Researchers Discover 13 Medical Device Security Vulnerabilities
Researchers discovered 13 new medical device security vulnerabilities stemming from the Siemens Nucleus TCP/IP stack that could enable DoS attacks and exploitation.
Researchers from Forescout Research Labs discovered a set of 13 new medical device software vulnerabilities affecting the Siemens Nucleus TCP/IP stack. The software suite is used in critical devices including patient monitors, X-ray machines, anesthesia devices, and ultrasound devices.
If exploited, the vulnerabilities may allow for denial-of-service (DoS) attacks, information leaks, and remote code execution.
Thousands of healthcare devices rely on the Nucleus software, researchers found. Government, retail, and financial vendors also rely on Nucleus. The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory regarding the vulnerabilities, and Siemens has since released patches for all 13 vulnerabilities.
The researchers tested each vulnerability in the Forescout laboratories. In one simulation, the researchers were able to exploit the vulnerabilities and take a mock hospital completely offline, CNN reported. The vulnerabilities allowed them to turn off the hospital’s lights and cut off its HVAC system after obtaining access to its network.
Recent research from Armis revealed that IT professionals are most concerned about the security of HVAC and electrical systems, imaging machines, check-in kiosks, medication dispensing equipment, and vital sign monitoring equipment. Despite the influx of news about ransomware and medical device vulnerabilities, risks to hospital infrastructure pose significant threats to patient safety and security as well.
Forescout urged organizations to patch devices to protect against the vulnerabilities. Patching medical devices can be extremely challenging, especially since many organizations struggle to identify how many devices are on their networks. In addition, out-of-date legacy devices can be difficult or impossible to update. It is crucial that organizations maintain an accurate inventory of their connected devices to avoid negative security impacts.
Forescout recommended that organizations discover and inventory all devices running Nucleus software. Healthcare organizations should also consider enforcing “segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices,” the report stated.
“Restrict external communication paths and isolate or contain vulnerable devices in zones as a mitigating control if they cannot be patched or until they can be patched.”
Impacted organizations should continuously monitor progressive patches released by impacted device vendors, create a remediation plan for vulnerable assets, and monitor all network traffic for malicious packets that may attempt to exploit these vulnerabilities.
CISA urged organizations to take defensive measures, including minimizing network exposure for all control system devices to ensure that they are not accessible from the internet. CISA also recommended that organizations locate control system networks and remote devices behind firewalls and subsequently isolate them from the business network.
The agency also reminded impacted organizations to use VPNs, while recognizing that the VPNs themselves may have vulnerabilities and are only as secure as the connected devices.
“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents,” CISA concluded. “No known public exploits specifically target these vulnerabilities.”