OTPulse

Philips HealthSuite Health Android App

Low Risk 3.5 · ICS-CERT ICSMA-18-340-01 · Dec 6, 2018
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

HealthSuite Health Android App contains a cryptographic weakness (CWE-326) that allows an attacker with physical access to the device to read or modify application data without authentication. This impacts the confidentiality and integrity of patient information stored in the app. Philips announced a fix for Q1 2019.

What this means
What could happen
An attacker with physical access to an unattended device running HealthSuite Health could read or modify app data without authentication, potentially affecting patient information confidentiality and app integrity.
Who's at risk
Healthcare IT staff and clinical mobile device managers should care about this advisory. It affects the HealthSuite Health Android application used on clinical and administrative mobile devices that handle patient health data.
How it could be exploited
An attacker gains physical access to a mobile device running the HealthSuite Health app and exploits weak cryptographic protections to read or modify stored app data, including patient records or settings.
Prerequisites
  • Physical access to the mobile device running HealthSuite Health Android App
  • Device must not have a strong passcode or device-level encryption enabled
Physical access required · Weak cryptographic protections · Affects confidentiality and integrity of health data
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
HealthSuite Health Android App: All Versions | All versions | No fix yet
Remediation & Mitigation
Do now
HARDENING: Ensure mobile devices running HealthSuite Health have device-level encryption enabled and a strong passcode
HARDENING: Do not jailbreak or root mobile devices running HealthSuite Health, as this weakens security and may allow unauthorized app data access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update HealthSuite Health Android App to the patched version when available (expected Q1 2019)