The Zoll defibrillator dashboard would run the contents of arbitrary Excel files that ordinary users could import • The Register
A defibrillator management platform was riddled with vulnerabilities, including a remote command execution flaw that could apparently be invoked by uploading an Excel spreadsheet to the platform.
So warned the United States Cybersecurity and Infrastructure Security Agency (CISA), which said the Defibrillator Dashboard software, made by medical device company Zoll, contained six flaws in total, the combined effect of which could present an infosec Swiss cheese for malicious people to exploit.
In addition to allowing low-privileged users to upload files that the dashboard software would then run, it recorded user credentials in clear text, stored passwords in "a recoverable format" that could be retrieved from web browsers, and was also vulnerable to cross-site scripting (XSS) attacks.
Rated 9.9 on the CVSS v3.0 severity scale, the file upload vulnerability (CVE-2021-27489) could be triggered by an ordinary user. Further details have not yet been released. Another flaw, CVE-2021-27481, is described as the dashboard using a hard-coded encryption key "in the process of exchanging data".
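Two of the findings above, passwords kept in a recoverable format and a cryptographic key hard-coded into the product, are the same root mistake seen from different angles: a secret that the application itself can reverse is a secret that anyone holding a copy of the application or its database can reverse too. The following is an added illustration, not Zoll's code and not derived from the undisclosed details of the advisory. It contrasts a generic "recoverable" store built on a key baked into the source (the key value and the toy XOR stream cipher are assumptions chosen for clarity) with a salted, memory-hard password hash from the Python standard library, which needs no application-wide secret at all.

```python
"""Recoverable password storage with a hard-coded key vs. a salted one-way hash.

Constructed illustration only. The weak half reproduces the pattern CISA
describes in general terms (a password that the software can recover), not
any real product's implementation.
"""
import hashlib
import hmac
import os

# --- Weak pattern: reversible transformation under a key baked into the code.
# Whoever obtains the binary, a config dump, or a database backup recovers
# every stored password. The key below is an assumed placeholder.
HARDCODED_KEY = b"example-hardcoded-key-do-not-do-this"


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream derived from the key (toy cipher, not for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_password_recoverable(password: str) -> bytes:
    """'Encrypts' the password with the hard-coded key. Reversible by design."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(HARDCODED_KEY, len(data))))


def recover_password(stored: bytes) -> str:
    """The problem in one line: the plaintext comes straight back out."""
    return bytes(a ^ b for a, b in zip(stored, _keystream(HARDCODED_KEY, len(stored)))).decode()


# --- Hardened pattern: per-password salt, memory-hard scrypt, no shared secret.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB of memory per guess


def store_password_hashed(password: str) -> str:
    """Return 'scrypt$<salt_hex>$<hash_hex>'. Nothing here can be reversed."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "fleet-admin-sample-pw"  # constructed sample credential
    blob = store_password_recoverable(pw)
    print("weak store gives the password back:", recover_password(blob) == pw)
    rec = store_password_hashed(pw)
    print("hardened store verifies:", verify_password(pw, rec))
    print("hardened store rejects wrong password:", verify_password("wrong", rec))
```

The hardened half has no equivalent of `recover_password`, which is the point: a compromised server, backup, or browser cache yields only salted hashes that must be brute-forced one guess at a time at scrypt's memory cost, rather than a key that unlocks every account at once.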
Zoll's product is used to manage fleets of defibrillators, life-saving electric shock devices that detect irregular heartbeat (arrhythmia) when people suffer cardiac arrest and return the heart to a normal rhythm. According to the company website, its defibrillators perform daily self-tests and feed the results to the central dashboard software: "If the readiness of an R Series is compromised, email notifications are automatically sent to the appropriate personnel, to as many people as you want. And you can see the status of the fleet anytime, from any mobile device, anywhere."
The dashboard accepts uploads of Excel spreadsheets ("Save time importing defibrillator fleet information with Microsoft® Excel files") and can export data in the same format. CISA has listed the vulnerabilities in an advisory that briefly outlines the six flaws.
Zoll had not responded to a request for comment from The Register at the time of publication. NHS Digital said it is investigating how many instances of Zoll Defibrillator Dashboard have been deployed across the UK's state-run health service. Zoll has an active commercial presence in the UK and its defibrillator products are listed on several online medical device stores.
Ian Thornton-Trump, CISO of threat intelligence firm Cyjax, told The Register: "The major point of this announcement is in my mind to draw attention to the link between IoT medical technology and human security. This confirms the work of Josh Corman and the mission of the organization I Am The Cavalry," referring to a US-based medical IoT security advocacy group.
Ten years ago, infosec researcher Barnaby Jack, famous for ATM jackpotting, warned that wireless attacks on implanted defibrillators could potentially kill their human hosts. In 2019, a CVE was issued for a vulnerability that potentially allowed tampering with wireless data flowing between pacemakers and their external controllers.
While the Zoll vulnerabilities are far from deadly, medical cybersecurity is an under-examined area that offers criminals many opportunities to exploit. For example, compromising Zoll's software could give an attacker a foothold in the victim's network from which to mount a supply chain attack. That is a real and growing threat, as the SolarWinds and Microsoft Exchange Server compromises have shown. ®