Innokas Vital Signs Monitor Vulnerabilities

Summary

Two vulnerabilities in Innokas' VC150 vital signs monitor have been disclosed. Exploitation of these may affect proper patient monitoring and data flows.


Affected platforms

The following platforms are known to be affected:

Innokas VC150 vital signs monitor, versions: all prior to 1.7.15b


Threat details

Introduction

Innokas Medical (Innokas Yhtymä Oy) has disclosed two vulnerabilities affecting their VC150 vital signs monitor. They claim that a local unauthorised attacker could exploit these vulnerabilities to alter VC150 output data, including patient information, or edit system firmware.


Vulnerability details

The two vulnerabilities appear to result from separate underlying flaws:

  • CVE-2020-27260 - VC150 endpoints allow a physically present user to inject malicious HL7 V2.x segments into endpoint operating parameters via a connected barcode reader.
  • CVE-2020-27262 - VC150 endpoints are vulnerable to cross-site scripting attacks, allowing a local user to inject HTML or web scripts into any endpoint connected to the local administrative interface.
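
As an added illustration of the input handling that CVE-2020-27260 concerns (not Innokas code, and not a description of the vendor's fix), the following Python example treats barcode text as untrusted before placing it in an HL7 v2 field. The PID-3 placement, the length limit, the function names and the sample scans are assumptions constructed for the example.

```python
# Added illustration: not Innokas code. Field layout and sample scans are constructed.
import re

# HL7 v2 default delimiters and their standard escape sequences.
HL7_ESCAPES = {
    "\\": "\\E\\",  # escape character
    "|": "\\F\\",   # field separator
    "^": "\\S\\",   # component separator
    "&": "\\T\\",   # subcomponent separator
    "~": "\\R\\",   # repetition separator
}

# CR terminates an HL7 v2 segment, so a CR inside scanned text would begin a
# new segment in the outgoing message. No control character is accepted.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_LEN = 64  # assumed upper bound for a scanned identifier


class RejectedScan(ValueError):
    """Raised when scanned text cannot be used as a field value."""


def encode_scanned_field(raw):
    """Return barcode text made safe for use as one HL7 v2 field value."""
    if not raw or len(raw) > MAX_LEN:
        raise RejectedScan("empty or over-long scan")
    if CONTROL_CHARS.search(raw):
        raise RejectedScan("control character in scan")
    # Single pass, so backslashes emitted here are never escaped a second time.
    return "".join(HL7_ESCAPES.get(ch, ch) for ch in raw)


def build_pid(patient_id):
    """Build a minimal PID segment with the scanned value in PID-3."""
    return "PID|1||" + encode_scanned_field(patient_id)


def naive_pid(patient_id):
    """Unsafe concatenation, kept only to contrast with build_pid."""
    return "PID|1||" + patient_id


def segments(message):
    """Split a message into segments the way an HL7 v2 receiver would."""
    return [s for s in message.split("\r") if s]
```

With the constructed scan `"123\rZZZ|injected"`, `naive_pid` yields a message that a receiver splits into two segments, while `build_pid` raises `RejectedScan`.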

Remediation advice

Affected organisations are encouraged to contact their relevant supplier and ensure any vulnerable VC150 endpoints are updated to version 1.7.15b or later.



Last edited: 13 January 2021 1:40 pm