Security Alert: Software Vulnerabilities Expose Medical Devices, ATMs to Hackers
A recent report claims that seven newly discovered vulnerabilities in an “Internet of Things” remote management tool put a wide variety of medical devices, ATMs, and other machines connected to the internet at risk of hacking.
Wired reports that researchers from the healthcare security firm CyberMDX, which was recently acquired by the Internet of Things (IoT) security firm Forescout, discovered seven easily exploited vulnerabilities in the IoT remote access tool PTC Axeda. The vulnerabilities have been named “Access:7.”
The Axeda platform can be used with any internet-connected device but has been popularly used in medical equipment. Researchers further found that some companies have used the platform to remotely manage ATMs, vending machines, barcode scanners, and some industrial manufacturing equipment.
Researchers estimate that the Access:7 vulnerabilities are present in hundreds of thousands of devices. Daniel dos Santos, head of security research at Forescout, commented: “You can imagine the type of impact an attacker could have when they can either exfiltrate data from medical equipment or other sensitive devices, potentially tamper with lab results, make critical devices unavailable, or take them over entirely.”
Some of the vulnerabilities are related to how the Axeda system processes unauthenticated commands, meaning hackers could manipulate the platform. Others are related to default configuration issues, like guessable system passwords shared by multiple Axeda users. Three of the seven vulnerabilities are considered critical, and four are medium- to high-severity bugs.
The researchers worked with PTC, as well as the U.S. Cybersecurity and Infrastructure Security Agency, H-ISAC, and the Food and Drug Administration, to patch many of the flaws. PTC told Wired in a statement: “This disclosure is the culmination of a cooperative effort between PTC, CyberMDX, and CISA. PTC and CyberMDX collaborated to thoroughly investigate and implement appropriate remediations for the vulnerabilities. PTC then notified customers and guided their remediations ahead of disclosure. … The result is greater awareness for users and the opportunity to resolve a potential threat to their systems and data.”
Read more at Wired here.