Philips Unveils Vulnerability Affecting Ultrasound Medical Devices

A vulnerability was identified in six different Philips Ultrasound medical systems, which would allow an attacker to view or modify information.

Medical IoT devices are an essential part of the IoT ecosystem, but they are more sensitive to vulnerabilities than regular devices. Vulnerabilities in medical IoT could literally make the difference between life and death, so they are treated with the utmost care.

A vulnerability (CWE-288) was identified in Ultrasound ClearVue, Ultrasound CX, Ultrasound EPIQ/Affiniti, Ultrasound Sparq and Ultrasound Xperius devices, and its successful exploitation may allow an unauthenticated attacker to view or modify information.

Philips reported the vulnerability and is currently developing patches for a few of the devices, with a scheduled release in Q4 2020. Because of the nature of the devices, the healthcare institutions operating the affected hardware won’t be able to apply the patches themselves and will need to contact the Philips support team.

In the meantime, healthcare organizations should take special measures to minimize the risk of exploitation: implement security controls that limit or control access to critical systems, restrict system access to authorized personnel only, follow the least privilege approach, and disable unnecessary accounts and services.

Fortunately, there are no known exploits for this particular vulnerability, and, more importantly, it can’t be exploited remotely. An attacker would need direct access to the machine, which significantly limits the opportunity to interact with sensitive data. Moreover, a high skill level is required to exploit the vulnerability.

IoT medical systems often receive patches and security fixes due to their sensitive nature. For example, just this week, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory regarding four medical IoT devices from Baxter.
