Innokas Yhtymä Oy Vital Signs Monitor

Monitor5.3ICS-CERT ICSMA-21-007-01Jan 7, 2021

Attack VectorPhysical

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The VC150 vital signs monitor contains input validation (CWE-79) and improper encoding (CWE-74) vulnerabilities. Successful exploitation by an attacker with physical access could allow modification of communications between the monitor and downstream medical devices or disable certain device features. No known public exploits currently target these vulnerabilities.

What this means

What could happen

An attacker with physical access to the device could modify communications between the monitor and connected medical equipment or disable safety features, potentially affecting patient monitoring accuracy or alarm functionality.

Who's at risk

Hospital IT and biomedical teams managing Innokas VC150 vital signs monitors should prioritize this issue. The device is used in patient care areas to monitor and communicate critical vital sign data to downstream clinical systems.

How it could be exploited

An attacker with physical access to the VC150 device could exploit the input validation and improper encoding vulnerabilities (CWE-79, CWE-74) to inject malicious input, allowing them to modify the integrity of data sent to downstream medical devices or disable protective features.

Prerequisites

Physical access to the VC150 vital signs monitor
No authentication required to exploit the vulnerability

Physical access required (low practical risk in controlled hospital environment)No authentication requiredAffects medical device communicationsPotential to disable safety-related features

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

VC150: prior to< 1.7.151.7.15b

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDPhysically secure vital signs monitors to prevent unauthorized access or tampering

HARDENINGEnsure vital signs monitors are not exposed to the Internet or accessible from untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate VC150 to firmware version 1.7.15b or later

Long-term hardening

0/2

HARDENINGImplement network segmentation using VLANs to isolate vital signs monitors from other hospital networks

HARDENINGConduct security awareness training with clinical staff to report unauthorized access attempts or device tampering

CVEs (2)

CVE-2020-27262 CVE-2020-27260

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c46e0b63-0c26-44d8-a774-5692c492bcba