Israeli research lab JSOF has discovered multiple cybersecurity vulnerabilities impacting hundreds of millions of Internet of Things (IoT) devices across a wide range of industries, including medtech. The risks from the security loopholes, dubbed Ripple20, are high and could allow hackers to take control of infusion pumps remotely and alter medication dosages, according to an example given by the lab.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an advisory last week saying it was aware of Ripple20 and warned that "a remote attacker can exploit some of these vulnerabilities to take control of an affected system." CISA's advisory listed medtechs Baxter, B. Braun, and medical imaging company Carestream as being "affected" by the security loopholes. Medtronic and Philips appeared as "not affected" on the list.
While Carestream was not immediately available for comment, Baxter and B. Braun each shared written statements with MedTech Dive calling the vulnerabilities low risk and manageable.
The Ripple20 vulnerabilities identified by JSOF were discovered in code offered by Ohio-based third party software company Treck, which serves a large number of IoT device manufacturers. The issues stem specifically from Treck's software library, which has been widely disseminated.
"Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries," according to JSOF, a cybersecurity firm that says it caters to big corporations.
Nick Yuran, CEO of cybersecurity consultancy Harbor Labs in Baltimore, says his firm is actively following the Ripple20 vulnerabilities and issued a rare security alert to all of its clients, including infusion pump customers, urging them to inspect their systems and confirm whether they employ the Treck stack.
"In the most severe cases, an attacker may perform remote code execution, which gives the attacker complete control of the device," Yuran said. "We are advising our clients to take Ripple20 very seriously."
Originally published by
Greg Slabodkin | June 24, 2020