The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert regarding multiple vulnerabilities affecting Qardio's Heart Health mobile applications and the QardioARM A100 blood pressure monitor.
The flaws, if exploited, could allow attackers to access sensitive personal information, disrupt device functionality, and extract firmware files.
The vulnerabilities were reported to CISA by Bryan Riggins of Insulet Corporation. The affected products include the Qardio Heart Health mobile applications for iOS and Android, as well as all versions of the QardioARM A100, a wireless blood pressure monitor.
Qardio is a U.S.-based company that develops digital health monitoring solutions primarily focused on cardiovascular health. The Qardio Heart Health apps are widely used, with the iOS version alone having over 17,000 reviews, indicating a significant user base. These apps integrate with the QardioARM A100 and other Qardio devices, enabling users to track blood pressure, heart rate, and other health metrics remotely.
The CISA alert highlights three main security vulnerabilities affecting these products:
- Exposure of Private Personal Information (CVE-2025-20615) – The iOS version of the Qardio Heart Health app stores sensitive data, including usernames and passwords, in a plist file. This allows attackers to access production-level development accounts and leverage an engineering backdoor within the app. Using this backdoor, an attacker could execute hex-based commands through a UI-based terminal, potentially leading to unauthorized control of the app or device.
- Uncaught Exception Leading to Denial of Service (CVE-2025-24836) – Attackers can use a custom Python script to continuously send “startMeasurement” commands over an unencrypted Bluetooth connection. This flood of requests can prevent the QardioARM A100 from connecting to a clinician's app, disrupting its ability to take patient readings.
- Unauthorized Access to Firmware Files (CVE-2025-23421) – The Qardio mobile apps allow unauthorized access to firmware files, which could be extracted and reverse-engineered. This vulnerability threatens the confidentiality and integrity of the hardware, potentially exposing the inner workings of Qardio's devices to malicious actors.
Each of these vulnerabilities has been assigned a Common Vulnerabilities and Exposures (CVE) identifier, with severity scores ranging from 6.2 to 7.2 under the Common Vulnerability Scoring System (CVSS). While the attack complexity is low, these flaws are not exploitable remotely, requiring physical or Bluetooth proximity to the affected device.
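The denial-of-service issue above (CVE-2025-24836) is a failure to bound how many "startMeasurement" requests a single Bluetooth peer may issue, so a flood exhausts the device instead of being dropped. The following added example, which is not Qardio's or CISA's code, shows the defensive pattern a device or companion app would apply: a per-peer sliding-window rate limiter that rejects excess commands instead of raising an unhandled exception, plus a replay over a constructed command log to surface which peer is flooding. The log format, peer addresses, timings and the `GUARDED_COMMANDS` set are assumptions made for the example; the real device's command handling is not public.

```python
"""Per-peer command rate limiting as a mitigation for command floods over a
Bluetooth link (added example; not Qardio's code)."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# Commands that start expensive work on the device and are therefore throttled.
# Assumed for the example; the real command set is not documented on the page.
GUARDED_COMMANDS = {"startMeasurement"}

# Constructed sample log of (timestamp in seconds, peer address, command).
# Addresses and timings are made up for this example.
SAMPLE_LOG: Tuple[Tuple[float, str, str], ...] = (
    (0.0, "AA:BB:CC:00:00:01", "startMeasurement"),   # normal cadence: one reading
    (35.0, "AA:BB:CC:00:00:01", "startMeasurement"),  # every ~35 s from a clinician app
    (70.0, "AA:BB:CC:00:00:01", "startMeasurement"),
) + tuple(
    # a second peer issuing 60 commands in 3 s (20/s): the flood pattern
    (100.0 + i * 0.05, "AA:BB:CC:00:00:02", "startMeasurement") for i in range(60)
)


class CommandRateGuard:
    """Sliding-window limiter: at most max_per_window guarded commands per peer
    within any window_seconds interval. Excess commands are rejected rather
    than queued, so a flood cannot exhaust or crash the handler."""

    def __init__(self, window_seconds: float = 10.0, max_per_window: int = 3) -> None:
        self.window = window_seconds
        self.limit = max_per_window
        self._history: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ts: float, peer: str, command: str) -> bool:
        if command not in GUARDED_COMMANDS:
            return True  # cheap commands are not throttled
        hist = self._history[peer]
        # Discard timestamps that have fallen out of the window.
        while hist and hist[0] <= ts - self.window:
            hist.popleft()
        if len(hist) >= self.limit:
            return False  # rejected and not recorded, so a flood cannot extend its own ban
        hist.append(ts)
        return True


def replay(log: Iterable[Tuple[float, str, str]],
           guard: CommandRateGuard) -> Dict[str, Dict[str, int]]:
    """Feed a command log through the guard; return accepted/rejected counts per peer."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ts, peer, cmd in log:
        key = "accepted" if guard.allow(ts, peer, cmd) else "rejected"
        stats[peer][key] += 1
    return dict(stats)


def flooding_peers(stats: Dict[str, Dict[str, int]], min_rejected: int = 10) -> List[str]:
    """Peers whose rejected count crosses a threshold; suitable for raising an alert."""
    return sorted(p for p, s in stats.items() if s["rejected"] >= min_rejected)


if __name__ == "__main__":
    result = replay(SAMPLE_LOG, CommandRateGuard())
    for peer_addr, counts in result.items():
        print(peer_addr, counts)
    print("flooding peers:", flooding_peers(result))
```

With the defaults (three guarded commands per 10 seconds per peer) the clinician-paced peer is never throttled, while the flooding peer gets three commands through and has the remaining 57 rejected; the rejection counter is what an alerting rule would watch. The limits are deliberately conservative for a blood pressure cuff, whose legitimate measurement cadence is seconds to minutes apart, and should be tuned to the device's real workflow.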
No response from Qardio
CISA notes that Qardio has not responded to requests for collaboration in addressing these security issues. As of now, no known public exploits have been reported, but the vulnerabilities remain a significant risk, particularly for users in healthcare settings.
Since no official patches or security updates have been released by Qardio, CISA recommends the following steps to mitigate risks:
- Disable Bluetooth when not actively using the device.
- Avoid using the device in public spaces or areas where potential attackers could be within Bluetooth range.
- Only install and use mobile apps from trusted sources to minimize exposure to compromised software.
CISA also advises organizations to perform a thorough risk assessment before implementing any security measures and to refer to its industrial control systems (ICS) security resources for best practices.