Medical Devices Vulnerable to Hackers

Uploaded on 2015-10-06 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-Health & Welfare

Thousands of critical medical systems, such as MRI machines, are available for hackers to access online, according to researchers. Some 68,000 medical systems from a large unnamed US health group have been exposed. 

Security researchers Scott Erven and Mark Collao presented their findings at hacker conference Derbycon. They also revealed that they had created fake medical devices, which attracted thousands of hackers. Interfaces connected to medical systems were available via search engine Shodan, the researchers told conference-goers.

The researchers used Shodan - a search engine specifically for Internet-connected devices - to look for exposed software from a range of health treatment providers, such as radiology and pediatric clinics, as well as one large healthcare organisation. They told tech news website the Register that they ended up with "thousands of misconfigurations and direct attack vectors". Hospitals whose networking equipment and administrative computers were exposed online risked attacks and the exposure of patient data, they said.

Such information would allow attackers to build up details on health organisations, including exact information about where medical devices were housed, they added. Then it would be a case of "crafting an email and sending it to the guy who has access to that device with a payload that will run on the machine", Mr Collao said.

Presenting their findings at hacking conference Derbycon, the researchers said they had reported dozens of vulnerabilities to big-name medical device manufacturers over the last year. The pair also ran an experiment to illustrate how hackers were already targeting medical devices.

For six months, they ran fake MRI and defibrillator machines in the form of software, which mimicked the real devices. The two fake machines attracted tens of thousands of login attempts and some 299 attempts to download malware, the researchers said.

The fact that their "honeypot" devices attracted so much interest suggests that medical devices are targets for hackers, said security researcher Ken Munro. He emphasised the need to make the real-life versions more secure.
"Medical devices should not be available on the public internet. They should be behind multiple layers of protection," he said. "Based on their research, we can see that hackers will have a go at devices that are clearly critical medical systems. That is scary, if unsurprising.
"What is even scarier is that the research shows that some medical devices have already been compromised."


BBC:

« Cyber Attacks Cost Business Over $300bn Worldwide Last Year
Russian Scientists Create Cockroach Robo-Spy »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Tresorit

Tresorit

Tresorit helps teams to collaborate securely and easily by protecting their data with end-to-end encryption.

OpenSphere

OpenSphere

OpenSphere is an IT company providing security consultancy, information system risk management and security management services.

Tymlez Software & Consulting

Tymlez Software & Consulting

Tymlez Software and Consulting is a start-up specialised in blockchain technology for enterprises.

Mitchell Sandham

Mitchell Sandham

Mitchell Sandham is an, independent insurance and financial services brokerage. Business products include Cyber/Privacy Liability insurance.

Bugcrowd

Bugcrowd

As leaders in crowdsourced security testing, Bugcrowd connects companies and their applications to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities.

Qubitekk

Qubitekk

Qubitekk has developed quantum cryptography solutions for the machine-to-machine (M2M) communications market.

National Center for Manufacturing Sciences (NCMS)

National Center for Manufacturing Sciences (NCMS)

NCMS is a cross-industry technology development consortium, dedicated to improving the competitiveness of the US industrial base. Strategic initiatives include industrial cyber security.

totemo

totemo

Totemo offers solutions for the secure exchange of business information.

CNA Insurance

CNA Insurance

CNA offers a market-leading suite of cyber liability insurance products and risk control resources for businesses of all sizes.

RackTop Systems

RackTop Systems

RackTop Systems is the pioneer of CyberConverged data security, a new market that fuses data storage with advanced security and compliance into a single platform.

Get Indemnity

Get Indemnity

Get Indemnity are specialist insurance brokers with experience working on a wide range of innovative business insurance products that combine risk management, indemnity and incident response services.

Cyber Intelligence 4U

Cyber Intelligence 4U

Cyber Intelligence 4U is an educational services company that provides two levels of cybersecurity training programs: executive and technical.

CyFIR

CyFIR

CyFIR is a network investigation and Incident Response tool for performing live computer investigations across any size enterprise.

ProcessUnity

ProcessUnity

ProcessUnity is a leading provider of Third-Party Risk Management software, helping companies remediate risks posed by third-party service providers.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

CYDEF

CYDEF

CYDEF provides comprehensive, state-of-the-art cybersecurity protection that is accessible and affordable to organizations of any size.