SecurityWeek

Flaws in Roche Medical Devices Can Put Patients at Risk

Vulnerabilities discovered in several medical devices made by the diagnostics division of Swiss-based healthcare company Roche can put patients at risk, a cybersecurity firm has warned.

Researchers at Medigate, a company specializing in securing connected medical devices, identified five vulnerabilities in three types of products from Roche. The flaws impact Accu-Chek glucose testing devices, CoaguChek devices used by healthcare professionals in anticoagulation therapy, and Cobas portable point-of-care systems.

A detailed list of vulnerable products and versions is available in an advisory published recently by ICS-CERT. It’s worth noting that each vulnerability impacts certain models and versions of the Roche devices.

The affected products consist of a base unit and a handheld device that communicates wirelessly – including over Wi-Fi if an optional module is available – with the base unit. Medigate researchers discovered that an attacker with access to the local network can hack the base station and from there target the handheld devices.

The flaws, with CVSSv3 scores ranging between 6.5 and 8.3, can be exploited by a network attacker to bypass authentication to an advanced interface, execute code on the device using specific medical protocols, and place arbitrary files on the filesystem.

One of the command execution flaws requires authentication, but the ICS-CERT advisory shows that the affected products use weak access credentials, which suggests that it may be easy for an attacker to authenticate on the system.

“The vulnerabilities are easy to exploit once known, but are very hard to discover and research,” Medigate told SecurityWeek.

According to the company, the vulnerabilities can pose a threat to patients using the impacted devices.

“These vulnerabilities allow complete control of the base station and hand-held device including all generated network traffic. This means the medical protocol used by the device can be altered and the medical data can be changed. In the case of a blood glucose meter, this can put a patient at risk. If the device is altered, it could affect the readings or data transfer which could lead to incorrect treatment,” the company explained.

According to ICS-CERT, Roche is preparing patches for the vulnerabilities found by Medigate and they should be available sometime this month. In the meantime, the company has advised customers to restrict network and physical access to affected devices, protect connected endpoints from malicious software and unauthorized access, and monitor the network for suspicious activity.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
