Boston Scientific Zoom Latitude

MonitorCVSS 6.9ICS-CERT ICSMA-21-273-01Sep 30, 2021

Attack path

Attack VectorPhysical

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

The ZOOM LATITUDE Programmer/Recorder/Monitor Model 3120 contains multiple vulnerabilities that allow an attacker with physical access to obtain patient protected health information or compromise device integrity. The vulnerabilities stem from insufficient access controls (CWE-284), insufficient authentication (CWE-916), and improper data protection mechanisms (CWE-1278, CWE-353, CWE-1329). The device is not network-connected and cannot be exploited remotely. Boston Scientific will not release a patch for the Model 3120 and recommends transitioning to the replacement Model 3300 Programmer.

What this means

What could happen

An attacker with physical access to the device could extract patient health information or alter the programmer's settings, potentially affecting device function or patient safety. Since the device is not networked, remote attacks are not possible.

Who's at risk

Hospitals and cardiac care facilities using Boston Scientific ZOOM LATITUDE Programmer/Recorder/Monitor Model 3120 devices. Any facility that manages implantable cardiac devices (pacemakers, defibrillators) with this programmer is affected. The risk is primarily to patient privacy and device integrity at the point of care.

How it could be exploited

An attacker must have physical possession of the ZOOM LATITUDE Programmer Model 3120. Once in hand, they could exploit vulnerabilities in the device's access controls or data protection mechanisms to read stored patient information or modify device configuration without authentication. No network access is required.

Prerequisites

Physical possession of the device
Ability to power on or interact with the device interface
No credentials or authentication required

Physical access requiredNo authentication neededAffects patient health information (PHI)No vendor patch availableNot remotely exploitable

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (1)

ProductAffected VersionsFix Status

ZOOM LATITUDE Programmer/Recorder/Monitor Model 3120 - Boston Scientific reports these vulnerabilities affects the ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) Model 31203120No fix (EOL)

Remediation & Mitigation

0/3

Do now

0/2

HARDENINGPhysically control access to the ZOOM LATITUDE Model 3120 device—keep it in a locked location when not in use and maintain an inventory of who has access

HARDENINGRemove all patient protected health information (PHI) from the device before retiring or decommissioning it per the operator's manual instructions

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXPlan transition from ZOOM LATITUDE Model 3120 to the replacement LATITUDE Programming System Model 3300, which has enhanced security

CVEs (5)

CVE-2021-38400 CVE-2021-38394 CVE-2021-38392 CVE-2021-38396 CVE-2021-38398

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fc72abb6-4854-4dac-aa81-e35c9714646a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.