Summary: This content discusses the unpatchable vulnerabilities found in temperature monitors made by Proges Plus and used in hospitals.
Threat Actor: No specific threat actor mentioned.
Victim: Hospitals using temperature monitors made by Proges Plus.
Key Point :
- Researchers have discovered unpatchable vulnerabilities in temperature monitors made by Proges Plus and used in hospitals.
- The manufacturer, Proges Plus, has not responded to the vulnerability findings.
Governance & Risk Management
,
Healthcare
,
Industry Specific
Researchers Say Manufacturer Proges Plus Hasn’t Responded to Vulnerability Findings
Vulnerabilities in internet-connected temperature monitoring devices mainly used in hospitals, and their accompanying desktop application, could allow hackers to gain administrator privileges to the technology.
See Also: Managing Shadow IT Across Your Enterprise
Researchers at Nozomi Networks uncovered four vulnerabilities in Sensor Net Connect and three flaws in the Thermoscan IP desktop application, both made by a division of French firm Proges Plus.
The system is designed for environments such as hospitals where temperatures must remain exact and constant. One flaw, tracked as CVE-2024-31202, would allow a user with basic access to the Thermoscan IP application to create new accounts and would assign them admin-level privileges. Real-world examples of users who might already have basic access to the desktop application include maintenance contractors and third-party applications, Nozomi said in a Thursday blog post.
The researchers said attackers could use their access to exfiltrate sensitive data or compromise temperature monitoring integrity. In the United States, authorities have long warned that medical devices are potential avenues for hackers, given manufacturers’ tendency to not subject their products to security testing during development or post-sale.
If vulnerabilities are discovered in devices, many remain unpatched, especially if the devices are used in smaller medical practices that lack full-time cybersecurity support. A 2022 warning from the FBI cited research that says medical devices on average carry 6.2 vulnerabilities and that more than half of networked devices in hospitals have known critical flaws.
A 2023 U.S. law requires manufacturers to hew to enhanced cybersecurity requirements when submitting new devices for federal approval, including by demonstrating a device’s ability to be updated and patched, as well as proving the efficacy of their security controls and testing procedure (see: Exclusive: FDA Leader on Impact of New Medical Device Law).
Nozomi said it attempted to contact Proges Plus multiple times, directly and indirectly through the U.S. CERT Coordination Center, but received no response. Information Security Media Group has requested comment from the company.
Given the lack of direct remediation, such as the vendor releasing patches or mitigation advice, Nozomi recommends segregating the temperature monitoring infrastructure by preventing regular clients from accessing the web configuration interface. The firm also suggests regularly monitoring logs and account activity to look for signs of suspicious or malicious activity.
Source: https://www.bankinfosecurity.com/no-patches-for-hospital-temperature-monitors-critical-flaws-a-25632
“An interesting youtube video that may be related to the article above”