Misfortune Cookie vulnerability returns to impact medical devices

The four-year-old security flaw has reared its head once again but this time medical equipment, and not routers, are at risk.
Written by Charlie Osborne, Contributing Writer

A severe security flaw impacting routers and disclosed four years ago has once again returned to the field, but this time, medical devices are potentially at risk.

The vulnerability, known as Misfortune Cookie, has been assigned a severity rating of 9.8.

Otherwise known as CVE-2014-9222, the bug first came on the radar through disclosure by Check Point researchers in 2014.

According to the cybersecurity firm, Misfortune Cookie impacted residential gateway SOHO routers from a variety of vendors. If exploited, the security flaw allowed attackers to remotely hijack devices.

A new security advisory issued by Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says that the vulnerability has now been found in medical device systems.

The equipment in question is the Datacaptor Terminal Server (DTS), a medical device gateway developed by Qualcomm Life subsidiary Capsule Technologies SAS.

The gateway is used in hospitals to connect medical devices to larger network infrastructure.

See also: FDA one of many 'toothless dragons' with no will to tackle medical device security | IoT security warning: Cyber-attacks on medical devices could put patients at risk | KRACK Wi-Fi vulnerability can expose medical devices, patient records | FDA issues recall of 465,000 St. Jude pacemakers to patch security holes

Cybersecurity firm CyberMDX discovered the presence of the flaw which can be exploited by attackers to conduct remote arbitrary memory write, which could lead to unauthorized login and code execution.

The previously undocumented vulnerability in the device is present in a software component called "RomPager" from AllegroSoft used by the DTS web interface.

According to the company, the version of RomPager in use is an older version, earlier than 4.07, which is susceptible to Misfortune Cookie. More up-to-date versions of the component are not affected.

TechRepublic: AI that improves healthcare efficiency also threatens profits

When the four year-old-flaw is applied to medical attacks, it is possible for DTS configurations to be tampered with, communication to be spoofed, and information to be stolen.

CNET: Oculus, Children's Hospital push for mandatory VR medical training program

CyberMDX reported its findings to Qualcomm Life, which developed a firmware patch to resolve the security issue.

A security fix has been issued on the "single board" version of DTS. However, dual board, Capsule Digi Connect ES converted to DTS, and Capsule Digi Connect ES versions of the portal will not be patched due to "technical limitations."

"Capsule recommends that customers with any of these three versions of DTS disable the embedded web server to mitigate the vulnerability," the company said. "The web server is only utilized for configuration during the initial deployment and is not necessary for continued remote support of the device."

Qualcomm Life is unaware of any active exploits of this vulnerability in the wild and said the bug does not impact any other Capsule Technologies products.

Last year, the US Food and Drug Administration (FDA) issued a voluntary recall of Abbott's pacemakers -- formerly St. Jude Medical -- for firmware updates.

Critical vulnerabilities were discovered in the crucial medical devices and the recall gave patients the option of visiting a hospital to have security patches applied. However, the recall was voluntary as there was a small risk of complete functional loss.

A basic guide to diving in to the dark web

Previous and related coverage

Editorial standards