Encryption & Key Management , Mobility , Security Operations
DHS, Philips Issue Advisories for HealthSuite Android Health App(HealthInfoSec) • December 11, 2018The lack of strong encryption in the Philips HealthSuite Health Android app leaves the consumer mobile health software vulnerable to hacking, according to a new advisory issued by the medical device manufacturer and an alert from the Department of Homeland Security.
See Also: Five Steps to Masterminding an Effective Security Awareness Program
The alert from the DHS Industrial Control Systems' Cyber Emergency Response Team and the Philips advisory warn users of a vulnerability - "inadequate encryption strength" - that affects all versions of the Philips HealthSuite Health Android application. DHS notes the weakness was identified by a researcher.
The Android app enables patients to monitor and track their health habits with various connected Philips devices that measure heart rate activity, sleep, blood pressure, weight and body composition analysis.
"Successful exploitation of this vulnerability may allow an attacker with physical access to impact confidentiality and integrity of the product," DHS notes in its alert. "The software uses simple encryption that is not strong enough for the level of protection required."
A Philips spokesman says the vulnerability only affects data at rest within the app.
Philips notes on its website, however, that the HealthSuite App "enables the transmission of data from your connected Philips' personal measurement devices to us, which we will use to provide you with virtual motivational coaching and with publicly available information for lifestyle improvement."
The app itself is not a medical device, according to the manufacturer. "The app is not intended to diagnose, examine, treat or manage medical conditions of any kind. The app is an information tool only and not a substitute for professional judgement by any healthcare provider," Philips notes on its website.
The advisory from Philips was issued as part of the company's Coordinated Vulnerability Disclosure Policy "for the awareness and remediation of possible system security vulnerabilities," the company says in a statement provided to Information Security Media Group. "As part of our global product security policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities."
No Reported Exploitation
Philips in its advisory notes that it has not received any reports of exploitation of the vulnerability or security issues tied to clinical use. "Philips' analysis indicates that there is no expectation of patient hazard due to this issue," the company says in its advisory.
The company says it plans to address the vulnerability in a new software release scheduled for the first quarter of 2019.
—Ben Ransford, Virta Labs
"Philips advises users against jail-breaking or rooting their mobile device," the company warns. "A jail broken or rooted device means one that is modified outside the mobile device or operating system vendor supported or warranted configurations. Such devices have been freed from the limitations imposed on it by mobile service providers and the phone manufacturers without their approval. This may affect the performance of the app, weaken the security of devices and expose users to additional risks."
Safety, Privacy Risks
Whether it's a mobile app that works with medical devices, or software that's part of a medical device itself, vulnerabilities in these products can pose potential risks to patient safety, as well as to data security and privacy.
"Virtually all of the security issues connected with medical devices are software related," notes Bill Aerts, executive director at the Archimedes Center for Medical Device Security at the University of Michigan. "I don't see any real difference in risk between a device and a software product that acts like a device, in general."
But based on the information provided by DHS and Philips, Aerts says, "it's hard to compare how significant this risk is."
While these new advisories involve a consumer-oriented health app, Philips also has been among a handful of manufacturers that have issued other security alerts concerning various medical devices used by healthcare entities to treat, diagnosis or monitor patients.
For instance, in August, DHS and Philips each issued alerts about vulnerabilities involving "improper privilege management" and "unquoted search path or element" that pose risk in certain versions of Philips' IntelliSpace Cardiovascular cardiac image and information management software (see: Cyber Warnings About Certain Philips Medical Devices).
In addition, to the vulnerabilities in those cardiac imaging management products, DHS and Philips also each issued alerts about vulnerabilities in certain Philips PageWriter Cardiographs products, which are used for diagnostic electrocardiogram testing. Those issues include improper input validation and use of hard-coded credentials, which, if exploited, "could allow buffer overflows, or allow an attacker to access and modify settings on the device," DHS noted.
Cause for Concern?
So how big a concern is the new vulnerability revealed in the Philips HealthSuite app?
"By itself, inadequate encryption won't usually pose safety risks, so I wouldn't worry about this if I were a patient using the app," says Ben Ransford, president of healthcare cybersecurity firm Virta Labs.
"Encryption is 'rocket science' that even experts screw up all the time," he says. "You're almost certainly using several weak systems right now. I don't know how this [HealthSuite] app was designed, but the general design principle is to assume your system going to be compromised and figure out how to limit the scope of an attack."
One good strategy, Ransford says, is to use different encryption keys for each copy of the app or each user so that a single compromise won't expose everyone. "Unlike encryption, threat modeling is not rocket science, but it requires humility and creativity, which is why it's so hard to find great product-security people. Engineers prefer to be correct," he says.
Encryption issues are more likely to be identified in legacy products, Aerts says. "It should not be that common. Most development is done with standardized encryption methodology," he contends. "Most exceptions will likely be with older products."