CVE-2022-41627

MEDIUM

AliveCor's KardiaMobile - Info Disclosure

Title source: llm

Description

The physical IoT device of the AliveCor's KardiaMobile, a smartphone-based personal electrocardiogram (EKG) has no encryption for its data-over-sound protocols. Exploiting this vulnerability could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone’s ability to accurately read the data. To carry out this attack, the attacker must be close (less than 5 feet) to pick up and emit sound waves.

References (1)

[Third Party Advisory, US Government Resource] https://www.cisa.gov/uscert/ics/advisories/icsma-22-298-01

Scores

CVSS v3 4.8

EPSS 0.0001

EPSS Percentile 3.0%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-319 CWE-311

Status published

Products (3)

alivecor/kardiamobile_6l_firmware

alivecor/kardiamobile_card_firmware

alivecor/kardiamobile_firmware

Published Oct 27, 2022

Tracked Since Feb 18, 2026