US-CERT Issues Advisory About Vulnerabilities in Patient Monitors
The U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Team (US-CERT) recently issued an advisory outlining three vulnerabilities in Drager Infinity Delta patient monitoring devices.
The vulnerabilities affect all versions of the Drager Delta, Delta XL, Kappa, and Infinity Explorer C700 patient monitoring devices. According to the alert, the three security flaws are:
- Exposure of Information in Log Files—the log files are not secured and can be accessed over an unauthenticated network, which allows an attacker to view the sensitive information contained in the logs, including the location of the device, the internal information of the monitor, and its network configuration.
- Improper Input Validation—a flaw in the way input is validated can be exploited to cause the monitor to reboot constantly until it reverts to the default configuration, causing network connectivity to be lost.
- Privilege Escalation Through Improper Privilege Management—this vulnerability allows the attacker to gain access to the operating system and take full control of it.
Drager issued patches for the vulnerabilities in December 2018. According to the alert, users should update the devices to the newest version, which is accessible through Drager ServiceConnect; review their network segmentation configuration to affirm that devices are separated from the hospital LAN system; and confirm that the Windows patch level on the Infinity Explorer is up to date.