Epidemic: Researchers Find Thousands of Medical Systems Exposed to Hackers

by Paul Roberts
Thousands of medical devices installed in clinical settings can be accessed from the public Internet using default credentials, researchers revealed at a security conference over the weekend.
Thousands of medical devices installed in clinical settings can be accessed from the public Internet using default credentials, researchers revealed at a security conference over the weekend.

In-brief: Thousands of clinical systems are exposed to remote attacks according to researchers, who say that poorly designed and loosely configured medical devices are a major source of insecurity. 

Researchers looking into the security of medical devices have found thousands of sensitive systems that are exposed to the Internet and vulnerable to remote attack, including drug infusion systems, MRI imaging machines, anesthesia systems and more.

The researchers combined searches for vulnerable medical devices using the Shodan search engine with further reconnaissance. They discovered information on 68,000 systems, many of which could be attacked directly from the public Internet. Also exposed were third party organizations and healthcare systems, including external radiology clinics.

Among the organizations exposed by way of vulnerable medical devices was a “very large US healthcare system” with more than 12,000 employees and 3,000 physicians working for it, according to Scott Erven of the firm Protiviti said at the conference.

Erven and Mark Collao, of Neohapsis (now owned by Cisco), presented their findings at the Derbycon security conference in Louisville, Kentucky, on Saturday. Erven has spent three years researching medical device security and has presented evidence that medical environments are rife with vulnerable devices, many containing valuable and regulated patient health information. He has presented some of the findings of his research before, including this talk at the 2014 DEFCON conference in Las Vegas.

The researchers found many of the vulnerable systems simply by using the Shodan search engine to look for hosts that were listening for connections on potentially vulnerable ports like 445, which is used by Windows systems for SMB (Server Message Block) traffic used to manage file sharing and other sensitive activities.

The researchers limited their searches to host names with words like “health,” “clinic,” “hospital” or “MRI,” that suggested they were deployed in clinical settings. Even then, the Shodan searches turned up hundreds and even thousands of publicly accessible systems, Erven said.

Common medical systems like PACS – which is used to store radiologic imagery – are “soft” he said. While the front end-user interfaces to these systems might require authentication to access, those systems typically talk to back-end storage systems that are very often accessible without authentication, Erven said. “Most don’t have NTFS permissions set on the back-end storage. You can just walk in via the IP (address) and grab all these files that are sitting there,” he said.

[Read more Security Ledger coverage of medical device security here.]

Collao said medical environments are susceptible to many different types of attacks. Most hospitals are loosely controlled environments where individuals can easily walk in and get access to a terminal in an unused room.  Even without remote access to an entire medical network, an attacker could combine reconnaissance conducted online by perusing vulnerable systems with physical access to the facility to gain access.

Phishing attacks on employees and clinical staff are also a reliable technique, especially when combined with information gleaned through reconnaissance.

Finally, attackers can easily pivot from exposed clinical systems which often run older versions of Windows to more valuable and secure systems connected to the same network, Collao said.

In one example, Erven and Collao discovered GE Healthcare systems exposed via the Shodan search engine including cardiology systems, nuclear imaging workstations and more. The systems could be accessed using default administrator credentials that was published in GE’s documentation.
“All this information was publicly available and sitting out on GE’s website in the documentation,” Erven said. Even worse, some of the information had been public since 2006, he said. Credentials for services like Telnet and FTP as well as root accounts and service logins were discovered. Passwords were typically weak or easily guessed, the researchers said.  In all, the researchers found 130 sets of credentials used across GE Healthcare’s product line. Among the most common passwords was the word “bigguy.”
While GE’s response to Erven and Collao’s discovery earned the company praise from the researchers, the company’s investigation merely concluded that the credentials were the default values and were, therefore, designed to be changed. But Erven said that GE’s own documentation advises customers not to change credentials or allow password resetting in some instances. Beyond that, secure configuration guidelines from the vendor are often not available.
Finally, a heavy reliance on company documentation by support personnel means that default credentials tend to be reused heavily between customers, he said.
Better security features may be on the way. In October 2014, the U.S. Food and Drug Administration (FDA) issued final guidance that is meant to strengthen the safety of medical devices. The FDA called on medical device manufacturers to consider cyber security risks as part of the design and development of devices.
But improvements might not start showing up for years, given the ponderous device approval process and the tendency of clinical environments to use devices for years, if not decades, with few changes to their configuration.
In the last year, healthcare providers have increasingly been the target of persistent cyber attacks that are aimed at absconding with sensitive patient information. Vulnerable medical devices can act as a beachhead for such attackers to penetrate these networks. Studies also suggest that they may allow malicious software and cyber adversaries to lurk undetected on clinical networks, even as non-clinical systems are closely monitored for threats. In June, for example, a report from the security firm TrapX claimed that attackers are using unprotected medical devices, including radiologic systems, to maintain a foothold on healthcare networks, avoiding detection by security software and IT staff.

Comments are closed.