Two Valleylab Electrosurgical Medical Devices Can Be Compromised Remotely by Low-Skill Attacker

US-CERT (United States Computer Emergency Readiness Team) has disclosed vulnerabilities in the Valleylab FX8 and Valleylab FT10 Energy Platforms from Medtronic, saying they could let remote attackers compromise surgical equipment.

The Valleylab FX8 and Valleylab FT10 Energy Platforms are electrosurgical solutions that feature tissue-sensing technology and other important features. The vulnerabilities identified in both of these devices could be exploited remotely and by hackers with little skill.

“Successful exploitation of these vulnerabilities may allow an attacker to overwrite files or remotely execute code, resulting in a remote, non-root shell on the affected products. By default, the network connections on these devices are disabled,” reads the advisory from US-CERT. “Additionally, the Ethernet port is disabled upon reboot. However, it is known that network connectivity is often enabled.”

Medtronic already issued patches for these vulnerabilities, but they have to be manually applied. Until that happens, the company advises hospitals and practices to disconnect the devices from the Internet or segregate the networks wherever possible.

Healthcare is the most targeted industry because the attackers can inflict serious damage, either by blocking the activity in a hospital or by stealing private medical information. The biggest security problem is the aging IT infrastructure and the lack of support for many of the devices, which also happens to include installing patches from vendors.

When we say the Internet of Things, people think about smart speakers, thermostats, vacuum cleaners, and so on. But the IoT umbrella gathers all Internet-connected devices, including medical infrastructure, which poses a much greater risk than a compromised smart speaker.