VYPR
Unrated severity · NVD Advisory · Published May 6, 2019 · Updated Aug 5, 2024

CVE-2018-18979


Description

An issue was discovered in the Ascensia Contour NEXT ONE application for Android before 2019-01-15. It has a statically coded initialization vector. Extraction of the initialization vector is necessary for deciphering communications between this application and the backend server. This, in combination with retrieving any user's encrypted data from the Ascensia cloud through another vulnerability, allows an attacker to obtain and modify any patient's medical information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A statically coded initialization vector in Ascensia Contour NEXT ONE app allows attackers to decrypt communications and, combined with another issue, access and modify patient medical data.

Vulnerability

The Ascensia Contour NEXT ONE Android application prior to the 2019-01-15 update contains a statically coded initialization vector (IV) used for encrypting communications with the backend server. This static IV, combined with the ability to intercept traffic (e.g., bypassing certificate pinning as described in [1]), allows an attacker to decrypt sensitive data transmitted between the app and the server.

Exploitation

An attacker must first extract the static initialization vector from the application binary (e.g., via reverse engineering). Then, by intercepting network traffic (after bypassing certificate pinning), they can capture encrypted communications. Using the known IV, they can decrypt the traffic. However, to obtain specific patient data, they must also exploit another vulnerability to retrieve encrypted data from the Ascensia cloud. The Depth Security article [1] demonstrates a chain of five vulnerabilities achieving this.

Impact

Successful exploitation enables an attacker to obtain and modify any patient's medical information stored in the Ascensia cloud. This includes glucose readings and personal data, which could lead to incorrect medical treatment if relied upon by healthcare providers. The attacker can tamper with data without any authentication beyond the extracted IV and cloud access vulnerability.

Mitigation

Ascensia released an update before 2019-01-15 that addresses this vulnerability. Users should ensure their Contour NEXT ONE app is updated to the latest version. No specific version number is provided in the available references [1]. If no update is possible, users should monitor for any unusual activity and consider the device's data as potentially compromised.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Ascensia/Contour NEXT ONE application (description)
  • Range: unspecified (before 2019-01-15)

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Statically coded initialization vector in the Android application's AES-CBC encryption implementation."

Attack vector

An attacker first extracts the statically coded initialization vector (CVE-2018-18979) and the statically coded encryption key (CVE-2018-18978) from the Android application binary by reverse engineering the obfuscated Java code [1]. With these cryptographic materials, the attacker can then decrypt any encrypted data retrieved from the Ascensia cloud backend (obtained through another vulnerability). This allows the attacker to read and modify any patient's medical information [1]. The attack requires network access to the Ascensia cloud and the ability to extract encrypted patient data from it.

Affected code

The vulnerability exists in the Ascensia Contour NEXT ONE Android application (before 2019-01-15). The researcher discovered a class containing two methods related to decryption, and found two strings used as an AES-CBC-PKCS5Padding key and initialization vector, both statically coded in the application binary [1].

What the fix does

The advisory does not specify a patch; it only notes that the issue was discovered in versions before 2019-01-15 [1]. The remediation would require the vendor to stop using statically coded cryptographic keys and initialization vectors, and instead derive them dynamically per session or per user. Without a patch description, the exact fix applied by Ascensia is unknown.
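The weak pattern named in the root cause, set beside one corrected form, as an added example that is neither Ascensia's code nor its actual fix (which is unknown). AES-GCM with a fresh random nonce per message is a substitution chosen here because it also detects modification; the class name, the IV placeholder and the sample records are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class IvDemo {
    // Constructed placeholder, not the value found in the app.
    static final byte[] STATIC_IV = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    // Weak pattern: every message is encrypted under the same compiled-in IV.
    static byte[] encryptStaticIv(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(STATIC_IV));
        return c.doFinal(pt);
    }

    // Corrected pattern: fresh random 12-byte nonce per message, sent in front of the ciphertext.
    static byte[] encryptFreshNonce(SecretKey key, byte[] pt) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Reads the nonce back from the message; throws AEADBadTagException if the message was altered.
    static byte[] decryptFreshNonce(SecretKey key, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, msg, 0, 12));
        return c.doFinal(msg, 12, msg.length - 12);
    }

    public static void main(String[] args) throws Exception {
        // Key generated at run time for the demo, never compiled into the binary.
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        // Constructed sample records that share their first 16 bytes.
        byte[] a = "{\"patient\":\"A\",\"glucose\":101}".getBytes(StandardCharsets.UTF_8);
        byte[] b = "{\"patient\":\"A\",\"glucose\":245}".getBytes(StandardCharsets.UTF_8);
        boolean cbcLeak = Arrays.equals(Arrays.copyOf(encryptStaticIv(key, a), 16),
                                        Arrays.copyOf(encryptStaticIv(key, b), 16));
        byte[] g1 = encryptFreshNonce(key, a), g2 = encryptFreshNonce(key, a);
        System.out.println("static IV, first blocks equal: " + cbcLeak);
        System.out.println("fresh nonce, same record equal: " + Arrays.equals(g1, g2));
        System.out.println("round trip ok: " + Arrays.equals(a, decryptFreshNonce(key, g1)));
    }
}
```

Under the static IV the two records' first ciphertext blocks match, so stored ciphertexts reveal which records share a prefix even to someone without the key.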

Preconditions

  • input: Attacker must have access to the Ascensia Contour NEXT ONE Android application binary (e.g., by installing on a rooted device and extracting the APK)
  • network: Attacker must be able to retrieve encrypted patient data from the Ascensia cloud backend (through a separate vulnerability)
  • network: Attacker must have network access to communicate with the Ascensia backend server

Reproduction

The researcher extracted the Android application package on a rooted device, decompiled the obfuscated Java code, and searched for the string "decrypt" to locate the cryptographic class [1]. Two strings found in the code were identified as the AES-CBC-PKCS5Padding key and initialization vector, both statically coded. The researcher then wrote a Java/Python PoC that uses these values with UTF-16LE encoding to decrypt and encrypt data from the Contour web server [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
