Medical and IoT devices from more than 100 vendors vulnerable to attack
More than 150 Internet of Things (IoT) devices — including many that are used in the healthcare sector — from over 100 companies are at heightened risk of attack from a set of seven vulnerabilities in a third-party remote access component in the devices.
Three of the bugs are rated as critical because they enable attackers to remotely execute malicious code on vulnerable devices to take full control of them. The remaining vulnerabilities have moderate to high severity ratings and give attackers a way to steal data or to execute denial-of-service attacks.
The vulnerabilities are present in multiple versions of PTC Axeda agent and PTC Desktop Server — technologies that many IoT vendors incorporate in their devices to enable remote access and management. Researchers from Forescout’s Vedere Labs and CyberMDX who discovered the vulnerabilities are tracking them collectively as “Access:7.”
In a report summarizing their findings this week, the researchers described the buggy component as especially prevalent in Internet-connected devices used in the healthcare sector, such as medical imaging, lab, radiotherapy, and surgical technologies. Forescout said an anonymized scan of its customer networks uncovered some 2,000 unique devices with vulnerable versions of Axeda on them. Of those, 55% were deployed in healthcare organizations, 24% in organizations developing IoT products, 8% in IT, 5% in financial services environments, 4% in manufacturing, and 4% across other verticals.
Among the affected devices, besides healthcare-related technologies, are ATMs, SCADA systems, vending machines, cash management systems, IoT gateways, and asset monitoring technologies. All versions of the Axeda technology below 6.9.3 are affected, and PTC has released patches for all the vulnerabilities, Forescout said.
Daniel dos Santos, head of security research at Forescout, says the vulnerabilities are proof that remote management tools present a danger not just in the IT world — as shown by attacks like the one on Kaseya last year — but also for IoT and Internet-connected medical technologies.
“So, it’s important that organizations have an inventory of devices that are being remotely managed and understand how they are managed,” he says. “Organizations should first identify the vulnerable devices in the network, then make sure they are not exposed to these vulnerabilities by segmenting their networks and limiting traffic on the vulnerable ports.” They should then patch the devices, when possible, dos Santos says.
The set of seven vulnerabilities that Forescout and CyberMDX discovered includes those stemming from the use of hard-coded credentials, missing authentication, improper limitation of a pathname, and improper check or handling of exceptions.
To read the complete article, visit Dark Reading.