecor:kardiamobile_card_firmware:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7FF05B50-32FB-4BCE-9C84-BDB46CDAC1D8"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References