OTPulse

AliveCor KardiaMobile

CVSS: 5.2
Source: ICS-CERT ICSMA-22-298-01
Published: Oct 25, 2022
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

AliveCor KardiaMobile and the associated Kardia App contain vulnerabilities in their data-over-sound communication protocol. The protocol lacks encryption, allowing attackers within close physical range to intercept, eavesdrop on, or modify cardiogram data transmitted between the KardiaMobile device and the Kardia smartphone app. Successful exploitation could lead to theft of personal health information, creation of fake cardiogram readings, or denial-of-service attacks. Exploitation requires close physical proximity; the vendor has acknowledged the unencrypted protocol but states that the circumstances necessary for exploitation are unlikely.

What this means
What could happen
An attacker with physical proximity could intercept unencrypted heart rhythm data transmitted over sound between the KardiaMobile device and the Kardia app, stealing personal health information or faking cardiogram readings. In a medical setting where these readings inform treatment decisions, false data could lead to inappropriate clinical actions.
Who's at risk
Healthcare facilities, cardiology clinics, and individual patients using AliveCor KardiaMobile for remote cardiac monitoring are affected. The KardiaMobile is a portable single-lead ECG (electrocardiogram) device used for detecting atrial fibrillation and other arrhythmias. Patients in home care settings and clinical staff relying on accurate cardiogram data are the primary concern.
How it could be exploited
The KardiaMobile device communicates with the Kardia app using an unencrypted data-over-sound protocol. An attacker within close physical range of the device and smartphone can intercept, eavesdrop on, or modify the acoustic signals carrying cardiogram data. No network access is required; the attack is purely physical and acoustic.
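The property the advisory describes is the absence of any integrity or authenticity protection on the acoustic frames, so a listener can both read and alter them without the app being able to tell. The following is an added illustration (not AliveCor code; the real KardiaMobile framing is not described in the advisory, so the frame layout, sample values and shared key below are constructed) contrasting an unauthenticated frame with one carrying an HMAC tag and a sequence number, and showing that the receiver rejects altered or replayed frames only in the second case.

```python
import hmac
import hashlib
import struct

# Hypothetical frame layout, constructed for this example (the advisory does not
# describe the real framing): seq (uint32, big-endian) || 8 x int16 ECG samples || tag
SAMPLE_COUNT = 8
HEADER = struct.Struct(">I" + "h" * SAMPLE_COUNT)
TAG_LEN = hashlib.sha256().digest_size

def build_unauthenticated(seq, samples):
    """No integrity protection: anyone who can hear the frame can forge it."""
    return HEADER.pack(seq, *samples)

def build_authenticated(key, seq, samples):
    """Same payload plus an HMAC-SHA256 tag that also binds the sequence number."""
    body = HEADER.pack(seq, *samples)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Checks the tag and rejects replayed or out-of-order frames."""
    def __init__(self, key):
        self.key = key
        self.last_seq = -1
    def accept(self, frame):
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(tag) != TAG_LEN or not hmac.compare_digest(expected, tag):
            return None  # modified, forged or truncated
        seq, *samples = HEADER.unpack(body)
        if seq <= self.last_seq:
            return None  # replayed
        self.last_seq = seq
        return seq, samples

def alter_sample(frame, index, value):
    """Changes one sample in transit; the tag (if any) is left untouched."""
    seq, *samples = HEADER.unpack(frame[:HEADER.size])
    samples[index] = value
    return HEADER.pack(seq, *samples) + frame[HEADER.size:]

def demo(key=b"constructed-shared-secret"):
    samples = [12, 40, 310, -80, 5, 3, 8, 15]  # constructed microvolt values
    plain_altered = alter_sample(build_unauthenticated(1, samples), 2, 900)
    plain_accepted = HEADER.unpack(plain_altered)[3] == 900  # parses as genuine
    rx, auth = Receiver(key), build_authenticated(key, 1, samples)
    genuine = rx.accept(auth) is not None
    altered = rx.accept(alter_sample(auth, 2, 900)) is None
    replayed = rx.accept(auth) is None
    return plain_accepted, genuine, altered, replayed
```

Encryption would additionally address the eavesdropping case; a tag alone only gives the app a way to detect modification and replay.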
Prerequisites
  • Close physical proximity to both the KardiaMobile device and the smartphone running the Kardia app during data transmission
  • No authentication required; the data-over-sound protocol lacks encryption
Tags: no authentication required, no patch available, unencrypted data transmission, affects health/safety-critical data
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2), 2 EOL
Product | Affected Versions | Fix Status
Kardia App (Android application) | <=5.17.1-754993421 | No fix (EOL)
KardiaMobile (IoT device) | All versions (vers:all/*) | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Enable PIN or biometric authentication on the smartphone running the Kardia app to prevent unauthorized app access if the phone is compromised
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Kardia App Android application: <=5.17.1-754993421, KardiaMobile IoT device: vers:all/*. Apply the following compensating controls:
HARDENING: Restrict physical access to areas where KardiaMobile devices are in use during data transmission with the smartphone
HARDENING: Monitor for suspicious cardiogram readings or unexpected data transmission interruptions that may indicate interference
API: /api/v1/advisories/ccc5d480-999f-4159-85ca-5c22a90c97df