Philips Working on Patches for Vulnerabilities Found in Medical Products
Philips is working on patches for several vulnerabilities discovered by researchers in some of the company’s medical products.
The flaws were identified by researchers at industrial cybersecurity firm Nozomi Networks in Philips IntelliBridge, Patient Information Center iX (PIC iX), and Efficia CM series products. Advisories for the vulnerabilities were published last week by Philips and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
One advisory describes two high-severity vulnerabilities found in IntelliBridge EC 40 and EC 80 Hub patient monitoring systems, which integrate point-of-care devices with hospital information systems. The flaws are related to the use of hardcoded credentials and authentication bypass.
“Successful exploitation of these issues may allow an attacker unauthorized access to the Philips IntelliBridge EC40/80 hub and may allow access to execute software, modify device configuration, or view/update files, including unidentifiable patient data,” Philips said in its advisory. “The vulnerabilities can potentially be exploited over the Philips patient monitoring network, which is required to be physically or logically isolated from the hospital local area network (LAN).”
In the PIC iX patient monitoring system and the Efficia CM series patient monitors, Nozomi researchers discovered three medium-severity issues related to improper input validation, the use of weak cryptographic algorithms, and the use of hardcoded cryptographic keys.
“Successful exploitation of these vulnerabilities may allow an attacker unauthorized access to data (including patient data) and denial of service resulting in temporary interruption of viewing of physiological data at the central station. Exploitation does not enable modification or change to point of care devices,” Philips said.
Philips has released patches for only one of the vulnerabilities affecting PIC iX. For the remaining issues, the electronics giant expects to provide fixes by the end of 2021 and the end of 2022. In the meantime, the vendor has shared recommendations for reducing the risk of exploitation.
Ivan Speziale, senior security researcher at Nozomi Networks, has shared the following information with SecurityWeek regarding the vulnerabilities and the impacted products:
“In a typical deployment, you have a patient monitor that sends data to a Philips PIC iX which acts as a collector, plus can be used to manage/view patient data (there’s a lot of material on the Philips website).
For those cases where the patient monitor is not made by Philips, but by other vendors, Philips sells IntelliBridge, which is a device that converts the data from a third-party patient monitor into a format that is ingestible by PIC iX.
- CVE-2021-43548 is a remote DoS affecting PIC iX, where a network attacker can cause PIC iX to reboot and thus lose any data sent by a patient monitor.
- CVE-2021-43552 concerns the format of the backups of patient data produced by PIC iX; essentially, they’re encrypted with a hardcoded key.
- CVE-2021-43550 concerns the encryption algorithm used by Philips Efficia CM patient monitors; essentially, the patient data sent over the network are encrypted with the serial of the device, which should also be sent in clear over the network.
- CVE-2021-32993 and CVE-2021-33017 instead affect the web management interface of IntelliBridge EC40/80 devices, which can be compromised (there’s also a third vuln affecting this device that should be published at some point).”
Philips pointed out in its advisories that there is no evidence of malicious exploitation or any other incidents caused by these vulnerabilities. In the case of the IntelliBridge hubs, the company says it’s “unlikely that this potential vulnerability would impact clinical use.”