Qardio Arm iOS Application Sensitive Data Exposure Vulnerability

Vulnerability

A vulnerability in the Qardio Arm iOS application allows for the exposure of sensitive data, including usernames and passwords, in a plist file. This data leakage enables an attacker to log into production-level development accounts and access an engineering backdoor within the application. The backdoor permits the execution of hex-based commands through a user interface terminal. This vulnerability affects Qardio Heart Health iOS Mobile Application version 2.7.4, Qardio Heart Health Android Mobile Application version 2.5.1, and all versions of the QardioARM A100.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive personal information, such as usernames and passwords, allowing attackers to log into development accounts and access engineering backdoors in the application. Additionally, an uncaught exception vulnerability could be exploited to cause a denial-of-service condition on the QardioARM A100 device by flooding it with continuous measurement requests over an unencrypted Bluetooth connection, disrupting its ability to connect with clinician apps for patient readings.

Remediation

Qardio has not responded to requests to collaborate with CISA on mitigating these vulnerabilities. Users are encouraged to contact Qardio customer support for more information. To reduce risk, Bluetooth should be disabled when not in use, and the device should not be used in public or within Bluetooth range of potential threats. Only trusted mobile apps from reliable providers should be used.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.8
exploitability: 3.3
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.