Vulnerabilities Identified in Innokas Yhtymä Oy Vital Signs Monitors

Two medium-severity vulnerabilities have been identified in Innokas Yhtymä Oy vital signs monitors which allow communications between downstream devices to be modified and certain features of the monitors to be disabled. The vulnerabilities affect All versions of VC150 patient monitors prior to software version 1.7.15.

Vulnerable patient monitors have a stored cross-site scripting (XSS) vulnerability which allows a web script or HTML to be injected via the filename parameter to update multiple endpoints of the administrative web interface. The vulnerability is due to improper neutralization of input during web page generation. The vulnerability is tracked as CVE-2020-27262 and has been assigned a severity score of 4.6 out of 10.

The second vulnerability, tracked as CVE-2020-27260, is due to improper neutralization of special elements in the output used by downstream components. HL7 v2.x injection vulnerabilities allow physically proximate attackers with a connected barcode reader to inject HL7 v2.x segments into HL7 v2.x messages via multiple expected parameters. The vulnerability has been assigned a severity rating of 5.3 out of 10.

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; and Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

Innokas Yhtymä Oy has released a software update to correct the flaws and recommends only using software version 1.7.15b or later. There have been no cases reported of the vulnerabilities being exploited in the wild.

It is also recommended to adhere to network best practices including segmenting networks, using VLANs, and isolating patient monitors. Physical protections should be implemented to prevent unauthorized access to patient monitors and clinical staff should be instructed to report any cases of unauthorized individuals attempting to login or tamper with the monitors.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.