Philips Discloses Vulnerability in DreamMapper Mobile App Software

July 31, 2020 - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released an advisory on a medium-severity vulnerability found in Philips’ DreamMapper software. A successful exploit could allow an attacker to access log file information containing descriptive error messages. 

The DreamMapper mobile app is a personalized therapy adherence tool used to manage sleep apnea. 

Security researchers Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting GmbH first reported the vulnerability to CISA. 

The vulnerability is found in versions 2.24 and earlier and could be exploited remotely with low-level skill. If exploited, an attacker could access log files to insert sensitive information and gain guidance from the information written to those files. 

“This potential vulnerability does not impact patient safety,” Philips officials explained. “[DreamMapper] does not directly provide therapy or diagnosis to patients. To date, Philips has not received any reports of exploitation of this vulnerability.” 

Philips intends to release a new version of the DreamMapper app by June 30, 2021, which will remediate the vulnerability. In the interim, CISA provided organizations with defensive measures that could minimize the risk of exploitation. 

Administrators will need to implement physical security measures to limit or control access to critical systems, along with restricting system access to authorized personnel and following a least privilege approach. 

Organizations should also apply defense-in-depth strategies and disable unnecessary accounts and services. Prior to deploying any defensive measures, organizations will need to perform a proper impact analysis and risk assessment. 

If more support and guidance is needed, leaders should refer to existing medical device cybersecurity insights from the Food and Drug Administration. CISA also shared its recommended practices for control systems security, which includes updating antivirus, creating cyber forensics plans, developing cybersecurity incident response plans, and a host of other valuable insights. 

There are currently no public exploits against the DreamMapper vulnerability. But suspected malicious activity should be reported to CISA for analysis and tracking. 

Philips preemptively disclosed the flaw prior to the DHS CISA alert, as part of its Coordinated Vulnerability Disclosure Policy, which is designed to drive awareness and remediation of potential security vulnerabilities. 

Since the FDA released its medical device guidance in 2016, there has been a significant increase in vulnerability disclosures. Industry stakeholders have noted that this increase is a sign of growing compliance and maturing risk assessments across the healthcare sector.

As noted by several security leaders, this type of collaboration is crucial to moving the needle on medical device security.