- Ypsomed's MyLife app was found to be vulnerable to man-in-the-middle attacks.
- These attacks could result in the disclosure of sensitive information or the alteration of communications.
- The vulnerabilities have been addressed in an update, so all users of the app are urged to apply it.
CISA warns about a set of vulnerabilities in the Ypsomed ‘MyLife’ app and cloud product that could enable a remote actor to obtain sensitive information or tamper with the data in transit. Considering that ‘MyLife’ is a medical app created as a companion to the YpsoPump insulin pump, the implications are potentially severe. MyLife is meant to help people with diabetes manage their substance and food intake, monitor and control their glucose levels, and generally stay safe and healthy.
The four problems, found in the app by a team of researchers in Germany, are the following:
- CVE-2021-27491: Insufficiently protected credentials in Ypsomed MyLife Cloud, where the product discloses password hashes during the registration process. (CVSS v3 score: 5.8)
- CVE-2021-27495: Insufficiently protected credentials in Ypsomed MyLife Cloud, which reflects the user's password during the login process when redirecting from an HTTPS to an HTTP endpoint. (CVSS v3 score: 6.3)
- CVE-2021-27499: The Ypsomed MyLife app and Cloud use no random IVs in their encryption layer, so communications can be cracked and read in man-in-the-middle attacks. (CVSS v3 score: 5.4)
- CVE-2021-27503: The Ypsomed MyLife app and Cloud rely on hard-coded credentials, which allow man-in-the-middle actors to tamper with messages. (CVSS v3 score: 5.4)
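The third and fourth findings are two generic weaknesses of a transport encryption layer: a fixed IV lets anyone watching the channel recognise when the same message is sent again, and tampering in transit is exactly what an authenticated encryption mode exists to detect. The Go program below is an added illustration written for this article; it is not Ypsomed's code and does not reproduce the MyLife protocol. It uses a constructed demo key and a constructed 16-byte sample reading, shows the fixed-IV versus random-IV difference with AES-CBC, and shows how AES-GCM rejects a message that was modified on the way.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// demoKey is a constructed 32-byte AES-256 key used only for this illustration; it is not from
// the product. A key baked into shipped software is the hard-coded-credential class of problem.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// encryptCBC encrypts block-aligned plaintext with AES-CBC. With fixedIV the IV is all zeros on
// every call (the CVE-2021-27499 pattern); otherwise a fresh random IV is drawn and prepended.
func encryptCBC(key, plaintext []byte, fixedIV bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not block-aligned", len(plaintext))
	}
	iv := make([]byte, aes.BlockSize) // all zeros: the fixed IV
	if !fixedIV {
		if _, err = rand.Read(iv); err != nil {
			return nil, err
		}
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return append(iv, out...), nil
}

// CiphertextRepeats encrypts msg twice and reports whether the ciphertexts are identical.
// Under a fixed IV they are, so anyone watching the channel sees when a message repeats.
func CiphertextRepeats(msg []byte, fixedIV bool) (bool, error) {
	c1, err1 := encryptCBC(demoKey, msg, fixedIV)
	c2, err2 := encryptCBC(demoKey, msg, fixedIV)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("encryption failed: %v / %v", err1, err2)
	}
	return bytes.Equal(c1, c2), nil
}

// SealGCM encrypts and authenticates msg with AES-GCM under a fresh nonce and returns
// nonce || ciphertext || tag; the tag makes in-transit changes detectable, unlike plain CBC.
func SealGCM(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, msg, nil), nil
}

// OpenGCM verifies and decrypts SealGCM output; any altered byte is rejected.
func OpenGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns+gcm.Overhead() {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("sealed message too short")
}

// TamperDetected flips one bit of a sealed message and reports whether OpenGCM rejects it.
func TamperDetected(msg []byte) (bool, error) {
	sealed, err := SealGCM(demoKey, msg)
	if err != nil {
		return false, err
	}
	sealed[len(sealed)/2] ^= 0x01 // simulate a man-in-the-middle modification
	_, err = OpenGCM(demoKey, sealed)
	return err != nil, nil
}

func main() {
	msg := []byte("glucose=5.6mmol/") // constructed 16-byte sample reading
	fixed, _ := CiphertextRepeats(msg, true)
	random, _ := CiphertextRepeats(msg, false)
	tampered, _ := TamperDetected(msg)
	fmt.Println("fixed IV repeats:", fixed, "| random IV repeats:", random, "| tamper detected:", tampered)
}
```

Running it prints `fixed IV repeats: true | random IV repeats: false | tamper detected: true`. The fixed-IV case is the one to watch for in a code review of any home-grown encryption layer: the ciphertext is a deterministic function of the plaintext, so repeated readings or commands are visible without any key. The GCM half shows the other property a medical data channel needs, an integrity tag that the receiver checks before acting on a message.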
The Swiss medical device maker has released a fix for the app in version 1.7.5. If you're running anything older than that, update your app immediately. As for the Cloud product, version 1.7.2 fixes the above issues, and its users shouldn't need to do anything to move to it.
Unfortunately, using the MyLife YpsoPump insulin pump without the accompanying app is impossible, so if you rely on medical products and the software that comes with them, you should always keep an eye out for security issues and remain vigilant against unexpected data or setting changes. The manipulation of medical devices is a serious problem with potentially catastrophic implications, so users of smart and connected medical devices should be aware of the dangers.