Iot Patient Header

Misconfiguration in telecom router leaks 30,000 patient data

Comment by Rainer Richter, Director Channels, SEC Technologies

“The Internet of Things is a curse and a blessing at the same time: while networked devices are streamlining our lives and opening up new lucrative business opportunities for businesses, the impact of increased connectivity on our physical and digital security is far worse.

The number of IoT devices is constantly increasing, and so are the risks of misuse, data theft, or dangerous manipulation. One does not even need a lot of hacking skills. If you want to cause a serious data protection incident, just take a conventional telecom router with a simple misconfiguration. While this might sound like a fake news, this happened in a Lower Saxon doctor’s office, quite recently. Their 30,000 sensitive patient and employee data were freely accessible to anyone on the Internet via a Windows server. A true disaster, not only in the eyes of the GDPR.

Who was to blame for this mishap? A simple inadequate configuration of the ports. As investigations revealed, the business router didn’t just open standard port 433 when releasing the service “HTTPS”, but some ten access ports from the Internet. A small mistake that could and did result in serious consequences for the end-user. The incident is a perfect example of the state of our current IoT security. More than 90% of IoT firmware files show critical vulnerabilities, as demonstrated by a review of the IoT Inspector firmware analysis platform. In addition to misconfigurations, the main issues range from hard-coded passwords in the firmware file system, hidden standard user credentials or SSH host keys… be it on network cameras or state-of-the-art children’s toys.

Manufacturers of IoT devices need a quick development cycle and a fast time-to-market. This leaves almost no room for adequately checking any product for potential security breaches even if such security issues are taken seriously. This is risky because dealing with the aftermath and its consequences – for example, in tens of thousands of IoT components used worldwide – is likely to cost you more than an early analysis and possible resolution before rollout. Keep in mind: Prevention is always better than looking for a cure.

Companies and service providers are strongly advised to take the lead and to look for vulnerabilities in devices used. To avoid any further nasty surprises, the firmware on new IoT device needs to be checked for vulnerabilities even before it is in use. There is no other preventive measure to take as doing so will ensure the necessary measures in terms of protection are taken, at the right time.”


ONEKEY is a leading European specialist in product cybersecurity. The unique combination of an automated security & compliance software analysis platform and consulting services by cybersecurity experts provides fast, comprehensive analysis, and solutions in the area of IoT/OT product cybersecurity. Building upon automatically generated “Digital Twins” and “Software Bill of Materials (SBOM)” of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time, and can thus be remediated in a targeted manner. The easy-to-integrate solution enables manufacturers, distributors, and users of IoT technology to quickly and continuously perform 24/7 security and compliance audits throughout the product lifecycle. Leading international companies in Asia, Europe, and America are already successfully benefiting from the ONEKEY platform and experts.


Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150

Share on facebook
Share on twitter
Share on pinterest
Share on linkedin
Share on xing
Share on email