Commonly used medical equipment is vulnerable to online hackers, researchers have warned.

The warning comes after the researchers presented their findings at the Derbycon conference in Louisville, Kentucky. The researchers also set up fake “honeypot” medical devices that attracted thousands of hackers.

Medical Flaws

White hat researchers Scott Erven and Mark Collao reportedly told the conference that at least 68,000 medical systems from a large unnamed US health group are exposed to hackers. Devices that are vulnerable include MRI machines, infusion systems, and pacemakers.

This is not the first time that there have been warnings about the threat to medical equipment from hackers.

In 2012, researchers from McAfee showed that they could take control of insulin pumps implanted inside diabetes patients. Scientists at the University of Massachusetts also showed that they could use radio attacks to turn off defibrillators inside heart patients.

Erven and Collao uncovered the fact that interfaces to medical equipment can be located via the search engine Shodan. This is a search engine that lets the user find specific types of internet-connected computers (routers, servers, etc.) using a variety of filters.

The researchers warned that critical hospital machinery can be accessed by hackers.

“Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors,” Erven was quoted by The Register as saying.

“Not only could your data get stolen but there are profound impacts to patient privacy,” he added.

And it seems that hackers can build up detailed intelligence about healthcare organisations, thanks to vulnerable networking gear and admin computers, which can expose patient records and even where medical equipment is located.

“You can easily craft an email and send it to the guy who has access to that [medical] device with a payload that will run on the (medical) machine,” Collao was quoted as saying. He pointed out that medical devices run Windows XP or XP Service Pack 2 and don’t have antivirus protection, which means hackers can install custom payloads or other nastiness on vulnerable equipment.

The researchers have reported dozens of vulnerabilities to big-name medical device manufacturers that could give hackers remote administrative access to critical medical devices and supporting systems, said The Register. Indeed, the researchers reportedly discovered 30 very serious flaws in GE medical equipment alone, although they said that GE tends to be among the most proactive when fixing flaws. Flaws in all makers’ gear included weak default passwords and badly patched vulnerabilities on older equipment.

Honeypot Trap

The researchers also set up fake medical equipment to gauge how active the hacker community is in targeting medical devices.

For six months they used software to emulate genuine MRI and defibrillator machines, and worryingly the two fake machines attracted tens of thousands of login attempts and hundreds of attempts to download malware.

In total, the fake medical kit attracted 55,416 successful SSH and web logins and some 299 malware payloads.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
