ICT Security-Sécurité PC et Internet
ICT Security + Privacy + Piracy + Data Protection - Censorship - Free courses and information on "Sécurité PC et Internet" for non-commercial use... (FR, EN+DE)...
Curated by Gust MEES

Bluetooth-Related Flaws Threaten Dozens of Medical Devices | #CyberSecurity


Bluetooth-related vulnerabilities can affect a dizzying array of devices. In the latest instance, a newly discovered round of 12 Bluetooth bugs potentially exposes more than 480 devices to attack, including fitness trackers, smart locks, and dozens of medical tools and implants.

Researchers from Singapore University of Technology and Design began developing techniques for analyzing Wi-Fi security in January 2019, and later realized they could apply those same methods to assess Bluetooth as well. By September they had found their first bug in certain implementations of Bluetooth Low Energy, the version of the protocol designed for devices with limited resources and power. Within weeks, they had found 11 more.

Collectively dubbed "SweynTooth," the flaws exist not in BLE itself, but in the BLE software development kits that come with seven "system on a chip" products—microchips that integrate all of a computer's components in one place. IoT manufacturers often turn to off-the-shelf SoCs to develop new products quickly. That also means, though, that SoC implementation flaws can propagate across a wide variety of devices.

 

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Bluetooth

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=SweynTooth


Medicine: Security Vulnerabilities in Ventilators | #CyberSecurity #Health

Security vulnerabilities in ventilators

Commands can be sent over the hospital network to anesthesia and ventilation devices made by GE. A security vulnerability makes it possible, among other things, to change the dosage and type of anesthetic.

GE's Aestiva and Aespire anesthesia and ventilation devices accept commands without authentication, provided the devices have been connected to the hospital network. For example, alarms can be switched off remotely, or the gas composition used for ventilation can be changed. The vulnerability was discovered by the security firm CyberMDX. The Department of Homeland Security (DHS) has issued a warning about it, while the manufacturer GE sees no danger to patients.

If the affected versions 7100 and 7900 of Aestiva and Aespire are connected to the hospital network via a terminal server, attackers can send commands to the devices.

According to CyberMDX, the devices use a proprietary protocol whose commands are easy to work out. One of these commands makes the devices switch to an older version of the protocol, which is still present for compatibility reasons. No authentication is required to issue the commands.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Medicine


FDA Warns Of Dangerous Cybersecurity Hacking Risk With Connected Medical Devices


The U.S. Food and Drug Administration (FDA) warned this week that a number of insulin pumps from Medtronic MiniMed might be at risk of a cybersecurity breach, going as far as to warn patients to switch devices—"Medtronic is recalling affected MiniMed pumps," the FDA said, "and providing alternative insulin pumps to patients."

A full list of affected models can be found with the warning. The affected models cannot be updated and need to be replaced, even though "the FDA is not aware of any reports of patient harm related to these potential cybersecurity risks."

 

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Pacemakers+Hacking

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Medicine


Multiple zero-day vulnerabilities found in medical IoT devices: CISA | #CyberSecurity


The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning of vulnerabilities in several medical IoT devices that could lead to remote code execution.

Advisory ICSA-19-274-01, which has a CVSS rating of 9.8, covers the following pieces of equipment: OSE by ENEA, INTEGRITY RTOS by Green Hills Software, ITRON, ZebOS by IP Infusion, and VxWorks by Wind River. The vulnerabilities include stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection and null pointer dereference.

All are described as remotely exploitable, requiring only a low skill level to exploit, and public exploits are available. This is an expanded advisory; the original was issued by DHS in July.

“The Interpeak IPnet stack vulnerabilities were first reported under ICSA-19-211-01 Wind River VxWorks. These vulnerabilities have expanded beyond the affected VxWorks systems and affect additional real-time operating systems (RTOS). CISA has reached out to affected vendors of the report and asked them to confirm the vulnerabilities and identify mitigations,” the advisory stated.

In response, ENEA recommends that affected users upgrade to a newer version of OSE or contact Wind River (now the license holder for Interpeak) for compensating controls; Green Hills Software recommends that affected users contact Wind River for compensating controls; IP Infusion (ZebOS) has not yet responded to CISA inquiries.

 

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Medicine


Vulnerabilities found in GE anesthesia machines


Security researchers have discovered vulnerabilities in two models of hospital anesthesia machines manufactured by General Electric (GE).

The two devices found to be vulnerable are GE Aestiva and GE Aespire -- models 7100 and 7900. According to researchers from CyberMDX, a healthcare cybersecurity firm, the vulnerabilities reside in the two devices' firmware.

RESEARCHERS: FLAWS CAN PUT PATIENTS AT RISK
CyberMDX said attackers on the same network as the devices -- a hospital's network -- can send remote commands that can alter devices' settings.

"There is simply a lack of authentication," a CyberMDX researcher told ZDNet in an email today, detailing the exact nature of the security flaws.

"The mentioned commands are supported by design," he added. "Some of them are only supported on an earlier version of the protocol, however there is another command that allows changing the protocol version (for backward compatibility). After sending a command to change the protocol version to an earlier one, an attacker can send all other commands."

 

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Medicine
