Researchers: Thousands of Medical Devices Are Vulnerable To Hacking

itwbennett writes: At the DerbyCon security conference, researchers Scott Erven and Mark Collao explained how they located Internet-connected medical devices by searching for terms like 'radiology' and 'podiatry' in the Shodan search engine. Some systems were connected to the Internet by design, others due to configuration errors. And much of the medical gear was still using the default logins and passwords provided by manufacturers. 'As these devices start to become connected, not only can your data gets stolen but there are potential adverse safety issues,' Erven said.

29 comments

  1. well, of course by turkeydance · · Score: 1

    every-damn-thing is, IF it's connected. once.

    1. Re:well, of course by Anonymous Coward · · Score: 0

      And when you ask the vendor to fix it they cry "the FDA won't let us patch them".

    2. Re:well, of course by Anonymous Coward · · Score: 5, Insightful

      It's not a vendor issue. Hospitals/practices should be using segregation in their networks, e.g.: VLANs. While there are use cases for accessing various medical equipment within the confines of the hospital/practice (monitoring, alarms, etc.) there's no reason they need access to the open internet.

    3. Re:well, of course by davester666 · · Score: 3, Funny

      How else can the doctor check your status from the golf course? Talking on the phone might disturb the other person while they are taking a stroke.

      --
      Sleep your way to a whiter smile...date a dentist!
    4. Re:well, of course by jellomizer · · Score: 1

      That is true, but hospitals like hiring yes men to manage their IT.
      So the doctor will abuse the "medically necessary" excuse for the quickest and easiest setup so they get to play with their new toys faster.
      If the hospital hired more competent staff, the doctors would have fits and may leave the organization because we will not give them access to install Dropbox or allow their PC to use USB sticks.
      Also, MDs for some reason feel like they are qualified to make such decisions, as somehow their degree makes them qualified for all levels of work. Not realizing that other people who may not have the Dr. title in their name may still be specialists in their field and know what needs to be done far more than they do.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:well, of course by nhat11 · · Score: 2

      Depends on the doctor; they could be so busy they could care less about security. It's more the managers who run the hospitals that should be responsible for more security.

    6. Re:well, of course by Orestesx · · Score: 1

      Managers are at the mercy of the doctors. Physicians control the balance in power. Sometimes even the CIO is a physician.

  2. DUH... by Lumpy · · Score: 3, Informative

    Most anyone that has dealt with these devices has known this for a decade. Almost all MRI machines are insecure in every way. Hell, even the little drug dose meter boxes have an open serial port on them.

    --
    Do not look at laser with remaining good eye.
    1. Re:DUH... by Michael+Woodhams · · Score: 2

      But the people who have the power to change the situation either don't know, don't think it is important, or don't care enough to act. Research like this can change one of the above.

      --
      Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
    2. Re:DUH... by jellomizer · · Score: 1

      The serial port can be secured with chewing gum.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:DUH... by Lumpy · · Score: 1

      The real answer is that they do know and they don't care at all in any way. IT has been shown to them in plush meeting rooms on the big projector screen while they sit in their $12,000 chair. They are told about every problem and they just do not care in any way.

      The fix is to make Hospital Administrators Personally liable for any data breach, and to allow suing the Executives and Board members of companies directly for selling highly vulnerable equipment.

      --
      Do not look at laser with remaining good eye.
  3. " ... not only can your data gets stolen ..." by Anonymous Coward · · Score: 0

    ... by those tricksy hobbitses ...

    Proofreading. Try it.

  4. this is the third time you posted this by WillAffleckUW · · Score: 1

    Meanwhile, Win 10 is pushing updates without asking that have bricked some computers.

    Heck, would you like to post how any car since 1992 can easily be hacked remotely?

    --
    -- Tigger warning: This post may contain tiggers! --
  5. IT in health by Anonymous Coward · · Score: 5, Interesting

    Speaking as a contractor that looks after a number of health organisations in Australia.
    All devices that we are putting in are VLANed and have specific firewall rules so that
    a. They can only contact the IP and port of the govt server that requires the information from the device.
    b. Nothing on either the internal network or the external network can get access to them at all.

    Other than that, there is nothing we can do. The govt IT manages those devices including passwords.
    We also have to deal with computer illiterate health professionals which certainly doesn't help with the whole situation.
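The two comments above (the VLAN segregation point and the two firewall rules a. and b.) describe a small allow-list policy for a medical-device network: one permitted outbound flow to a single reporting server and port, nothing else out, nothing in. The following block is an added example written for this page, not code from the commenters or from any hospital or vendor; it models that policy as a first-match packet filter and checks a set of probe flows against it, so the isolation claim can be verified before the rules are pushed to real equipment. The addresses, the device VLAN range, the "govt server" IP and port 443 are all assumptions constructed for the example.

```python
"""Model of the device-VLAN allow-list described in the thread above.

Added example, not from the original page. Rules are evaluated first-match,
top to bottom, like a stateless packet filter; anything unmatched is denied.
All addresses below are constructed for the example (TEST-NET / RFC 1918).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int] = None  # None means any port
    proto: Optional[str] = None  # None means any protocol

    def matches(self, flow: Flow) -> bool:
        """True when every populated field of the rule matches the flow."""
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == flow.dport)
            and (self.proto is None or self.proto == flow.proto)
        )


# Assumed topology (constructed): medical devices on their own VLAN,
# a general hospital LAN, and the single external server the devices report to.
DEVICE_VLAN = "10.50.0.0/24"
HOSPITAL_LAN = "10.10.0.0/16"
GOVT_SERVER = "203.0.113.10/32"   # assumed reporting server (TEST-NET-3)
GOVT_PORT = 443                    # assumed reporting port
ANY = "0.0.0.0/0"

# The policy from the comment, in rule form:
#   (a) devices may reach only the reporting server on its one port
#   (b) nothing internal or external may initiate a connection to the devices
POLICY: List[Rule] = [
    Rule("allow", DEVICE_VLAN, GOVT_SERVER, GOVT_PORT, "tcp"),   # (a)
    Rule("deny",  DEVICE_VLAN, ANY),                             # no other egress
    Rule("deny",  ANY,         DEVICE_VLAN),                     # (b) no ingress
]


def evaluate(policy: List[Rule], flow: Flow, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return default


# Probe flows with the verdict the policy is supposed to produce (constructed).
PROBES: List[Tuple[Flow, str]] = [
    (Flow("10.50.0.7", "203.0.113.10", 443), "allow"),   # the one permitted flow
    (Flow("10.50.0.7", "203.0.113.10", 80),  "deny"),    # right host, wrong port
    (Flow("10.50.0.7", "8.8.8.8", 443),      "deny"),    # device to the open Internet
    (Flow("10.50.0.7", "10.10.4.2", 445),    "deny"),    # device to hospital LAN
    (Flow("10.10.4.2", "10.50.0.7", 22),     "deny"),    # hospital LAN to device
    (Flow("198.51.100.5", "10.50.0.7", 23),  "deny"),    # Internet to device (telnet)
    (Flow("198.51.100.5", "10.50.0.7", 443), "deny"),    # Internet to device, same port as (a)
]


def violations(policy: List[Rule], probes: List[Tuple[Flow, str]]) -> List[Tuple[Flow, str, str]]:
    """Return (flow, expected, actual) for every probe the policy gets wrong."""
    bad = []
    for flow, expected in probes:
        actual = evaluate(policy, flow)
        if actual != expected:
            bad.append((flow, expected, actual))
    return bad


def broad_allows(policy: List[Rule]) -> List[Rule]:
    """Flag allow rules that leave either side open: a /0 destination or no port."""
    return [
        r for r in policy
        if r.action == "allow"
        and (ipaddress.ip_network(r.dst).prefixlen == 0 or r.dport is None)
    ]


if __name__ == "__main__":
    for flow, _ in PROBES:
        print(f"{flow.src:>14} -> {flow.dst}:{flow.dport:<4} {evaluate(POLICY, flow)}")
    print("violations:", violations(POLICY, PROBES))
    print("broad allow rules:", broad_allows(POLICY))
```

The model is stateless, so it only answers the question "who may open a connection to whom"; a real firewall enforcing rule a. must also pass the return traffic of that connection, which is what stateful inspection (connection tracking) is for, and must not be implemented as a reverse allow from the server to the device VLAN, since that would punch the hole rule b. is meant to close. `broad_allows` is the check to run on any edit to the ruleset: an allow rule whose destination is `0.0.0.0/0` or whose port is unrestricted is the configuration error the summary describes.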

  6. So Raytheon gets another billion $? by Anonymous Coward · · Score: 0

    So no doubt Raytheon will get another no-bid $billion contract to 'secure' hospitals.

    https://www.youtube.com/watch?v=b0w36GAyZIA

  7. I doubt it by samantha · · Score: 0

    Medical devices really get put through a very, very anal (no pun intended, eww) process before receiving regulatory approval. While I am not claiming that process is perfect, they are some of the safest and most tamper- and foolproof devices produced. So I conclude this article is basically FUD.

    1. Re:I doubt it by polymath69 · · Score: 1

      If only.

      I wear a few medical devices which talk to each other, and other things, wirelessly. I have seen firsthand that the main device can connect to a computer and obey a command to download its history without any indication showing on the screen, no beep or other indication that anything is going on. If it can do that without my permission, what else is it open to? Could it obey a command to, say, silently overdose me?

      It is clear from my experience that these devices were designed with convenience in mind, both for the user and the doctor's office, and with security in mind not at all. My worry is mitigated some because I don't believe anyone has it out for me personally.

      --
      I don't want to rule the world... I just want to be in charge of mayonnaise.
    2. Re:I doubt it by Anonymous Coward · · Score: 1

      Totally not from a security perspective. The review process (at least here) is mostly how the device handles faults, how it is effective, and how it will not damage the patient.

      Software review is basically providing a trace document that you make yourself and is rubber stamped. Security holes are exempt, since the device is only required to be resistant against accidental errors, not malicious things.

  8. Send for CSI: Cyber :) by nickweller · · Score: 1

    "this show is amazing. it's like the howard the duck of tv shows. it's a show about technology that uses 0% real technology." ref

    1. Re: Send for CSI: Cyber :) by Anonymous Coward · · Score: 0

      And yet it's popular, it influences the public's perception of technology and will in turn influence lawmakers. No tech article, no website and no blog post will ever claim a hundredth as much. Old media is ripping the internet to shreds with a vengeance and nobody is going to stop them.

    2. Re: Send for CSI: Cyber :) by nickweller · · Score: 1

      @Anonymous Coward: "And yet it's popular, it influences the public's perception of technology and will in turn influence lawmakers. No tech article, no website and no blog post will ever claim a hundredth as much. Old media is ripping the internet to shreds with a vengeance and nobody is going to stop them."

      Mr. Robot managed to be 'thrilling' and yet technically accurate at the same time. Except most techies don't want to bring down the financial system and have an invisible friend :)

  9. 2 words by Anonymous Coward · · Score: 0

    Embedded XP!

    And they never get updated, since that would likely require re-authorization for that equipment state, by the FDA. Which, costs the vendor money, which they are loathe to spend.

    Why yes, I do work in IT in a VERY large state healthcare system.

  10. Why is this a problem? by maple_shaft · · Score: 0

    Perhaps this is my failure to truly understand the scope of the problem, but where is the real motivation for hackers to compromise MRI machines and CAT scanners? Seriously. Why would somebody go to any level of effort and for that matter risk the felony charges that would come as a result?

    I am not questioning that such a thing would be a violation of privacy. I am also not questioning that there is potential for serious harm to be maliciously done to or against somebody. I merely question the scope of the threat in terms of motivating factors. It is clear to me the motivating factor of compromising email. Serious hackers are motivated by Nationalism/Activism, financial gain, or sexual thrill/lulz. Hack the email account of important people or enemies and use private information to damage them or their cause. This can also get you closer to hacking their bank account for money, or possibly finding lewd or compromising content that can be used to blackmail them for money. Or maybe you are just doing it for the thrill of potentially finding sexual content that others are not supposed to see.

    Beyond just the occasional script kiddie doing it for the lulz, I don't see many motivating factors to go through the trouble. Even if you leave the door to your house wide open, the vast majority of people won't risk walking in, especially if they know there is little of value in the house, and especially if they know the danger of being caught. It is still trespassing even if your door is open because of the fact that you weren't invited.

    1. Re:Why is this a problem? by AchilleTalon · · Score: 2

      So, you believe hackers are all acting rationally. How do you explain Mafia Boy and the likes? What did he gain from flooding Yahoo and others with a DDoS attack? Would you trust a medical result from a poorly protected medical device which may lead to a cancer diagnosis or something which in turn may lead to very bad, costly and inconvenient side effects? Hacking doesn't just mean the medical device is out of service; it can be much more subtle. You may just gather medical data to resell, blackmail, etc.

      --
      Achille Talon
      Hop!
    2. Re:Why is this a problem? by CSG_SurferDude · · Score: 2

      Multiple reasons why somebody would target these servers (BTW: I was at the talk. Their video is at http://www.irongeek.com/i.php?... . )

      Anyways, IMHO, reasons:
      1) As a gateway into the hospital so you can pwn servers to DDOS others
      2) As a gateway into medical records so you can better phish, or possibly blackmail your targets

    3. Re:Why is this a problem? by hink · · Score: 1

      That's exactly the problem - they can do it easily, and they might not get caught. The process can be scripted, then it can be automated to be done RAPIDLY. Perhaps even using a server inside the hospital.

      Never underestimate the willingness of bored stupid self-absorbed idiots to do something that makes them feel powerful for little investment on their part.

      --
      - speaking only for myself, as always
  11. There was an episode of Law & Order about this by nintendoeats · · Score: 1

    And I'm pretty sure it was made in the 90s.

  12. consider what's required to change it by Goldsmith · · Score: 1

    Medical devices are highly regulated. Clinical trials are extremely expensive to run, and the FDA can demand new clinical trials every time you push through a software update. At the very least, you have to file with the FDA (for every single software update) a document demonstrating that nothing substantial was changed in the operating of the device.