Is there a hacker in the hospital? MRI machines and other medical kit can be compromised by hackers, researchers warn
Commonly used medical equipment is vulnerable to online hackers, researchers have warned.
The warning comes after the researchers presented their findings at the Derbycon conference in Louisville, Kentucky. The researchers also set up up fake “honeypot” medical devices that attracted thousands of hackers.
White hat researchers Scott Erven and Mark Collao reportedly told the conference that at least 68,000 medical systems from a large unnamed US health group are exposed to hackers. Devices that are vulnerable include MRI machines, infusion systems, and pacemakers.
This is not the first time that there has been warnings about the threat to medical equipment from hackers.
In 2012, researchers from McAfee showed that they could take control of insulin pumps implanted inside diabetes patients. Scientists at the University of Massachussetts also showed that they can use radio attacks to turn off defibrillators inside heart patients.
Erven and Collao uncovered the fact that interfaces to medical equipment can be located via search engine Shodan. This is a search engine that lets the user find specific types of computers (routers, servers, etc) connected to the internet using a variety of filters.
The researchers warned that critical hospital machinery can be accessed by hackers.
“Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors,” Erven was quoted by The Register as saying.
“Not only could your data get stolen but there are profound impacts to patient privacy,” he added.
And it seems that hackers can build up detailed intelligence about healthcare organisations, thanks to vulnerable networking gear and admin computers, which can expose patient records and even where medical equipment is located.
“You can easily craft an email and send it to the guy who has access to that [medical] device with a payload that will run on the (medical) machine,” Collao was quoted as saying. He pointed out that medical devices run Windows XP or XP service pack two and don’t have antivirus protection, which means hackers can install custom payloads or other nastiness on vulnerable equipment.
The researchers have reported dozens of vulnerabilities to big-name medical device manufacturers that could give hackers remote administrative access to critical medical devices and supporting systems, said The Register. Indeed, the researchers reportedly discovered 30 very serious flaws in GE medical equipment alone, which they said that GE tends to be most of the most proactive when fixing flaws. Flaws in all makers gear included weak default passwords and badly patched vulnerabilities on older equipment.
The researchers also setup fake medical equipment to gauge how active the hacker community is in targeting medical devices.
For six months they ran used software to emulate genuine MRI and defibrillator machines, and worryingly the two fake machines attracted tens of thousands of login attempts and hundreds of attempts to download malware.
In total, the fake medical kit attracted 55,416 successful SSH and web logins and some 299 malware payloads.
How well do you know data security? Take our quiz!