Security researchers have found that several medical devices made by the Swiss healthcare company Roche expose the patients who depend on them to cyber attack.

Medigate, a company that specializes in securing Internet-connected medical devices, found a total of five vulnerabilities across three Roche product lines.

The affected devices are the Accu-Chek Inform II blood glucose meters, the CoaguChek coagulation monitors used in anticoagulation therapy, and the cobas h 232 portable point-of-care systems.

Each vulnerability affects specific models and firmware versions of these devices, as detailed below.

Each product consists of a handheld instrument and a base unit (docking station) that connects the handheld to the hospital network. Medigate's researchers found that an attacker with access to the local network can compromise the base unit and use it as a foothold to attack the handheld devices docked to it.

The vulnerabilities carry CVSS v3 base scores between 6.5 and 8.3 (medium to high severity), which represents a serious risk to the patients whose treatment depends on these devices.

The affected devices are the Accu-Chek Inform II, CoaguChek Pro II, CoaguChek XS Plus, CoaguChek XS Pro and cobas h 232 POC, together with their base units, base unit hubs and handheld base units. The vulnerabilities do not affect the following Accu-Chek devices:

  • Accu-Chek Inform II Base Unit Light.
  • Accu-Chek Inform II Base Unit NEW with 04.00.00 or later.

CVE-2018-18561 has a CVSS score of 6.5 and affects:

  • Accu-Chek Inform II Base Unit / Base Unit Hub - all versions before 03.01.04.
  • CoaguChek / cobas h232 Handheld Base Unit - all versions before 03.01.04.

CVE-2018-18562 has a CVSS score of 8.0 and is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub - all versions before 03.01.04.
  • CoaguChek / cobas h232 Handheld Base Unit - all versions before 03.01.04.

CVE-2018-18563 was also scored 8.0 and affects:

  • CoaguChek Pro II – all versions before 04.03.00
  • CoaguChek XS Plus – all versions before 03.01.06
  • CoaguChek XS Pro – all versions before 03.01.06
  • cobas h 232 – all versions before 03.01.03 (serial number below KQ0400000 or KS0400000)
  • cobas h 232 – all versions before 04.00.04 (serial number above KQ0400000 or KS0400000)

The most severe flaw is CVE-2018-18564, with a CVSS score of 8.3. It affects:

  • Accu-Chek Inform II Instrument – all versions before 03.06.00 (Serial number below 14000) / 04.03.00 (Serial Number above 14000)
  • CoaguChek Pro II – all versions before 04.03.00
  • cobas h 232 – all versions before 04.00.04 (Serial number above KQ0400000 or KS0400000)

CVE-2018-18565 has a CVSS score of 8.2 and affects:

  • Accu-Chek Inform II Instrument – all versions before 03.06.00 (Serial number below 14000) / 04.03.00 (Serial Number above 14000)
  • CoaguChek Pro II – all versions before 04.03.00
  • CoaguChek XS Plus – all versions before 03.01.06
  • CoaguChek XS Pro – all versions before 03.01.06
  • cobas h 232 – all versions before 03.01.03 (Serial number below KQ0400000 or KS0400000)
  • cobas h 232 – all versions before 04.00.04 (Serial number above KQ0400000 or KS0400000).
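
Because the fixed firmware version depends on the model and, for two of the instruments, on the serial-number series, checking a hospital's device inventory against these lists by hand is error-prone. The following script is an added example (not Roche's, Medigate's or ICS-CERT's code) that encodes the thresholds quoted above and reports, for each inventory record, which of the five CVEs the device is still exposed to. The inventory records are constructed for illustration, not real devices, and the serial-number handling (comparing only the numeric part of a serial such as KQ0400000) is this example's own assumption.

```python
"""Triage a point-of-care device inventory against the version thresholds above.

Added example (not Roche's, Medigate's or ICS-CERT's code). The thresholds are
the ones listed in the text; the inventory records are constructed, not real
devices. Firmware strings such as "03.01.04" are compared field by field as
integers, and serial-number-dependent thresholds use the numeric part of the
serial (assumption: KQ0400000 / KS0400000 -> 400000).
"""

Version = tuple[int, ...]

INFORM_II_SERIAL_SPLIT = 14_000      # Accu-Chek Inform II Instrument series boundary
COBAS_H232_SERIAL_SPLIT = 400_000    # cobas h 232: KQ0400000 / KS0400000


def parse_version(firmware: str) -> Version:
    """'03.01.04' -> (3, 1, 4); zero-padded fields compare numerically."""
    return tuple(int(part) for part in firmware.strip().split("."))


def serial_value(serial: str) -> int:
    """Numeric part of a serial: '13942' -> 13942, 'KQ0412345' -> 412345."""
    digits = "".join(ch for ch in serial if ch.isdigit())
    if not digits:
        raise ValueError(f"serial has no numeric part: {serial!r}")
    return int(digits)


def fixed_versions(model: str, serial: str) -> dict[str, str]:
    """CVE -> first fixed firmware version for this model and serial series.

    An empty dict means none of the five CVEs lists the model (for example
    the Accu-Chek Inform II Base Unit Light).
    """
    if model in ("Accu-Chek Inform II Base Unit", "Accu-Chek Inform II Base Unit Hub",
                 "CoaguChek / cobas h232 Handheld Base Unit"):
        return {"CVE-2018-18561": "03.01.04", "CVE-2018-18562": "03.01.04"}
    if model == "Accu-Chek Inform II Instrument":
        fixed = "03.06.00" if serial_value(serial) < INFORM_II_SERIAL_SPLIT else "04.03.00"
        return {"CVE-2018-18564": fixed, "CVE-2018-18565": fixed}
    if model == "CoaguChek Pro II":
        return dict.fromkeys(("CVE-2018-18563", "CVE-2018-18564", "CVE-2018-18565"), "04.03.00")
    if model in ("CoaguChek XS Plus", "CoaguChek XS Pro"):
        return {"CVE-2018-18563": "03.01.06", "CVE-2018-18565": "03.01.06"}
    if model == "cobas h 232":
        if serial_value(serial) < COBAS_H232_SERIAL_SPLIT:
            return {"CVE-2018-18563": "03.01.03", "CVE-2018-18565": "03.01.03"}
        return dict.fromkeys(("CVE-2018-18563", "CVE-2018-18564", "CVE-2018-18565"), "04.00.04")
    return {}


def open_cves(model: str, serial: str, firmware: str) -> list[str]:
    """CVEs whose fixed version the device has not yet reached, sorted."""
    current = parse_version(firmware)
    return sorted(cve for cve, fixed in fixed_versions(model, serial).items()
                  if current < parse_version(fixed))


def triage(model: str, serial: str, firmware: str) -> str:
    """One-line status for a single inventory record."""
    if model == "Accu-Chek Inform II Base Unit NEW":
        # The text only states that NEW units on 04.00.00 or later are unaffected;
        # it says nothing about older NEW firmware, so do not guess.
        if parse_version(firmware) >= (4, 0, 0):
            return "not affected"
        return "not covered by the listed thresholds; check the advisory"
    if not fixed_versions(model, serial):
        return "not listed as affected"
    missing = open_cves(model, serial, firmware)
    return "affected: " + ", ".join(missing) if missing else "fixed version installed"


# Constructed inventory records (model, serial, firmware); not real devices.
INVENTORY = [
    ("Accu-Chek Inform II Instrument", "13942", "03.05.02"),
    ("Accu-Chek Inform II Instrument", "20117", "04.03.00"),
    ("Accu-Chek Inform II Base Unit", "BU-0077", "03.01.02"),
    ("Accu-Chek Inform II Base Unit Light", "BL-0002", "02.00.00"),
    ("Accu-Chek Inform II Base Unit NEW", "BN-0005", "04.00.00"),
    ("CoaguChek XS Pro", "XP-5531", "03.01.05"),
    ("cobas h 232", "KQ0312345", "03.01.03"),
    ("cobas h 232", "KS0412345", "03.01.03"),
]

if __name__ == "__main__":
    for model, serial, firmware in INVENTORY:
        print(f"{model:40} {serial:10} {firmware:9} {triage(model, serial, firmware)}")
```

Note that two cobas h 232 units on identical firmware (03.01.03) get different results: the older KQ03 series is already at its fixed version, while the KS04 series still needs 04.00.04 and remains exposed to all three of its CVEs. Comparing firmware strings alone, without the serial series, would miss that.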

According to Medigate, an attacker with access to the local network can exploit the flaws to bypass authentication for an advanced interface on the devices, execute code on the targeted device through the proprietary medical device protocol, and place arbitrary files on its file system.

For the sake of accuracy, one of the code execution flaws does require authentication. According to ICS-CERT, however, the products use weak access credentials, so authenticating to the device would not be difficult for an attacker.

“The vulnerabilities are easy to exploit once known, but are very hard to discover and research,” the Medigate experts told SecurityWeek.

Roche acknowledged that these vulnerabilities pose a real threat to patients using the affected devices.

“These vulnerabilities allow complete control of the base station and hand-held device including all generated network traffic. This means the medical protocol used by the device can be altered and the medical data can be changed. In the case of a blood glucose meter, this can put a patient at risk. If the device is altered, it could affect the readings or data transfer which could lead to incorrect treatment,” Medigate explains the danger posed by exploitation of the vulnerabilities.

Roche is developing patches for the vulnerabilities reported by Medigate and expects to release them in November. Until then, the company has advised its customers to limit both network and physical access to the affected devices. These interim measures reduce the exposure of the devices to malware and to unauthorized access by cybercriminals while the fixes are awaited.

Although it sounds like the plot of a crime film, deliberately harming the health or life of a targeted victim through compromised technology has been a recognized threat for some time. So AMATAS reminds you to be especially careful with all the IoT devices you use in everyday life, as they can give attackers access to your personal life and your health.

Photo: Roche.com