Thousands of 'directly hackable' hospital devices exposed online

Hackers make 55,416 logins to MRIs, defibrillator honeypots

Derbycon Thousands of critical medical systems – including Magnetic Resonance Imaging machines and nuclear medicine devices – that are vulnerable to attack have been found exposed online.

Security researchers Scott Erven and Mark Collao found, for one example, a "very large" unnamed US healthcare organization exposing more than 68,000 medical systems. That US org has some 12,000 staff and 3,000 physicians.

Exposed were 21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear.

The healthcare org was merely one of "thousands" with equipment discoverable through Shodan, a search engine for things on the public internet.

Erven, an associate director at Protiviti who has five years of experience specifically securing medical devices, said critical hospital machinery is at the fingertips of miscreants.

"Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors," Erven said.

"Not only could your data get stolen but there are profound impacts to patient privacy."

Collao, of security consultancy NeoHapsis, said exposed networking gear and admin computers let attackers build up detailed intelligence on healthcare orgs, including the floors in which certain medical devices are housed.

"You can easily craft an email and send it to the guy who has access to that [medical] device with a payload that will run on the [medical] machine," Collao said.

"[Medical devices] are all running Windows XP or XP service pack two … and probably don't have antivirus because they are critical systems."

Executing custom payloads, establishing shells, and lateral pivoting within a network, are all possible, he said.

Erven ran through dozens of vulnerabilities that he reported in the last 12 months to big-name medical device manufacturers. These holes can grant scumbags remote administrative access to critical medical devices and supporting systems.

GE passwords

Pictured: the most common GE medical device passwords, which grant login access 85 percent of the time, Erven says.

That included 30 holes in GE medical kit, which were reported this year and all rated a maximum severity of 10. Some enabled remote root access over Telnet and FTP to nuclear imaging and cardiology systems. Others had hard-coded or no password, including a popular default password "bigguy".

Patched flaws on older kit resurfaced in new machines, indicating a failure by manufacturers to fully scrub out bugs from products that can take years to change due to slow time-to-market. He listed credentials for more than 100 medical devices.

Erven said GE is one of the most progressive medical manufacturers in terms of dealing with bug fixes and interaction with the security community.

Proven attacks

The security men showcased the real-world risks to exposed hospital equipment after their "real life" MRI and defibrillator machine honeypots attracted tens of thousands of login attempts from miscreants on the internet.

In total, the machines built to mimic actual equipment attracted a whopping 55,416 successful SSH and web logins and some 299 malware payloads.

Attackers also popped the devices with 24 successful exploits of MS08-067, the remote code execution hole tapped by the ancient Conficker worm.

Collao said attackers did not appear to realize the machines they popped were posing as critical medical devices.

"They come in, do some enumeration, drop a payload for persistence and connect to a command and control server," Collao said.

"We can deduce that there are owned medical devices calling back to a C2 (command and control server) and that there is an attacker out there who does not know what they are sitting on.

"These devices are getting owned repeatedly now that more hospitals are WiFi-enabled and no longer support arcane protocols."

The honeypots ran for about six months and mimicked devices "to a tee" complete with security vulnerabilities. The pair used Shodan to find devices on which to base their honeypots.
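As an added example (not code from the researchers or the article), here is a small analyzer that turns constructed honeypot session logs into the kind of figures reported above: successful SSH and web logins, how many used a vendor default such as "bigguy", payloads dropped, MS08-067 exploit attempts, and which sources got in and then called out to a C2 server. The event format, the documentation-range IPs and every credential other than "bigguy" are constructed for the demo.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Vendor default credentials: "bigguy" is the one default named in the talk;
# "admin:admin" is a constructed placeholder for the demo.
DEFAULT_CREDS = {"root:bigguy", "admin:admin"}

# Constructed honeypot events: (timestamp, source IP, event type, detail).
# Not the researchers' data; documentation-range addresses only.
SAMPLE_EVENTS = [
    ("2015-03-01T02:10:05", "198.51.100.7", "ssh_login", "root:bigguy"),
    ("2015-03-01T02:10:09", "198.51.100.7", "cmd", "uname -a"),          # enumeration
    ("2015-03-01T02:10:30", "198.51.100.7", "file_drop", "sha256:<constructed-1>"),
    ("2015-03-01T02:10:35", "198.51.100.7", "outbound", "203.0.113.9:6667"),  # C2
    ("2015-03-01T05:44:01", "203.0.113.22", "web_login", "admin:admin"),
    ("2015-03-01T05:44:40", "203.0.113.22", "file_drop", "sha256:<constructed-2>"),
    ("2015-03-02T11:00:00", "192.0.2.15", "smb_exploit", "MS08-067"),
    ("2015-03-02T11:00:08", "192.0.2.15", "outbound", "203.0.113.9:6667"),
    ("2015-03-03T09:12:12", "192.0.2.99", "ssh_login", "root:toor"),
]

@dataclass
class Summary:
    logins: Counter          # successful logins per service ("ssh", "web")
    default_cred_logins: int # logins that used a known vendor default
    payloads: int            # files dropped on the fake device
    exploits: Counter        # exploit attempts by name, e.g. MS08-067
    c2_callbacks: set        # sources that gained access and then connected out

def _called_home(kinds):
    """True if the source got in (login or exploit) and later opened an outbound connection."""
    got_in = False
    for k in kinds:
        if k.endswith(("_login", "_exploit")):
            got_in = True
        elif k == "outbound" and got_in:
            return True
    return False

def summarize(events, default_creds=DEFAULT_CREDS):
    logins, exploits = Counter(), Counter()
    default_hits = payloads = 0
    by_source = defaultdict(list)
    for _ts, src, kind, detail in sorted(events):   # chronological order
        by_source[src].append(kind)
        if kind.endswith("_login"):
            logins[kind.split("_")[0]] += 1
            default_hits += detail in default_creds
        elif kind == "file_drop":
            payloads += 1
        elif kind.endswith("_exploit"):
            exploits[detail] += 1
    callbacks = {src for src, kinds in by_source.items() if _called_home(kinds)}
    return Summary(logins, default_hits, payloads, exploits, callbacks)

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```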

The pair also posted fake hacking data and medical device credentials to Pastebin and used a bogus Twitter hacker account to alert potential attackers that are interested in the space. ®
