Vulnerabilities Identified in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors

Two vulnerabilities have been identified in Philips IntelliVue WLAN firmware which affect certain IntelliVue MP monitors. The flaws could be exploited by hackers to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station.

Philips was alerted to the flaws by security researcher Shawn Loveric of Finite State, Inc. and proactively issued a security advisory to allow users of the affected products to take steps to mitigate risk.

The flaws require a high level of skill to exploit in addition to access to a vulnerable device’s local area network. Current mitigating controls will also limit the potential for an attack. As such, Philips does not believe either vulnerability would impact clinical. Philips does not believe the flaws are being actively exploited.

The first flaw, tracked as CVE-2019-13530, concerns the use of a hard-coded password which could allow an attacker to remotely login via FTP and upload malicious firmware. The second flaw, tracked as CVE-2019-13534, allows the download of code or an executable file from a remote location without performing checks to verify the origin and integrity of the code. The flaws have each been assigned a CVSS v3 base score of 6.4 out of 10.

The following Philips products are affected:

  • IntelliVue MP monitors MP20-MP90 (M8001A/2A/3A/4A/5A/7A/8A/10A)
    • WLAN Version A, Firmware A.03.09
  • IntelliVue MP monitors MP5/5SC (M8105A/5AS)
    • WLAN Version A, Firmware A.03.09, Part #: M8096-67501
  • IntelliVue MP monitors MP2/X2 (M8102A/M3002A)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)
  • IntelliVue MP monitors MX800/700/600 ((865240/41/42)
    • WLAN Version B, Firmware A.01.09, Part #: N/A (Replaced by Version C)

WLAN Version B is obsolete and will not be patched. Philips has advised customers to update to the WLAN Module Version C wireless module if they are using any of the patient monitors affected by the flaws. WLAN Version C with current firmware of B.00.31 is not affected by either vulnerability. Mitigating controls include the use of authentication and authorization via WPA2, implementing a firewall rule on the wireless network, and ensuring physical controls are implemented to restrict access to the system.

The flaw in WLAN Version A will be addressed with a patch which Philips plans to release via Incenter by the end of 2019.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.