CVE-2020-27376

8.8 HIGH

📋 TL;DR

The Dr Trust USA iCheck Connect BP Monitor version 1.2.1 lacks proper authentication mechanisms, allowing unauthorized access to device functions and data. This affects users of this specific blood pressure monitor model who use the vulnerable software version.

💻 Affected Systems

Products:
  • Dr Trust USA iCheck Connect BP Monitor
Versions: 1.2.1
Operating Systems: Not applicable - embedded device
Default Config Vulnerable: ⚠️ Yes
Notes: This is a medical device with embedded software; the vulnerability exists in the device's firmware/software version 1.2.1.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could remotely access and manipulate blood pressure readings, potentially altering medical data or disrupting device functionality, which could lead to incorrect medical decisions.

🟠 Likely Case

Unauthorized users could access sensitive health data stored on the device or transmitted by it, violating privacy and potentially exposing personal health information.

🟢 If Mitigated

With proper network segmentation and access controls, the impact would be limited to isolated network segments, preventing external exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Missing authentication vulnerabilities typically require minimal technical skill to exploit once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Contact Dr Trust USA to ask whether a firmware update is available
2. If an update is available, follow the manufacturer's instructions to update the device firmware
3. Verify that the device is running a version later than 1.2.1

🔧 Temporary Workarounds

Network Isolation (applies to: all)

Isolate the BP monitor on a separate network segment to prevent unauthorized access

Physical Access Control (applies to: all)

Restrict physical access to the device and ensure it is only used in controlled environments

🧯 If You Can't Patch

  • Disconnect the device from any network when not in active use
  • Implement strict network access controls and monitor for unauthorized connection attempts

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version through the device interface or the manufacturer's app; if the version is 1.2.1, the device is vulnerable

Check Version:

Not applicable - check the version through the device interface or the manufacturer's application

Verify Fix Applied:

Verify through the device interface that the firmware has been updated to a version later than 1.2.1

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized connection attempts to device
  • Unexpected data transmission from device

Network Indicators:

  • Unexpected network traffic to/from device IP
  • Connection attempts from unauthorized IP addresses

SIEM Query:

Not applicable - custom monitoring required for medical device traffic
