The US Department of Homeland Security warns that hundreds of widely used medical devices are open to hack attacks. It follows a report by ethical hackers Billy Rios and Terry McCorkle of Cylance. They found they could easily crack the passwords of three hundred different healthcare machines, including incubators for premature babies, defibrillators for emergency treatment of heart attacks and X-ray machines used for mammograms to detect breast cancer. Originally they experimented with just one machine, the Philips Xper, used for monitoring patients with heart disease. They soon found that hundreds of other items of hospital kit and personal devices had the same security flaw. Their report went to the DHS, which has now issued an advisory bulletin (http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-164-01), echoed by a similar warning from the Food and Drug Administration (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm).
“The Xbox has – right now – more sophisticated security devices than 99 percent of the medical devices on the market,” said Rios. “And I don’t know how we got into that situation.” The vulnerability lies in the fact that the device manufacturers secure them with a technicians’ password which can only be accessed by company employees and not by doctors, nurses or the hospital’s own IT staff. Rios and McCorkle maintain that this is bad practice. “We would never allow this for other pieces of software. If the manufacturer came to your laptop and had an account on it that you didn’t know about and only they could log into it, that would be crazy, right?”
The penetration testers – who recently entered the online control systems for Google Australia’s HQ building in Sydney – describe the task of finding the technicians’ passwords for medical devices as ‘trivial’. They recommend that instead of using so-called ‘backdoor passwords’, manufacturers should use a digital signature to sign the firmware (the ‘brain’ or logic controller of the device), in the same way that Apple and Android sign the firmware for mobile phones and games manufacturers secure their consoles. If anyone did crack the password and enter the device – either accidentally or maliciously – it would be almost impossible to detect, claimed Rios. “To verify that that firmware – that logic – hasn’t been tampered, it actually requires that you take apart the device. I mean literally take the shells off and get direct access to the chips and do some measurements.” For future cybersecurity improvements, all the manufacturers need to do is update their firmware so that it carries a digital signature. But in the meantime a wide range of equipment used in life-or-death situations is open to attack or accident. The testers stress that they have no evidence so far that any device has failed or malfunctioned because a ‘backdoor password’ was cracked.
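The signed-firmware approach the testers recommend, as an added example that is not part of the original article and is not Cylance's or any device vendor's code: the manufacturer signs each firmware image with an Ed25519 private key that stays in its signing infrastructure, and the device checks the image against the embedded public key before running it, so a modified image is caught by a software check at boot rather than by physically opening the device and probing the chips. The FirmwareImage layout, the function names and the sample payloads are assumptions made for this example; the version-rollback check goes beyond what the article describes and is included because a validly signed but outdated image is a failure mode a practitioner would want handled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a minimal stand-in for a device firmware blob: a version
// number plus the code/data payload. (Constructed for this example; real
// images carry more header fields.)
type FirmwareImage struct {
	Version uint32
	Payload []byte
}

// Serialize returns the exact bytes covered by the signature. Signing the
// version together with the payload means a valid signature from one release
// cannot be spliced onto an image with a different version header.
func (f FirmwareImage) Serialize() []byte {
	buf := make([]byte, 4, 4+len(f.Payload))
	binary.BigEndian.PutUint32(buf, f.Version)
	return append(buf, f.Payload...)
}

// NewManufacturerKeys generates the vendor's signing key pair. In practice
// the private key never leaves the vendor's signing service; only the public
// key is provisioned into the device at manufacture.
func NewManufacturerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware is the vendor-side step run on each release build.
func SignFirmware(priv ed25519.PrivateKey, img FirmwareImage) []byte {
	return ed25519.Sign(priv, img.Serialize())
}

// VerifyFirmware is the device-side check run by the bootloader (or by the
// update routine) before any code from the image executes. It rejects images
// whose signature does not verify under the embedded vendor key and, as the
// extra rollback guard assumed here, images older than the installed version.
func VerifyFirmware(pub ed25519.PublicKey, img FirmwareImage, sig []byte, installedVersion uint32) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, img.Serialize(), sig) {
		return errors.New("signature invalid: image rejected (modified or unsigned)")
	}
	if img.Version < installedVersion {
		return fmt.Errorf("rollback rejected: image version %d < installed %d", img.Version, installedVersion)
	}
	return nil
}

func main() {
	pub, priv, err := NewManufacturerKeys()
	if err != nil {
		panic(err)
	}
	// Constructed release image signed by the vendor.
	release := FirmwareImage{Version: 2, Payload: []byte("constructed firmware payload v2")}
	sig := SignFirmware(priv, release)
	fmt.Println("genuine image:", VerifyFirmware(pub, release, sig, 1))

	// One changed byte in the payload: the boot-time check catches it without
	// anyone having to take the shells off the device.
	modified := release
	modified.Payload = append([]byte(nil), release.Payload...)
	modified.Payload[0] ^= 0x01
	fmt.Println("modified image:", VerifyFirmware(pub, modified, sig, 1))

	// A validly signed but older release is refused by the rollback check.
	old := FirmwareImage{Version: 1, Payload: []byte("constructed firmware payload v1")}
	fmt.Println("older image:", VerifyFirmware(pub, old, SignFirmware(priv, old), 2))
}
```

The device side needs only the public key and a hash-and-verify routine, which is why this replaces a shared technicians' password rather than adding to it: there is no secret on the device for anyone to recover, and a failed verification is a loggable event rather than something that requires physical measurements to discover.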
Cylance delivered the latest report on medical devices to the DHS months ago, and has been exposing flaws in the security of medical devices for more than two years now. Yet Rios applauds the DHS for being proactive, explaining that the long delay was caused by behind-the-scenes negotiations with vendors and manufacturers to make sure that the issues were clearly understood before they went public with the advisory notice. McCorkle denies that their company is scaremongering to drive new business: “We don’t care who people use for this. The issues have been recognised in other industries and we want people to realise that these issues are there, and that we should be addressing them.”
Citing business and political issues that interfere with the implementation of technical solutions, Rios and McCorkle are calling on patients and campaign groups to exert pressure on the authorities for urgent updates and safer practices in the use of medical devices.
“Patients do have a voice here and they can influence traction.”
The testers suggest that patients, their families and campaign groups can contribute to the security of medical devices by letting their hospitals, the device manufacturers and their representatives in government know that there is a technical problem here that needs to be fixed.