Publication Date: March 24, 2020

Update Date: March 24, 2020
 

Overview

Philips produces and sells connected air purifiers that provide healthy air to consumers. The connected air purifier can be controlled by an app; Philips has partnered with Air Matters, a world-leading air quality app. It monitors indoor and outdoor air quality, offers insights, controls your Philips connected Air device, shows its filter status, and gives you advice on how to manage exposure to air pollution and allergens. An independent security researcher submitted three vulnerabilities that can be mitigated, regarding communications, key length and decompilation of the mobile app.
 

Affected Products:

Philips reports that these vulnerabilities affect Air Matters Android version 4.2.9 and below.
 

Impact:

An attacker connected to an unprotected WiFi local network could compromise the encryption protocol to start and/or stop the air purifier.

An attacker connected to the WiFi local network can connect to the device. Subsequently, the device can be controlled remotely. This impact is similar to downloading the Air Matters app and connecting to the air purifier device in a local network, which is standard behavior and part of the functionality advertised to the customer.
 

Background

An independent security researcher reported that the local network communication between the app and the Air Purifier has been reverse engineered. The three main vulnerabilities identified are 1) no use of HTTPS/TLS encryption in the local network, 2) Diffie-Hellman key length, and 3) decompilation of the Android mobile app. 4) Through scripting from the local network, a connection with the device can be set up.

These vulnerabilities do not impact confidentiality or integrity of data. The vulnerabilities could potentially impact availability.

Once notified, Philips analyzed the extent and started the containment and resolution actions.

The vulnerabilities are due to the use of an outdated chip version. This chip is no longer used in the production of new devices. Newer versions of the device use a chip without these vulnerabilities.


Vulnerability Overview

CWE-319: Cleartext Transmission of Information

The software transmits data in cleartext in a communications channel that can be sniffed by unauthorized actors. Many communication channels can be sniffed by attackers during data transmission.

The CVSS v3 base score for this vulnerability is 5.3 (Medium), with the vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-327: Insufficient Diffie-Hellman Strength

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of information.

The CVSS v3 base score for this vulnerability is 4.3 (Medium), with the vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Through scripting in the local network, a connection with the device can be set up. Subsequently, this connection can be used to control the device remotely.
 

Existence of Exploit

Public exploits exist for some of these vulnerabilities; however, none specifically target the Philips Air Purifier.
 

Difficulty

An attacker with medium to high skill would be able to exploit these vulnerabilities.
  

Mitigation

For the old infrastructure of Philips Air Purifier products:

  • Philips has recommended that customers of this current infrastructure always use a secure wireless connection by enabling WiFi Protected Access (WPA2) for IEEE 802.11 technology.
  • Only let trusted persons into the local network.
  • There will be no update for the old infrastructure.

The improved infrastructure of newly launched Air Purifiers no longer has these issues, as they have been solved. The new products have been introduced from mid-2019 onwards.

Philips recommends that consumers use the new devices with the new infrastructure.
 

Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity