ICSMA-21-196-01_Ypsomed mylife

CVSS 6.3 | ICS-CERT ICSMA-21-196-01 | Jul 15, 2021
Healthcare
Attack path
  • Attack Vector: Network
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: Required
Summary

Ypsomed mylife App and mylife Cloud contain insufficient access control vulnerabilities (CWE-798). An authenticated user can access or modify medical data and device configurations belonging to other patients due to missing or weak authorization checks. These vulnerabilities affect mylife App versions prior to 1.7.5 and mylife Cloud versions prior to 1.7.2. The vendor has released a mitigation update for the mylife Cloud backend (version 1.7.2) and an updated App version (1.7.5), but security researchers have identified that fixes may not fully address the underlying access control weaknesses.

What this means
What could happen
An authenticated attacker with access to a patient's mylife App or Cloud account could view sensitive medical data (insulin therapy information, glucose readings) or make unauthorized configuration changes to treatment parameters. This could compromise patient privacy and potentially affect insulin pump settings.
Who's at risk
Healthcare organizations and patients using Ypsomed mylife insulin pump management systems. Medical staff and patients who rely on the mylife App for insulin therapy management and glucose monitoring are affected. This includes hospitals, clinics, and home-care settings managing diabetes patients.
How it could be exploited
An attacker with valid credentials to the mylife App or Cloud platform (obtained via credential theft, social engineering, or network eavesdropping) can exploit insufficient access controls to view or modify medical data and device configurations belonging to other patients. The attack requires user interaction (clicking a link or accepting a prompt) but does not require administrative privileges.
Prerequisites
  • Valid mylife App or Cloud account credentials (standard user, not admin)
  • Network access to mylife Cloud backend or App (internet-accessible)
  • User interaction (UI action by the authenticated user)
Tags
  • remotely exploitable
  • requires valid credentials
  • affects medical device cloud platform
  • no patch available for mylife Cloud
  • user interaction required
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (2)
2 with fix
Product        Affected Versions   Fix Status
mylife App     All < 1.7.5         1.7.5
mylife Cloud   All < 1.7.2         1.7.2
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update mylife App to version 1.7.5 or later
Long-term hardening
HARDENING: Restrict system access to authorized personnel only; implement least privilege access controls for medical device cloud accounts
HARDENING: Disable unnecessary accounts and services on mylife Cloud infrastructure
HARDENING: Apply defense-in-depth strategies including network segmentation and additional authentication checks for sensitive operations
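The following Python sketch is added here as an illustration and is not code from Ypsomed, from ICS-CERT, or from this advisory. It contrasts the weakness class described in the summary and exploitation notes above (an authenticated account reaching other patients' records because the backend checks only that a user is logged in) with the object-level authorization and least-privilege role checks the hardening items call for, and records every denied request so that cross-patient access attempts surface in logs. The record layout, user names, roles, patient identifiers and the basal-rate bound are all constructed assumptions for the example.

```python
"""Added example: authentication-only access (the weakness class in the
advisory) beside authentication plus object-level authorization.
All records, users, roles and limits below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class TherapyRecord:
    patient_id: str
    owner_user: str                 # account that owns this record
    basal_rate_u_per_h: float       # constructed therapy parameter
    glucose_mg_dl: List[int] = field(default_factory=list)


@dataclass
class Session:
    user: str
    role: str                       # "patient" or "clinician" (assumed roles)
    care_team_patients: frozenset = frozenset()  # patients a clinician may read


# Constructed sample data standing in for a cloud backend's store
RECORDS: Dict[str, TherapyRecord] = {
    "P-1001": TherapyRecord("P-1001", "alice", 0.8, [110, 132, 98]),
    "P-1002": TherapyRecord("P-1002", "bob", 1.1, [140, 155]),
}
AUDIT: List[str] = []               # denied requests, for detection and alerting


class AuthzError(PermissionError):
    pass


def is_authenticated(session: Optional[Session]) -> bool:
    return session is not None and bool(session.user)


# --- Vulnerable pattern: any logged-in user may read any patient's record ---
def get_record_vulnerable(session: Optional[Session], patient_id: str) -> TherapyRecord:
    if not is_authenticated(session):
        raise AuthzError("login required")
    return RECORDS[patient_id]      # no check that the record belongs to this user


# --- Hardened pattern: authentication, then per-object authorization ---
def _authorize(session: Optional[Session], patient_id: str, action: str) -> TherapyRecord:
    if not is_authenticated(session):
        raise AuthzError("login required")
    rec = RECORDS.get(patient_id)
    allowed = False
    if rec is not None:
        if session.role == "patient":
            allowed = rec.owner_user == session.user          # own data only
        elif session.role == "clinician":
            # care-team clinicians may read; therapy changes stay with the owner
            allowed = patient_id in session.care_team_patients and action == "read"
    if not allowed:
        AUDIT.append(f"DENY user={session.user} role={session.role} "
                     f"action={action} patient={patient_id}")
        # One generic error for "missing" and "not yours" so ids cannot be probed
        raise AuthzError("not found or not permitted")
    return rec


def get_record_hardened(session: Optional[Session], patient_id: str) -> TherapyRecord:
    return _authorize(session, patient_id, "read")


def set_basal_rate_hardened(session: Optional[Session], patient_id: str, new_rate: float) -> float:
    rec = _authorize(session, patient_id, "write")
    if not 0.0 < new_rate <= 5.0:   # constructed sanity bound on a safety-relevant parameter
        raise ValueError("rate out of range")
    rec.basal_rate_u_per_h = new_rate
    return rec.basal_rate_u_per_h


def denied(fn: Callable, *args) -> bool:
    """True if the call is refused by the authorization layer."""
    try:
        fn(*args)
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    bob = Session("bob", "patient")
    print("vulnerable: bob reads alice's record ->",
          get_record_vulnerable(bob, "P-1001").owner_user)
    print("hardened:   bob reads alice's record denied ->",
          denied(get_record_hardened, bob, "P-1001"))
    print("audit:", AUDIT)
```

The design point is that the authorization decision is made once, in `_authorize`, against the specific record and action requested, so every read or write path inherits it; a deny produces the same error whether the record exists or not, and the `AUDIT` entries give a SOC something concrete to alert on when one account starts touching many patient identifiers.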

