Philips Delays Fix for Cardiograph Cybersecurity Vulnerabilities

Philips does not intended to fix cybersecurity vulnerabilities in its PageWriter Cardiograph devices, which could allow attackers to modify settings on the devices, until mid-year 2019, according to an August 16 advisory from ICS-CERT. The PageWriter TC10, TC20, TC30, TC50, TC70 Cardiograph devices suffer from improper input validation and use of hard-coded credentials, the advisory noted. With the improper input validation, the PageWriter device does not sanitize data entered by user, which can lead to buffer overflow or format string vulnerabilities, the advisory noted. And the hard-coded credentials vulnerability could enable an attacker with both the superuser password and physical access to enter the superuser password and access and modify all settings on the device.