Roche Point of Care Handheld Medical Devices’ Vulnerabilities Detected

ICS-CERT has issued a warning about five vulnerabilities in Point of Care handheld medical devices manufactured by Roche. Four vulnerabilities are considered high risk while one is medium risk. If exploited, an attacker could gain access to the medical devices, change system configurations and execute arbitrary code.

The following Roche Point of Care portable medical devices are affected by the vulnerabilities: Accu-Chek Inform II (with the exception of Accu-Chek Inform II Base Unit Light and Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or later); CoaguChek XS Plus & XS Pro; CoaguChek Pro II; Cobas h 232 POC including similar base units (BU), base unit hubs and handheld base units (HBU).

CVE-2018-18564 concerns improper access controls. An attacker on an adjacent network could execute arbitrary code on a vulnerable device by sending it a specially constructed message. The vulnerability has been given a high severity classification and a CVSS v3 base rating of 8.3.

The vulnerability is found in the following devices: CoaguChek Pro II (Versions before 04.03.00); Accu-Chek Inform II Instrument (Versions before 03.06.00 (Serial Number < 14000) and 04.03.00 (Serial Number > 14000)) and cobas h 232 (Versions before 04.00.04 (Serial Number > KQ0400000 or KS0400000)).

CVE-2018-18565 is another improper access control vulnerability. An unauthorized person could exploit the vulnerability from an adjacent network and modify the instrumentation settings. The vulnerability has been given a high severity classification and a CVSS v3 base rating of 8.2.

The vulnerability is found in the following devices: CoaguChek Pro II (Versions before 04.03.00); CoaguChek XS Pro (Versions before 03.01.06); CoaguChek XS Plus (Versions before 03.01.06); Cobas h 232 (Versions before 03.01.03 (Serial Number < KQ0400000 or KS0400000)); Cobas h 232 (Versions before 03.01.03 (Serial Number > KQ0400000 or KS0400000)) and Accu-Chek Inform II Instrument (Versions before 03.06.00 (Serial Number < 14000) and 03.00 (Serial Number > 14000)).

CVE-2018-18562 concerns insecure permissions in a service interface that would allow an unauthorized user on an adjacent network to run arbitrary commands on the device's operating system. The vulnerability has been given a high severity classification and a CVSS v3 base rating of 8.0.

The vulnerability is found in the following devices: CoaguChek / cobas h232 Handheld Base Unit (Versions before 03.01.04) and Accu-Chek Inform II Base Unit / Base Unit Hub 9 (Versions before 03.01.04).

CVE-2018-18563 is a vulnerability in the software update mechanism. An attacker who exploits it could overwrite system files by supplying a specially crafted update package. The vulnerability has been given a high severity classification and a CVSS v3 base rating of 8.0.

The vulnerability is found in the following devices: CoaguChek XS Plus (Versions prior to 03.01.06); CoaguChek Pro II (Versions prior to 04.03.00); CoaguChek XS Pro (Versions prior to 03.01.06); Cobas h 232 (Versions prior to 03.01.03 (Serial Number > KQ0400000 or KS0400000)) and Cobas h 232 (Versions prior to 03.01.03 (Serial Number < KQ0400000 or KS0400000)).

CVE-2018-18561 is an improper authentication vulnerability. A person with access to an adjacent network could get service access to a vulnerable device via a service interface. The vulnerability has been given a medium severity classification and a CVSS v3 base rating of 6.5.

The vulnerability is found in the following devices: Accu-Chek Inform II Base Unit / Base Unit Hub and CoaguChek / Cobas h232 Handheld Base Unit running version 03.01.04 and prior.
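The per-CVE version lists above are awkward to apply by hand across a fleet of devices, because the affected range depends on the model, the software version and, for the Accu-Chek Inform II Instrument, the serial number. The following added example (not code from the advisory, ICS-CERT or Roche) encodes the version boundaries stated in this article as data and checks a constructed device inventory against them. Model names, the inventory rows and the helper names are this example's own choices; the Accu-Chek base unit is named as in the CVE-2018-18561 paragraph; the cobas h 232 entry for CVE-2018-18564 is left out because its serial-number condition is not stated unambiguously enough to encode. Where a serial number is required but unknown, the check assumes the device is affected.

```python
"""Check a device inventory against the affected versions listed in the Roche advisory."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '04.03.00' or '03.00' into a comparable tuple, zero-padded to 3 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def serial_num(serial: Optional[str]) -> Optional[int]:
    """Numeric serial number, or None when unknown or not numeric (treated as 'unknown')."""
    try:
        return int(serial) if serial is not None else None
    except ValueError:
        return None


def sn_below(threshold: int) -> Callable[[Optional[str]], bool]:
    # Unknown serial -> assume the entry applies (conservative).
    return lambda s: serial_num(s) is None or serial_num(s) < threshold


def sn_above(threshold: int) -> Callable[[Optional[str]], bool]:
    return lambda s: serial_num(s) is None or serial_num(s) > threshold


@dataclass(frozen=True)
class Entry:
    cve: str
    model: str
    boundary: str            # version at which the affected range ends
    inclusive: bool = False  # True: 'boundary and prior'; False: 'versions before boundary'
    serial_filter: Optional[Callable[[Optional[str]], bool]] = None


# Hypothetical model labels (chosen for this example) paired with the article's version data.
ADVISORY: List[Entry] = [
    Entry("CVE-2018-18564", "CoaguChek Pro II", "04.03.00"),
    Entry("CVE-2018-18564", "Accu-Chek Inform II Instrument", "03.06.00", serial_filter=sn_below(14000)),
    Entry("CVE-2018-18564", "Accu-Chek Inform II Instrument", "04.03.00", serial_filter=sn_above(14000)),
    Entry("CVE-2018-18565", "CoaguChek Pro II", "04.03.00"),
    Entry("CVE-2018-18565", "CoaguChek XS Pro", "03.01.06"),
    Entry("CVE-2018-18565", "CoaguChek XS Plus", "03.01.06"),
    Entry("CVE-2018-18565", "Cobas h 232", "03.01.03"),  # both serial ranges share this boundary
    Entry("CVE-2018-18565", "Accu-Chek Inform II Instrument", "03.06.00", serial_filter=sn_below(14000)),
    Entry("CVE-2018-18565", "Accu-Chek Inform II Instrument", "03.00", serial_filter=sn_above(14000)),
    Entry("CVE-2018-18562", "CoaguChek / cobas h232 Handheld Base Unit", "03.01.04"),
    Entry("CVE-2018-18562", "Accu-Chek Inform II Base Unit / Base Unit Hub", "03.01.04"),
    Entry("CVE-2018-18563", "CoaguChek XS Plus", "03.01.06"),
    Entry("CVE-2018-18563", "CoaguChek Pro II", "04.03.00"),
    Entry("CVE-2018-18563", "CoaguChek XS Pro", "03.01.06"),
    Entry("CVE-2018-18563", "Cobas h 232", "03.01.03"),  # both serial ranges share this boundary
    Entry("CVE-2018-18561", "Accu-Chek Inform II Base Unit / Base Unit Hub", "03.01.04", inclusive=True),
    Entry("CVE-2018-18561", "CoaguChek / cobas h232 Handheld Base Unit", "03.01.04", inclusive=True),
]


def affected_cves(model: str, version: str, serial: Optional[str] = None) -> List[str]:
    """Return the sorted CVE ids whose affected range covers this device."""
    v = parse_version(version)
    hits = set()
    for e in ADVISORY:
        if e.model != model:
            continue
        if e.serial_filter is not None and not e.serial_filter(serial):
            continue
        b = parse_version(e.boundary)
        if v < b or (e.inclusive and v == b):
            hits.add(e.cve)
    return sorted(hits)


def check_inventory(rows: List[Tuple[str, str, Optional[str]]]) -> List[Tuple[str, str, Optional[str], List[str]]]:
    """Rows are (model, version, serial); returns only the rows with at least one hit."""
    report = []
    for model, version, serial in rows:
        cves = affected_cves(model, version, serial)
        if cves:
            report.append((model, version, serial, cves))
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("CoaguChek Pro II", "04.02.00", None),
    ("CoaguChek Pro II", "04.03.00", None),
    ("Accu-Chek Inform II Instrument", "03.06.00", "15000"),
    ("Accu-Chek Inform II Base Unit / Base Unit Hub", "03.01.04", None),
]

if __name__ == "__main__":
    for model, version, serial, cves in check_inventory(SAMPLE_INVENTORY):
        print(f"{model} {version} (SN {serial}): {', '.join(cves)}")
```

Running the script prints one line per affected device in the constructed inventory. Replacing SAMPLE_INVENTORY with rows exported from an asset register gives a list of devices to prioritise for the November 2018 update and for the interim network-access restrictions.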

Niv Yehezkel of Medicate identified all five vulnerabilities and reported them to Roche. Roche has recommended mitigation procedures to minimize the risk of exploitation of the vulnerabilities.

  • Limit physical and network access to the handheld devices and ensure security features are activated
  • Secure vulnerable devices and prevent access by unauthorized individuals and protect against theft and malware
  • Monitor for suspicious activity

A software update to fix the vulnerabilities will be issued in November 2018.