Zero-day vulnerabilities in temperature monitors could leak patient data

Multiple vulnerabilities were discovered in Proges Plus Plug&Track products used for temperature monitoring at hospitals, with no patches in sight.

The flaws were discovered by Nozomi Networks Labs, which publicly disclosed four vulnerabilities in Sensor Net Connect V2 and three vulnerabilities in Thermoscan IP in a blog post Thursday.

Sensor Net Connect is a Linux-based device used to monitor temperature or humidity from multiple sensors simultaneously, which can be connected to a hospital network via Wi-Fi or Ethernet. Thermoscan IP is an accompanying software for the Sensor Net Connect device that allows for real-time viewing and analysis of data collected by the device.

These products are used in numerous applications, including for temperature monitoring of patient samples and pharmaceuticals in medical environments. According to the Proges website, Plug&Track products are used in more than 60 countries and cater to small and medium sized businesses.

The most severe vulnerability discovered by Nozomi, which is tracked as CVE-2024-31202, is described as an “incorrect permission assignment for critical resource” flaw in Thermoscan IP that could enable local privilege escalation leading to sensitive data exposure.

CVE-2024-31202, which has a high CVSS score of 8.4, can be exploited by an unprivileged user with basic access to a healthcare system that has Thermoscan IP installed, according to Nozomi. For example, the flaw could be leveraged by a contractor doing maintenance on the system, or potentially through a compromised or malicious third-party app installed on the same machine.

Due to the incorrect permission assignment flaw in Thermoscan IP, an unprivileged user can run commands as an administrator, enabling them to create a new “backdoor” administrator account. This risks exfiltration or manipulation of sensitive patient data.

This flaw could be combined with other flaws in both the device and software for maximum impact, leading to a range of consequences from patient privacy violations to denial-of-service (DoS) of critical temperature monitoring equipment. Disruption of this equipment can have severe real-life consequences, such as the destruction of temperature-sensitive vaccines or contamination of biological samples.

How to prevent exploitation when no patch is available

Nozomi Networks’ blog post indicates that the security researchers attempted to contact Proges Plus and its Plug&Track subdivision multiple times regarding the vulnerabilities but did not receive any response from the company or indication that the flaws had been fixed. The post also states that the flaws were reported through the CERT Coordination Center’s Vulnerability Information and Coordination Environment (VINCE).

With no way to patch the Thermoscan IP software or Sensor Net Connect v2 Devices, Nozomi Networks recommends users of the products implement strict access control, ensuring unprivileged users and applications that do not need to use the temperature monitoring tools are blocked from accessing their data and settings.

Nozomi also recommends monitoring logs and accounts associated with Thermoscan IP software for any signs of suspicious activity or exploitation.

SC Media reached out to Nozomi Networks for more information about the vulnerabilities and scope of potential attacks, and did not receive a response by time of publishing. SC Media also reached out to Plug&Track and Proges Plus through their respective contact forms and did not receive a response.

Medical IoT devices may play an unexpected role in the risk to hospital cybersecurity and patient privacy. In another recent example, researchers at Claroty discovered two flaws in gas chromatography machines used for blood tests.