Researchers have exploited critical vulnerabilities in two widely used medical management platforms that support a range of clinical functions, from assisting surgeries to generating patient reports.
Unpatched flaws in Philips' Xper platform let the researchers build a working exploit within two hours that gains remote, unauthenticated access to the device at the highest privilege level.
From there an attacker would have administrative access to the patient data held in connected databases. The affected machine also interfaces with other medical devices and systems over the widely used HL7 data-exchange standard, extending the reach of a compromise beyond the one box.
Cylance researcher Billy Rios told SC Magazine Australia: “We have a remote unauthenticated exploit for Xper, so if you see an Xper machine on a network, then you can own it.”
The holes were so severe that the US Department of Homeland Security (DHS) and Food and Drug Administration (FDA) stepped in to pressure Philips to fix the system.
“We've dropped exploits before on medical systems like Honeywell and Artridum, but we've never seen the FDA move like that. It was quicker than anything else I've seen before,” said Rios.
After initial attempts to contact Philips failed, Rios and colleague Terry McCorkle sought help from the DHS, the FDA and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Two days later, DHS control systems director Marty Edwards told the researchers that the agency would from then on handle all information security vulnerabilities reported in medical devices and software.
The announcement came a month after the US Government Accountability Office (GAO) said in a report that action was needed to address medical device flaws, adding that the FDA had not considered such security risks “a realistic possibility until recently”.
Once an extensive 200GB forensic imaging of the Windows-based platform had completed and the image had been booted in a virtual machine, it took the researchers “two minutes” to find the first vulnerability.
Rios said: “We noticed there was a port open, and we started basic fuzzing and found a heap overflow and wrote up a quick exploit for it. The exploit runs as a privileged service, so we owned the entire box - we owned everything that it could do.”
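Rios describes the find as “basic fuzzing” of an open port turning up a heap overflow. The article does not describe the Xper protocol or the researchers' tooling, so the Python below is an added illustration, not their code: it fuzzes the length field of a constructed toy TCP service that trusts a declared length over a fixed-size buffer, the shape of bug that such fuzzing tends to hit, and triages each case by whether the service answers or drops the connection. The service, its protocol, the buffer size and the boundary values are all assumptions made up for the example; the toy models a crash by closing the connection rather than by actually corrupting memory.

```python
import socket
import struct
import threading

BUF_SIZE = 256  # the toy service's fixed receive buffer (constructed value)


def toy_service(conn):
    """Constructed toy target, not the Philips Xper service.

    Protocol (made up for the example): 4-byte big-endian length, then that
    many payload bytes; the service echoes header + payload. It trusts the
    declared length when copying into a fixed buffer. A C service would
    overflow the heap here; the toy models the resulting crash by closing
    the connection without replying.
    """
    with conn:
        hdr = conn.recv(4)
        if len(hdr) < 4:
            return
        (declared,) = struct.unpack(">I", hdr)
        if declared > BUF_SIZE:
            return  # models: memcpy past the end of the buffer, service dies
        body = b""
        while len(body) < declared:
            chunk = conn.recv(declared - len(body))
            if not chunk:
                return
            body += chunk
        conn.sendall(hdr + body)


def serve(listener, stop):
    """Accept connections one at a time until asked to stop."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        toy_service(conn)


def length_field_cases():
    """Boundary values for a 32-bit length field: zero, the buffer edges,
    a page-sized value, and the signed/unsigned maxima. The actual payload
    is capped so the fuzzer itself does not try to send gigabytes."""
    for n in (0, 1, BUF_SIZE - 1, BUF_SIZE, BUF_SIZE + 1,
              0x1000, 0x7FFFFFFF, 0xFFFFFFFF):
        yield n, struct.pack(">I", n) + b"A" * min(n, 4096)


def fuzz(host, port, timeout=1.0):
    """Send each case on a fresh connection. A reply means the service
    survived; a timeout, reset or silent close is a crash candidate.
    Returns the declared lengths that produced a crash candidate."""
    crashes = []
    for n, payload in length_field_cases():
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                s.sendall(payload)
                reply = s.recv(4)
            except OSError:  # timeout, ECONNRESET, EPIPE: treat alike
                reply = b""
        if not reply:
            crashes.append(n)
    return crashes


def run_demo():
    """Start the toy service on an ephemeral loopback port, fuzz it, and
    return the crashing lengths (the cases a real target would warrant
    reproducing under a debugger)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    port = listener.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=serve, args=(listener, stop), daemon=True)
    t.start()
    try:
        return fuzz("127.0.0.1", port)
    finally:
        stop.set()
        t.join()
        listener.close()


if __name__ == "__main__":
    print("crash candidates (declared lengths):", run_demo())
```

On the toy target every declared length above the buffer size is flagged, which is exactly the triage signal a fuzzer needs before anyone looks at a crash dump: against a real service the same loop would be followed by attaching a debugger to the privileged process and reproducing the flagged inputs.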
The researchers suspect the system's login credentials, one pair being the username Philips and the password Service01, are hardcoded and cannot be changed by users; when they raised this with Philips, the company denied it.
The Xper Physiomonitoring 5 platform had formerly been used by a Utah hospital and was bought from an unnamed reseller, which sold the Dell blade-like machine for a cut-rate $200 and shipped it to Rios' home address.
That sale broke the reseller's contractual obligations to Philips, which require the return of unwanted devices, ostensibly to safeguard against exactly this kind of security lapse.
“That you need to jump through some hoops to get the hardware is not some sort of defence,” Rios said. “That's security through obscurity.”
The dealer was reported to the DHS and the equipment was returned to Philips.
Further holes were found in the SpaceLabs ICS-Xprezz patient-monitoring tool, an iOS application that lets doctors and other practitioners reach a range of devices that monitor patient vitals.
The app could also give attackers a path into corporate networks. “It uses RDP into a Windows box, but you can change that box to whatever you want: I ran cmd.exe and a whoami and was amazed,” McCorkle said. “I can't imagine what they are actually deploying in hospitals.”
It also stored passwords so that users could log in instantly, a convenience that becomes a security risk should a device be lost or stolen.