Memo
To: Information Security Team Chairperson
From: Michael Brause
Date: October 26, 2020
Re: Vulnerabilities of Two Devices of Internet of Things (IoT) Relevant to Northwest Shelbyville Regional Hospital (NSRH)
Northwest Shelbyville Regional Hospital (NSRH) has continued to introduce Internet of Things (IoT) devices to improve patient care in the facility. These devices are used for outpatient and inpatient monitoring, for asset tracking so that healthcare professionals can easily locate equipment, and for automating HVAC and lighting systems to lessen the spread of infection and reduce care costs. However, the introduction of these devices has also increased the hospital's exposure to cyber threats. Two IoT devices relevant to NSRH that have publicly known vulnerabilities are the Honeywell WIN-PAK and the Google Android 11.0 camera.
Device 1: Honeywell WIN-PAK
Honeywell WIN-PAK is an IoT device that keeps patients connected with remotely located healthcare providers, who receive transmitted biometric data through the patient's dashboard. The device also hosts video visits, giving several healthcare providers access to patients' vital statistics, which can be integrated with a blood pressure monitor, an oximeter, and a precision health scale.
The CVE for Honeywell WIN-PAK is CVE-2020-7005. Honeywell WIN-PAK 4.7.2 Web and prior versions are vulnerable to cross-site request forgery (CSRF), which may allow an attacker to remotely execute arbitrary code.
Honeywell suggests that the following steps should be taken for the protection of affected products:
- Update WIN-PAK to the latest version, namely WIN-PAK 4.7.2 B1072.3.4, before applying the patch.
- Users should add additional layers of defence between the system and the Internet by placing the affected hardware in a DMZ or behind a firewall.
- If remote connections are needed, users should consider using a VPN to ensure secure remote connections into the network where the device is located.
Device 2: Google Android 11.0 Camera
A smartphone camera is a built-in camera capable of capturing high-quality photographs and recording video. The resulting images and recordings can be sent to healthcare facilities such as Northwest Shelbyville Regional Hospital.
The CVE for the Google Android 11.0 smartphone camera is CVE-2020-0328. The reference for this CVE is A-150331085. The description of the vulnerability: in the camera, there is a possible out-of-bounds read due to an integer overflow. This could lead to local information disclosure, with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-150156131.
Countermeasures for this vulnerability include:
- Firewalling
- Upgrading
- Patching
- Configuration
References
https://us-cert.cisa.gov/ics/advisories/icsa-20-056-05
https://source.android.com/security/bulletin/android-11