Attack surfaces exposed by the “main” application
The IntelliVue iX Information Center (PIIC iX) is a complex patient monitoring solution developed by Philips that provides bedside and central unit monitoring as well as a smartphone app for caregivers.[1] To integrate third-party patient care devices, Philips also provides IntelliBridge, a device that converts the data produced by third-party monitors into a format compatible with the PIIC iX solution.
The PIIC iX workstation offers several features. Beyond collecting the data produced by the patient monitors, it lets caregivers consult that data and manage the devices. Concentrating these services on a single target means that a single vulnerability can sometimes be exploited to cause problems well beyond the affected service.
This is exactly the case with CVE-2021-43548, a denial of service (DoS) affecting a service exposed to the network. The vulnerable service is written in a managed language, so the remote vulnerability cannot do much more than stop that service. However, the PIIC iX workstation implements a system-wide watchdog that monitors a set of services, and if any of them stops, a restart of the whole workstation is triggered.
In a threat scenario where an attacker sends a single packet each time the network service becomes available again, the result would be a continued loss of the data produced by the patient monitors, as well as caregivers being unable to view previously stored patient data.
Attack surfaces exposed by device management interfaces
A patient monitoring solution comprises, by definition, at least one device, the patient monitor itself. The Philips-designed solution, however, is also capable of ingesting data generated by third-party patient monitors. This is achieved through additional devices such as IntelliBridge EC 40 and EC 80, a family of networked devices that are managed through a web interface.
Vulnerabilities CVE-2021-32993 and CVE-2021-33017 are two problems concerning the management interfaces of the affected targets, allowing an external attacker to take over the administration of the devices.
While in this specific case, device management is done through a web interface, similar devices may rely on proprietary protocols. In these situations, asset owners should ask vendors to properly document the security posture of these mechanisms.
Attack surfaces exposed by data in transit
The data produced and managed by a patient monitoring solution is sensitive by nature. Any vulnerability affecting the confidentiality of patient data as it circulates over the network must be treated with care.
CVE-2021-43550 identifies a vulnerability in a set of patient monitors manufactured by Philips, where the confidentiality of communication between a device and the PIIC iX workstation could be compromised by an attacker with access to network traffic.
Attack surfaces exposed by data at rest
The confidentiality concerns that apply to patient data in transit apply equally to that data at rest. When developing a solution, the security of backups can sometimes be overlooked. CVE-2021-43552 concerns the cryptographic key used to back up patient data, which was found to be hard-coded in the PIIC iX workstation software.
An attacker who recovers a backup of patient data can then use the hard-coded key to read the information in the clear.
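To make the difference concrete, the following Python is an added example written for this post, not Philips code and not a description of how PIIC iX actually encrypts backups. It places the anti-pattern (one constant key baked into every copy of the software) beside a hardened form in which each installation holds its own secret outside the code and derives per-backup encryption and MAC keys from it. The key store class, the constant value and the stream construction (HMAC-SHA256 in counter mode, chosen only so the example runs on the standard library) are assumptions; real backup code should use an authenticated cipher such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets

# ---- the anti-pattern: one key baked into every copy of the software ----
# Constructed value for the example. Anyone who extracts it from one
# installation can read every installation's backups.
HARDCODED_BACKUP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 keystream in counter mode.

    Illustrative PRF-in-CTR construction kept to the standard library so the
    example runs anywhere; production code should use AES-GCM instead.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def backup_weak(patient_data):
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(HARDCODED_BACKUP_KEY, nonce, patient_data)


def restore_weak(blob):
    # Nothing installation-specific is needed: the constant alone is enough,
    # which is the weakness the CVE describes.
    return keystream_xor(HARDCODED_BACKUP_KEY, blob[:16], blob[16:])


# ---- the hardened form: a per-installation secret held outside the code ----
class InstallationKeyStore:
    """Stand-in (assumed for this example) for a secret kept outside the
    software, e.g. an OS key store, an HSM or an operator-provided secret."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else secrets.token_bytes(32)


def derive_keys(installation_secret, salt):
    """Derive separate encryption and MAC keys for one backup with PBKDF2."""
    material = hashlib.pbkdf2_hmac("sha256", installation_secret, salt, 200_000, dklen=64)
    return material[:32], material[32:]


def backup_hardened(keystore, patient_data):
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(keystore.secret, salt)
    ciphertext = keystream_xor(enc_key, nonce, patient_data)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def restore_hardened(keystore, blob):
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(keystore.secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup rejected: wrong installation secret or tampered backup")
    return keystream_xor(enc_key, nonce, ciphertext)


def other_installation_can_read(blob):
    """True if a different installation (its own, unrelated secret) can
    restore the backup; with the hardened scheme this should be False."""
    try:
        restore_hardened(InstallationKeyStore(), blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    record = b"constructed sample patient record"
    print("weak backup readable with the constant only:",
          restore_weak(backup_weak(record)) == record)
    store = InstallationKeyStore()
    blob = backup_hardened(store, record)
    print("hardened backup restored by its own installation:",
          restore_hardened(store, blob) == record)
    print("hardened backup readable by another installation:",
          other_installation_can_read(blob))
```

The point of the hardened form is not the cipher but where the key lives: the software ships no usable secret, so recovering a backup file, or even the whole installed program, yields nothing without the installation's own key material. Deriving fresh keys per backup from a random salt also means one leaked backup key does not unlock the others.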
This blog presents a set of five vulnerabilities that Nozomi Networks Labs has identified in a patient monitoring solution. The main goal, however, is to take advantage of these vulnerabilities to introduce a more structured discussion of the attack surfaces exposed by these systems and to help asset owners understand their security posture.