CISA: Defibrillator Dashboard Security Flaws Pose Risk
Agency Warns That Attackers Could Exploit Vulnerabilities, Gain Device Management Control
A half-dozen security vulnerabilities recently identified in older versions of the Zoll Defibrillator Dashboard could allow a remote attacker to take control of the device management platform, including executing arbitrary commands, as well as gain access to sensitive information and credentials, the Cybersecurity and Infrastructure Security Agency warns. It recommends upgrading to newer versions of the dashboard to mitigate the risks.
In an alert issued Monday, CISA says successful exploitation of the vulnerabilities - which were reported anonymously - could enable remote code execution, allowing an attacker to gain access to credentials and affect the confidentiality, integrity and availability of the Zoll defibrillator device management platform.
The dashboard helps hospitals and other healthcare organizations manage and track their fleets of defibrillators, including identifying devices' locations and whether any devices are missing electrodes or have failed to properly perform.
The vulnerabilities, which affect all versions of the dashboard prior to version 2.2, include unrestricted upload of files with malicious code, use of a hard-coded cryptographic key, cleartext storage of sensitive information, cross-site scripting, storing passwords in a recoverable format, and improper privilege management, CISA says.
Most of the vulnerabilities identified in the Zoll dashboard "are repeating issues for connected medical devices in general, but not only legacy ones," says Elad Luz, head of research at healthcare security firm CyberMDX.
The issues identified in the legacy Zoll product "are relatively severe and are of the type that should come up early in the process of vulnerability research and risk assessment - yet for some reason the issues remained undiscovered for a long time," Luz adds.
The most serious of the vulnerabilities identified in the Zoll product is the "unrestricted upload of file with dangerous type" flaw, Luz says. "Abusing that - a user may upload a ... malicious file and execute it on the server. In other words - exploiting this vulnerability could end up with remotely executing arbitrary code on the server managing the defibrillators," he says.
"The dashboard is mainly used for making sure your defibrillator fleet has performed and passed the daily validation tests," he notes. So, remotely executing code on the server could potentially display false information regarding those tests, he says.
"I would also suggest that one of the reasons it took so long to discover [the Zoll vulnerabilities] is the shortage of researchers in the healthcare sector. Whereas other research areas such as Android, Mac and Windows are saturated with researchers, medical device research still has a lot of room for growth. Otherwise, this issue could have been reported earlier."
More vulnerabilities tend to show up in legacy devices for two main reasons, Luz says.
"The first is that many of these older devices were designed before cybersecurity issues were a real concern, and so they weren’t designed with proper cybersecurity in mind," he says.
Second, many older devices run on legacy software that has reached end-of-life or end-of-support status, so they no longer receive regular security updates, he adds.
"Cybersecurity should be integrated in the development life cycle of medical devices and receive ongoing attention from manufacturers," Luz says.
In a statement, Zoll tells Information Security Media Group that the company alerted its customers to the vulnerabilities highlighted by CISA's alert in October 2020, recommending they upgrade to version 2.2 of Defibrillator Dashboard. "Last week, ZOLL sent another announcement to customers to reinforce the importance of upgrading their Defibrillator Dashboard software if they haven’t already, and let them know that CISA is also posting the vulnerabilities on its website," Zoll says.
"Beyond the steps being taken to address this specific issue, ZOLL is constantly enhancing its software development security program. Internal risk assessments and lessons learned from the security researcher community constantly yield improvements, and ZOLL’s software development process uses widely integrated code-checking tools that are stronger than ever before," the company says.
Besides recommending that users of affected versions mitigate these vulnerabilities by upgrading to Defibrillator Dashboard Version 2.2 or later, Zoll also recommends "users of affected versions keep in mind data on the defibrillator device should be considered the source of accurate data, should there be any discrepancy with the Defibrillator Dashboard," CISA's advisory states.
"Users should perform frequent local checks to confirm readiness of the devices as per manuals," CISA says. Zoll also recommends users disable the password autocomplete function on browsers accessing the Defibrillator Dashboard, according to the advisory.
CISA recommends users take several defensive measures to minimize the risk of exploitation of these vulnerabilities, including:
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet;
- Locate control system networks and remote devices behind a firewall and isolate them from the business network;
- When remote access is required, use secure methods, such as the most current version of a virtual private network.
"While it seems counterintuitive, every vulnerability disclosure such as this is a good thing for the industry," Luz says. "With every disclosure, we eliminate another cybersecurity threat from our systems and raise awareness across the industry regarding the importance of cybersecurity."
Discussions among regulators, researchers, vendors and customers "help raise the standard of cybersecurity and ensure that, in the future, similar mistakes are avoided," he adds.