Valleylab (electrosurgical generators)

2019: Vulnerability because of which anyone can manage electrosurgical generators far off

In the middle of November, 2019 it became known that because of vulnerability in software anyone can manage electrosurgical generators of Medtronic far off. The problem concerns Valleylab FT10 devices (V4.0.0 below) and Valleylab FX8 (v1.1.0 below) used by surgeons for such procedures as cauterization during transactions.

Owing to vulnerability of one of utilities of the device any malefactor can load files on Valleylab generators. Use of the uncorrected version of software gives to hackers remote access for the administrator and an opportunity to correct the code at own discretion. As generators are often connected to the general network, providing remote control, malefactors can easily use the detected hole. One more revealed problem consists in unsafe hashes of passwords which can be taken from the device thanks to other above described vulnerabilities.

It became known that because of vulnerability in software anyone can manage electrosurgical generators of Medtronic far off

Developers already submitted the corrected version of software of Valleylab FT10, and the patch of FX8 will become available at the beginning of 2020. Meanwhile Medtronic recommends or to disconnect the corresponding devices from IP networks, or to separate these networks from public.

Medtronic not for the first time faces security of the devices. In addition, a number of shortcomings of the implanted kardioverterakh-defibrillators and pacemakers in 2018-2019 were necessary to correct the companies. At the same time independent researchers found out that the company did not hurry to release software updatings - devices remained vulnerable for cyber attacks even in 18 months after detection of a problem. This time Medtronic decided to correct vulnerabilities of software right after their identification that experts consider a significant step forward in ensuring cyber security of medical devices.^[1]

Notes