CVE-2019-18248
Description
BIOTRONIK CardioMessenger II: the affected products transmit credentials in clear text prior to switching to an encrypted communication channel. An attacker can disclose the product’s client credentials for connecting to the BIOTRONIK Remote Communication infrastructure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BIOTRONIK CardioMessenger II transmits credentials in cleartext before encryption, allowing attackers to disclose client credentials for the Remote Communication infrastructure.
Vulnerability
The affected products, BIOTRONIK CardioMessenger II-S T-Line and CardioMessenger II-S GSM with firmware version T4APP 2.20, transmit credentials in cleartext prior to switching to an encrypted communication channel (CWE-319). An attacker can disclose the product's client credentials for connecting to the BIOTRONIK Remote Communication infrastructure [1].
Exploitation
An attacker with adjacent network access (e.g., within Wi-Fi range of the device) can capture the cleartext credentials during the initial connection phase before encryption is established. No authentication or user interaction is required [1].
Impact
Successful disclosure of the client credentials could allow an attacker to impersonate the CardioMessenger device, potentially gaining unauthorized access to the BIOTRONIK Remote Communication infrastructure. This could lead to further compromise of medical data or device functionality [1].
Mitigation
As of the advisory publication date (2020-06-29), no firmware update has been announced in the available reference [1]. Users should restrict physical and network access to the CardioMessenger, monitor vendor communications for updates, and consider network segmentation to limit exposure.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
- www.us-cert.gov/ics/advisories/icsma-20-170-05 (mitre, x_refsource_MISC)