Philips and the US Cybersecurity and Infrastructure Security Agency (CISA) have published warnings about vulnerabilities in IoT (Internet of Things) devices produced by the company: the flaws were identified by researchers from industrial cybersecurity firm Nozomi Networks in Philips IntelliBridge, Patient Information Center iX (PIC iX) and Efficia CM series products. Philips said it is already working on patches for the vulnerabilities and has already published a fix for one of the issues affecting the PIC iX. For the remaining issues, the company expects to provide fixes by the end of 2021 and the end of 2022. In the meantime, the vendor has shared recommendations that reduce the risk of the flaws being exploited.
The CISA advisory describes two high-severity vulnerabilities found in IntelliBridge EC 40 and EC 80 Hub patient monitoring systems, which integrate point-of-care devices with hospital information systems. The flaws concern the use of hard-coded credentials and an authentication bypass.
“Successful exploitation of these issues could allow an attacker to gain unauthorized access to the Philips IntelliBridge EC40/80 hub and could allow access to run software, modify device configuration or view/update files including unidentifiable patient data,” says Philips in its statement. “The vulnerabilities can potentially be exploited in the Philips patient monitoring network, which must be physically or logically isolated from the hospital’s local area network (LAN).”
In the PIC iX patient monitoring system and the Efficia CM series patient monitors, Nozomi researchers discovered three medium-severity issues related to inadequate input validation, the use of weak cryptographic algorithms, and the use of hard-coded cryptographic keys.
“Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to data (including patient data) and denial of service, resulting in the temporary interruption of the visualization of physiological data at the central station. Exploitation does not allow for modification or alteration of point-of-care devices,” said Philips.
For cases where the patient monitor is not manufactured by Philips but by another supplier, Philips sells IntelliBridge, a device that converts third-party patient monitor data into a format that can be ingested by the PIC iX.
Philips has pointed out in its communications that there is no evidence of malicious exploitation or any other incidents caused by these vulnerabilities. In the case of IntelliBridge hubs, the company says it is “unlikely that this potential vulnerability will impact clinical use.” The CVEs reported are as follows:
- CVE-2021-43548 is a remote DoS affecting the PIC iX, in which a network-based attacker can cause the PIC iX to restart and thus lose all data sent by a patient monitor.
- CVE-2021-43552 concerns the format of the patient data backups produced by the PIC iX: they are encrypted with a hard-coded key.
- CVE-2021-43550 concerns the encryption algorithm used by Philips Efficia CM patient monitors: the patient data sent over the network is encrypted using the device serial number, which itself is also sent in the clear over the network.
- CVE-2021-32993 and CVE-2021-33017 instead affect the web management interface of IntelliBridge EC40/80 devices, which can be compromised (there is also a third vulnerability affecting this device that should be published at some point).