Nozomi Networks Labs has uncovered multiple vulnerabilities in Proges Plus Plug&Track products, specifically the Sensor Net Connect V2 and Thermoscan IP devices used for temperature monitoring in hospitals. These devices, critical for tracking temperature and humidity in medical environments, are used globally across various applications, including patient sample and pharmaceutical monitoring. The flaws, disclosed in a blog post, are concerning because of their potential impact on patient privacy and equipment reliability.
Among the vulnerabilities, CVE-2024-31202 stands out as particularly severe. This flaw involves incorrect permission assignments in the Thermoscan IP software, allowing unauthorized users to escalate their privileges. With a high CVSS score of 8.4, this vulnerability could enable a basic user to gain administrative access, potentially creating backdoor accounts and compromising sensitive patient data. This could lead to serious privacy violations or disruptions in critical temperature monitoring systems.
Nozomi Networks reported its findings to Proges Plus and Plug&Track but received no response and no patch. In the absence of fixes, it advises implementing stringent access controls to prevent unauthorized access to the monitoring tools. Additionally, users should closely monitor logs and account activity for signs of exploitation, such as unexpected privilege changes or newly created accounts. The lack of a patch raises significant concerns about the ongoing security of these devices in healthcare settings.
The discovered flaws highlight broader risks associated with medical IoT devices. Similar vulnerabilities have been identified in other critical medical equipment, such as gas chromatography machines used for blood tests. This underscores the need for robust security measures and responsive actions from manufacturers to protect patient data and maintain the integrity of medical monitoring systems.