Hundreds Of Thousands Of Medical Devices Exposed To Cyber Threats Following Critical Bugs
Myriad healthcare devices, such as CT scanners and diagnostic lab equipment, are frequently inadequately protected within hospital networks, and new findings regarding 7 vulnerabilities in an IoT (Internet of Things) remote management tool have underscored interconnected exposures in medical devices, as well as the broader IoT ecosystem.
Researchers from the healthcare-specific security firm CyberMDX, acquired by the IoT security firm Forescout last month, have discovered 7 easily exploited vulnerabilities, collectively dubbed Access:7, in an IoT remote access tool known as PTC Axeda.
“You can imagine the type of impact an attacker could have when they can either exfiltrate data from medical equipment or other sensitive devices, potentially tamper with lab results, make critical devices unavailable, or take them over entirely,” says Daniel dos Santos, head of security research at Forescout.
The researchers have worked on co-ordinated disclosure with PTC, which has now released patches for the flaws.
“This disclosure is the culmination of a cooperative effort between PTC, CyberMDX, and CISA,” PTC said in a statement. “PTC and CyberMDX collaborated to thoroughly investigate and implement appropriate remediations for the vulnerabilities. PTC then notified customers and guided their remediations ahead of disclosure … The result is greater awareness for users and the opportunity to resolve a potential threat to their systems and data.”
One of the main challenges facing any IoT disclosure is the need to notify current or former customers and ensure they update their software or take alternative steps to mitigate their exposure. Users of Axeda who don’t wish to risk disrupting critical systems through patching are still able to take preventative measures, such as blocking specific network ports or adjusting configurations. Dos Santos notes that an advantage of the situation is that most vulnerable devices are not exposed to the open internet, so they cannot be directly hacked remotely. However, he cautions that an attacker who has compromised a hospital network through other means would still be able to remotely access the vulnerable systems.
“It will take time for the downstream vendors to identify which devices are vulnerable on their networks and actually apply the patches on their products, so that’s why it’s important to raise awareness,” dos Santos says. “Remote management tools work to address some real problems for IoT, but the way this was deployed and configured also leads to problems.”
This conundrum has dogged the IoT for years. Devices need to be easily patchable, especially sensitive health-care-related ones. However, flaws in the mechanisms which enable remote management open up a whole new area of cyber-security risk.