The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on a medium-severity vulnerability discovered in Philips' DreamMapper software. A successful exploit could allow an attacker to access log file information containing descriptive error messages.
The DreamMapper mobile app is a personalized therapy adherence tool used to manage sleep apnea.
Security researchers Lutz Weimann, Tim Hirschberg, Issam Hbib, and Florian Mommertz of SRC Security Research & Consulting GmbH first reported the vulnerability to CISA.
The vulnerability is found in versions 2.24 and earlier and could be exploited remotely with a low skill level. If exploited, an attacker could access log files to insert sensitive information and obtain guidance from the information written to those files.
“This potential vulnerability does not impact patient safety,” Philips officials explained. “[DreamMapper] does not directly provide therapy or diagnosis to patients. To date, Philips has not received any reports of exploitation of this vulnerability.”
Philips intends to release a new version of the DreamMapper app by June 30, 2021, which will remediate the vulnerability. In the interim, CISA provided organizations with defensive measures that could reduce the risk of exploitation.
Administrators will want to implement physical security measures to limit or control access to critical systems, including restricting system access to authorized personnel and following a least privilege approach.
Organizations should also apply defense-in-depth strategies and disable unnecessary accounts and services. Prior to deploying any defensive measures, organizations will want to perform a proper impact analysis and risk assessment.
If additional support and guidance is needed, leaders should refer to existing medical device cybersecurity insights from the Food and Drug Administration. CISA also shared its recommended practices for control systems security, which include updating antivirus software, developing cyber forensics plans, developing cybersecurity incident response plans, and a host of other valuable insights.
There are currently no public exploits targeting the DreamMapper vulnerability. However, suspected malicious activity should be reported to CISA for analysis and tracking.
Philips preemptively disclosed the flaw prior to the DHS CISA alert, as part of its Coordinated Vulnerability Disclosure Policy, which is designed to drive awareness and remediation of potential security vulnerabilities.
Since the FDA released its medical device guidance in 2016, there has been a significant increase in vulnerability disclosures. Industry stakeholders have noted that this increase is a sign of growing compliance and maturing risk assessments across the healthcare sector.
As noted by several security leaders, this type of collaboration is crucial to moving the needle on medical device security.