Supply chain vulnerabilities hit medical and IoT devices

Cardiac monitor

Researchers at Forescout’s Vedere Labs have discovered a set of vulnerabilities targeting the PTC Axeda agent which is commonly used in medical and IoT devices.

The Axeda agent enables device manufacturers to remotely access and manage connected devices, making these vulnerabilities reminiscent of the Kaseya hack and the SolarWinds Orion compromise.

More than 150 device models from over 100 manufacturers are potentially affected by these vulnerabilities. Devices utilizing the impacted Axeda agents include surgical, ventilation and radiotherapy equipment along with several medical imaging and laboratory devices.

There is a set of seven vulnerabilities in all which Forescout is calling ‘Access:7’ and three of these are rated critical. Protection requires patching devices running the vulnerable versions of the Axeda components. PTC has released its official patches, and device manufacturers using this software should provide their own updates to customers.

“The nature of these vulnerabilities could lead to heightened risk and expose healthcare organizations to even further cybersecurity threats and risks,” says Daniel dos Santos, head of security research at Vedere Labs, Forescout. “Access:7 further illustrates the problems with supply chain components that we have seen before in Forescout’s Project Memoria. However, this time it affects a remote management solution that could enable hackers to remotely execute malicious code. Complete protection against Access:7 requires patching devices running the vulnerable versions of the Axeda components and it is important organizations take action.”

You can read more about the threat and see recommendations for dealing with it on the Forescout blog.

Image credit: sudok1/depositphotos.com

Author: Martha Meyer