Publication Date: August 30, 2018
Update Date: August 30, 2018
Philips is a committed leader in medical device cybersecurity. As part of our global Product Security Policy, the company conducts extensive ongoing analysis of our products, often in collaboration with customers and researchers, to identify and address potential vulnerabilities.
In accordance with Philips’ Coordinated Vulnerability Disclosure Policy for the awareness and remediation of possible system security vulnerabilities, the company is proactively issuing an advisory concerning potential unencrypted communication vulnerabilities in versions of Philips e-Alert service units up to and including R2.1.
If successfully exploited, this potential vulnerability may allow an attacker within the same subnet to impact or compromise customer contact details, system integrity, and/or system availability. The vulnerabilities may allow attackers of low skill to provide unexpected input into the application, execute arbitrary code, display system information, or potentially cause a system crash. Philips e-Alert is not a medical device, therefore there is no risk to patient safety.
In June 2018, Philips released a new software version to mitigate this potential issue. This update addressed the vulnerability and enhanced the security capabilities of the e-Alert unit.
Philips has reached out to affected users to schedule updates. Philips encourages users to use Philips-validated and authorized changes only for the e-Alert unit supported by Philips ’authorized personnel or under Philips’ explicit published directions for patches, updates, or releases. Philips always requires that the device never be Internet-facing.
Philips has reported these potential vulnerabilities and its resolution to customers and the appropriate government agencies, including US DHS ICS-CERT, which is issuing an advisory.
Users with questions regarding their specific E-Alert solutions are advised by Philips to contact their local Philips service support team or regional service support. Philips contact information is available at the following location: