BPL Medical Technologies PWS-01-BT and BPL Be Well Android Application

CVSS 4.6 | ICS-CERT ICSMA-24-254-01 | Sep 10, 2024
Healthcare
Attack path
  • Attack Vector: Adjacent
  • Auth Required: None
  • Complexity: Low
  • User Interaction: Required
Summary

The BPL Medical Technologies PWS-01-BT device and the Be Well Android Application (version 3.64 and earlier) contain a vulnerability (CWE-319: Cleartext Transmission of Sensitive Information): data exchanged between the device and the application is sent without encryption, so an attacker on the same network can read it and modify it in transit. This covers patient data, device configuration, and any other information the two exchange. BPL Medical Technologies has not provided a patch and has not responded to CISA's requests for mitigation.

What this means
What could happen
An attacker with network access to the PWS-01-BT device or Be Well Android app could intercept and modify data in transit, potentially altering patient information or device configuration without authentication.
Who's at risk
Healthcare organizations using BPL Medical Technologies PWS-01-BT devices (wearable or portable patient monitoring equipment) together with the Be Well Android application for patient data collection and transmission are affected. In practice this means clinical staff who use the app to collect vital signs or other patient information, since that data can be intercepted and modified by an attacker on the same network.
How it could be exploited
An attacker must be on the same network as the PWS-01-BT device or as the user of the Be Well Android application (attack vector: adjacent). From that position the attacker can intercept the unencrypted traffic between app and device, modify it, and forward it to the destination without the user noticing.
Prerequisites
  • Network access to the same local network segment as the PWS-01-BT device or Be Well Android application user
  • No authentication required to intercept communications
  • User interaction required (user must trigger a data transfer)
Tags: no patch available · no authentication required · affects safety systems · vulnerable communications channel for patient data
Exploitability
Some exploitation risk — EPSS score 3.1%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (2), both end of life (EOL)
Product | Affected Versions | Fix Status
Be Well Android Application | ≤ 3.64 (<=3.64) | No fix (EOL)
PWS-01-BT | All versions (vers:all/*) | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to PWS-01-BT devices using a firewall, allowing only necessary communication from authorized medical equipment and staff networks
HARDENING: For remote access to PWS-01-BT or the Be Well Android app, use a VPN with current security patches and require multi-factor authentication
Schedule — requires maintenance window

No patch exists today; if the vendor releases one, applying it may require a device reboot, so plan for process interruption

WORKAROUND: Contact BPL Medical Technologies support to inquire about a security update or workaround; document the vendor response for compliance records
Mitigations - no patch available
The following products have reached end of life with no planned fix: Be Well Android Application ≤ 3.64 and PWS-01-BT (all versions). Apply the following compensating controls:
HARDENING: Isolate PWS-01-BT devices and systems running the Be Well Android application on a dedicated network segment separate from general business networks
HARDENING: Monitor network traffic to and from PWS-01-BT devices for cleartext transmissions and unauthorized access attempts; report suspicious activity to CISA
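The monitoring control above is easier to act on with a concrete check. The following is an added example written for this advisory; it is not code from BPL Medical Technologies or from the Be Well app, and the PWS-01-BT/Be Well wire protocol is not documented on this page. It therefore classifies each flow by the first bytes the client sent, which is enough to tell a TLS handshake from cleartext regardless of the application protocol, and checks every flow touching the device segment against an allow-list of peers. The segment (10.50.0.0/24), the gateway address (10.50.1.10) and the sample payloads are all hypothetical and constructed for the example.

```python
"""Audit captured flows to and from a medical-device segment for CWE-319.

Added example for this advisory; not BPL Medical Technologies' code and
not aware of the PWS-01-BT/Be Well protocol. Flows are classified by the
first bytes the client sent (TLS vs cleartext) and checked against an
assumed peer allow-list. All addresses and payloads are constructed.
"""
from __future__ import annotations

import ipaddress
import string
from dataclasses import dataclass

# Hypothetical topology: PWS-01-BT devices and Be Well tablets live in
# 10.50.0.0/24 and may talk only to the clinical gateway at 10.50.1.10.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_PEERS = {ipaddress.ip_address("10.50.1.10")}

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client on this connection


def classify_payload(payload: bytes) -> str:
    """Label the first client bytes as 'tls', 'http', 'cleartext' or 'unknown'."""
    # A TLS ClientHello: record type 0x16 (handshake), record version 0x03 0x01..0x04,
    # then handshake type 0x01 at offset 5. Every TLS version starts like this.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (1, 2, 3, 4) and payload[5] == 0x01):
        return "tls"
    if not payload:
        return "unknown"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    # Mostly printable ASCII without TLS framing is cleartext of some other protocol.
    printable = sum(1 for b in payload if chr(b) in string.printable)
    return "cleartext" if printable / len(payload) > 0.9 else "unknown"


def audit_flow(flow: Flow) -> list[str]:
    """Return policy findings for one flow; an empty list means the flow is compliant."""
    findings = []
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in DEVICE_SEGMENT and dst not in ALLOWED_PEERS:
        findings.append(f"unauthorized peer {flow.dst}:{flow.dport} contacted from {flow.src}")
    if dst in DEVICE_SEGMENT and src not in ALLOWED_PEERS:
        findings.append(f"unauthorized access to device segment from {flow.src}")
    if src in DEVICE_SEGMENT or dst in DEVICE_SEGMENT:
        kind = classify_payload(flow.payload)
        if kind != "tls":
            findings.append(f"{kind} traffic {flow.src}->{flow.dst}:{flow.dport} (CWE-319)")
    return findings


def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map 'src->dst:port' to its findings, keeping only flows that have at least one."""
    report = {}
    for flow in flows:
        findings = audit_flow(flow)
        if findings:
            report[f"{flow.src}->{flow.dst}:{flow.dport}"] = findings
    return report


# Constructed sample flows; not real captures of the device or the app.
SAMPLE_FLOWS = [
    # Tablet to gateway over TLS (a ClientHello): compliant.
    Flow("10.50.0.21", "10.50.1.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # Same pair, but vitals posted as plain HTTP: one CWE-319 finding.
    Flow("10.50.0.21", "10.50.1.10", 8080,
         b'POST /vitals HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{"hr":72,"spo2":98}'),
    # Device-segment host sending cleartext to an unexpected peer: two findings.
    Flow("10.50.0.23", "192.168.1.50", 5000, b"HR=72;SPO2=98;TEMP=36.8\n"),
    # Host outside the segment probing a device: unauthorized access plus cleartext.
    Flow("10.10.10.7", "10.50.0.23", 8080, b"GET /config HTTP/1.1\r\nHost: 10.50.0.23\r\n\r\n"),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_FLOWS).items():
        for finding in findings:
            print(f"{key}: {finding}")
```

In a real deployment the `Flow` records would come from a span port or a sensor log that keeps the first client payload bytes of each connection. The TLS check only proves that a handshake was attempted, not that the certificate was validated or that the connection was not downgraded, so it complements, rather than replaces, the segmentation and firewall controls listed above.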
