Specialized healthcare devices, from imaging tools such as CT scanners to diagnostic laboratory equipment, are often inadequately secured on hospital networks. Now, new findings of seven vulnerabilities in an IoT remote control tool highlight interconnected exposures in medical devices and the broader IoT ecosystem.
Researchers from healthcare security firm CyberMDX, which was acquired last month by IoT security firm Forescout, discovered the seven easily exploited vulnerabilities, collectively named Access:7, in the IoT remote access tool PTC Axeda. The platform can be used with any embedded device, but has proven particularly popular in medical equipment. The researchers also found that some companies used it to remotely control ATMs, vending machines, barcode scanning systems and some industrial manufacturing equipment. Researchers estimate that the Access:7 vulnerabilities affect hundreds of thousands of devices in total. In reviewing its own customers, Forescout found more than 2,000 vulnerable systems.
“You can imagine the kind of impact an attacker can have when they can either extract data from medical equipment or other sensitive devices, potentially alter lab results, make critical devices inaccessible or take them over entirely,” says Daniel dos Santos, head of security research at Forescout.
Some of the vulnerabilities are related to problems with the way Axeda handles undocumented and unauthenticated commands, allowing attackers to manipulate the platform. Others relate to default configuration issues, such as hard-coded, guessable system passwords shared by multiple Axeda users. Three of the seven vulnerabilities are rated critical, and the remaining four are rated medium to high severity.
Attackers could potentially exploit the bugs to intercept patient data, alter test results or other medical records, launch denial-of-service attacks that could prevent healthcare providers from accessing patient data when they need it, disrupt industrial control systems, or even establish a foothold to attack ATMs.
Vulnerabilities of this kind aren’t necessarily uncommon in this space, but these would be particularly easy for an attacker to exploit. If exploited, the potential damage from the Access:7 bugs could be comparable to that of a recent wave of ransomware attacks that stemmed from hackers exploiting flaws in IT management software from a company called Kaseya. The products are different, but their ubiquity creates similar conditions for destructive attacks. And Access:7 fits into a larger picture of entrenched IoT insecurity and historical, unaddressed vulnerabilities.