Medical devices under hack threat | Information Age

Cybercriminals can control and disable devices anywhere in the world. Photo: Shutterstock

Businesses are already ducking and covering as the invasion of Ukraine drives a surge of cybercriminal attacks, but the publication of yet another severe security vulnerability has given malicious actors new ways to attack medical and other devices anywhere in the world.

The vulnerabilities – which were revealed and documented by security firm Forescout and have collectively been dubbed Access:7 – are found in a library called PTC Axeda, and its companion Axeda Desktop Server application.

Axeda is used by many Internet of Things (IoT) manufacturers to enable the remote management of devices – but its poorly designed authentication, including use of hardcoded credentials and unauthenticated services, means that attackers can easily access and control connected devices.

Six other vulnerabilities enable cybercriminals to access devices, reconfigure them, control them remotely, disconnect them, and more.

That’s a major problem for the healthcare environments that make up around 55 per cent of Axeda’s user base – where the software powers systems administering life-sustaining medical care including imaging, laboratory, ventilation, infusion, implantables, and surgery.

Over 150 potentially affected devices, from over 100 vendors including Abbott, Acuo, Carestream, GE Healthcare, Varian, and Bayer, have already been identified – and Axeda is also used in ATMs, industrial, and other settings.

PTC paid $235m for Axeda back in 2018, integrating the remote management tool into its broader ThingWorx IoT platform and then ending support for Axeda at the end of 2020.

With so many installed devices still so easily exploitable, the vulnerabilities were given CVSS scores as high as 9.8 out of 10 – motivating the US Cybersecurity & Infrastructure Security Agency (CISA) to publish an Industrial Control System (ICS) Advisory warning of the low-complexity attack.

Affected devices should, CISA advised, be disconnected from the Internet, isolated from business networks, and patched with the latest software versions.

New fears in a climate of unrest

Coming on…