Vulnerabilities Identified in Roche Point of Care Handheld Medical Devices

Share this article on:

ICS-CERT has issued an advisory concerning five vulnerabilities that have been identified in Roche Point of Care handheld medical devices. Four vulnerabilities are high risk and one has been rated medium risk.

Successful exploitation of the vulnerabilities could allow an unauthorized individual to gain access to the vulnerable devices, modify system settings to alter device functionality, and execute arbitrary code.

The vulnerabilities affect the following Roche Point of Care handheld medical devices.

  • Accu-Chek Inform II (except Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later)
  • CoaguChek Pro II
  • CoaguChek XS Plus & XS Pro
  • Cobas h 232 POC
  • Including the related base units (BU), base unit hubs and handheld base units (HBU).

CVE-2018-18564 is an improper access control vulnerability. An attacker in the adjacent network could execute arbitrary code on the system using a specially crafted message. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.3.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 04.03.00 (SN > 14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • cobas h 232 (Versions prior to 04.00.04 (SN > KQ0400000 or KS0400000))

CVE-2018-18565 is an improper access control vulnerability that would allow an individual that has access to an adjacent network to change the configuration of instrumentation. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.2.

The vulnerability is present in:

  • Accu-Chek Inform II Instrument (Versions prior to 03.06.00 (SN < 14000) and 03.00 (SN >14000))
  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18562 concerns insecure permissions in a service interface that could allow unauthorized users in an adjacent network to execute arbitrary commands on operating systems. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub 9 (Versions prior to 03.01.04)
  • CoaguChek / cobas h232 Handheld Base Unit (Versions prior to 03.01.04)

CVE-2018-18563 affects the software update mechanism which could be exploited by an attacker in an adjacent network to overwrite arbitrary files on the system using a specially crafted update package. The vulnerability is rated high severity and has been assigned a CVSS v3 base score of 8.0

The vulnerability is present in:

  • CoaguChek Pro II (Versions prior to 04.03.00)
  • CoaguChek XS Plus (Versions prior to 03.01.06)
  • CoaguChek XS Pro (Versions prior to 03.01.06)
  • Cobas h 232 (Versions prior to 03.01.03 (SN < KQ0400000 or KS0400000))
  • Cobas h 232 (Versions prior to 03.01.03 (SN > KQ0400000 or KS0400000))

CVE-2018-18561 is an improper authentication vulnerability involving the use of weak access credentials. An individual that has access to an adjacent network could gain service access to a vulnerable device through a service interface. The vulnerability is rated medium severity and has been assigned a CVSS v3 base score of 6.5.

The vulnerability is present in:

  • Accu-Chek Inform II Base Unit / Base Unit Hub
  • CoaguChek / Cobas h232 Handheld Base Unit running 03.01.04 and earlier versions

All five vulnerabilities were identified by Niv Yehezkel of Medicate, who disclosed the vulnerabilities to Roche.

Mitigation procedures have been recommended by Roche to reduce the risk of the vulnerabilities being exploited. Software updates to address the vulnerabilities have been scheduled for release in November 2018.

Roche recommends:

  • Restricting network and physical access to the devices and their attached infrastructure through the activation of device security features
  • Protecting vulnerable devices from unauthorized access, theft, and malicious software
  • Monitoring network infrastructure and system activity for suspicious activity.

Author: HIPAA Journal

Share This Post On