Philips and the Department of Homeland Security are issuing warnings about weak security features on an mHealth app that could make it susceptible to hacking.
The company and DHS Industrial Control Systems' Cyber Emergency Response Team (ICS-CERT) say the Philips HealthSuite Health Android app – which enables users to monitor heart rate activity, sleep, blood pressure, weight and body composition analysis through Philips digital health devices – contains “inadequate encryption strength.”
“Successful exploitation of this vulnerability may allow an attacker with physical access to impact confidentiality and integrity of the product,” the federal agency reports in its alert, posted on December 6. “The software uses simple encryption that is not strong enough for the level of protection required.”
The app is part of a connected health platform designed to enable users to track their health and wellness at home and collaborate online with care providers on “virtual motivational coaching … for lifestyle improvement.”
In its alert, posted on December 5, Philips says the vulnerability only affects data at rest on the app, and the concern will be addressed in software updates scheduled for the first quarter of 2019.
“At this time, Philips has received no reports of exploitation of this vulnerability or incidents from clinical use that we have been able to associate with this vulnerability,” the company added. “Philips analysis indicates that there is no expectation of patient hazard due to this issue.”
The company also advises against modifying – also called jail-breaking or rooting – mobile health devices in an attempt to solve the security flaw.
“Such devices have been freed from the limitations imposed by the mobile service provider and the phone manufacturer,” the notice said. “This may affect the performance of the app, weaken the security of the device, and expose users to additional risks.”