OTPulse

Roche Diagnostics Point of Care Handheld Medical Devices (Update A)

Action: Plan Patch
CVSS: 8.3
Source: ICS-CERT ICSMA-18-310-01, Nov 6, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Roche Point of Care handheld medical devices and their base units contain multiple vulnerabilities (CWE-287 authentication bypass, CWE-78 command injection, CWE-434 unrestricted upload, CWE-284 improper access control) that allow attackers with network access to connected devices or physical access to non-connected devices to modify system settings or execute arbitrary code. Affected products include Accu-Chek Inform II, CoaguChek Pro II/XS Plus/XS Pro, and cobas h 232 POC. Roche indicates all affected products will not receive patches and recommends mitigation through network/physical access controls and monitoring.

What this means
What could happen
An attacker with network access to a connected Point of Care device could modify system settings or execute arbitrary code, potentially altering test results or disabling device functionality in a clinical setting.
Who's at risk
Healthcare facilities operating Roche Point of Care handheld diagnostic devices, including clinical laboratories, point-of-care testing (POCT) coordinators, and infection control staff responsible for device security. Affected devices include Accu-Chek Inform II, CoaguChek Pro II/XS Plus/XS Pro, and cobas h 232 POC systems with base unit infrastructure.
How it could be exploited
An attacker on the same network segment (LAN) as a connected Point of Care device could exploit authentication or input validation weaknesses to gain unauthorized access. For connected devices via Ethernet or Wi-Fi, the attacker could then modify system configuration or run commands to alter device behavior. Non-connected devices require physical proximity for theft or tampering.
Prerequisites
  • Network access to the device (Ethernet or Wi-Fi for connected devices)
  • Physical access for non-connected devices
  • No credentials required
Tags: no authentication required; network-accessible on connected devices; affects medical diagnostic equipment; no patch available at time of advisory; low complexity attack
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (8): 1 pending, 7 EOL

Product | Affected Versions | Fix Status
Point of Care handheld medical devices - Including the related base units (BU), base unit hubs and handheld base units (HBU) | base units (BU), handheld base units (HBU) | No fix yet
Point of Care handheld medical devices - Accu-Chek Inform II | Accu-Chek Inform II | No fix (EOL)
Point of Care handheld medical devices - CoaguChek Pro II | CoaguChek Pro II | No fix (EOL)
Point of Care handheld medical devices - CoaguChek XS Plus | CoaguChek XS Plus | No fix (EOL)
Point of Care handheld medical devices - CoaguChek XS Pro | CoaguChek XS Pro | No fix (EOL)
Point of Care handheld medical devices - cobas h 232 POC | cobas h 232 POC | No fix (EOL)
Point of Care handheld medical devices - Accu-Chek Inform II Base Unit Light | Accu-Chek Inform II Base Unit Light | No fix (EOL)
Point of Care handheld medical devices - Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or newer | Accu-Chek Inform II Base Unit NEW with Software 04.00.00 or newer | No fix (EOL)
Remediation & Mitigation
Do now
  • [HARDENING] Enable device security features on all connected Point of Care devices (Ethernet and Wi-Fi)
  • [HARDENING] Restrict network access to Point of Care devices by implementing firewall rules to limit connectivity to authorized clinical workstations only
  • [HARDENING] Restrict physical access to devices and attached infrastructure to prevent theft or unauthorized manipulation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • [HARDENING] Isolate Point of Care device networks from business network and Internet connectivity
  • [HARDENING] Monitor network and system infrastructure for suspicious activity and unauthorized access attempts
  • [HOTFIX] Deploy updated Roche software when available (scheduled for November 2018 and later)