A defibrillator management platform was riddled with vulnerabilities including a remote command execution flaw that could seemingly be invoked by uploading an Excel spreadsheet to the platform.
Or so warned the US's Cybersecurity and Infrastructure Security Agency, which said the Defibrillator Dashboard software, made by medical devices firm Zoll, contained six flaws in total, the combined effect of which could present an infosec Swiss cheese for malicious people to exploit.
As well as allowing low-privileged users to upload files that the dashboard software would then execute, it was saving user credentials in plaintext, stored passwords in "a recoverable format" permitting their extraction from web browsers, and was also vulnerable to cross-site scripting (XSS) attacks.
Rated at 9.9 on the CVSS v3.0 severity scale, the file upload vuln (CVE-2021-27489) could be invoked by an ordinary user. Further details have not yet been made public. Another vuln, CVE-2021-27481, was described as the dashboard using a hardcoded encryption key "in the data exchange process."
Zoll's product is used to manage fleets of defibrillators, life-saving electric shock devices used to detect the irregular heart rhythm (arrhythmia) when people are suffering a cardiac arrest and shock them back to a normal rhythm. According to the company's website, its defibrillators carry out daily self-tests and report the result to the central dashboard software: "If the state of readiness of any R Series is compromised, email notifications are automatically sent to appropriate personnel – as many people as you choose. And you can view the status of the fleet at any time, from any mobile device anywhere."
The dashboard accepts uploads of Excel spreadsheets ("Save time by importing defibrillator fleet information with Microsoft® Excel files") and can export data in the same format. CISA listed the vulns in an advisory note setting out the six flaws along with brief details.
Zoll had not responded to a request for comment from The Register by the time of publication. NHS Digital said it was investigating how many instances of Zoll Defibrillator Dashboard had been deployed across the British state-run health service's estate. Zoll has an active sales presence in the UK and its defibrillator products are listed on several online medical device shops.
Ian Thornton-Trump, CISO of threat intel firm Cyjax, told The Register: "The major point of this announcement is in my mind to bring attention to the nexus of medical IoT technology and human safety. It confirms Josh Corman's work and the I am the Cavalry organization's mission," referring to a US-based medical IoT security advocacy group.
A decade ago infosec bod Barnaby Jack, of ATM jackpotting fame, warned that wireless attacks against implanted defibrillators could potentially kill their human hosts. In 2019, a CVE was issued for a vuln that potentially allowed tampering with wireless data flowing between pacemakers and their external controllers.
While the impact of the Zoll vulnerabilities is far from lethal, medical cybersecurity is an under-scrutinised field that has plenty of opportunities for criminals to exploit. For example, compromising Zoll's software could provide a foothold into the victim's network allowing further exploitation in a supply-chain attack. Those are a real and growing threat, as the SolarWinds and Microsoft Exchange Server compromises showed. ®