(I)IoT Security News
ICS, News, Vulnerabilities

SOOIL Dana Diabecare RS Products

SOOIL Dana Diabecare RS Products

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, modify therapy settings, bypass authentication, or crash the device being accessed. These vulnerabilities could affect patient safety.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Dana Diabecare Insulin Pumps and mobile applications are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1    USE OF HARD CODED CREDENTIALS CWE-798

A hard-coded physician PIN in the physician menu of the insulin pump allows attackers with physical access to change insulin therapy settings.

CVE-2020-27256 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). 

3.2.2    INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An information disclosure vulnerability in the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows unauthenticated attackers to extract the pump’s keypad lock PIN via Bluetooth Low Energy.

CVE-2020-27258 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3    USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

The communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications use deterministic keys, which allows unauthenticated, physically proximate attackers to brute-force the keys via Bluetooth Low Energy.

CVE-2020-27264 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

3.2.4    USE OF CLIENT-SIDE AUTHENTICATION CWE-603

A client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy.

CVE-2020-27266  has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5    CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602

A client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy.

CVE-2020-27268  has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.6    AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

The communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures, which allows unauthenticated, physically proximate attackers to replay communication sequences via Bluetooth Low Energy.

CVE-2020-27269 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N).

3.2.7    UNPROTECTED TRANSPORT OF CREDENTIALS CWE-523

The communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications does not use adequate measures to protect encryption keys in transit, which allows unauthenticated, physically proximate attackers to sniff the keys via Bluetooth Low Energy.

CVE-2020-27270 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.2.8    KEY EXCHANGE WITHOUT ENTITY AUTHENTICATION CWE-322

The communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications does not use adequate measures to authenticate the pump before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the keys and spoof the pump via Bluetooth Low Energy.

CVE-2020-27272 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). 

3.2.9    AUTHENTICATION BYPASS BY SPOOFING CWE-290

The communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications does not use adequate measures to authenticate the communicating entities before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the authentication sequence via Bluetooth Low Energy.

CVE-2020-27276 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Julian Suleder, Birk Kauer, Raphael Pavlidis, and Nils Emmerich of ERNW Research GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI, Germany), in the context of the BSI project ManiMed – Manipulation of Medical Devices. BSI then provided this report to CISA.

4. MITIGATIONS

Dana Diabecare recommends users update the Dana Diabecare insulin pumps to Version 3.0 or higher, or to the latest available release. Additionally, users are encouraged to immediately update AnyDana-A and AnyDana-i to Version 3.0 or higher. Also, SOOIL recommends users to apply these mitigating strategies:

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Source:

https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01

Related posts

Siemens Industrial Products with OPC UA (Update F)

(I) IoT
5 years ago

OpenClinic GA

(I) IoT
4 years ago

Rockwell Automation ISaGRAF5 Runtime (Update A)

(I) IoT
3 years ago
Exit mobile version