BreachExchange mailing list archives

Patient data revealed in medical device hack


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 17 Jan 2013 13:38:48 -0500

http://www.scmagazine.com.au/News/329222,patient-data-revealed-in-medical-device-hack.aspx

Researchers have exploited critical vulnerabilities in two popular
medical management platforms used in a host of services including
assisting surgeries and generating patient reports.

The dangerous unpatched flaws within the Philips Xper systems allowed
researchers to develop an exploit within two hours capable of gaining
remote root access on the device.

From there, attackers would have administrative access to a host of
patient data stored in connected databases.

The affected machine can operate any medical device which uses the
ubiquitous HL7 standard.

"We have a remote unauthenticated exploit for Xper, so if you see
an Xper machine on a network, then you can own it," Cylance researcher
Billy Rios told SC.

The holes were so severe that the US Department of Homeland Security
(DHS) and Food and Drug Administration (FDA) stepped in to pressure
Philips to fix the system.

"We've dropped exploits before on medical systems like Honeywell and
Artridum, but we've never seen the FDA move like that," he says.

"It was quicker than anything else I’ve seen before."

After initial bids to contact Philips failed, researchers Rios and
colleague Terry McCorkle sought assistance from the DHS, the FDA and
the country's Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT).

Two days later, DHS control system director Marty Edwards told the
researchers the agency would from then on handle all information
security vulnerabilities found in medical devices and software.

The announcement comes months after the US Government Accountability
Office said in a report (pdf) that action was required to address
medical device flaws, adding that the FDA did not consider such
security risks "a realistic possibility until recently".

Vulnerabilities

Once an extensive 200GB forensic imaging process of the Windows-based
platform had completed and the system was booted into a virtual
machine, it took the researchers "two minutes" to find the first
vulnerability.

"We noticed there was a port open, and we started basic fuzzing and
found a heap overflow and wrote up a quick exploit for it," Rios said.

"The exploit runs as a privileged service, so we owned the entire box
- we owned everything that it could do."

The researchers suspect the authentication logins for the system, one
with a username Philips and password Service01, are hardcoded and
unchangeable by users, but when they warned Philips the company
refuted the claim.

The Xper Physio monitoring 5 platform was formerly used by an Ohio
hospital and purchased from an unnamed reseller which sold the Dell
Blade-like machine for a cut-rate of $200, delivered to Rios' home
address.

That move broke the reseller's contractual obligations with Philips,
which require the return of unwanted devices, ostensibly to safeguard
against such security gaffes.

"That you need to jump through some hoops to get the hardware is not
some sort of defence," Rios said. "That's security through obscurity."

The dealer was reported to the DHS and the equipment was returned to Philips.

Mobile holes

Further holes were found in patient monitoring tool SpaceLabs
ICS-Xprezz. The iOS application allowed doctors and medical
practitioners to access a string of devices that monitor patient
vitals.

But the app could also allow attackers to access corporate networks.

"It uses RDP into a Windows box, but you can change that box to
whatever you want: I ran cmd.exe and a whoami and was amazed,"
McCorkle said.

"I can't imagine what they are actually deploying in hospitals."

It also stored passwords to allow users to log in instantly, a feature
that could become a security risk should devices be lost or stolen.

Research into medical device and software flaws has blossomed in
recent years and caused stirs outside of security circles due to the
potential deadly consequences of the vulnerabilities.

Last year, Barnaby Jack, a leading researcher in the field, showed at
the BreakPoint conference in Melbourne that a tampered pacemaker
transmitter could deliver deadly electric shocks to pacemakers within
about 10 metres.

Attackers could also rewrite the software running the devices and
infect other pacemakers within wireless range.

And in 2011 a security researcher demonstrated how commands could be
sent wirelessly to disable insulin pumps within a distance of about 45
metres. Other pumps have been made to dump their entire contents of
insulin into a patient.

Copyright © SC Magazine, Australia
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
