Qardio Heart Health IOS and Android Application and QardioARM A100

CVSS 7.1 | ICS-CERT ICSMA-25-044-01 | Feb 13, 2025
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Qardio Heart Health iOS and Android applications (versions 2.7.4 and 2.5.1 respectively) and QardioARM A100 blood pressure monitors contain vulnerabilities in data protection and file access controls. These allow an attacker within Bluetooth range to obtain sensitive patient health information, disrupt device operation, and extract firmware files. The vulnerabilities stem from improper information exposure (CWE-359), missing encryption (CWE-248), and insecure file permissions (CWE-552). Qardio has not responded to CISA coordination efforts and no vendor patch is available.

What this means
What could happen
An attacker within Bluetooth range of the QardioARM A100 blood pressure monitor or mobile app could extract sensitive health information from the device, disrupt its operation, or retrieve firmware files.
Who's at risk
Healthcare facilities, clinics, home healthcare providers, and individual patients using QardioARM A100 blood pressure monitors or the Qardio Heart Health mobile application should consider this risk, especially in shared or public settings where Bluetooth attacks are feasible. Medical staff managing remote patient monitoring programs may be affected if data confidentiality is critical for compliance or patient privacy.
How it could be exploited
An attacker must be within Bluetooth range of the vulnerable device or mobile application. They would initiate a Bluetooth connection and exploit improper data protection (CWE-359, CWE-248) or file permissions (CWE-552) to access sensitive health data, cause service interruptions, or download firmware.
Prerequisites
  • Bluetooth enabled on the QardioARM A100 or mobile device
  • Attacker physically located within Bluetooth transmission range (typically 30-100 feet depending on environment)
Key facts
  • No patch available
  • Low Bluetooth range limits exposure but increases risk in clinical/public environments
  • Affects sensitive health data (CWE-359, CWE-248)
  • Improper file permissions on firmware (CWE-552)
  • Vendor non-responsive to mitigation requests
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (3; all EOL)
Product | Affected Versions | Fix Status
Qardio Heart Health IOS Mobile Application | 2.7.4 | No fix (EOL)
Qardio Heart Health Android Mobile Application | 2.5.1 | No fix (EOL)
QardioARM A100 | All versions (vers:all/*) | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable Bluetooth on QardioARM A100 and mobile apps when not actively monitoring blood pressure
HARDENING: Restrict use of QardioARM A100 and associated apps to controlled, secure locations away from untrusted individuals
HARDENING: Only download the Qardio Heart Health app from official app stores (Apple App Store, Google Play Store)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Qardio customer support to request security updates or replacement devices with patched firmware

