Zoll Defibrillator Dashboard would execute contents of random Excel files ordinary users could import

Medical device cybersecurity raises its head in CISA warning

A defibrillator management platform was riddled with vulnerabilities including a remote command execution flaw that could seemingly be invoked by uploading an Excel spreadsheet to the platform.

Or so warned the US's Cybersecurity and Infrastructure Security Agency, which said the Defibrillator Dashboard software, made by medical devices firm Zoll, contained six flaws in total, the combined effect of which could present an infosec Swiss cheese for malicious people to exploit.

As well as allowing low-privileged users to upload files that the dashboard software would then execute, it saved user credentials in plaintext, stored passwords in "a recoverable format" that permitted their extraction from web browsers, and was also vulnerable to cross-site scripting (XSS) attacks.

Rated at 9.9 on the CVSS v3.0 severity scale, the file upload vuln (CVE-2021-27489) could be invoked by an ordinary user. Further details have not yet been made public. Another vuln, CVE-2021-27481, was described as the dashboard using a hardcoded encryption key "in the data exchange process."

Zoll's product is used to manage fleets of defibrillators, life-saving electric shock devices used to detect the irregular heart rhythm (arrhythmia) when people are suffering a cardiac arrest and shock them back to a normal rhythm. According to the company's website, its defibrillators carry out daily self-tests and report the result to the central dashboard software: "If the state of readiness of any R Series is compromised, email notifications are automatically sent to appropriate personnel – as many people as you choose. And you can view the status of the fleet at any time, from any mobile device anywhere."

The dashboard accepts uploads of Excel spreadsheets ("Save time by importing defibrillator fleet information with Microsoft® Excel files") and can export data in the same format. CISA listed the vulns in an advisory note setting out the six flaws along with brief details.

Zoll had not responded to a request for comment from The Register by the time of publication. NHS Digital said it was investigating how many instances of Zoll Defibrillator Dashboard had been deployed across the British state-run health service's estate. Zoll has an active sales presence in the UK and its defibrillator products are listed on several online medical device shops.

Ian Thornton-Trump, CISO of threat intel firm Cyjax, told The Register: "The major point of this announcement is in my mind to bring attention to the nexus of medical IoT technology and human safety. It confirms Josh Corman's work and the I am the Cavalry organization's mission," referring to a US-based medical IoT security advocacy group.

A decade ago infosec bod Barnaby Jack, of ATM jackpotting fame, warned that wireless attacks against implanted defibrillators could potentially kill their human hosts. In 2019, a CVE was issued for a vuln that potentially allowed tampering with wireless data flowing between pacemakers and their external controllers.

While the impact of the Zoll vulnerabilities is far from lethal, medical cybersecurity is an under-scrutinised field that has plenty of opportunities for criminals to exploit. For example, compromising Zoll's software could provide a foothold into the victim's network, allowing further exploitation in a supply-chain attack. Those are a real and growing threat, as the SolarWinds and Microsoft Exchange Server compromises showed. ®
