Carlos Cilleruelo Rodríguez

**Name of the Vulnerable Software and Affected Versions** KardiaMobile (affected versions not specified) **Description** The physical IoT device of the AliveCor's KardiaMobile has no encryption for its data-over-sound protocols. This issue could allow an attacker to read patient EKG results or create a denial-of-service condition by emitting sounds at similar frequencies as the device, disrupting the smartphone microphone’s ability to accurately read the data. The attacker must be close (less than 5 feet) to pick up and emit sound waves. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AliveCor Kardia App versions 5.17.1-754993421 and prior **Description** The issue allows an unauthenticated attacker with physical access to the Android device containing the app to bypass application authentication and alter information in the app. This is due to authentication bypass by assumed-immutable data. **Recommendations** For AliveCor Kardia App versions 5.17.1-754993421 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.