IoT devices vulnerable to Spectre and Meltdown exploitation, patch now

Medical devices running operating systems like Windows, Linux, etc. on processors that could be vulnerable to Meltdown and Spectre.
By Bill Siwicki
08:37 AM
Spectre and Meltdown

Healthcare organizations should use risk management processes to ensure the security of health information and protect against the vulnerabilities stemming from the Spectre and Meltdown threats.

Those chip vulnerabilities could wreak havoc for healthcare cybersecurity, potentially affecting personally identifiable information leakage and medical device security problems, according to an update from the Healthcare Cybersecurity and Communications Integration Center.

[Also: What you need to know about the Spectre and Meltdown processor vulnerabilities]

"Medical devices and supporting medical equipment, may not resemble computers, but may run operating systems (Windows, Linux, etc.) on processors that could be vulnerable to Meltdown and Spectre," said the update from HCCIC. "Contact medical device manufacturers through security portals, if available, for information specific to each medical device and the manufacturer's recommendations for patching medical devices."

Meltdown and Spectre can work around computer defenses and reveal just about all information on a computer, including encrypted data, passwords and more. They affect many processors and operating systems in use today. According to reports, affected processors include Intel, AMD and ARM. Also, according to reports, affected systems include Windows, Linux, Android, Chrome, iOS and MacOS (including laptops, embedded devices, servers, clients, mobile phones and more).

[Also: Infosec pros must accelerate adoption of security policies for mobile, cloud]

According to the new update, the potential for data leaks is greater in situations where infrastructure is shared, such as the cloud.

"The vulnerability is due to the lack of proper checks on JavaScript code, leading to an exploitable information disclosure of browser data," according to the update. "An attacker could exploit the vulnerability by sending a crafted HTML page embedded with malicious JavaScript code. A successful attack could lead to an information leak of sensitive browser information including cookies, credentials, passwords, or payment information a user enters into a browser."

If an organization has not been offered a security update by its relevant software vendors, it could be running incompatible anti-virus software and the organization should follow up with its vendors, the update added.

In describing the Meltdown vulnerability, researchers have characterized it as follows:

"Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. … Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer."

Additionally, "Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary."

Twitter: @SiwickiHealthIT
Email the writer: