Researchers: Thousands of Medical Devices Are Vulnerable To Hacking

← Back to Stories (view on slashdot.org)

Researchers: Thousands of Medical Devices Are Vulnerable To Hacking

Posted by samzenpus on Wednesday September 30, 2015 @12:30PM from the soft-targets dept.

itwbennett writes: At the DerbyCon security conference, researchers Scott Erven and Mark Collao explained how they located Internet-connected medical devices by searching for terms like 'radiology' and 'podiatry' in the Shodan search engine. Some systems were connected to the Internet by design, others due to configuration errors. And much of the medical gear was still using the default logins and passwords provided by manufacturers. 'As these devices start to become connected, not only can your data gets stolen but there are potential adverse safety issues,' Erven said.

21 of 29 comments (clear)

Min score:

Reason:

Sort:

well, of course by turkeydance · 2015-09-30 12:37 · Score: 1

every-damn-thing is, IF it's connected. once.
1. Re:well, of course by Anonymous Coward · 2015-09-30 13:06 · Score: 5, Insightful
  
  It's not a vendor issue. Hospitals/practices should be using segregation in their networks, e.g.: VLANs. While there are use cases for accessing various medical equipment within the confines of the hospital/practice (monitoring, alarms, etc.) there's no reason they need access to the open internet.
2. Re:well, of course by davester666 · 2015-09-30 13:33 · Score: 3, Funny
  
  How else can the doctor check your status from the golf course? Talking on the phone might disturb the other person while they are taking a stroke.
  
  --
  Sleep your way to a whiter smile...date a dentist!
3. Re:well, of course by jellomizer · 2015-09-30 21:16 · Score: 1
  
  That is true, but hospitals like hiring yes men to manage their IT.
  So Doctor will abuse the "Medically necessary" excuse for the quickest and easiest setup so they get to play with there new toys faster.
  If the hospital hired more competent staff the doctors have fits and may leave the organization because we will not give them access to install Dropbox or allow there PC to use USB sticks.
  Also MD for some reason feel like they are qualified to make such decisions as somehow there degree makes them qualified for all levels of work. Not realizing that other people who may not have the Dr. Title in their name may still be a specialist in their field and knows what needs to be done far more then they do.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
4. Re:well, of course by nhat11 · 2015-09-30 23:35 · Score: 2
  
  Depend on the doctor, they could be so busy they could care less about security, it's more of the managers who run the hospitals that should be responsible for more security.
5. Re:well, of course by Orestesx · 2015-10-01 08:11 · Score: 1
  
  Managers are at the mercy of the doctors. Physicians control the balance in power. Sometimes even the CIO is a physician.
DUH... by Lumpy · 2015-09-30 12:46 · Score: 3, Informative

Most anyone that has dealt with these devices have known this for a decade. Almost all MRI machines are insecure in every way. Hell even the little drug dose meter boxes have an open serial port on them.

--
Do not look at laser with remaining good eye.
1. Re:DUH... by Michael+Woodhams · 2015-09-30 13:51 · Score: 2
  
  But the people who have the power to change the situation either don't know, don't think it is important, or don't care enough to act. Research like this can change one of the above.
  
  --
  Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
2. Re:DUH... by jellomizer · 2015-09-30 21:18 · Score: 1
  
  The serial port can be secured with chewing gum.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
3. Re:DUH... by Lumpy · 2015-10-01 01:51 · Score: 1
  
  The real answer is that they do know and they don't care at all in any way. IT has been shown to them in plush meeting rooms on the big projector screen while they sit in their $12,000 chair. They are told about every problem and they just do not care in any way.
  The fix is to make Hospital Administrators Personally liable for any data breach, and to allow suing the Executives and Board members of companies directly for selling highly vulnerable equipment.
  
  --
  Do not look at laser with remaining good eye.
this is the third time you posted this by WillAffleckUW · 2015-09-30 13:05 · Score: 1

Meanwhile, Win 10 is pushing updates without asking that have bricked some computers.
Heck, would you like to post how any car since 1992 can easily be hacked remotely?

