Critical medical devices are being 'owned' by botnet operators

Failure to build appropriate security into medical devices, combined with a lax user attitude, is exposing patients to cyber-risk.

Has this defibrillator been "owned"?

Fancy a hack attack with your heart attack? Security researchers who set up ‘honeypots’ to test whether sensitive medical devices like defibrillators and MRI machines are being hacked have found these systems are “getting owned repeatedly” by botnet operators.

Researchers Scott Erven, an associate director at Protiviti, and pen tester Mark Collao, from Cisco subsidiary Neohapsis, set up 10 fake medical devices online which attracted over 55,000 logins from potentially malicious actors.

These logins resulted in almost 300 pieces of malware being loaded onto the devices, along with 24 successful remote code execution exploits.

The researchers concluded that the devices are being ‘pwned’ by botnet operators, with most of the attacks coming from the Netherlands, China and Korea.

Reporting their findings at the DerbyCon security conference in Louisville, Kentucky last weekend, Collao said: “It's pretty scary knowing that these PACS (medical imaging) systems, MRI machines, defibrillators are connected to the internet. We can deduct that there are owned medical devices calling back somewhere to a C2 and there's a bot operator out there with these machines.”

He added: “These devices are getting owned repeatedly and now that more devices and hospitals are WiFi enabled, it's pretty prevalent. Next time you're in hospital and you're getting hooked up to a machine and you see Ethernet going into a wall, it makes you think twice – is this connected to a command and control server somewhere? Is this a DDoS machine that I'm going to get on? Very scary stuff.”

The researchers also examined how easy it is for hackers to get admin access to medical devices – and Erven said they found “treasure troves” of publicly available personal health information which give backdoors into the systems.

He listed over 100 examples of credentials they had found online, such as default user IDs and passwords, which allowed attackers to set up their own privileged access to the kit.
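As an added illustration of the triage a defender would run over such a decoy's own session log (this is not the researchers' tooling; the event format, the log lines and the default-credential list are all constructed), the following Python groups events by source and flags the pattern the article describes: a login with default credentials, followed by a file drop and an outbound callback to a controller.

```python
from collections import defaultdict

# Constructed decoy events (not the researchers' data); format: timestamp|src_ip|event|detail
SAMPLE_LOG = """\
2015-09-26T01:02:03Z|203.0.113.7|login_ok|admin:admin
2015-09-26T01:02:09Z|203.0.113.7|upload|/tmp/.x/bot.bin
2015-09-26T01:02:15Z|203.0.113.7|exec|/tmp/.x/bot.bin
2015-09-26T01:02:20Z|203.0.113.7|connect|198.51.100.9:6667
2015-09-26T02:10:00Z|198.51.100.23|login_fail|admin:password
2015-09-26T02:10:01Z|198.51.100.23|login_fail|admin:123456
2015-09-26T03:00:00Z|192.0.2.44|login_ok|operator:Str0ngPassphrase!
2015-09-26T03:00:30Z|192.0.2.44|connect|192.0.2.1:443
"""

# Hypothetical factory-default credentials the decoy is configured to accept.
DEFAULT_CREDS = {("admin", "admin"), ("service", "service"), ("root", "root")}

def parse(log):
    """Turn pipe-delimited lines into event dicts, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, ip, kind, detail = line.split("|", 3)
            events.append({"ts": ts, "ip": ip, "kind": kind, "detail": detail})
    return events

def triage(events):
    """Rate each source IP: 'compromised' if a successful login is followed by a
    file drop or execution and then an outbound connection (bot calling home);
    'authenticated' for a login without a drop; 'brute_force' otherwise."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        kinds = [e["kind"] for e in evs]
        ok = kinds.index("login_ok") if "login_ok" in kinds else None
        tail = evs[ok + 1:] if ok is not None else []          # events after login
        dropped = any(e["kind"] in ("upload", "exec") for e in tail)
        callback = next((e["detail"] for e in tail if e["kind"] == "connect"), None)
        if ok is not None and dropped and callback:
            verdict = "compromised"
        elif ok is not None:
            verdict = "authenticated"
        else:
            verdict = "brute_force"
        cred = tuple(evs[ok]["detail"].split(":", 1)) if ok is not None else None
        report[ip] = {"verdict": verdict, "default_credentials": cred in DEFAULT_CREDS,
                      "callback": callback if verdict == "compromised" else None}
    return report
```

The recorded callback destination is what a SOC would pivot on to find other devices on the network talking to the same controller.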

On the positive side, the researchers' honeypots revealed no evidence of deliberate targeted attacks on medical devices.

But Collao warned that if botnet operators realised the sensitivity of the devices they ‘owned’, they could move to targeted attacks for extortion or other malicious purposes.

The two researchers' findings go beyond the known existence of general classes of vulnerabilities in medical devices.

Collao said the honeypot attacks they detected came mainly from the Netherlands, China and Korea. He said they were surprised, wondering “why is traffic coming from the Netherlands”, but suggested the source may be a compromised server or data centre in that country.

Erven said they had discovered over 130 sets of credentials relating to GE Healthcare devices such as MRI and CT scanners, X-ray, cardiology systems and cameras. This resulted in around 30 critical ‘flaws’ being registered as CVEs. He emphasised that GE responded quickly to the findings.

Commenting on the results, UK security expert Professor John Walker of Nottingham-Trent University, director of cyber consultancy ISX, said he was not surprised to see “the obvious hostile agents” interested in infiltrating medical devices.

He told SCMagazineUK.com via email: “Consider the implications in a conflict of your adversary gaining access to field medical devices and infrastructures as a secondary line of attack. Such cyber-capabilities to manipulate medical devices surely fall under the wing of the cyber armoury.”

Scott MacKenzie, CISO at Logical Step, told SC via email: “This research shows that medical devices are clearly targets, along with all internet-connected devices. Vulnerabilities will exist in medical device software the same as software found on any other systems.”

But he pointed out: “Within the UK we have some protection from the attacks. The UK NHS systems all connect to the N3, a virtual private network connecting hospitals and GP surgeries, rather than directly connecting systems to the internet.

“The main mitigation against these attacks, other than not connecting systems to the internet, is for manufacturers to be vigilant in releasing security patches for the devices. This depends also on the staff who support these devices applying the patches in a timely manner.”

Walker agreed: “Again, sadly it would seem we must remind all those developing such tools to carry an expectation that security is included in the development lifecycle, and look to provide an appropriate level of hardening that is commensurate to the actual or potential real-time surface of attack and compromise.”