Bryan Riggins

Name of the Vulnerable Software and Affected Versions: Qardio Arm for iOS (affected versions not specified) Description: The Qardio Arm iOS application exposes sensitive data, such as usernames and passwords, in a plist file. This allows an attacker to log in to production-level development accounts and access an engineering backdoor in the application. The engineering backdoor enables the attacker to send hex-based commands over a UI-based terminal. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Qardio (affected versions not specified) Description: The issue allows an attacker to obtain firmware files and reverse engineer their intended use, leading to loss of confidentiality and integrity of the hardware devices enabled by the Qardio iOS and Android applications. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Qardio - Heart Health IOS Mobile Application version 2.7.4 Description: The issue allows an attacker to send continuous `startMeasurement` commands over an unencrypted Bluetooth connection to the affected device, preventing it from connecting to a clinician's app to take patient readings and potentially flooding it with requests, resulting in a denial-of-service condition. Recommendations: For Qardio - Heart Health IOS Mobile Application version 2.7.4, consider disabling the `startMeasurement` command functionality until a patch is available to prevent exploitation. Restrict access to the device over Bluetooth connections to minimize the risk of denial-of-service attacks.

Name of the Vulnerable Software and Affected Versions: Ossur Mobile Logic Application versions up to 1.5.4 Description: Hard-coded credentials were included as part of the application binary, serving as part of the application authentication flow and communication with the mobile application. This could allow an attacker to access unauthorized information. Recommendations: For Ossur Mobile Logic Application versions up to 1.5.4, update to a version that removes the hard-coded credentials to prevent unauthorized access. As a temporary workaround, consider restricting access to sensitive information until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Affected software (affected versions not specified) **Description** A valid set of credentials in a .js file and a static token for communication were obtained from the decompiled IPA. An attacker could use the information to disrupt normal use of the application by changing the translation files and thus weaken the integrity of normal use. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Application (affected versions not specified) **Description** The issue concerns the presence of multiple bash files in the application's private directory. These bash files can potentially be used by an attacker with full access to the mobile platform to compromise the translations for the application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.