- FDA on Tuesday issued a cybersecurity alert warning about seven vulnerabilities in software company PTC's Axeda agent and desktop server, third-party components that enable remote service via the internet, which are used in medical devices from several manufacturers.
- The agency said if the vulnerabilities in the web-based agent and desktop server, dubbed Access:7, were successfully exploited it "could result in changes to the operation of the medical device and impact the availability of the remote support functionality." More than 150 products from over 100 companies may be affected with more than half of the impacted devices in healthcare, according to research firm CyberMDX, who discovered the vulnerabilities.
- The Cybersecurity and Infrastructure Security Agency in its own advisory named Accuray, Bayer, Elekta, GE Healthcare and Varian as manufacturers with products dependent on the affected Axeda agent and desktop server that use hard-coded credentials and "could allow a remote authenticated attacker to take full remote control of the host operating system." CISA has given several of the vulnerabilities, including the hard-coded credentials, a Common Vulnerability Scoring System score of 9.8 out of 10 (critical severity).
All versions of PTC's Axeda agent and desktop server are affected by the Access:7 cyber vulnerabilities, according to FDA's alert to device users and manufacturers. FDA warned that "successful exploitation of these vulnerabilities could result in full system access, remote code execution, read/change configuration, file system read access, log information access, and a denial-of-service condition."
PTC in its public advisory said the vulnerabilities were discovered by research firm CyberMDX and reported through PTC's Coordinated Vulnerability Disclosure Program. Working together, the two companies investigated and implemented fixes for the vulnerabilities and then PTC "notified customers and guided their remediations ahead of disclosure."
Accuray said it determined that the recently discovered Axeda vulnerabilities "affect" its products, but no exploitation has been reported. Bayer's website reported that the company has been "working with urgency to minimize any potential impact" to its customers and has "deployed a patch to all Bayer devices connected to VirtualCARE Remote Support," while injection systems "that have received this patch are no longer at risk for the vulnerability."
GE Healthcare on its website said the company has performed impact and risk assessments, indicating that only a very limited number of its products are "potentially impacted by a subset of these vulnerabilities." Varian in a statement noted that its "cybersecurity experts continue to analyze and address potential impact to our products" from the Axeda vulnerabilities and "when appropriate, Varian provides updates to fix the vulnerability, or specific countermeasures for products where fixes are not yet available."
Chris Gates, director of product security at medical device engineering firm Velentium, contends that remote desktop software is utilized in a lot of devices and it is going to be costly for manufacturers to fix all of them in the field.
"At what point are vendors such as PTC going to be liable for selling such insecure products? This isn't just a case of a missed vulnerability. The presence of hard-coded credentials shows a distinct disregard for creating a secure product. And, this is a remote desktop, one of the most targeted classes of products," Gates said.
In response to a query from MedTech Dive, PTC declined to comment on the vulnerabilities of its Axeda agent and desktop server and instead pointed to its advisory.
Mike Rushanan, director of medical security at consultancy Harbor Labs, contends that hard-coded credentials in particular – the software development practice of embedding authentication data such as passwords directly into the source code – are a significant cybersecurity risk.
"Manufacturers, especially medical device manufacturers, must not hard-code any credentials – passwords and cryptographic keys. And, they must force users to update default credentials immediately on first use," Rushanan said.
Axel Wirth, chief security strategist of medical device cyber firm MedCrypt, called it "astounding" that nine years after CISA issued one of its early cybersecurity alerts calling out the risk of hard-coded passwords, the medtech industry is still seeing advisories that are related to hard-coded credentials.
Becton Dickinson on Tuesday in a statement said it is "aware of and actively monitoring" vulnerabilities associated with PTC's Axeda agent and desktop server, which are no longer used in BD's products.
"Prior to August 2019, select BD diagnostic and biosciences products, including older versions of BD Assurity Linc, were offered with Axeda Agent and/or Axeda Desktop Server. BD is proactively reaching out to customers who may still have Axeda Agent or Axeda Desktop Server in limited instances to assist in removing the application," the medtech said, noting that it has not received any reports of the vulnerabilities being exploited on its products.
However, BD last month disclosed cybersecurity vulnerabilities in its Viper and Pyxis products that allow for the use of hard-coded credentials. BD voluntarily reported the vulnerabilities to CISA and the FDA.
CISA last week issued two separate advisories warning that successful exploitation of BD's Viper hard-coded credential vulnerability "could allow an attacker to access, modify, or delete sensitive information," while the company's Pyxis hard-coded credential vulnerability "could allow an attacker to gain access to electronic protected health information (ePHI) or other sensitive information."