Vulnerability Identified in Philips DreamMapper Software
A vulnerability has been identified in Philips DreamMapper, a mobile app used by patients to monitor and manage their sleep apnea therapy. The app does not itself deliver therapy, so exploitation of the flaw does not place patient safety at risk; however, the flaw could be exploited to gain access to the app's log files, use the information they contain to guide further attacks, and insert additional data.
The vulnerability was identified by Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting GmbH. The flaw was reported to the German Federal Office for Information Security (BSI), which notified Philips. Philips in turn reported the flaw to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) under its responsible disclosure policy, and CISA published an advisory on July 30, 2020.
The vulnerability affects DreamMapper version 2.24 and earlier and is tracked as CVE-2020-14518. It has been assigned a CVSS v3 base score of 5.3 out of 10 (medium severity). According to CISA, the flaw is exploitable remotely and requires a low skill level to exploit. No exploitation in the wild has been reported to date.
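The weakness behind this CVE is sensitive information written to log files (CWE-532 in CISA's advisory): a log that captures raw request data hands an attacker who can read it credentials, identifiers and endpoint details to work from. The following is an added illustration of that weakness class, not DreamMapper's code or its actual log format. The event fields, key names, endpoint and token values are constructed for the example.

```python
"""Sensitive data in log files (CWE-532): a leaky logger beside a redacting one,
plus a small audit routine for checking existing logs.

Constructed example. The event below and its field names are invented to
illustrate the weakness class; they are not DreamMapper's log format or data.
"""
import json
import re
from typing import Any, List, Tuple

# Keys whose values must never reach a log line verbatim (hypothetical set).
SENSITIVE_KEYS = {
    "authorization", "access_token", "refresh_token", "password",
    "session_id", "email", "device_serial",
}

# Token-shaped strings that may be embedded in free-text messages:
# HTTP bearer tokens and three-part JWTs.
SECRET_PATTERNS = [
    re.compile(r"(?i)bearer\s+[a-z0-9._-]{16,}"),
    re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
]


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so support staff can still correlate."""
    if len(value) <= keep:
        return "***"
    return "***" + value[-keep:]


def scrub(obj: Any) -> Any:
    """Recursively redact sensitive keys and token-shaped substrings."""
    if isinstance(obj, dict):
        return {
            k: (mask(str(v)) if k.lower() in SENSITIVE_KEYS else scrub(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        for pat in SECRET_PATTERNS:
            obj = pat.sub(lambda m: mask(m.group(0)), obj)
        return obj
    return obj


def log_line_leaky(event: dict) -> str:
    """The weak pattern: serialise the whole request/response into the log."""
    return "DEBUG sync " + json.dumps(event, sort_keys=True)


def log_line_redacted(event: dict) -> str:
    """The hardened pattern: scrub before serialising."""
    return "DEBUG sync " + json.dumps(scrub(event), sort_keys=True)


def audit_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Detection side: flag log lines that still carry raw sensitive values."""
    findings = []
    key_pat = re.compile(
        r'"(%s)":\s*"([^"]*)"' % "|".join(sorted(SENSITIVE_KEYS)), re.I
    )
    for n, line in enumerate(lines, 1):
        for m in key_pat.finditer(line):
            if not m.group(2).startswith("***"):
                findings.append((n, "raw value for key %s" % m.group(1)))
        for pat in SECRET_PATTERNS:
            if pat.search(line):
                findings.append((n, "token-shaped secret"))
    return findings


# Constructed sample event (hypothetical field names and values).
SAMPLE_EVENT = {
    "headers": {"Authorization": "Bearer abcdef0123456789abcdef0123456789"},
    "user": {"email": "patient@example.org", "device_serial": "SN123456789"},
    "sync": {"endpoint": "https://api.example.invalid/v1/sync", "records": 14},
    "debug": "retrying with Bearer abcdef0123456789abcdef0123456789",
}

if __name__ == "__main__":
    leaky = log_line_leaky(SAMPLE_EVENT)
    safe = log_line_redacted(SAMPLE_EVENT)
    print(leaky)
    print(safe)
    print(audit_log([leaky, safe]))
```

The leaky line exposes the bearer token, the patient's e-mail address and the device serial to anyone who can read the log (on a phone: a backup, a debugging bridge, or another app with file access). The redacted line keeps enough of each value to correlate a support case without being reusable, and `audit_log` is the kind of check a reviewer would run over an app's existing log output before shipping.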
Philips plans to release a patch to correct the flaw but does not expect to do so until June 30, 2021. Until then, users with questions about the vulnerability are advised to contact the Philips service support team.
CISA has recommended a range of defensive measures to reduce the risk of exploitation: restricting system access to authorized personnel only and following the principle of least privilege, applying a defense-in-depth strategy, disabling unnecessary accounts and services, and implementing physical security measures to limit or control access to critical systems. CISA has also pointed readers to the medical device cybersecurity guidance issued by the Food and Drug Administration (FDA) in 2016.