Critical bugs expose hundreds of thousands of medical devices and ATMs
Specialized health care devices, from imaging tools like CT scanners to diagnostic laboratory equipment, are often insufficiently protected on hospital networks. Now, new findings on seven vulnerabilities in an Internet of Things remote management tool underscore interconnected exposures in medical devices and the broader IoT ecosystem.
Researchers from healthcare security firm CyberMDX, which was acquired last month by IoT security firm Forescout, found seven easily exploitable vulnerabilities, collectively dubbed Access:7, in the IoT remote access tool PTC Axeda. The platform can be used with any in-vehicle device, but has proven particularly popular in medical equipment. The researchers also found that some companies use it to remotely manage ATMs, vending machines, barcode scanning systems, and some industrial manufacturing equipment. Researchers estimate that Access:7 vulnerabilities are in hundreds of thousands of devices altogether. In a review of its own customers, Forescout discovered over 2,000 vulnerable systems.
“You can imagine the kind of impact an attacker could have when they can exfiltrate data from medical equipment or other sensitive devices, potentially tamper with lab results, render critical devices unavailable, or take them over entirely,” said Daniel dos Santos, security research manager at Forescout.
Some of the vulnerabilities stem from how Axeda processes undocumented and unauthenticated commands, which allows attackers to manipulate the platform. Others relate to default configuration issues, such as hard-coded, guessable system passwords shared by multiple Axeda users. Three of the seven vulnerabilities are considered critical and the other four are medium to high severity bugs.
Attackers could potentially exploit the bugs to capture patient data, alter test results or other medical records, launch denial of service attacks that could prevent healthcare providers from accessing patient data when they need it, disrupt industrial control systems or even gain a foothold to attack ATMs.
Vulnerabilities aren’t necessarily rare in this space, but these would be particularly easy for an attacker to exploit. If exploited, the potential damage from Access:7 bugs could be comparable to that of a recent wave of ransomware attacks, all of which came from hackers exploiting flaws in IT management software from a company called Kaseya. The products are different, but their ubiquity creates similar conditions for disruptive attacks. And Access:7 fits into a larger picture of entrenched IoT insecurity and historically unaddressed vulnerabilities.
The researchers worked on a coordinated disclosure with PTC, which released patches for the flaws, as well as the US Cybersecurity and Infrastructure Security Agency, H-ISAC, and the Food and Drug Administration.
“This disclosure is the culmination of a cooperative effort between PTC, CyberMDX and CISA,” PTC told WIRED in a statement. “PTC and CyberMDX have worked together to thoroughly investigate and implement appropriate fixes for the vulnerabilities. PTC then informed customers and guided their resolutions prior to disclosure. … The result is greater user awareness and the ability to resolve a potential threat to their systems and data.”