The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published a medical bulletin concerning a vulnerability which was discovered in the Philips HealthSuite Health Android Application.
The Philips HealthSuite Health Android App records users’ body measurements and health information to allow them to monitor their activities and help them attain their wellness goals. Users of the app are mostly located in the United States, Germany, the Netherlands and the United Kingdom.
The app encrypts user data to protect against unauthorized access; however, a security researcher discovered the encryption method used was too simple and, as a result, did not provide the necessary level of protection.
Because of this vulnerability, a hacker with physical access to the app could exploit the weakness and gain access to the data of the app user. Because it is not possible for a hacker to exploit the vulnerability remotely, the risk of data exposure/theft is minimal. The vulnerability is being tracked as CVE-2018-19001 and has a CVSS v3 base rating of 3.5.
Philips is going to release a new version of the application in Q1 2019. The new version will use a more powerful method of encrypting user data. For the time being, Philips’ recommendation is not to use the app on mobile devices that are rooted or jail-broken, because they have weakened security and thus the risk is greater.