In the second quarter of 2016, Philips was contacted by security researchers regarding potential security vulnerabilities with the Philips Xper-IM Connect system. As part of our Responsible Disclosure policy and processes, Philips has been in collaboration with the security researchers investigating this issue to promptly and transparently address the identified vulnerabilities in the Xper-IM Connect system.
The joint analysis by Philips and the researchers determined that Xper-IM Connect systems running on unsupported Windows XP operating systems and outdated product software were vulnerable to a number of potential exploits, which, if implemented, could result in a remote attacker gaining access to an affected system.
The Philips product security team was able to confirm that all of the reported vulnerabilities in the Xper-IM Connect system are remediated by upgrading to the minimum specification of Windows 2008 Server or the recommended specification of Windows 2008 Server R2 and then applying a new product software version (Xper-IM Connect Version 1.5 Service Pack 13). We are providing recommendations and contact information in order to help any affected customers using a potentially affected Xper-IM Connect System address the issue and correct any affected systems as rapidly as possible.
Both Philips and the security researchers contributed to a joint disclosure to the U.S. Department of Homeland Security’s NCCIC/ICS-CERT organization, which was the source for that body’s Medical Device Advisory concerning this issue.
Philips is committed to ensuring the security and integrity of our products. Philips takes this matter very seriously. While any potential or identified security vulnerabilities are a concern, at this time we are not aware of any customers or patients that have been directly affected by this issue.