What is the Issue?
Recently, an undocumented vulnerability in the Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS) medical device gateway was found to be exposed to the “misfortune Cookie” vulnerability CVE-2014-9222. This opens the possibility for remote attackers to gain privileges and the ability for remote code execution via crafted cookie that triggers memory corruption, aka the “Misfortune Cookie” vulnerability.
Why is this noteworthy?
Qualcomm Life’s Capsule DTS is a gateway device used in hospitals to connect their medical devices to the network. The gateway connects bedside devices, such as monitors, respirators, anesthesia, and infusion pumps. Altering the availability and/configuration of the Capsule DTS directly influencing the connectivity of the medical devices and allows the spoofing of communications to and/or from the medical devices. Essentially; when patient’s sensitive information is sent to and from a medical device it can be changed or stolen by an attacker. Also, an attacker could remotely start, stop, change the rates, and silence alarms of infusion and anesthesia pumps.
What is the exposure or risk?
Exploitation of this vulnerability can allow attackers to make changes to the configurations of medical devices and allow the theft of sensitive information.
What are the recommendations?
SKOUT recommends users to update Qualcomm Life’s Capsule devices to their latest software versions, disable the embedded webserver, and disable access to the device’s management ports, including HTTP and/or restrict access trusted parties only. Furthermore, Qualcomm Life’s Capsule Technologies firmware update that was released will only fix the “Single Board” version of the DTS; there is no fix for other versions and there is no plan by Qualcomm to release a fix due to technical limitations.
If you have any questions, please contact our Security Intelligence Center.