Philips Working on Patches for Vulnerabilities Found in Medical Products

Philips is working on patches for several vulnerabilities discovered by researchers in some of the company’s medical products.

The flaws were identified by researchers at industrial cybersecurity firm Nozomi Networks in Philips IntelliBridge, Patient Information Center iX (PIC iX), and Efficia CM series products. Advisories for the vulnerabilities were published last week by Philips and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

One advisory describes two high-severity vulnerabilities found in IntelliBridge EC 40 and EC 80 Hub patient monitoring systems, which integrate point-of-care devices with hospital information systems. The flaws are related to the use of hardcoded credentials and authentication bypass.

“Successful exploitation of these issues may allow an attacker unauthorized access to the Philips IntelliBridge EC40/80 hub and may allow access to execute software, modify device configuration, or view/update files, including unidentifiable patient data,” Philips said in its advisory. “The vulnerabilities can potentially be exploited over the Philips patient monitoring network, which is required to be physically or logically isolated from the hospital local area network (LAN).”

In the PIC iX patient monitoring system and the Efficia CM series patient monitors, Nozomi researchers discovered three medium-severity issues related to improper input validation, the use of weak cryptographic algorithms, and the use of hardcoded cryptographic keys.

“Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to data (including patient data) and denial of service resulting in temporary interruption of viewing of physiological data at the central station. Exploitation does not enable modification or change to point of care devices,” Philips said.

Philips has only released patches for one of the vulnerabilities affecting PIC iX. For the remaining issues, the electronics giant expects to provide fixes by the end of 2021 and the end of 2022. In the meantime, the vendor has shared recommendations for reducing the risk of exploitation.

Ivan Speziale, senior security researcher at Nozomi Networks, has shared the following information with SecurityWeek regarding the vulnerabilities and the impacted products:

“In a typical deployment you have a patient monitor that sends data to a Philips PIC iX which acts as a collector, plus can be used to manage/view patient data (there’s a lot of material on Philips website)

 

For those cases where the patient monitor is not made by Philips, but by other vendors, Philips sells IntelliBridge, which is a device that converts the data from third party patient monitor into a format that is ingestible by PIC iX

  • CVE-2021-43548 is a remote DOS affecting PIC iX, where a network attacker can cause PIC iX to reboot and thus lose any data sent by a patient monitor
  • CVE-2021-43552 concerns the format of the backups of patient data produced by PIC iX, essentially they’re encrypted with a hardcoded key
  • CVE-2021-43550 concerns the encryption algorithm used by Philips Efficia CM patient monitors, essentially the patient data sent over the network are encrypted with the serial of the device, which should also be sent in clear over the network
  • CVE-2021-32993 and CVE-2021-33017 instead affect the web management interface of IntelliBridge EC40/80 devices which can be compromised (there’s also a third vuln affecting this device that should be published at some point)”

Philips pointed out in its advisories that there is no evidence of malicious exploitation or any other incidents caused by these vulnerabilities. In the case of the IntelliBridge hubs, the company says it’s “unlikely that this potential vulnerability would impact clinical use.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
