Dario Health USB-C Blood Glucose Monitoring System Lack of Encryption Vulnerability

Vulnerability

A vulnerability exists in the Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application, all versions through 5.8.7.0.36, due to a lack of encryption for sensitive data in transit. This vulnerability could lead to unauthorized manipulation or exposure of private personal information, including health data, transmitted to the Android device via the Dario Health application database. The issue is compounded by the fact that the Dario Health Internet-based server infrastructure, which supports the application, is also vulnerable, creating a potential risk for data interception or alteration.

Impact

Exploitation of this vulnerability could allow an attacker to intercept and manipulate sensitive data in transit, including personal health information, leading to unauthorized access or alteration of private health records. Additionally, this vulnerability could be exploited in conjunction with other identified vulnerabilities in the Dario Health ecosystem, such as cross-site scripting, to achieve a full session compromise.

Remediation

Users are advised to update the Dario Health Android mobile application to the latest version. For more information, contact Dario Health directly. CISA recommends minimizing network exposure for all control system devices, locating control system networks behind firewalls, and using secure remote access methods, such as VPNs.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.