Ypsomed ‘MyLife’ App Vulnerable to Low-Complexity Remote Attacks

  • MyLife from Ypsomed was found to be vulnerable to risky man-in-the-middle attacks.
  • These attacks could result in the disclosure of sensitive information or the alteration of communications.
  • The vulnerabilities have been addressed in an update, so all users of the app are urged to apply it.

CISA warns of a set of vulnerabilities in the Ypsomed ‘MyLife’ app and cloud product that could let a remote attacker obtain sensitive information or tamper with data in transit. Because ‘MyLife’ is a medical app built as a companion to the YpsoPump insulin pump, the implications are potentially severe. MyLife is meant to help people with diabetes manage their insulin and food intake, monitor and control their glucose levels, and generally stay safe and healthy.

Source: Ypsomed

The four problems found on the app by a team of researchers in Germany are the following:

  • CVE-2021-27491: Insufficiently protected credentials in Ypsomed MyLife Cloud: the product discloses password hashes during the registration process. (CVSS v3 score: 5.8)
  • CVE-2021-27495: Insufficiently protected credentials in Ypsomed MyLife Cloud: the user's password is reflected during the login process when a redirection from an HTTPS to an HTTP endpoint occurs. (CVSS v3 score: 6.3)
  • CVE-2021-27499: The Ypsomed MyLife app and Cloud do not use random IVs in their encryption layer, so a man-in-the-middle attacker can recover and read the communications. (CVSS v3 score: 5.4)
  • CVE-2021-27503: The Ypsomed MyLife app and Cloud rely on hard-coded credentials, which allow a man-in-the-middle attacker to tamper with messages. (CVSS v3 score: 5.4)
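As an added illustration of the weakness class behind CVE-2021-27499 (this is example code written for this page, not code from Ypsomed or the researchers): AES-CBC under a fixed IV is deterministic, so a passive observer on the network can tell when two messages share content, while a fresh random IV per message removes that leak. The key, IV and messages are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pad applies PKCS#7 padding so the plaintext is a whole number of AES blocks.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(p, bytes.Repeat([]byte{byte(n)}, n)...)
}
// encryptCBC encrypts with AES-CBC under the caller-supplied IV and returns iv||ciphertext.
// Passing the same IV every time (the weak pattern) makes the output deterministic.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte(nil), iv...), out...), nil
}
// encryptCBCRandomIV draws a fresh IV from the OS CSPRNG for every message (the corrected pattern).
func encryptCBCRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return encryptCBC(key, iv, plaintext)
}
// leaksEquality reports whether two iv||ciphertext values reveal that their first
// plaintext block was identical: true under a fixed IV, false with random IVs.
func leaksEquality(c1, c2 []byte) bool {
	return bytes.Equal(c1[aes.BlockSize:2*aes.BlockSize], c2[aes.BlockSize:2*aes.BlockSize])
}
func main() {
	key := []byte("0123456789abcdef")     // constructed 16-byte demo key
	zeroIV := make([]byte, aes.BlockSize) // fixed all-zero IV: the weak pattern
	m1, m2 := []byte("glucose=5.6 mmol/L;id=42"), []byte("glucose=5.6 mmol/L;id=99")
	a, _ := encryptCBC(key, zeroIV, m1)
	b, _ := encryptCBC(key, zeroIV, m2)
	c, _ := encryptCBCRandomIV(key, m1)
	d, _ := encryptCBCRandomIV(key, m2)
	fmt.Println("fixed IV leaks shared prefix:", leaksEquality(a, b), "random IV:", leaksEquality(c, d))
}
```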

The Swiss medical device maker has released a fix for the app in version 1.7.5. If you're running anything older than that, update your app immediately. On the cloud side, version 1.7.2 fixes the above issues, and cloud users do not need to take any action to receive it.

Unfortunately, using the MyLife YpsoPump insulin pump without the accompanying app is impossible, so if you rely on medical products and the software that comes with them, keep an eye out for security issues and remain vigilant against unexpected data or setting changes. Manipulation of medical devices is a serious problem with potentially catastrophic consequences, so users of smart and connected medical devices should be aware of the dangers.
