Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Serious Flaws Found in Philips Patient Monitoring Devices

Researchers have discovered serious vulnerabilities in patient monitoring devices from Philips. The vendor has shared some recommendations for mitigating the risks until patches are made available.

Researchers have discovered serious vulnerabilities in patient monitoring devices from Philips. The vendor has shared some recommendations for mitigating the risks until patches are made available.

A total of three flaws were identified by Medigate in Philips IntelliVue patient monitors (MP and MX series) and Avalon fetal monitoring systems (FM20, FM30, FM40 and FM50). Advisories describing the issues have been published by Medigate, Philips and ICS-CERT.

The most serious of them, based on its CVSS score of 8.3, allows an unauthenticated attacker to access memory and write to the memory of a targeted device. A similar flaw allows an unauthenticated attacker to read memory, but this issue has been assigned a severity rating of “medium.”Vulnerabilities found in Philips fetal monitoring system

Another high severity vulnerability is related to the devices exposing an “echo” service that can be leveraged by an attacker to cause a stack-based buffer overflow.

“The vulnerabilities allow a remote unauthenticated attacker to write memory on the device, which may allow remote code execution. Successful exploitation could open up a window for an attacker to read and/or write to the memory, which in turn could lead to a denial of service to the monitor, a breach of patient health information (PHI), as well as harm the integrity of the patient data,” Medigate said.

Philips expects to release patches in the second and third quarters of 2018. In the meantime, users have been advised to consult security and network configuration guides provided by the company to mitigate the risk.

“At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem, and no public exploits are known to exist that specifically target these vulnerabilities,” Philips said in its advisory.

The company also pointed out that exploiting these flaws requires “significant technical knowledge and skill,” and access to the local area network (LAN) hosting the affected devices.

Earlier this year, Philips informed customers that dozens of vulnerabilities affected the company’s IntelliSpace Portal, a visualization and analysis solution designed for healthcare organizations.

Advertisement. Scroll to continue reading.

Related: FDA Reveals New Plans for Medical Device Security

Related: Hundreds of Flaws Found in Philips Healthcare Product

Related: Healthcare Providers Warned of Flaws in Philips Product

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.