| Field | Value |
|---|---|
| Title | Mendi Innovation AB Mendi V4 Cleartext Transmission of Sensitive Information |
| Description | RESERVED IDENTIFIER: CVE-2026-2671. This vulnerability in the Mendi neurofeedback headset allows an attacker to perform unauthorized interception of functional near-infrared spectroscopy (fNIRS) sensor data by exploiting the failure to enforce secure BLE pairing mechanisms or implement application-layer encryption during data transmission. The issue stems from the device's neural activity data being sent over the air in cleartext, with no encryption applied at any layer of the communication stack. Because no pairing, authentication, or active probing is necessary, an attacker positioned within Bluetooth Low Energy (BLE) radio reception range can passively sniff the device's data streams using widely available wireless analysis hardware, such as the Nordic nRF Sniffer application or a modified smartphone. Subsequently, the captured data streams can be decoded to reconstruct the user's hemodynamic response signals. This allows an observer to visualize prefrontal cortex activity in real time without the user's consent or knowledge, leaving no forensic artifacts or evidence of data exfiltration on the device or its associated software. |
| Source | https://ab3j.radio/mendi.pdf |
| User | drewbug (UID 92544) |
| Submission | 2026-02-24 14:36 (1 month ago) |
| Moderation | 2026-03-07 18:39 (11 days later) |
| Status | Accepted |
| VulDB Entry | 349702 [Mendi Neurofeedback Headset V4 Bluetooth Low Energy weak encryption] |
| Points | 17 |