CVE-2020-27373
📋 TL;DR
The Dr Trust USA iCheck Connect BP Monitor version 1.2.1 accepts plain text commands over Bluetooth Low Energy (BLE) without authentication or encryption. This allows attackers within BLE range to send arbitrary commands to the device, potentially manipulating blood pressure readings or device functionality. Only users of this specific blood pressure monitor model and version are affected.
💻 Affected Systems
- Dr Trust USA iCheck Connect BP Monitor, firmware version 1.2.1
⚠️ Risk & Real-World Impact
Worst Case
An attacker could manipulate blood pressure readings to provide false medical data, potentially leading to incorrect treatment decisions or hiding serious health conditions from patients and healthcare providers.
Likely Case
Attackers could disrupt device functionality, cause inaccurate readings, or perform denial-of-service attacks against the blood pressure monitor.
If Mitigated
Even with BLE security controls and physical security in place, exposure is limited to attackers within BLE radio range of the device (typically under 100 meters).
🎯 Exploit Status
Exploitation requires physical proximity to the device and basic BLE communication tools. The vulnerability is well-documented in public research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
No official patch available. Contact Dr Trust USA for firmware update information. Consider replacing the device if security is critical.
🔧 Temporary Workarounds
- Disable BLE when not in use: turn off Bluetooth on the blood pressure monitor when it is not actively syncing with the mobile app. Refer to the device manual for the Bluetooth disable procedure.
- Physical security controls: restrict physical access to the device and use it in controlled environments only.
🧯 If You Can't Patch
- Use the device in physically secure locations away from untrusted individuals
- Verify blood pressure readings through manual validation or secondary measurement devices
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version in the companion mobile app or the device settings. If the version is 1.2.1, the device is vulnerable.
Check Version:
Check the firmware version through the companion mobile app or the device display settings.
Verify Fix Applied:
Update to a firmware version later than 1.2.1, if one is made available by the manufacturer, and confirm the new version in the app or device settings.
📡 Detection & Monitoring
Log Indicators:
- Unusual BLE connection attempts in mobile app logs
- Unexpected device behavior or reading anomalies
Network Indicators:
- Unusual BLE traffic patterns near medical devices
- Multiple failed or suspicious BLE connection attempts
SIEM Query:
Not applicable for standalone medical IoT devices without network logging capabilities
🔗 References
- http://dr.com
- https://drtrust.in/collections/dr-trust-blood-pressure-testing/products/dr-trust-usa-icheck-connect-bp-monitor
- https://nvermaa.medium.com/cve-on-radio-technology-d-4b65efa1ba5c