More than 1,400 remotely exploitable security flaws were recently discovered in CareFusion's Pyxis SupplyStation medical dispensing system.
More than half of those were rated 'high' or 'critical'.
The Pyxis SupplyStation is a secure storage device for medical supplies that also documents supply usage. To make things worse, the researchers, Billy Rios and Mike Ahmadi, found that the flaws do not require a highly skilled attacker: “An attacker with low skill would be able to exploit many of these vulnerabilities,” the ICS-CERT advisory states.
Commenting on the issue, Fraser Kyne, regional systems engineering director at Bromium, said that all businesses, and hospitals in particular, face pressure to avoid costs by sweating their computing tools for as long as possible.
“The report states clearly that “These vulnerabilities could be exploited remotely”, and provides sane advice such as “Isolate affected products from the Internet and untrusted systems”. The problem is that we want to use our systems to run critical secure processes, and at the same time we want to run completely unsafe processes such as web browsing and email on the same devices,” he said.
“Isolation is a solid security principle, but we shouldn’t have to compromise between security and functionality.”
The vulnerabilities lie in seven third-party software packages bundled with the system, including Microsoft Windows XP, Sybase SQL Anywhere 9, Symantec Antivirus 9 and Symantec pcAnywhere 10.5.
CareFusion is contacting all affected customers and advising them to upgrade.