OmniPEMF NeoRhythm Missing Authentication Vulnerability in BLE Interface

Vulnerability

A vulnerability exists in the Bluetooth Low Energy (BLE) interface of the OmniPEMF NeoRhythm device in versions prior to 20260308. The interface has no authentication, encryption, or access controls, so an attacker within BLE range can inject real-time control signals. These signals can alter neurostimulation session parameters such as intensity, frequency, duration, and program modes, potentially causing direct physical harm to the user. Exploitation is considered difficult, but the absence of authentication tokens or pairing requirements simplifies the process.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of critical therapy parameters, with the potential to induce adverse neurological effects on the user.

Remediation

Users are advised to update the device firmware to version 20260308 or later, ensuring that the BLE interface employs secure connections with authenticated pairing. If the device cannot be updated, consider replacing it with a model that includes these security features.
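
As an added illustration of the remediation above (not OmniPEMF firmware and not code from this advisory), the following C example shows a GATT write handler that refuses a control write unless the link is encrypted with keys from authenticated pairing, then bounds-checks the value. The link_state struct, on_intensity_write, the one-byte intensity characteristic and INTENSITY_MAX are assumptions made for the example; the ATT error codes are the ones defined by the Bluetooth Core Specification.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ATT error codes from the Bluetooth Core Specification. */
enum {
    ATT_OK               = 0x00,
    ATT_ERR_INSUFF_AUTHN = 0x05,
    ATT_ERR_INSUFF_KEYSZ = 0x0C,
    ATT_ERR_BAD_LENGTH   = 0x0D,
    ATT_ERR_INSUFF_ENC   = 0x0F,
    APP_ERR_OUT_OF_RANGE = 0x80  /* application-defined range 0x80-0x9F */
};

/* Hypothetical per-connection state, as a BLE stack would report it. */
struct link_state {
    bool    paired;     /* keys exist for this peer */
    bool    encrypted;  /* link is currently encrypted */
    bool    mitm;       /* keys came from authenticated (MITM-protected) pairing */
    uint8_t key_size;   /* encryption key size in bytes */
};

#define INTENSITY_MAX 100u  /* hypothetical device limit, not from the advisory */

/* Gate a write to a hypothetical one-byte intensity characteristic.
 * *intensity changes only when ATT_OK is returned. */
uint8_t on_intensity_write(const struct link_state *l, const uint8_t *val,
                           size_t len, uint8_t *intensity)
{
    if (!l->paired)             return ATT_ERR_INSUFF_AUTHN;
    if (!l->encrypted)          return ATT_ERR_INSUFF_ENC;
    if (!l->mitm)               return ATT_ERR_INSUFF_AUTHN;
    if (l->key_size < 16)       return ATT_ERR_INSUFF_KEYSZ;
    if (len != 1)               return ATT_ERR_BAD_LENGTH;
    if (val[0] > INTENSITY_MAX) return APP_ERR_OUT_OF_RANGE;
    *intensity = val[0];
    return ATT_OK;
}

int main(void)
{
    /* Constructed connections: an unpaired peer, then a bonded, authenticated one. */
    struct link_state peers[2] = { { false, false, false, 0 }, { true, true, true, 16 } };
    uint8_t intensity = 10, req = 90;
    for (int i = 0; i < 2; i++) {
        uint8_t st = on_intensity_write(&peers[i], &req, 1, &intensity);
        printf("peer %d: status 0x%02X, intensity %u\n", i, st, intensity);
    }
    return 0;
}
```

The security checks run before the value is parsed, so a rejected peer cannot change the stored setting.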

Added: Mar 21, 2026, 6:48 PM
Updated: Mar 21, 2026, 6:48 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.9
remediation: 0.0
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.