
No Patches for Hospital Temperature Monitors' Critical Flaws

Researchers Say Manufacturer Proges Plus Hasn't Responded to Vulnerability Findings
Temperature monitors made by Proges Plus and used in hospitals have unpatchable vulnerabilities, says Nozomi Networks. (Image: Shutterstock)

Vulnerabilities in internet-connected temperature monitoring devices used mainly in hospitals, and in their accompanying desktop application, could allow attackers to gain administrator privileges over the system.


Researchers at Nozomi Networks uncovered four vulnerabilities in Sensor Net Connect and three flaws in the Thermoscan IP desktop application, both made by a division of French firm Proges Plus.

The system is designed for environments such as hospitals where temperatures must be held within tight limits. One flaw, tracked as CVE-2024-31202, would allow a user with only basic access to the Thermoscan IP application to create new accounts and assign them admin-level privileges. Real-world examples of users who might already have basic access to the desktop application include maintenance contractors and third-party applications, Nozomi said in a Thursday blog post.
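The following is an added illustration, not code from Thermoscan IP or Proges Plus and not a claim about the confirmed root cause of CVE-2024-31202. It models the effect the article describes (a basic user creating an account and handing it admin rights) as an account-creation routine that trusts the role supplied by any authenticated caller, and sets it beside a hardened version that checks the caller's own role first. The directory contents, user names and role names are constructed for the example.

```python
"""Hypothetical model of a basic user creating admin-level accounts.

Added example: neither function is vendor code. `create_account_vulnerable`
reproduces the effect described in the article; `create_account_hardened`
adds the authorization check that prevents it.
"""
from dataclasses import dataclass, field

ROLES = ("basic", "admin")  # constructed role names for the example


@dataclass
class Directory:
    users: dict = field(default_factory=dict)  # username -> role


def create_account_vulnerable(d: Directory, actor: str, new_user: str, role: str) -> str:
    """Any authenticated caller may create an account and pick its role (the failure mode)."""
    if actor not in d.users:
        raise PermissionError("unauthenticated")
    if role not in ROLES:
        raise ValueError("unknown role")
    d.users[new_user] = role
    return role


def create_account_hardened(d: Directory, actor: str, new_user: str, role: str) -> str:
    """Only admins may create accounts; everyone else is refused before any write happens."""
    if actor not in d.users:
        raise PermissionError("unauthenticated")
    if role not in ROLES:
        raise ValueError("unknown role")
    if d.users[actor] != "admin":
        raise PermissionError(f"{actor} ({d.users[actor]}) may not create accounts")
    if new_user in d.users:
        raise ValueError("account already exists")
    d.users[new_user] = role
    return role


def demo() -> dict:
    """Run both variants from the same constructed directory and report the outcome."""
    start = {"admin1": "admin", "contractor": "basic"}  # constructed roster
    out = {}
    v = Directory(dict(start))
    # A basic-access contractor creates an admin account in the vulnerable model.
    out["vulnerable"] = create_account_vulnerable(v, "contractor", "backdoor", "admin")
    h = Directory(dict(start))
    try:
        create_account_hardened(h, "contractor", "backdoor", "admin")
        out["hardened"] = "allowed"
    except PermissionError:
        out["hardened"] = "denied"
    out["hardened_users"] = sorted(h.users)
    return out


if __name__ == "__main__":
    print(demo())
```

The hardened variant deliberately makes the authorization decision from the caller's stored role, never from anything the request carries; the role of the account being created is only considered once the caller has already been confirmed as an admin.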

The researchers said attackers could use their access to exfiltrate sensitive data or compromise temperature monitoring integrity. In the United States, authorities have long warned that medical devices are potential avenues for hackers, given manufacturers' tendency to not subject their products to security testing during development or post-sale.

If vulnerabilities are discovered in devices, many remain unpatched, especially if the devices are used in smaller medical practices that lack full-time cybersecurity support. A 2022 warning from the FBI cited research that says medical devices on average carry 6.2 vulnerabilities and that more than half of networked devices in hospitals have known critical flaws.

A 2023 U.S. law requires manufacturers to hew to enhanced cybersecurity requirements when submitting new devices for federal approval, including by demonstrating a device's ability to be updated and patched, as well as proving the efficacy of their security controls and testing procedure (see: Exclusive: FDA Leader on Impact of New Medical Device Law).

Nozomi said it attempted to contact Proges Plus multiple times, directly and indirectly through the U.S. CERT Coordination Center, but received no response. Information Security Media Group has requested comment from the company.

Because the vendor has released neither patches nor mitigation advice, Nozomi recommends isolating the temperature monitoring infrastructure so that ordinary clients cannot reach the web configuration interface. The firm also suggests regularly reviewing logs and account activity for signs of suspicious or malicious behavior.
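One way to act on the log-monitoring recommendation, as an added example that is not part of the original article or of Nozomi's or Proges Plus's tooling: a small detector that reads account events and flags account creations or role changes performed by non-admin actors, any grant of the admin role, and logins by accounts absent from a baseline roster. The log line format, the sample events and the baseline roster are all constructed for the example; the real Thermoscan IP log format is not described on this page.

```python
"""Added example: flag suspicious account activity in application logs.

Constructed line format (an assumption, not the vendor's format):
  <ISO timestamp> actor=<user> action=<create_user|set_role|login> [target=<user>] [role=<role>]
"""
import re
from typing import Dict, List

# Constructed sample events: a basic-access contractor creates an admin
# account, which then promotes the contractor.
SAMPLE_LOG = """\
2024-06-20T08:01:10Z actor=admin1 action=login
2024-06-20T08:02:44Z actor=admin1 action=create_user target=nurse07 role=basic
2024-06-20T13:40:05Z actor=hvac_contractor action=login
2024-06-20T13:41:12Z actor=hvac_contractor action=create_user target=svc_maint role=admin
2024-06-20T13:42:30Z actor=svc_maint action=login
2024-06-20T13:43:01Z actor=svc_maint action=set_role target=hvac_contractor role=admin
2024-06-21T02:15:00Z actor=admin1 action=login
"""

# Baseline roster of accounts and roles known before the log window (constructed).
KNOWN_ROLES: Dict[str, str] = {"admin1": "admin", "hvac_contractor": "basic"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+)"
    r"(?: target=(?P<target>\S+))?(?: role=(?P<role>\S+))?$"
)


def parse(log: str) -> List[dict]:
    """Parse lines matching the constructed format; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(log: str, known_roles: Dict[str, str]) -> List[str]:
    """Return one alert string per suspicious event.

    Roles are tracked as the log changes them, so a chain of grants
    (contractor creates admin, new admin promotes contractor) is followed
    rather than judged only against the stale baseline.
    """
    roles = dict(known_roles)
    alerts: List[str] = []
    for e in parse(log):
        actor_role = roles.get(e["actor"], "unknown")
        if e["action"] in ("create_user", "set_role"):
            target, role = e["target"], e["role"] or "unknown"
            if actor_role != "admin":
                alerts.append(
                    f"{e['ts']} {e['action']} by non-admin {e['actor']} ({actor_role}) on {target}"
                )
            if role == "admin":
                alerts.append(f"{e['ts']} admin role granted to {target} by {e['actor']}")
            roles[target] = role
        elif e["action"] == "login" and e["actor"] not in known_roles:
            alerts.append(f"{e['ts']} login by account not in baseline roster: {e['actor']}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_ROLES):
        print(a)
```

Every admin grant is reported regardless of who performed it, because in an environment where the application itself may hand out admin rights to basic users, the creation of any new admin account is the event worth a human's attention; the baseline roster check catches the new account the moment it is used.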

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
