Roche Diagnostics Point of Care Handheld Medical Devices (Update A)

Plan PatchCVSS 8.3ICS-CERT ICSMA-18-310-01Nov 6, 2018

Healthcare

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Roche Point of Care handheld medical devices and their base units contain multiple vulnerabilities (CWE-287 authentication bypass, CWE-78 command injection, CWE-434 unrestricted upload, CWE-284 improper access control) that allow attackers with network access to connected devices or physical access to non-connected devices to modify system settings or execute arbitrary code. Affected products include Accu-Chek Inform II, CoaguChek Pro II/XS Plus/XS Pro, and cobas h 232 POC. Roche indicates all affected products will not receive patches and recommends mitigation through network/physical access controls and monitoring.

What this means

What could happen

An attacker with network access to a connected Point of Care device could modify system settings or execute arbitrary code, potentially altering test results or disabling device functionality in a clinical setting.

Who's at risk

Healthcare facilities operating Roche Point of Care handheld diagnostic devices, including clinical laboratories, point-of-care testing (POCT) coordinators, and infection control staff responsible for device security. Affected devices include Accu-Chek Inform II, CoaguChek Pro II/XS Plus/XS Pro, and cobas h 232 POC systems with base unit infrastructure.

How it could be exploited

An attacker on the same network segment (LAN) as a connected Point of Care device could exploit authentication or input validation weaknesses to gain unauthorized access. For connected devices via Ethernet or Wi-Fi, the attacker could then modify system configuration or run commands to alter device behavior. Non-connected devices require physical proximity for theft or tampering.

Prerequisites

Network access to the device (Ethernet or Wi-Fi for connected devices)
Physical access for non-connected devices
No credentials required

no authentication requirednetwork-accessible on connected devicesaffects medical diagnostic equipmentno patch available at time of advisorylow complexity attack

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (8)

1 pending7 EOL

ProductAffected VersionsFix Status

Point of Care handheld medical devices - Including the related base units (BU), base unit hubs and handheld base units (HBU).base units (BU)|handheld base units (HBU)No fix yet

Point of Care handheld medical devices - Accu-Chek Inform IIAccu-Chek Inform IINo fix (EOL)

Point of Care handheld medical devices - CoaguChek Pro IICoaguChek Pro IINo fix (EOL)

Point of Care handheld medical devices - CoaguChek XS PlusCoaguChek XS PlusNo fix (EOL)

Point of Care handheld medical devices - CoaguChek XS ProCoaguChek XS ProNo fix (EOL)

Point of Care handheld medical devices - cobas h 232 POCcobas h 232 POCNo fix (EOL)

Point of Care handheld medical devices - Accu-Chek Inform II Base Unit LightAccu-Chek Inform II Base Unit LightNo fix (EOL)

Point of Care handheld medical devices - Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or newerAccu-Chek Inform II Base Unit NEW with Software 04.00.00 or newerNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGEnable device security features on all connected Point of Care devices (Ethernet and Wi-Fi)

HARDENINGRestrict network access to Point of Care devices by implementing firewall rules to limit connectivity to authorized clinical workstations only

HARDENINGRestrict physical access to devices and attached infrastructure to prevent theft or unauthorized manipulation

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGIsolate Point of Care device networks from business network and Internet connectivity

HARDENINGMonitor network and system infrastructure for suspicious activity and unauthorized access attempts

HOTFIXDeploy updated Roche software when available (scheduled for November 2018 and later)

CVEs (5)

CVE-2018-18561 CVE-2018-18562 CVE-2018-18563 CVE-2018-18564 CVE-2018-18565

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0b73164b-589e-416f-8c66-90e2b2400877

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.