ICSMA-17-292-01_Boston Scientific ZOOM LATITUDE PRM Vulnerabilities

Monitor4.6ICS-CERT ICSMA-17-292-01Oct 19, 2017

Attack VectorPhysical

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Boston Scientific ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) Model 3120 stores sensitive configuration data and patient information in unencrypted format on the device. An attacker with physical access could extract this data, including patient records and system credentials. The device uses weak or missing cryptographic protections (CWE-321, CWE-311) for stored data.

What this means

What could happen

An attacker with physical access to the device could read sensitive configuration and patient data stored on the ZOOM LATITUDE PRM due to unencrypted storage, compromising patient privacy and revealing system settings.

Who's at risk

Healthcare facilities using Boston Scientific ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) devices should be concerned. This affects implantable cardiac device programming and monitoring equipment. Hospitals and clinics that program and manage implantable pacemakers and defibrillators are the primary users.

How it could be exploited

An attacker with physical access to the device could connect to the internal storage or debug ports to read unencrypted configuration files and data. No authentication is required once physical access is obtained. The attacker could extract patient information, device settings, and programming credentials.

Prerequisites

Physical access to the ZOOM LATITUDE PRM device
Ability to connect to device storage or debug interfaces

no patch availableaffects medical/safety systemsunencrypted sensitive data storagephysical access required but difficult to secure in all environments

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) - Model 3120: all versionsAll versionsNo fix yet

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGLimit device access to authorized personnel only and monitor device locations

Long-term hardening

0/2

HARDENINGImplement physical security controls around ZOOM LATITUDE PRM devices to restrict unauthorized access

HARDENINGConsider device placement in secure, access-controlled areas of the facility

CVEs (2)

CVE-2017-14014 CVE-2017-14012

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b6ef4adc-0258-40d8-81ac-7b9df63fca45