Publication Date: September 11, 2017
Update Date: September 21, 2017
Philips is releasing this advisory, confirming the findings of a customer-submitted complaint and vulnerability report that identified two vulnerabilities in Philips’ IntelliVue MX40 Patient Worn Monitor for use with wireless local area networks (WLAN). Philips has produced a software update that fixes one of the identified vulnerabilities (Partial Re-Association to Central Monitor) and provides mitigations for the remaining vulnerability (Wi-Fi Access Point (AP) “Blacklisting”). In March 2017, Philips initiated a voluntary medical device correction on systems affected by these vulnerabilities. This was reported to the appropriate competent authorities. Philips is planning to release an additional software update in 2017 to address the remaining vulnerability.
Philips has received no reports of incidents from clinical use that it has been able to associate with this problem.
Partial Re-Association to Central Monitor [Improper Cleanup on Thrown Exception]:
Under specific 802.11 network conditions, a partial re-association of the MX40 Patient Worn Monitor (WLAN) to a compatible central monitoring system (“Information Center”) is possible. In this state, although the Information Center provides a visible and audible “No Data Tele” INOP alert, the MX40 WLAN itself enters telemetry mode, i.e., its screen turns off after one minute and local alarming is disabled.
This potential issue was addressed with an IntelliVue MX40 software update (version B.06.18) issued in March 2017 (reference FCO86201774), which has been verified to mitigate the impact of such network conditions on the device and to ensure correct operation of its messaging and alarm functions.
Wi-Fi Access Point (AP) “Blacklisting” [Improper Handling of Exceptional Conditions]:
Several specific 802.11 Wi-Fi network management messages may cause the MX40 not only to de-authenticate (disconnect) from the access point (AP) but also to place that AP on a security AP blacklist, which blocks or prevents further use of the AP until staff intervene. AP blacklisting is an intended security feature of the MX40 in response to certain Wi-Fi management messages; however, several Wi-Fi messages have been identified that invoke AP blacklisting when it is not required, and these could be triggered either by environmental Wi-Fi network conditions or by a crafted script.
This issue is mitigated by the MX40 design and software update B.06.18, whereby the MX40 switches into local mode with messaging and alarming on the local device and at the Central Station, thus alerting hospital staff when the MX40 disconnects from the AP and disassociates from central. While the issue is mitigated, Philips recognizes the potential gap and concern and will release an MX40 software update, targeted within 2017, to correct the intended alignment between Wi-Fi management messages and security blacklisting of the AP.
To date, the network conditions necessary for both issues (partial re-association, AP blacklisting) have only been found during system testing by a customer and Philips. Nonetheless, if either issue occurred while monitoring a patient, it could result in a delay in treatment. Philips therefore recommends that customers update to MX40 software version B.06.18.
Under the terms of Philips’ Responsible Disclosure Policy, Philips worked with the customer and global and U.S. government agencies and related organizations to draft and distribute an advisory concerning this potential issue.