Code Blue: Thousands of Bugs Found on Medical Monitoring System

The Department of Homeland Security warned of hundreds of vulnerabilities in a hospital monitoring system sold by Philips. Security researchers who studied the system said the security holes may number in the thousands.
The Department of Homeland Security warned of hundreds of vulnerabilities in a hospital monitoring system sold by Philips. Security researchers who studied the system said the security holes may number in the thousands.

In-brief: The Department of Homeland Security warned of hundreds of vulnerabilities in a hospital monitoring system sold by Philips. Security researchers who studied the system said the security holes may number in the thousands.

Security researchers analyzing a critical piece of equipment used to monitor patients in hospitals have uncovered thousands of vulnerabilities on the system, including 272 in the monitoring system itself and hundreds more in third-party components that run alongside it.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert on July 14 about the discovery of 460 vulnerabilities in the Philips Xper-IM Connect system, including 360 with a severity rating of “high” or “critical” severity. But an interview with one of the researchers who analyzed the Xper system said that the true number of vulnerabilities was much higher, numbering in the thousands.

Xper IM Connect is a “physiomonitoring” system that is widely used in the healthcare sector to monitor and manage other medical devices. Research by two companies, Synopsys and Whitescope LLC, working in collaboration with Philips, found that the system is directly afflicted by 460 software vulnerabilities, including 272 in the Xper software itself and 188 in the Windows XP operating system that Xper IM runs on. The vulnerabilities include remote code execution flaws that could allow malicious code to be run on the Xper system as well as vulnerabilities that could expose sensitive information stored on Xper systems.

Attacks on the Xper IM could be particularly thorny, because the system acts as a management node for a wide range of other, clinical system, said Mike Ahmadi of Synopsys*, one of two independent researchers who studied the Philips Xper IM Connect software. “You can think of it as the brain,” Ahmadi said. “Everything feeds into it.” That includes electronic health record (EHR) systems and medical devices directly monitoring patient health, he said.

[Read more Security Ledger coverage of medical device security.]

Attackers’ ability to compromise the device would depend on how easy it is to connect to it. Xper IM systems deployed behind hospital firewalls would presumably be protected from casual attacks. But the density of high and critical bugs on the Xper IM Connect platform mean that anyone who could connect to the device from within a hospital network – or the public Internet – wouldn’t have a hard time compromising it, Ahmadi said. “It’s pretty trivial to exploit this without a lot of knowledge,’ He said. “You could use a free tool like Metasploit and point it to the IP address of the (Xper IM Connect) and you’re done,” he said.

While 460 vulnerabilities named in the ICS CERT alert is bad, Ahmadi said that his company’s research with WhiteScope suggests that deployed Xper IM Connect systems may be even more susceptible to hacking. Working with Billy Rios of Whitescope, Ahmadi said he identified 2,882 vulnerabilities on the Xper IM Connect system the two studied. The vast majority of those holes were in third-party software components. For example, the two identified some 1,400 vulnerabilities in just three components: the Firefox and Internet Explorer web browsers as well as Java, Ahmadi said.

“Between 70 percent and 90 percent of the code used on these systems is third-party code,” Ahmadi said. “You have (third-party) libraries that are full of bugs.”

While those vulnerabilities aren’t inherent to the product, and may not exist when a system is first deployed, they accrue over time, as clinicians and IT staff add applications alongside the core medical software. As vulnerabilities arise in each of those third-party components and are not patched the system becomes more and more vulnerable, Ahmadi said.

In the ICS-CERT bulletin, Philips recommends upgrading affected systems to the latest version of the Xper-IM software (Version 1.5 Service Pack 13) and upgrading the operating system to Windows 2008 to resolve the vulnerabilities.

This isn’t the first time that Ahmadi, working with Rios, has warned of a critical hospital system that is rife with security holes. In March, the two reported the discovery of 1,418 vulnerabilities in Pyxis SupplyStation systems – automated supply cabinets used to dispense medical supplies including narcotics within clinical settings.

The dire state of clinical networks is attracting more attention. Earlier this month, for example, researchers at the firm TrapX warned that vulnerable medical device software, often running on machines using outdated operating systems are a chronic problem within healthcare environments.

Attacks against healthcare organizations continue to “pivot around medical devices installed within the hospital’s hardwired networks,” providing backdoor access to hospital networks that allow attackers to work “virtually non-stop” within those environment, TrapX said.

(*) Correction: an earlier version of this story misspelled the name of the firm Synopsys. PFR 8/81/2016

2 Comments

  1. It could bring much more if the Department of Homeland Security would warn: “…of hundreds of vulnerabilities in a hospital monitoring system STILL OPERATED by the hospitals: x,y,z.”
    Why they operate an old system without update?

  2. Pingback: Silent Epidemic: Do Software Errors Already Affect Patient Outcomes? | The Security Ledger