A patient monitoring solution, in its most basic setup, is composed of at least one device that measures a patient’s vital signs and an application that receives and stores the data. Depending on the design of choice, this application can also provide consultation features for caregivers or can forward the data to a further collector.
Nozomi Networks Labs was particularly interested in understanding what attack surfaces are exposed by this type of deployment. As a testbed to investigate the deployment, we configured a Philips Intellivue MX100 patient monitor connected to a PIIC iX workstation.
Our research uncovered a set of five vulnerabilities affecting some of the attack surfaces under analysis, which we disclosed to the vendor in a timely manner. ICS-CERT addressed these issues in advisories ICSMA-21-322-01 and ICSMA-21-322-02 released on November 18th. At the time of this writing, only one disclosed vulnerability was solved with a patch, while the remaining four can be mitigated with the guidelines provided in the preceding advisories.
This blog presents an overview of the vulnerabilities with the goal of highlighting the attack surfaces involved, as these concepts might apply to similar monitoring solutions developed by other vendors.
Attack Surfaces Exposed by the “Main” Application
The IntelliVue Information Center iX (PIIC iX) is a complex patient monitoring solution developed by Philips that provides monitoring at a patient’s bedside and at a unit’s central station along with a smartphone application for caregivers.1 To integrate third-party patient care devices, Philips also provides Intellibridge, a device that converts data produced by third-party monitors into a format compatible with the PIIC iX solution.
The PIIC iX workstation has several capabilities. In addition to collecting the data produced by the patient monitors, the workstation is used to consult the data and to manage the devices. This concentration of services within a single target can sometimes be abused by attackers to cause broader issues by finding a single vulnerability.
This is exactly the case of CVE-2021-43548, a denial of service (DoS) affecting a network exposed service. The vulnerable service is written in a managed language and the remote vulnerability cannot do much more than stop the service. However, the PIIC iX workstation implements a system-wide watchdog which monitors a set of services and if one of such services stops, a reboot of the workstation is triggered.
In a threat scenario where an attacker that can send a single packet every time the network service becomes available, we could have a continuous loss of the data produced by the patient monitors, as well as the inability for caregivers to consult previously stored patient data.
Attack Surfaces Exposed by Device Management Interfaces
A patient monitoring solution includes, by definition, at least one device, the patient monitor itself. The solution designed by Philips, though, is also capable of ingesting data generated by third-party patient monitors. This is achieved through additional devices such as IntelliBridge EC 40 and EC 80, a networked family of devices that are managed through a web interface.
Vulnerabilities CVE-2021-32993 and CVE-2021-33017 are two issues concerning the management interfaces of the affected targets, allowing an external attacker to take over administration of the devices.
While in this very case the device management is performed through a web interface, similar devices might rely on proprietary protocols. In those situations, asset owners should ask vendors to properly document the security posture of those mechanisms.
Attack Surfaces Exposed by the Data in Transit
The data produced and managed by a patient monitoring solution is sensitive by nature. Any vulnerability affecting the confidentiality of patient data, as it moves through networks, should be treated carefully.
CVE-2021-43550 identifies a vulnerability in a set of patient monitors manufactured by Philips, where the confidentiality of the communication between a device and the PIIC iX workstation could be compromised by an attacker that can access the network traffic.
Attack Surfaces Exposed by the Data at Rest
Similar confidentiality concerns regarding patient data in transit should be applied to that data at rest. When developing a solution, the security of backups can sometimes be overlooked. Vulnerability CVE-2021-43552 refers to the use of a cryptographic key for patient data backup, which was found to be hardcoded in PIIC iX workstation software.
An attacker that can retrieve a backup of the patient data and can then use the hardcoded key to access the information in cleartext.
This blog presents a set of five vulnerabilities that Nozomi Networks Labs has identified in a patient monitoring solution. The main goal, though, is to leverage these vulnerabilities to introduce a more structured discussion about the attack surfaces exposed by these systems and to help asset owners understand their security posture.
- “The Future of Patient Care is Now,” Philips, January 2020.