Researchers: Thousands of Medical Devices Are Vulnerable To Hacking
itwbennett writes: At the DerbyCon security conference, researchers Scott Erven and Mark Collao explained how they located Internet-connected medical devices by searching for terms like 'radiology' and 'podiatry' in the Shodan search engine. Some systems were connected to the Internet by design, others due to configuration errors. And much of the medical gear was still using the default logins and passwords provided by manufacturers. 'As these devices start to become connected, not only can your data get stolen but there are potential adverse safety issues,' Erven said.
Most anyone that has dealt with these devices has known this for a decade. Almost all MRI machines are insecure in every way. Hell, even the little drug dose meter boxes have an open serial port on them.
Do not look at laser with remaining good eye.
It's not a vendor issue. Hospitals/practices should be using segregation in their networks, e.g., VLANs. While there are use cases for accessing various medical equipment within the confines of the hospital/practice (monitoring, alarms, etc.), there's no reason they need access to the open internet.
How else can the doctor check your status from the golf course? Talking on the phone might disturb the other person while they are taking a stroke.
Sleep your way to a whiter smile...date a dentist!
Speaking as a contractor that looks after a number of health organisations in Australia.
All devices that we are putting in are VLANed and have specific firewall rules so that:
a. They can only contact the IP and port of the govt server that requires the information from the device.
b. Nothing on either the internal network or the external network can get access to it at all.
Other than that, there is nothing we can do. The govt IT manages those devices including passwords.
We also have to deal with computer illiterate health professionals which certainly doesn't help with the whole situation.
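The policy described in the comment above (the device VLAN may reach only one server IP and port, and nothing may reach the devices), written as a static check over a firewall rule list. This is an added example, not part of the thread: the addresses, the rule-tuple format and the `audit` function are constructed for illustration, and a stateful firewall that handles return traffic is assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (private and documentation ranges), not from the thread.
DEVICE_VLAN = ip_network("10.20.30.0/24")      # hypothetical medical-device VLAN
COLLECTOR = (ip_address("203.0.113.10"), 443)  # hypothetical government server

# Constructed rule set: (action, source, destination, dest port or None for any)
RULES = [
    ("allow", "10.20.30.0/24", "203.0.113.10/32", 443),
    ("allow", "10.20.30.0/24", "0.0.0.0/0", 80),      # too broad: open internet
    ("allow", "10.0.0.0/8", "10.20.30.0/24", None),   # internal hosts reach devices
    ("deny", "0.0.0.0/0", "10.20.30.0/24", None),
]

def audit(rules, vlan=DEVICE_VLAN, collector=COLLECTOR):
    """Return (index, reason) for every allow rule that breaks the policy."""
    findings = []
    for i, (action, src, dst, port) in enumerate(rules):
        if action != "allow":
            continue
        src_net, dst_net = ip_network(src), ip_network(dst)
        if dst_net.overlaps(vlan) and not src_net.subnet_of(vlan):
            # (b) no host outside the VLAN may initiate traffic to the devices
            findings.append((i, "inbound access to device VLAN"))
        elif src_net.overlaps(vlan):
            # (a) egress must be exactly the collector's IP and port
            exact = (dst_net.num_addresses == 1
                     and dst_net.network_address == collector[0]
                     and port == collector[1])
            if not exact:
                findings.append((i, "egress beyond collector IP/port"))
    return findings

if __name__ == "__main__":
    for idx, reason in audit(RULES):
        print(f"rule {idx}: {reason} -> {RULES[idx]}")
```

The check looks at each allow rule on its own and does not model rule ordering, so a finding means the rule is broader than the policy even if an earlier deny would shadow it.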
So, you believe hackers are all acting rationally. How do you explain Mafia Boy and the like? What did he gain from flooding Yahoo and others with a DDoS attack? Would you trust a medical result from a poorly protected medical device which may lead to a cancer diagnosis or something which in turn may lead to very bad, costly and inconvenient side effects? Hacking doesn't just mean the medical device is out of service, it can be much more subtle. You may just gather medical data to resell, blackmail, etc.
Achille Talon
Hop!
Depends on the doctor; they could be so busy they could care less about security. It's more the managers who run the hospitals that should be responsible for more security.
Multiple reasons why somebody would target these servers (BTW: I was at the talk. Their video is at http://www.irongeek.com/i.php?... . )
Anyways, IMHO, reasons:
1) As a gateway into the hospital so you can pwn servers to DDOS others
2) As a gateway into medical records so you can better phish, or possibly blackmail your targets
LongTail SSH Brute Force analysis tool is here!