
Critical flaws in defibrillator management tool pose account takeover, credential risk for hospitals

A nurse cares for a coronavirus COVID-19 patient in the intensive care unit at Regional Medical Center on May 21, 2020 in San Jose, California. (Photo by Justin Sullivan/Getty Images)

Multiple remote code execution vulnerabilities found in the ZOLL Defibrillator Dashboard could allow a hacker to take control over the impacted system, according to a Department of Homeland Security Cybersecurity and Infrastructure Security Agency alert.

The dashboard is designed for the biomedical engineering departments within the hospital environment. The tool provides streamlined management of defibrillators, giving administrators real-time monitoring of devices in the enterprise environment and across multiple sites.

The half-dozen flaws are found in all versions of the dashboard prior to 2.2. They require only a low skill level to exploit and could enable an attacker to gain access to credentials or impact the confidentiality, integrity, and availability of the application.

One flaw, which CISA warned has a high likelihood of exploit, is the dashboard’s use of hard-coded cryptographic keys that “significantly increases the possibility that encrypted data could be recovered” by an attacker.

“If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question,” according to the alert. “The cryptographic key is within a hard-coded string value that is compared to the password. It is likely that an attacker will be able to read the key and compromise the system.”

“The main difference between the use of hard-coded passwords and the use of hard-coded cryptographic keys is the false sense of security that the former conveys,” it added. 

While many believe that hashing hard-coded passwords prior to storage protects data from adversaries, researchers explained that many hashes are reversible or vulnerable to brute-force attacks.

Further, many authentication protocols will simply request the hash itself, “making it no better than a password.”
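The hard-coded comparison described in the alert, shown next to a hardened form, as an added illustration that is not code from ZOLL, CISA or the original article. The secret value, function names and record layout are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Weak pattern from the alert (constructed value): the secret ships inside
# the program, so every installation shares it and anyone who can read the
# binary or source can read it.
EMBEDDED_SECRET = "example-embedded-secret"

def weak_check(password):
    return password == EMBEDDED_SECRET

# Hashing the embedded value does not help: the hash is identical in every
# copy of the software and is unsalted, so it can be guessed offline once.
EMBEDDED_HASH = hashlib.sha256(EMBEDDED_SECRET.encode()).hexdigest()

def weak_hashed_check(password):
    return hashlib.sha256(password.encode()).hexdigest() == EMBEDDED_HASH

# Hardened pattern: nothing secret in code. Each account gets a random salt
# and a slow PBKDF2 verifier kept in a credential store outside the program.
ITERATIONS = 600_000

def make_verifier(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}

def strong_check(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])

def verifiers_differ(password):
    # Same password, two installs: salts make the stored values unrelated.
    a, b = make_verifier(password), make_verifier(password)
    return a["digest"] != b["digest"]
```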

If an attacker gains access to the system, they could read sensitive information due to another vulnerability that stores system data in cleartext. The flaw also maintains the account ID in a plaintext browser cookie, increasing the risk of exposure if a device is compromised.

The alert warns that even if the device is not compromised, an attacker could remotely copy the cookie by combining the vulnerability with a cross-site scripting flaw. The dashboard also fails to encrypt data before writing it to a buffer, which could expose data to unauthorized actors.
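A defensive check for the cookie weakness described above, as an added example that is not part of the original article or the vendor's software: it issues an opaque session cookie and audits a Set-Cookie value for a cleartext account ID or missing protective flags. The cookie names, account ID and in-memory session store are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side map: opaque token -> account ID (example store)

def issue_session_cookie(account_id):
    """Build a Set-Cookie value that carries no account data."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True      # not readable by page scripts
    cookie["session"]["secure"] = True        # sent over HTTPS only
    cookie["session"]["samesite"] = "Strict"  # not sent on cross-site requests
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

def audit_set_cookie(header_value, known_account_ids):
    """Return findings for one Set-Cookie header value."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        if morsel.value in known_account_ids:
            findings.append(f"{name}: account ID stored in cleartext")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by injected script)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings

# Constructed header showing the weak pattern: the account ID is the cookie.
WEAK_HEADER = "accountId=user-1042; Path=/"
```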

The dashboard has several other flaws with a high likelihood of exploit, including storing passwords in a recoverable format and improperly or incorrectly neutralizing user-controllable input before it’s placed in a webpage output meant to serve other users.

Meanwhile, the software fails to properly assign, modify, track, or verify user privileges, “creating an unintended sphere of control.” Another flaw could enable an attacker to upload and transfer files of dangerous types, which the platform would automatically process within its environment.

CISA is urging all relevant administrators to review the medical advisory and apply the recommended mitigations, including updating the software to the latest version.

Zoll recommends that entities using affected versions treat the defibrillator device as a source of accurate data if there appears to be a discrepancy within the dashboard.

In addition, administrators should perform frequent checks to confirm device readiness, as outlined in the user manual. The password autocomplete function should be disabled in the browsers used for accessing the defibrillator dashboard.

CISA also issued several recommendations and stressed that administrators should take defensive measures to reduce the risk posed by device vulnerabilities, such as minimizing network exposure, ensuring devices aren’t accessible from the internet, and keeping remote devices behind firewalls.

In health care, where patch management continues to be a challenge for most providers, administrators should leverage NIST guidance on data integrity attacks. While not specific to patching processes, the insights support increased network visibility to identify threats and protect vulnerable assets through network segmentation and other mitigation factors.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
