Philips will issue a new release to remediate an inadequate encryption strength vulnerability in its HealthSuite Health Android App during the first quarter next year, according to an NCCIC report.
Successful exploitation of this vulnerability may allow an attacker with physical access to impact confidentiality and integrity of the product.
Philips said the vulnerability, discovered by a researcher who withheld his name, affects all versions of the Philips HealthSuite Health Android App.
The software uses simple encryption that is not strong enough for the level of protection required.
CVE-2018-19001 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.5.
The product sees use in the healthcare and public health sectors. It is deployed mainly in the United States, the Netherlands, Germany, and the United Kingdom.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. An attacker with low skill level could leverage the vulnerability.
A new release to remediate this vulnerability will be available during Quarter 1 of 2019.
As an interim mitigation to this vulnerability, Netherlands-based Philips recommends the following:
Philips advises against jail-breaking or rooting mobile devices. A jail-broken or rooted device is one that has been modified outside the configurations supported or warranted by the mobile device or operating system vendor. Such devices have been freed from the limitations imposed by the mobile service provider and the phone manufacturer. This may affect the performance of the app, weaken the security of the device, and expose users to additional risks.
See the Philips product security website for the latest security information.