Philips SureSigns Improper Access Vulnerabilities

Summary

Several vulnerabilities in a number of Philips Healthcare patient monitors have been disclosed. Exploitation of these may result in patient information being leaked.


Affected platforms

The following platforms are known to be affected:

Philips SureSigns VS4 Versions: A.07.107 and earlier


Threat details

Introduction

Philips Healthcare has released details of several vulnerabilities affecting their SureSigns VS4 vital signs monitors. They claim that an unauthorised attacker could exploit these vulnerabilities to alter configuration settings and obtain patient data.


Vulnerability details

All three vulnerabilities appear to be the result of SureSigns VS4 systems not properly validating user input, likely due to an incorrectly implemented kiosk mode. This lack of validation in turn leads to the vulnerable systems not correctly verifying or restricting user access levels.


Remediation advice

At the time of publication, Philips Healthcare has not confirmed whether an update to address these vulnerabilities will be produced. However, they have recommended that affected organisations ensure that no vulnerable SureSigns system is using a default password.



Last edited: 24 August 2020 4:06 pm