"Critical Flaws in Defibrillator Management Tool Pose Account Takeover, Credential Risk for Hospitals"
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control Systems (ICS) Medical Advisory on multiple vulnerabilities discovered in the ZOLL Defibrillator Dashboard. Exploitation of these vulnerabilities could allow an attacker to take control of an affected system. The ZOLL Defibrillator Dashboard is designed for biomedical engineering departments in the hospital environment and provides centralized management of defibrillators, enabling real-time device monitoring across the enterprise and across many sites.

The six vulnerabilities affect all versions of the dashboard released before 2.2, and exploiting them does not require a highly skilled attacker. By abusing them, an attacker could obtain credentials and impact the availability, confidentiality, and integrity of the application. One flaw that CISA warns has a high likelihood of exploitation is the dashboard's use of hard-coded cryptographic keys, which significantly increases the chance that an attacker can recover encrypted data: the cryptographic key is a hard-coded string value that is compared to the password, so it is likely that an attacker can read the key and compromise the system.

This article continues to discuss the potential exploitation and impact of the critical flaws found in the ZOLL Defibrillator Dashboard.
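As an added illustration of the weakness class the advisory describes (this is example code written for this summary, not ZOLL's code; the page does not show the dashboard's internals), the following Python contrasts a login routine that compares the supplied password with the very string that also serves as the encryption key against a design that verifies a salted password hash in constant time and loads a separate data-encryption key from the deployment environment. The constant value, the environment variable name `DASHBOARD_DATA_KEY`, the toy XOR "cipher" and the sample passwords are all constructed assumptions.

```python
"""Hard-coded key used as password vs. separated, externally sourced secrets.

Constructed example: the dashboard's real implementation is not on the page.
"""
import hashlib
import hmac
import os
import secrets
from typing import Mapping, Optional, Tuple

# ---------------------------------------------------------------------------
# Vulnerable pattern: one constant is both the expected password and the key.
# Anyone who can read the shipped binary, config or source recovers both, and
# the same value protects every installation, so nothing can be rotated.
# ---------------------------------------------------------------------------
HARDCODED_KEY = "example-hardcoded-key"  # constructed placeholder, not a real value


def vulnerable_login(password: str) -> bool:
    """Authenticates by comparing the password with the cryptographic key itself.

    Besides being a hard-coded secret, `==` on strings is not constant-time."""
    return password == HARDCODED_KEY


def vulnerable_encrypt(plaintext: bytes) -> bytes:
    """Toy stand-in for encryption keyed by the hard-coded constant.

    XOR with a fixed keystream is symmetric, so calling this twice decrypts.
    The point is the key source, not the cipher: recovering HARDCODED_KEY
    (or simply knowing the login password) decrypts every stored record."""
    keystream = hashlib.sha256(HARDCODED_KEY.encode()).digest()
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(plaintext))


# ---------------------------------------------------------------------------
# Hardened pattern: the password is never stored or used as a key; the data
# key is a separate, per-deployment secret supplied from outside the code.
# ---------------------------------------------------------------------------
PBKDF2_ITERATIONS = 600_000  # slow hash so offline guessing of the password is costly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage at enrolment; the password is never kept."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def load_data_key(env: Optional[Mapping[str, str]] = None) -> bytes:
    """Fetch the data-encryption key from the environment (stand-in for a
    secrets store, DPAPI or a KMS). Refuses to start rather than fall back to
    a default, which is exactly how hard-coded keys creep into products.

    DASHBOARD_DATA_KEY is an assumed variable name for this example."""
    env = os.environ if env is None else env
    raw = env.get("DASHBOARD_DATA_KEY")
    if raw is None:
        raise RuntimeError("DASHBOARD_DATA_KEY is not set; refusing to use a built-in key")
    key = bytes.fromhex(raw)
    if len(key) < 32:
        raise ValueError("data key must be at least 256 bits")
    return key


def derive_record_key(data_key: bytes, record_id: str) -> bytes:
    """Per-record subkey via HMAC so one leaked record key does not expose the rest."""
    return hmac.new(data_key, record_id.encode("utf-8"), hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed demo values
    salt, digest = hash_password("correct horse battery staple")
    print("hardened verify (right password):", verify_password("correct horse battery staple", salt, digest))
    print("hardened verify (wrong password): ", verify_password("hunter2", salt, digest))
    demo_key = load_data_key({"DASHBOARD_DATA_KEY": "11" * 32})
    print("record subkey:", derive_record_key(demo_key, "device-0001").hex()[:16], "...")
```

For a deployed product the practical check is simpler than reading code: if a vendor advisory reports hard-coded keys, no configuration change on your side rotates them, so the mitigation is the vendor's fixed release (here, 2.2 or later) plus network segmentation and monitoring of the dashboard host until it is applied. A key loaded from the host environment is still readable by a local administrator, but it can differ per site and be rotated, which a compiled-in constant never can.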