A vulnerability has been discovered in Philips DreamMapper, a mobile application used to track and manage sleep apnea therapy. The application does not deliver treatment to patients, so exploitation of the vulnerability poses no risk to patient safety. However, an attacker who exploits the vulnerability could gain access to the application's log files, derive instructions from the data they contain, and add further information to them.
Lutz Weimann, Issam Habib, Florian Mommertz, and Tim Hirschberg of SRC Security Research & Consulting GmbH identified the vulnerability and reported it to the Federal Office for Information Security (BSI) in Germany. BSI notified Philips, which in turn informed the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) as required by its disclosure policy. CISA issued an advisory on the vulnerability on July 30, 2020.
The vulnerability affects Philips DreamMapper version 2.24 and earlier. It is rated medium severity, is tracked as CVE-2020-14518, and has been assigned a CVSS v3 base score of 5.3 out of 10. A threat actor with a low level of skill could exploit the vulnerability remotely. No cases of exploitation have been reported to date.
Philips plans to release a patch for the vulnerability, but it will not be available until June 30, 2021. In the meantime, anyone with concerns about the vulnerability can contact the Philips service support team for advice.
CISA has recommended several defensive measures that can be put in place to reduce the likelihood of the vulnerability being exploited. These include enforcing physical security controls to restrict access to critical systems, applying the principle of least privilege, limiting device access to authorized staff only, disabling unnecessary accounts and services, and adopting a defense-in-depth strategy. CISA has also recommended reviewing the guidance on medical device security published by the Food and Drug Administration (FDA) in 2016.