Critical Bugs Expose Hundreds of Thousands of Medical Devices and ATMs:
Specialized health care devices, from imaging tools like CT scanners to diagnostic lab equipment, are often inadequately protected on hospital networks. Now, new findings about seven vulnerabilities in an Internet of Things remote management tool underscore the interconnected exposures in medical devices and the broader IoT ecosystem.
Researchers from the health care security firm CyberMDX, which was acquired last month by the IoT security firm Forescout, found seven easily exploited vulnerabilities, collectively dubbed Access:7, in the IoT remote access tool PTC Axeda. The platform can be used with any embedded device, but has proven particularly popular in medical equipment. The researchers also found that some companies have used it to remotely manage ATMs, vending machines, barcode scanning systems, and some industrial manufacturing equipment. The researchers estimate that the Access:7 vulnerabilities are in hundreds of thousands of devices in all. In a review of its own customers, Forescout found more than 2,000 vulnerable systems.
"You can imagine the type of impact an attacker could have when they can either exfiltrate data from medical equipment or other sensitive devices, potentially tamper with lab results, make critical devices unavailable, or take them over entirely," says Daniel dos Santos, head of security research at Forescout.
Some of the vulnerabilities relate to issues with how Axeda processes undocumented and unauthenticated commands, allowing attackers to manipulate the platform. Others relate to default configuration issues, like hard-coded, guessable system passwords shared by multiple Axeda users. Three of the seven vulnerabilities rate as critical and the other four are medium to high severity bugs.
Attackers could potentially exploit the bugs to grab patient data, alter test results or other medical records, launch denial of service attacks that could keep health care providers from accessing patient data when they need it, disrupt industrial control systems, or even gain a foothold to attack ATMs.
(Score: -1, Offtopic) by Anonymous Coward on Thursday March 10 2022, @10:23AM
ATE HIMSELF TO DEATH
(Score: 0) by Anonymous Coward on Thursday March 10 2022, @02:37PM
Looking forward to ATMs spitting out cash like casino slot machines Terminator2 style ...
(Score: 1, Funny) by Anonymous Coward on Thursday March 10 2022, @03:55PM
No, you can't used expired certs to sign stuff after the expiration date. There is a timestamp counter-signature that's required for validation, and that's an external service. It even is show in the screenshots - no timestamp and thus unable to validate.
What this means is that the group has probably also obtained the current certificates, and is signaling that by showing off the expired ones.
Either way nvidia is royally screwed because allowing this to happen shows a blatant disregard of safety measures and probably violates the EV certificate terms, which can bring their current CA revocation.