Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases about networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Disclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Scope

This blog post explains the security assessment of the IntelliVue system from Philips Medizinsysteme Böblingen GmbH (hereafter referred to as Philips), a German subsidiary of the Dutch manufacturer Koninklijke Philips N.V.

Philips IntelliVue patient monitors are intended to be used for monitoring and recording of, and to generate alarms for, multiple physiological parameters of adults, pediatrics, and neonates. Philips Patient Information Center iX (PIC iX) is a real-time patient monitoring solution that consolidates physiological data from patient monitors and clinical information systems. This monitoring system is intended for use in professional healthcare facilities by trained healthcare professionals. It is not intended for home use. The IntelliVue system allows not only communication between monitors and the Patient Information Center iX but also communication between individual monitors.

In scope of the security assessment was the communication between one Patient Information Center iX surveillance station and two IntelliVue MX850 patient monitors, along with network infrastructure components. The operating system hardening of the PIC iX server host as well as the provided network infrastructure were out of scope of this assessment.

A Philips IntelliVue MX850 patient monitor (left) and PIC iX Surveillance Station (middle + right). [1, p. 49]

Results

During the security assessment of the Patient Information Center iX application, multiple Cross-Site Scripting (XSS) vulnerabilities (CVE-2020-16218) and a CSV injection (CVE-2020-16214) were identified. Beyond that, a kiosk breakout was observed (CVE-2020-16212). From a network perspective, the application could be crashed via a single specially crafted packet to a network-facing service (CVE-2020-16224). The crash led to a reboot of the application. An additional persistent crash was observed in the certificate enrollment service via SCEP when it was provided with tampered certificate signing requests (CVE-2020-16220). This crash only impacts the certificate enrollment service, which runs only when enrolling new devices. While running, this certificate enrollment service is vulnerable to a practical brute-forcing attack, which enables attackers to obtain trusted certificates to connect to patient monitors (CVE-2020-16222).

The IntelliVue MX850 patient monitor improperly checks for certificate revocations, which enables attackers with access to a trusted certificate to obtain a Man-in-the-Middle (MitM) position between the patient monitor and the server application (CVE-2020-16228). This position could be used to crash the patient monitor or potentially modify transmitted data (CVE-2020-16216). The monitor reboots after crashing, which takes about 20 seconds. During this time, no vital signs are measured or transmitted to the Patient Information Center iX application.
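Why a missing revocation check matters for a certificate that was once trusted can be shown with generic X.509 tooling. The following is an added example, not code from Philips, the BSI report or the original post, and it does not model the IntelliVue protocol: it assumes the `openssl` command-line tool is installed, and the CA, the client name and all file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed lab: a throwaway CA issues one client certificate, revokes it and
# publishes a CRL. The same certificate is then validated twice, once on chain
# and signature only, once with the CRL consulted. Nothing here is vendor data.
revocation_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  trap 'rm -rf "$d"' EXIT
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  : > index.txt; echo 01 > serial
  ca="openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key"
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo CA" \
      -days 30 -keyout ca.key -out ca.pem &&
    openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=demo-client" \
      -keyout cl.key -out cl.csr &&
    $ca -in cl.csr -out cl.pem &&   # issue the client certificate
    $ca -revoke cl.pem &&           # the CA revokes it ...
    $ca -gencrl -out ca.crl         # ... and publishes a fresh CRL
  } >/dev/null 2>&1 || exit 1
  # Chain-only validation: signature and validity period, no revocation lookup.
  if openssl verify -CAfile ca.pem cl.pem >/dev/null 2>&1
  then chain=accept; else chain=reject; fi
  # CRL-aware validation of the very same certificate.
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl cl.pem 2>&1) || true
  case $out in
    *"certificate revoked"*) crl=revoked ;;
    *) crl=other ;;
  esac
  echo "chain_only=$chain crl_check=$crl"
)
revocation_demo
```

A relying party that stops at the first check keeps trusting a certificate for its whole validity period, so revoking it at the CA has no effect on that peer.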

An ICS Medical Advisory (ICSMA-20-254-01) was published on September 10, 2020 [2].

Impact

By chaining the crash of the Patient Information Center iX application, the improper certificate revocation check of the patient monitor, and the crash of the monitor, an attacker in possession of a valid client certificate can cause a sustained Denial of Service (DoS) of the IntelliVue monitoring system. To date, Philips has not received any reports of exploitation of these issues or of incidents from clinical use that have been associated with this issue. The manufacturer identified no reports of patient harm. In the event of monitoring interruption, there is a possibility of delayed patient treatment. However, to successfully exploit these vulnerabilities, an attacker would need to gain either physical access to surveillance stations and patient monitors, or access to the medical device network. The manufacturer is preparing to release an update to fix the vulnerabilities.

References

[1] Bundesamt für Sicherheit in der Informationstechnik (BSI). Veröffentlichungen. Online (accessed January 12, 2021): https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Veroeffentlichungen/cybermed_node.html

[2] ICS Medical Advisory (ICSMA-20-254-01). Philips Patient Monitoring Devices. September 10, 2020. Online (accessed January 12, 2021): https://us-cert.cisa.gov/ics/advisories/icsma-20-254-01