More Devices Affected by ‘Ripple20’ Vulnerabilities
Federal regulators have issued another round of security alerts about vulnerabilities in medical device products from several manufacturers.
An advisory from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency offers an update to earlier alerts issued last month pertaining to the so-called “Ripple20” vulnerabilities found in the Treck TCP/IP stack, which potentially impact components of medical devices as well as certain industrial connected devices (see: Alerts: Vulnerabilities in 6 Medical Devices).
Some medical device manufacturers – including Becton, Dickinson and Co. – whose products are impacted by the latest Treck TCP/IP stack advisory also issued their own alerts.
Meanwhile, DHS and Philips issued an alert pertaining to security vulnerabilities that could potentially allow a low-skilled attacker to access log file information in certain Philips sleep apnea software products.
A July 21 CISA advisory updates a list of products potentially impacted by “Ripple20” vulnerabilities; an earlier alert had listed six devices.
“Successful exploitation of these vulnerabilities may allow remote code execution or exposure of sensitive information,” the advisory notes.
In its own July 30 advisory related to the Ripple20 update, BD says it has assessed how the vulnerabilities potentially affect third-party embedded components.
“These vulnerabilities are not exclusive to BD or medical devices that use Treck TCP/IP networking stack,” BD notes.
Affected BD Products
BD has discovered that products in two of its suites include third-party components that utilize the Treck TCP/IP networking stack that’s potentially affected by a variety of the identified vulnerabilities.
Affected products in the BD Kiestra suite contain a third-party Schneider Electric APC uninterruptible power supply for backup battery power that uses the Treck TCP/IP stack. Those products include:
- BD Kiestra Total Lab Automation with a system control unit;
- BD Kiestra Work Cell Automation with an SCU;
- BD Kiestra ReadA standalone with an SCU.
“The BD Kiestra Systems are affected by four of the 19 Treck TCP/IP networking stack vulnerabilities,” BD notes. “If these vulnerabilities were exploited, the APC UPS would disconnect and not provide electrical power to the BD Kiestra System in the event of a power outage.”
BD warns that if a customer has a power outage and the BD Kiestra System has no battery power left from the affected APC UPS, the system will perform a hard shutdown, that is, an uncontrolled, forced power-off.
In addition, BD says two peripheral technologies used with BD’s Rowa Vmax medication handling products contain third-party Beck PLC controllers for control functionality, which also use the Treck TCP/IP stack. Those products are:
- BD Rowa conveyor technology;
- BD Rowa label printer.
These products are affected by 11 of the 19 Treck TCP/IP networking stack vulnerabilities, BD notes.
“If exploited, an unauthorized user could potentially cause a denial-of-service attack on the BD Rowa conveyor technology and BD Rowa label printer, rendering the systems inoperable,” BD says.
“An unauthorized user would not be able to perform remote commands on the systems or have access to the connected BD Rowa Vmax,” BD adds.
BD says it hasn’t received any reports of these third-party vulnerabilities being exploited on any of those BD products.
In its advisory, BD recommends a number of mitigations and compensating controls to reduce risks, including minimizing network exposure to devices and ensuring devices are not accessible from the internet unless essential.
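BD’s recommendation to minimize network exposure is easiest to act on when it is turned into a repeatable check. The script below is an added example, not code from BD, CISA or any vendor: it takes a constructed inventory of devices that embed the affected stack, a constructed list of network segments that are approved to reach them, and constructed firewall flow records, and reports every permitted inbound connection that comes from outside those approved segments. All addresses, ports and the flow-record format are hypothetical; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for internet addresses.

```python
"""Network-exposure check for inventoried devices (added example, not vendor code).

Inputs are constructed for the example:
  - AFFECTED_DEVICES: device name -> management address of a device that embeds
    the affected third-party component (hypothetical addresses).
  - APPROVED_SOURCES: segments permitted to reach those devices (hypothetical).
  - SAMPLE_FLOWS: firewall flow records in a simple "src dst dport action" form.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inventory of devices with the affected embedded component.
AFFECTED_DEVICES = {
    "kiestra-scu-apc-ups": ipaddress.ip_address("10.20.5.10"),
    "rowa-conveyor-plc": ipaddress.ip_address("10.20.7.21"),
    "rowa-label-printer-plc": ipaddress.ip_address("10.20.7.22"),
}

# Segments that are allowed to talk to those devices, e.g. the lab automation
# VLAN and a jump-host subnet. Hypothetical values.
APPROVED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.99.1.0/24"),
]

# RFC 1918 space, checked explicitly rather than via ip_address.is_private,
# because Python also treats the documentation ranges as "private".
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records: "<src_ip> <dst_ip> <dst_port> <action>". Ports are
# placeholders and do not describe any real device's services.
SAMPLE_FLOWS = """\
10.20.5.40 10.20.5.10 80 allow
203.0.113.7 10.20.5.10 80 allow
10.99.1.5 10.20.7.21 502 allow
198.51.100.9 10.20.7.22 23 allow
198.51.100.9 10.20.7.22 23 deny
10.30.2.8 10.20.7.21 502 allow
"""


@dataclass(frozen=True)
class Finding:
    device: str
    src: str
    dst_port: int
    reason: str


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    src, dst, port, action = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action


def classify_source(src, approved):
    """Return why a source is a concern, or None if it is an approved segment."""
    if not any(src in net for net in RFC1918):
        return "source outside RFC 1918 space (internet-reachable)"
    if not any(src in net for net in approved):
        return "internal source outside approved segments"
    return None


def find_exposures(flow_text, devices=AFFECTED_DEVICES, approved=APPROVED_SOURCES):
    """List permitted flows that reach an affected device from a non-approved source."""
    by_ip = {ip: name for name, ip in devices.items()}
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, action = parse_flow(line)
        # Denied flows and destinations not in the inventory are not exposures.
        if action != "allow" or dst not in by_ip:
            continue
        reason = classify_source(src, approved)
        if reason is not None:
            findings.append(Finding(by_ip[dst], str(src), port, reason))
    return findings


def exposed_devices(findings):
    """Distinct affected devices that have at least one non-approved inbound flow."""
    return sorted({f.device for f in findings})


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_FLOWS):
        print(f"{f.device}: {f.src} -> port {f.dst_port} ({f.reason})")
```

Running it against the sample data reports three flows: two from outside RFC 1918 space and one from an internal segment that is not on the approved list, while the denied flow and the flows from approved segments are ignored. In practice the flow text would come from a firewall or NetFlow export, and the inventory from the asset register that tracks which devices carry the affected third-party component.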
Other Impacted Products
In its own alert, Smiths Medical notes the Treck TCP/IP stack “has been implemented in a wide range of industries and products, including the Digi Net+OS operating system used in the CADD®-Solis Wireless Communication Module Model 2130.”
Smiths Medical says it has not received any reports of these vulnerabilities impacting clinical use of its affected products. The company says it has received a patch from Digi, its third-party software vendor, and will release additional information on the issue when it becomes available.
An unrelated Philips alert covers certain versions of the company’s DreamMapper mobile app, which is used to help manage sleep apnea. It notes that a vulnerability identified by an independent security researcher could allow an attacker to gain access to log file information containing descriptive error messages.
“This potential vulnerability does not impact patient safety,” Philips says in a statement provided to Information Security Media Group. “The Philips DreamMapper software is a personalized therapy adherence tool for sleep apnea patients, and is not a clinical application – it does not directly provide therapy or diagnosis to patients.”
Philips says it has not received any reports of exploitation of this vulnerability.
“Philips plans a new release for DreamMapper by June 30, 2021, that remediates the identified security vulnerability. Philips has reported this potential vulnerability and its mitigation to customers and the appropriate government agencies, including CISA,” which also issued an advisory, Philips notes.
Progress, But Long Way to Go
These latest advisories from device manufacturers and regulators are among a “wave” of other medical device security alerts issued in recent months, notes Emily Dillon, medical device security consultant at consulting firm CynergisTek.
Some of the advisories being issued by regulators are the result of “coordinated vulnerability disclosure” programs by companies, including BD and Philips.
“We have certainly seen an astounding number of ICS-CERT advisories and alerts around medical devices in the past six weeks,” Dillon says. “I applaud the manufacturers for stepping up and sharing the vulnerabilities and their efforts to address them timely. This, though, is only the first wave.”
The number of unsupported devices and end-of-life devices deployed in the U.S. is “staggering,” she says. “Everyone has been talking about medical device security for several years now. It is time to stop talking about the problem and start doing something about it.”