Publication Date: March 24, 2020
Update Date: March 24, 2020
Philips produces and sells connected air purifiers that provide healthy air to consumers. The connected air purifier can be controlled by an app; Philips has partnered with Air Matters, a world-leading air quality app. It monitors indoor and outdoor air quality, offers insights, controls your Philips connected Air device, shows its filter status, and gives you advice on how to manage exposure to air pollution and allergens. An independent security researcher submitted three vulnerabilities that can be mitigated, regarding communications, key length and de-compilation of the mobile app.
Philips reports that these vulnerabilities affect Air Matters Android version 4.2.9 and below.
An attacker connected to an unprotected WiFi local network could compromise the encryption protocol to start and/or stop the air purifier.
An attacker connected to the WiFi local network can connect to the device, after which the device can be controlled remotely. This impact is similar to downloading the Air Matters app and connecting to the air purifier device in a local network, which is standard behavior and part of the functionality advertised to the customer.
An independent security researcher reported that the local network communication between the app and the Air Purifier has been reverse engineered. The three main vulnerabilities identified are: 1) no use of HTTPS/TLS encryption in the local network; 2) Diffie-Hellman key length; and 3) de-compilation of the Android mobile app. In addition, 4) through scripting from the local network, a connection with the device can be set up.
These vulnerabilities do not impact confidentiality or integrity of data. The vulnerabilities could potentially impact availability.
Once notified, Philips analyzed the extent and started the containment and resolution actions.
The vulnerabilities are due to the use of an outdated chip version. This chip is no longer used in the production of new devices. Newer versions of the device use a chip without these vulnerabilities.
CWE-319: Cleartext Transmission of Information
The software transmits data in cleartext in a communications channel that can be sniffed by unauthorized actors. Many communication channels can be sniffed by attackers during data transmission.
The CVSS v3 base score for this vulnerability is 5.3 (Medium), with the vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-327: Insufficient Diffie-Hellman Strength
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of information.
The CVSS v3 base score for this vulnerability is 4.3 (Medium), with the vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Through scripting in the local network, a connection with the device can be set up. This connection can subsequently be used to control the device remotely.
Existence of Exploit
Public exploits exist for some of these vulnerabilities; however, none are specifically targeted at the Philips Air Purifier.
An attacker with medium to high skill would be able to exploit these vulnerabilities.
For the old infrastructure of Philips Air Purifier products:
- Philips has recommended that customers of this current infrastructure always use a secure wireless connection by enabling WiFi Protected Access (WPA2) for IEEE 802.11 technology.
- Only allow trusted persons onto the local network.
- There will be no update for the old infrastructure.
The improved infrastructure of newly launched Air Purifiers no longer has these issues, as they have been solved. The new products have been introduced from mid-2019 onwards.
Philips recommends that consumers use the new devices with the new infrastructure.
Please see the Philips product security web site for the latest security information for Philips products: https://www.philips.com/productsecurity