Boston Scientific Mitigates Vulnerabilities

Thursday, October 19, 2017 @ 04:10 PM gHale

Boston Scientific provided compensating controls to reduce the risk of exploitation of two vulnerabilities in its ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) – Model 3120, according to a report from ICS-CERT.

All versions of the ZOOM LATITUDE PRM – Model 3120 suffer from the vulnerabilities, which were discovered by researchers Jonathan Butts and Billy Rios of Whitescope.


Successful exploitation of these vulnerabilities may allow an attacker with physical access to obtain patient health information (PHI). The affected device is not designed to be network accessible.

The affected products, ZOOM LATITUDE PRMs, are portable cardiac rhythm management systems used to communicate with implanted pacemakers and defibrillators.

The ZOOM LATITUDE PRMs, made by Marlborough, MA-based Boston Scientific, are deployed across the Healthcare and Public Health sector. Boston Scientific said these products are used on a global basis.

In the first vulnerability, the affected device uses a hard-coded cryptographic key to encrypt PHI before it is transferred to removable media.

CVE-2017-14014 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.6.

The second vulnerability is a missing encryption of sensitive data: the affected device does not encrypt PHI at rest.

CVE-2017-14012 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.6.

These vulnerabilities are not remotely exploitable and require physical access. No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.

Boston Scientific will not be issuing a product update to address the identified vulnerabilities in the ZOOM LATITUDE PRM – Model 3120. Boston Scientific identified compensating controls to reduce the risk of exploitation and recommends that users implement the following measures:
• Control access to the device and ensure all access is properly inventoried.
• Maintain the device in a secure or locked location when not in use.
• Remove PHI prior to retiring or removing the device from the facility. Instructions for removing PHI are outlined in the operator’s manual.
