Publication Date: March 26, 2018

Update Date: March 26, 2018

 

As part of Philips’ Responsible Disclosure Policy for the awareness and remediation of potential system security vulnerabilities, the company is proactively issuing an advisory concerning a potential, low-risk security vulnerability that may affect the Philips Alice 6 Polysomnography System (PSG).

 

Philips has identified vulnerabilities in Philips Alice 6 devices involving hard-coded credentials and clear-text storage and transmission of patient personal health information. Philips has updated product documentation and will release a new version that mitigates these vulnerabilities. These vulnerabilities could potentially be exploited remotely.

 

Successful exploitation may allow an attacker to gain visibility into usernames/passwords and personal data. Insufficient encryption and cryptographic integrity checks can lead to altered, corrupted, or disclosed personal data. Disclosure of personal data can occur by replacing a trusted node with a malicious node.

 

Philips is scheduled to release a new product version and supporting product documentation in December 2018. For all users of Alice 6 versions up through R8.0.2, Philips will make an update available. This update will introduce HTTPS for remote connections and eliminate hardcoded/fixed password vulnerabilities.

 

Philips will provide users with notification of the availability of the update. Users will be able to apply the update without Philips assistance.

 

Philips recognizes that the security of our healthcare, personal health, and home consumer products and services is business critical for our customers. Philips has taken the lead in creating a Responsible Disclosure policy to collaborate with customers, security researchers, regulators and other agencies to help proactively identify, address and disclose potential vulnerabilities in a safe and effective manner.

 

Users with questions regarding their specific Alice 6 solutions are advised by Philips to contact their local Philips service support team or regional service support.