CVE-2017-11578
Description
Research on IoT devices found that the most recent firmware for the Blipcare device allows connections to its web management interface over a non-SSL connection using the plaintext HTTP protocol. The user uses the device's web management interface to provide their Wi-Fi credentials so that the device can connect to the user's network and reach the Internet. The device acts as a wireless blood pressure monitor and is used to measure a person's blood pressure levels. An attacker who is connected to the Blipcare device's wireless network can easily sniff these values using a MITM attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blipcare blood pressure monitor web management interface transmits Wi-Fi credentials in plain HTTP, enabling MITM credential sniffing.
Vulnerability
The Blipcare Wireless Blood Pressure Monitor, in the most recent firmware at the time of discovery, exposes its web management interface over unencrypted HTTP. This interface is used to configure the device's Wi-Fi connection by supplying the user's network credentials. Because the interface uses plaintext HTTP, traffic to and from it is unencrypted and can be intercepted. Affected versions include the firmware analyzed in the research, as documented in the advisory [1].
Exploitation
An attacker who is connected to the same wireless network as the Blipcare device can perform a man-in-the-middle (MITM) attack. By positioning themselves between the user and the device's web interface, they can sniff the HTTP traffic and capture the Wi-Fi credentials as they are transmitted in cleartext. No authentication is required beyond network proximity [1].
Impact
Successful exploitation allows the attacker to obtain the user's Wi-Fi network credentials. With these credentials, the attacker can gain unauthorized access to the victim's Wi-Fi network, potentially compromising other devices and data on that network. The confidentiality of the Wi-Fi credentials is directly compromised [1].
Mitigation
As of the publication date (2019-07-02), no official firmware update or patch has been released by Blipcare to address this vulnerability. Users should avoid using the web management interface over untrusted networks and consider using a separate, isolated network for IoT devices if possible. The device remains unpatched as per the available reference [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Blipcare/Blipcare
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/153225/Blipcare-Clear-Text-Communication-Memory-Corruption.html (mitre, x_refsource_MISC)
- github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Blipcare_sec_issues.pdf (mitre, x_refsource_MISC)
- seclists.org/bugtraq/2019/Jun/8 (mitre, mailing-list, x_refsource_BUGTRAQ)