CVE-2017-14014
Description
Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI, enabling physical attackers to decrypt data on removable media.
Vulnerability
The Boston Scientific ZOOM LATITUDE Programmer/Recorder/Monitor (PRM) Model 3120 uses a hard-coded cryptographic key to encrypt protected health information (PHI) before transferring it to removable media. This vulnerability, identified as CWE-321, affects all versions of the ZOOM LATITUDE PRM Model 3120. The hard-coded key is embedded in the device firmware, making it accessible to anyone with physical access to the device or its software [1].
Exploitation
An attacker must have physical access to the device or to the removable media containing encrypted PHI. Since the device is not designed to be network accessible, remote exploitation is not possible. The attacker can extract the hard-coded key from the device (e.g., by analyzing firmware or through direct access) and use it to decrypt any PHI stored on removable media that was encrypted by the device. No authentication or user interaction is required beyond physical possession [1].
Impact
Successful exploitation results in the disclosure of patient health information (PHI), compromising confidentiality. The CVSS v3 base score is 4.6 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no impact on integrity or availability. The attacker gains access to sensitive medical data from implanted pacemakers and defibrillators [1].
Mitigation
Boston Scientific has provided compensating controls to reduce the risk of exploitation, but no software patch is available to remove the hard-coded key. Organizations should implement physical security measures to restrict access to the device and ensure that removable media are handled securely. The device is not network accessible, so network-based mitigations are not applicable. Users should follow the guidance in the ICS-CERT advisory (ICSMA-17-292-01) for recommended compensating controls [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: Model 3120
- Boston Scientific/ZOOM LATITUDE PRM, v5, Range: Model 3120
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/101510 (mitre; vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSMA-17-292-01 (mitre; x_refsource_MISC)