Flaws in Roche Medical Devices Can Put Patients at Risk

Vulnerabilities discovered in several medical devices made by the diagnostics division of Swiss-based healthcare company Roche can put patients at risk, a cybersecurity firm has warned.

Researchers at Medigate, a company specializing in securing connected medical devices, identified five vulnerabilities in three types of products from Roche. The flaws impact Accu-Chek glucose testing devices, CoaguChek devices used by healthcare professionals in anticoagulation therapy, and Cobas portable point-of-care systems.

A detailed list of vulnerable products and versions is available in an advisory published recently by ICS-CERT. It’s worth noting that each vulnerability impacts certain models and versions of the Roche devices.

The affected products consist of a base unit and a handheld device that communicates wirelessly – including over Wi-Fi if an optional module is available – with the base unit. Medigate researchers discovered that an attacker with access to the local network can hack the base station and from there target the handheld devices.

The flaws, with CVSSv3 scores ranging between 6.5 and 8.3, can be exploited by a network attacker to bypass authentication to an advanced interface, execute code on the device using specific medical protocols, and place arbitrary files on the filesystem.

One of the command execution flaws requires authentication, but the ICS-CERT advisory shows that the affected products use weak access credentials, which suggests that it may be easy for an attacker to authenticate on the system.

“The vulnerabilities are easy to exploit once known, but are very hard to discover and research,” Medigate told SecurityWeek.

According to the company, the vulnerabilities can pose a threat to patients using the impacted devices.

“These vulnerabilities allow complete control of the base station and hand-held device including all generated network traffic. This means the medical protocol used by the device can be altered and the medical data can be changed. In the case of a blood glucose meter, this can put a patient at risk. If the device it altered, it could affect the readings or data transfer which could lead to incorrect treatment,” the company explained.

According to ICS-CERT, Roche is preparing patches for the vulnerabilities found by Medigate and they should be available sometime this month. In the meantime, the company has advised customers to restrict network and physical access to affected devices, protect connected endpoints from malicious software and unauthorized access, and monitor the network for suspicious activity.

Related: NIST’s New Advice on Medical IoT Devices

Related: St. Jude Medical Recalls 465,000 Pacemakers Over Security Vulnerabilities

Related: Philips Working on Patches for 35 Flaws in Healthcare Product

Related: FDA Reveals New Plans for Medical Device Security