Menu
Fake patient data could have been uploaded through SAP medical app

Fake patient data could have been uploaded through SAP medical app

SAP has patched the issue, which affected Electronic Medical Records Unwired

SAP has fixed two flaws in a mobile medical app, one of which could have allowed an attacker to upload fake patient data.

The issues were found in SAP's Electronic Medical Records (EMR) Unwired, which stores clinical data about patients including lab results and images, said Alexander Polyakov, CTO of ERPScan, a company based in Palo Alto, California, that specializes in enterprise application security.

Researchers with ERPScan found a local SQL injection flaw that could allow other applications on a mobile device to get access to an EMR Unwired database. That's not supposed to happen, as mobile applications are usually sandboxed to prevent other applications from accessing their data.

"For example, you can upload malware to the phone, and this malware will be able to get access to this embedded database of this health care application," Polyakov said in a phone interview.

They also found another issue in EMR Unwired where an attacker could tamper with a configuration file and then change medical records stored on the server, according to an ERPScan advisory.

"You can send fake information about the medical records, so you can imagine what can be done after that," Polyakov said. "You can say, 'This patient is not ill'."

SAP fixed both of the issues about a month ago, Polyakov said.

The German software giant also fixed another flaw about a week ago found by ERPScan researchers, which affected its Mobile Device Management software, a mobile client that allows access to the company's other business applications.

The issue was a server-side buffer overflow that could cause a denial-of-service attack, according to an advisory. That may not seem serious, but that server software accepts supply-chain reports from the field and is also used by executives to get access to business-critical data, Polyakov said.

"If you can disable the mobile server for at least an hour, the supply chain of the company can be stopped, so you can imagine how bad it can be for a company," Polyakov said.

The vulnerability is not remotely exploitable, so an attacker would need to have access to a SAP Mobile Device Management client, he said. But that would be accessible from inside the company and possibly from third-parties, he added.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags applicationssecurityenterprise resource planningSAPsoftwareExploits / vulnerabilitiesERPScanbusiness intelligence

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Show Comments