Security researchers have discovered 1,418 flaws in outdated medical equipment still in use by some healthcare providers. The vulnerabilities could allow hackers to remotely exploit systems.
Research carried out by Billy Rios and Mike Ahmadi, used automated security scanning tools on a decommissioned device. They found scores of bugs in equipment running customised versions of Windows XP.
The flaws were found in CareFusion's Pyxis SupplyStation medical dispensing system. Out of the 1,418 remotely exploitable flaws, 715 of those vulnerabilities in “automated supply cabinets used to dispense medical supplies” have a severity rating of high or critical. The flaws are found in Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3.
According to an ICS-CERT notification, an attacker with low skill “would be able to exploit many of these vulnerabilities”.
The products are used to dispense medical supplies that can document usage in real-time. The Pyxis SupplyStation systems include automated devices that may be deployed using a variety of functional configurations.
The systems typically include a network of units, or workstations, located in various patient care areas throughout a facility and managed by a server, which links to the facility's existing information systems.
The notification said that as a result of the identified vulnerabilities, CareFusion has started reissuing targeted customer communications, advising customers of end-of-life versions with an upgrade path.
“For customers not pursuing the remediation path of upgrading devices, CareFusion has provided compensating measures to help reduce the risk of exploitation,” said the notification.
These include: isolating affected products from the internet and untrusted systems; when remote access is required, use secure methods, such as VPNs; and monitor and log all network traffic attempting to reach the affected products for suspicious activity.
John Smith, principal solution architect at Veracode, told SCMagazineUK.com that while “scary”, it is unsurprising that yet another connected medical device has been found to have security flaws. Information security professionals have hypothesised about the significant threat that many new Internet of Things (IoT) devices pose to healthcare.
“Vulnerabilities will always be discovered in connected devices. The security of all IoT devices must be looked at holistically so that all devices, as well as their web and mobile applications, and back-end cloud services, are secure by default,” said Smith.
Cesare Garlati, chief security strategist for Prpl Foundation, told SCMagazineUK.com that many manufacturers do not patch flaws in a timely manner – even when notified by security researchers.
“Delays often occur due to the complexity of coordinating changes between various teams and code bases throughout the supply chain,” he said.
“A more serious and fundamental factor is that firmware is rarely cryptographically signed, meaning that an attacker could in theory replace it with new software of their choosing. This is akin to handing criminals a key and allowing them to replace the lock.”