Vulnerability in Philips DreamMapper mobile App software lets hackers access the user log information files
Security researchers from SRC Security Research & Consulting GmbH have found a vulnerability in the Philips DreamMapper mobile app software. The vulnerability is considered critical; hence the U.S. Department of Homeland Security's CISA has also issued an advisory about it, covering Philips DreamMapper versions 2.24 and earlier.
The team of Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting GmbH, based in Germany, found that attackers with only trivial skills could access the user log information files of the mobile app software.
DreamMapper is a sleep-monitoring system developed by Philips that serves as an assistant in the treatment of sleep apnea and saves certain log files. The researchers found the vulnerability in Philips DreamMapper versions 2.24 and earlier and said that it could be exploited remotely with low-level skills. If exploited, an attacker could access log files that contain sensitive information and gain guidance from the information written to those files.
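The weakness described above is information exposure through log files: whatever the app writes to its logs becomes readable to anyone who can reach those files. The following is an added illustration, not Philips or DreamMapper code, of how a developer keeps sensitive values out of log output and how a reviewer can audit existing log lines for leaks. The sensitive key names, the regular expressions, the logger name and the sample messages are all constructed for this example.

```python
import io
import logging
import re

# Constructed example illustrating CWE-532 style leaks (sensitive data written to
# log files) and a redaction filter that stops them before a handler writes the line.
# None of the names below come from DreamMapper; they are assumptions for the demo.

# Structured-log keys whose values must never be written in clear (constructed list).
SENSITIVE_KEYS = {"password", "token", "session_id", "auth", "email", "patient_id", "serial"}

# Patterns that mark secrets inside free-text messages (constructed list).
# Patterns with one capture group keep the group and mask what follows it.
SECRET_PATTERNS = [
    re.compile(r"(?i)(bearer\s+)[a-z0-9._-]+"),                  # "Bearer <token>"
    re.compile(r"(?i)(password=)[^\s&]+"),                       # "password=<value>"
    re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),  # e-mail addresses
]


def redact_message(message: str) -> str:
    """Mask secret-looking values embedded in a free-text log line."""
    out = message
    for pat in SECRET_PATTERNS:
        if pat.groups:
            out = pat.sub(lambda m: m.group(1) + "[REDACTED]", out)
        else:
            out = pat.sub("[REDACTED]", out)
    return out


def redact_fields(record: dict) -> dict:
    """Return a copy of a structured log record with sensitive keys masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in record.items()}


class RedactingFilter(logging.Filter):
    """logging.Filter that rewrites the rendered message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so secrets passed as arguments are covered too.
        record.msg = redact_message(record.getMessage())
        record.args = ()
        return True


def log_with_redaction(message: str) -> str:
    """Log one message through a RedactingFilter and return what reached the handler."""
    buf = io.StringIO()
    logger = logging.getLogger("sleep_app_demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message)
    handler.flush()
    return buf.getvalue().strip()


def find_leaks(lines):
    """Audit helper: 1-based numbers of log lines that still contain a secret-looking value."""
    return [i for i, line in enumerate(lines, 1) if any(p.search(line) for p in SECRET_PATTERNS)]


if __name__ == "__main__":
    # Constructed sample lines: the first two are what an unfiltered logger might write.
    sample_log = [
        "2020-08-01 10:00:01 INFO login ok user=alice@example.com",
        "2020-08-01 10:00:02 DEBUG sync Authorization: Bearer abc.def-123",
        "2020-08-01 10:00:03 INFO upload complete",
    ]
    print("lines leaking data:", find_leaks(sample_log))
    print(log_with_redaction("login ok user=alice@example.com Authorization: Bearer abc.def-123"))
    print(redact_fields({"user": "alice", "password": "hunter2", "device": "cpap-01"}))
```

Putting the redaction in a `logging.Filter` rather than at each call site means a developer who later logs a whole request object still cannot leak a token; `find_leaks` is the complementary check to run over logs that already exist on disk.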
The Philips DreamMapper vulnerability has been assigned the identifier CVE-2020-14518 and has a CVSS score of 5.3/10. The researchers informed Philips about the vulnerability, and Philips has stated that, “This potential vulnerability does not impact patient safety. [DreamMapper] does not directly provide therapy or diagnosis to patients. To date, Philips has not received any reports of exploitation of this vulnerability.”
Philips intends to release a new version of the DreamMapper app by June 30, 2021, which will remediate the vulnerability. In the interim, CISA has provided organizations with defensive measures that can minimize the risk of exploitation. Philips has meanwhile advised administrators to implement the following security measures:
- Set up physical security measures to limit access to critical systems
- Restrict access to the system only to authorized personnel, by following a minimum privilege policy
- Apply defense-in-depth strategies
- Disable unnecessary or high-privileged accounts and services