Vitrea View

2022: Finding holes used for unauthorized remote control

At the end of September 2022, it became known that holes used for unauthorized remote control were found in Canon medical equipment. The problems are related to Canon Medical's Vitrea View software - vulnerabilities in the cybersecurity system have been identified there that could jeopardize patient information.

Information security specialists from Trustwave have discovered two vulnerabilities in Vitrea View that could allow an attacker to access patient information, potentially change it, and access confidential information and credentials for other services integrated with the platform. The Vitrea View is a tool that is used to view medical images and other documents.

Vitrea View

This vulnerability only potentially affects the access, viewing and updating of any medical image information integrated with the Vitrea! The images are also related to patient records, so there is potentially a huge amount of information that can be exfiltrated (violation of patient privacy) or changed (replacing patient medical images with others, deleting records, or potentially changing patient information directly), said information security researcher at Trustwave Jordan Hedges.

Trustwave said in its own statement that equipment originally used to create images, such as X-ray scanners or MRI machines, could not be affected. The company contacted Canon Medical about the vulnerabilities, and developed a fix to fix the problems in version 7.7.6, according to the post. Trustwave said it had no data on how many of Cannon Medical's patient or customer records were potentially at risk because of the vulnerability.^[1]