Vulnerabilities Found in Philips IntelliBridge, Patient Information Center and Efficia Patient Monitors

Five vulnerabilities were discovered that can impact these medical devices:

the IntelliBridge EC 80 and EC 40 Hub, Efficia CM Series, and Philips Patient Information Center iX Patient Monitors.

IntelliBride EC 40 and EC 80 Hub
Two vulnerabilities were discovered that have an effect on C.00.04 and previous models of the IntelliBridge EC 40 and EC 80 Hub. An unauthorized person could profitably manipulate the vulnerabilities with success and manage to execute software programs, alter system settings, and update/look at files that could contain unidentifiable patient information.

CVE-2021-32993 – The first vulnerability is caused by the usage of hard-coded credentials inside the applications for its own incoming authentication, outgoing communication to exterior components, or the encryption of internal information.

CVE-2021-33017 – The second vulnerability involves a problem with authentication bypass. Although the normal access path of the device demands authentication, another path was found that doesn’t call for authentication.

The two vulnerabilities were given a CVSS v3 severity rating of 8.1 of 10.

Philips hasn’t given a patch to resolve the vulnerabilities, nevertheless wants to resolve the vulnerabilities before the year ends. Meanwhile, Philips suggests simply utilizing the products within Philips authorized descriptions, and merely making use of Philips-permitted application, software arrangement, security configurations, and system services. The products must be physically singled out from the hospital system.

Efficia CM Series and Patient Information Center iX Patient Monitors

Three vulnerabilities were found to impact the Philips Patient Information Center iX and Efficia CM series patient monitors. The vulnerabilities can be exploited to acquire access to patient files and to carry out a denial-of-service attack. Though exploitation has a low attack complexity, the vulnerabilities may basically be exploited by way of an adjacent network.

The vulnerabilities impact the following Philips devices:

  • Efficia CM Series: Revisions A.01 to C.0x and 4.0
  • Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03

Vulnerable models of the PIC iX don’t effectively verify input to decide whether or not the input has the components to be processed carefully and accurately. The vulnerability is tagged as CVE-2021-43548 and was given a CVSS severity rating of 6.5 out of 10.

A hard-coded cryptographic key was utilized which suggests encrypted data can be restored from vulnerable versions of the PIC iX. The vulnerability is monitored as CVE-2021-43552 and was assigned a 6.1 CVSS score.

A broken or risky cryptographic algorithm signifies sensitive records can be exposed in communications between PIC iX and Efficia CM Series patient monitors. The vulnerability is tagged as CVE-2-21-43550 with a CVSS rating of 5.9.

CVE-2021-43548 has been resolved in PIC iX C.03.06 and updates to correct the other two vulnerabilities will be released before 2022 ends.

To decrease the probability for exploitation of the flaws, the products must only be employed as per Philips authorized requirements, which involve physically or logically distancing the gadgets from the hospital’s local area network, and employing a firewall or router that can easily use access control lists restraining access in and out of the patient monitoring network for only important IP addresses and ports.

Philips-introduced hardware has Bitlocker Drive Encryption enabled automatically and this should never be disabled. If disposing of, NIST SP 800-88 media sanitization instructions need to be observed. Patient files are not contained in archives by default, and so in case archives are exported that have patient files, the data must be kept safely with tough access controls.