--
-- Tigger warning: This post may contain tiggers! --
IT in health by Anonymous Coward · 2015-09-30 13:36 · Score: 5, Interesting

Speaking as a contractor that looks after a number of health organisation in Australia.
All devices that we are putting in are vlaned and have specific firewall rules so that
a. They can only contact the IP and port of the govt server that requires the information from the device.
b. Nothing on both the internal network and the external network cannot get access to it all.

Other than that, there is nothing we can do. The govt IT manages those devices including passwords.
We also have to deal with computer illiterate health professionals which certainly doesn't help with the whole situation.
Send for CSI: Cyber :) by nickweller · 2015-09-30 14:08 · Score: 1

"this show is amazing. it's like the howard the duck of tv shows. it's a show about technology that uses 0% real technology." ref
1. Re: Send for CSI: Cyber :) by nickweller · 2015-10-01 05:03 · Score: 1
  
  @Anonymous Coward: "And yet it's popular, it influences the public's perception of technology and will in turn influence lawmakers. No tech article, no website and no blog post will ever claim a hundredth as much. Old media is ripping the internet to shreds with a vengeance and nobody is going to stop them."
  
  Mr. Robot managed to be 'thrilling' and yet technically accurate at the same time. Except most techies don't want to bring down the financial system and have and invisible friend :)
There was an episode of Law & Order about this by nintendoeats · 2015-09-30 14:37 · Score: 1

And I'm pretty sure it was made in the 90s.
Re:Why is this a problem? by AchilleTalon · 2015-09-30 15:52 · Score: 2

So, you believe hackers are all acting rationally. How do you explain Mafia Boy and the likes? What did he gain from flooding Yahoo and other with a DDoS attack? Would you trust a medical result from a poorly protected medical device which may lead to a cancer diagnostic or something which in turn may lead to very bad, costly and inconvenient side effects? Hacking doesn't just mean the medical device is out of service, it can be much more subtle. You may just gather medical data to resell, blackmail, etc.

--
Achille Talon
Hop!
Re:I doubt it by polymath69 · 2015-09-30 16:01 · Score: 1

If only.
I wear a few medical devices which talk to each other, and other things, wirelessly. I have seen firsthand that the main device can connect to a computer and obey a command to download its history without any indication showing on the screen, no beep or other indication that anything is going on. If it can do that without my permission, what else is it open to? Could it obey a command to, say, silently overdose me?
It is clear from my experience that these devices were designed with convenience in mind, both for the user and the doctor's office, and with security in mind not at all. My worry is mitigated some because I don't believe anyone has it out for me personally.

--

--
I don't want to rule the world... I just want to be in charge of mayonnaise.
Re:I doubt it by Anonymous Coward · 2015-09-30 19:20 · Score: 1

Totally not from a security perspective. The review process (at least here) is mostly how the device handles faults, how it is effective, and how it will not damage the patient.
Software review is basically providing a trace document that you make yourself and is rubber stamped. Security holes are exempt, since the device is only required to be resistant against accidental errors, not malicious things.
Re:Why is this a problem? by CSG_SurferDude · 2015-10-01 01:40 · Score: 2

Multiple reasons why somebody would target these servers (BTW: I was at the talk. Their video is at http://www.irongeek.com/i.php?... . )
Anyways, IMHO, reasons:
1) As a gateway into the hospital so you can pwn servers to DDOS others
2) As a gateway into medical records so you can better phish, or possibly blackmail your targets

--
LongTail SSH Brute Force analysis tool is here!
consider what's required to change it by Goldsmith · 2015-10-01 02:18 · Score: 1

Medical devices are highly regulated. Clinical trials are extremely expensive to run, and the FDA can demand new clinical trials every time you push through a software update. At the very least, you have to file with the FDA (for every single software update) a document demonstrating that nothing substantial was changed in the operating of the device.
Re:Why is this a problem? by hink · 2015-10-01 03:29 · Score: 1

That's exactly the problem - they can do it easily, and they might not get caught. The process can be scripted, then it can be automated to be done RAPIDLY. Perhaps even using a server inside the hospital.

Never underestimate the willingness of bored stupid self-absorbed idiots to do something that makes them feel powerful for little investment on their part.

--
- speaking only for myself, as always