Ypsomed ‘MyLife’ App Vulnerable to Low-Complexity Remote Attacks

  • MyLife from Ypsomed was found to be vulnerable to risky man-in-the-middle attacks.
  • These attacks could result in the disclosure of sensitive information or the alteration of communications.
  • The vulnerabilities have been addressed via a fixing update, so all users of the app are urged to apply the patch.

CISA warns about a set of vulnerabilities in the Ypsomed ‘MyLife’ app and cloud product which could enable a remote actor to obtain sensitive information or tamper with the integrity of the data being transmitted. Considering that ‘MyLife’ is a medical app created as a companion tool for the YpsoPump insulin pump, the implications of the problem become potentially severe. MyLife is meant to help people with diabetes manage their insulin and food intake, monitor and control their glucose levels, and generally stay safe and healthy.

Source: Ypsomed

The four problems found on the app by a team of researchers in Germany are the following:

  • CVE-2021-27491: Insufficiently protected credentials on Ypsomed MyLife Cloud, where the product discloses password hashes during the registration process. (CVSS v3 score: 5.8)
  • CVE-2021-27495: Insufficiently protected credentials on Ypsomed MyLife Cloud, which reflects the user’s password during the login process when redirecting from an HTTPS to an HTTP endpoint. (CVSS v3 score: 6.3)
  • CVE-2021-27499: The Ypsomed MyLife app and Cloud use no random IVs in their encryption layer, so the communications can be cracked and read in man-in-the-middle attacks. (CVSS v3 score: 5.4)
  • CVE-2021-27503: The Ypsomed MyLife app and Cloud rely on hard-coded credentials, which allow man-in-the-middle actors to tamper with messages. (CVSS v3 score: 5.4)
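The non-random-IV issue above (CVE-2021-27499) is easiest to see in code. The following Go program is an added illustration, not Ypsomed’s code, and assumes nothing about the real MyLife protocol beyond the CVE description: it uses AES-CBC with a constructed key and shows that a fixed IV makes identical messages, and identical message prefixes, produce identical ciphertext that a passive observer on the path can correlate, while a fresh random IV per message removes that leak.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// pkcs7Pad pads msg up to a multiple of the AES block size.
func pkcs7Pad(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptCBC encrypts msg under key with the given IV and returns IV || ciphertext.
func encryptCBC(key, iv, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(msg)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// EncryptStaticIV mimics the weak design: the same IV for every message.
func EncryptStaticIV(key, msg []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize) // all-zero IV, constructed for the demo
	return encryptCBC(key, iv, msg)
}

// EncryptRandomIV is the corrected design: a fresh random IV per message.
func EncryptRandomIV(key, msg []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return encryptCBC(key, iv, msg)
}

// LeaksEquality reports what an observer learns from two IV||ciphertext blobs: whether the
// first ciphertext blocks match, which under a fixed IV means the plaintexts share a first block.
func LeaksEquality(c1, c2 []byte) bool {
	return bytes.Equal(c1[aes.BlockSize:2*aes.BlockSize], c2[aes.BlockSize:2*aes.BlockSize])
}
```

With a fixed IV, a repeated reading or command is recognisable on the wire without the key; with a random IV the same plaintext encrypts differently each time.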

The Swiss medical device maker has released a fixing update for the app, which came with version 1.7.5. If you’re running anything older than that, go ahead and update your app immediately. As for the Cloud product, version 1.7.2 fixes the above issues, and users of it shouldn’t have to do anything to jump to it.

Unfortunately, using the MyLife YpsoPump insulin pump without the accompanying app is impossible, so if you rely on medical products and the software that comes with them, you should always keep an eye out for security issues and remain vigilant against unexpected data or setting changes. The manipulation of medical devices is a serious problem with potentially catastrophic implications, so users of smart and connected medical devices should be aware of the dangers.
