Vulnerabilities discovered in Boston Scientific Zoom Latitude Model 3120

A number of vulnerabilities have been discovered in Boston Scientific Zoom Latitude Model 3120. Successful exploitation of these vulnerabilities may allow an attacker with physical access to the affected device to obtain patient protected health information (PHI), and/or compromise the integrity of the device. The affected device is not network connected and does not contain hardware to be network connected.

Boston Scientific is in the process of transitioning all users to a replacement programmer with enhanced security, the LATITUDE Programming System, Model 3300. Boston Scientific will not issue a product update to address the identified vulnerabilities in the ZOOM LATITUDE Programming System, Model 3120.

The ZOOM LATITUDE Programming System, Model 3120 is a portable cardiac rhythm management (CRM) programming system designed to help you interrogate, monitor and program Boston Scientific implantable pulse generators (IPGs).

AFFECTED PRODUCTS

Boston Scientific reports these vulnerabilities affects the ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) Model 3120.

VULNERABILITY OVERVIEW

USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT

An attacker with physical access to the affected device can remove the hard disk drive or create a specially crafted USB to extract the password hash for brute force reverse engineering of the system password.

CVE-2021-38400 has been assigned to this vulnerability.

MISSING PROTECTION AGAINST HARDWARE REVERSE ENGINEERING USING INTEGRATED CIRCUIT (IC) IMAGING TECHNIQUES

An attacker with physical access to the device can extract the binary that checks for the hardware key and reverse engineer it, which could be used to create a physical duplicate of a valid hardware key. The hardware key allows access to special settings when inserted.

CVE-2021-38394 has been assigned to this vulnerability.

IMPROPER ACCESS CONTROL

A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.

CVE-2021-38392 has been assigned to this vulnerability.

MISSING SUPPORT FOR INTEGRITY CHECK

The programmer installation utility does not perform a cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB.

CVE-2021-38396 has been assigned to this vulnerability.

RELIANCE ON COMPONENT THAT IS NOT UPDATEABLE

The affected device uses off-the-shelf software components that contain unpatched vulnerabilities. A malicious attacker with physical access to the affected device could exploit these vulnerabilities.

CVE-2021-38398 has been assigned to this vulnerability.