Three out of the seven flaws were rated as critical, while the remaining four were medium to high severity vulnerabilities.
The IT security researchers at CyberMDX health care security firm, acquired last month by Forescout, have identified as many as 7 easy-to-exploit vulnerabilities. These vulnerabilities are collectively dubbed Access:7.
Details of Access:7 Vulnerabilities
According to researchers, the 7 vulnerabilities were identified in the IoT remote access tool known as PTC Axeda. This platform is compatible with most embedded devices, and companies use it to remotely manage ATMs, barcode scanners, vending machines, and industrial manufacturing equipment/systems. However, lately, it has gained popularity within the health care sector.
Some of these vulnerabilities are caused by the way Axeda processes undocumented/unauthenticated commands because it lets attackers exploit the platform. Other flaws were due to default configuration errors, such as multiple Axeda users sharing hard-coded and guessable system passwords.
According to researchers, three out of the seven flaws were rated as critical, while the remaining four were medium to high severity vulnerabilities.
Around 55% of the impacted devices belong to the health care sector, 24% to IoT, 8% to IT, 5% to financial services, and 4% were linked to the manufacturing sector. Over 54% of the customers having devices running Axeda were detected in the health care sector.
More Healthcare Security News
- 75% of Tested Smart Infusion Pumps Vulnerable to Hacking
- Prominent defibrillator management tool exposed to remote attacks
- Medtronic recalls insulin pump controllers over life-threatening flaws
- Siemens medical scanner on Windows 7 vulnerable; patch coming soon
- High severity Intel chip flaw left cars, medical and IoT devices vulnerable
Possible Dangers
According to Forescout’s report , the vulnerabilities were discovered in hundreds of thousands of devices, as Forescout identified over 2,000 vulnerable systems. Access:7 allows an attacker to exfiltrate data from sensitive devices, particularly medical equipment, to potentially tamper with laboratory results.
In addition to this, attackers can make critical equipment/devices unavailable or at least inaccessible. Or else, they can completely take over the devices, explained Forescout’s head of security research Daniel dos Santos.
Furthermore, attackers can obtain patient data, modify test results or medical records, launch DoS (denial of service) attacks to prevent physicians from accessing patient data at crucial times, target ATMs and cause disruption in industrial control systems.
Researchers informed the PTC, US Cybersecurity and Infrastructure Security Agency, H-ISAC, and the Food and Drug Administration about Access:7 under coordinated disclosure policy. PTC has already released patches for these flaws.
