Hackers Flock to Fake Medical Devices

Marie Thibault

Researchers have shown, through an experiment, that medical devices are available to hackers. According to tech news outlet The Register, security experts this week said that software they used to imitate two devices, an MRI and a defibrillator, was targeted by “a whopping 55,416 successful SSH [Secure Shell] and web logins and some 299 malware payloads” over about six months.

The fake devices were part of the findings discussed by experts Scott Erven and Mark Collao at the DerbyCon security conference this week.

While that’s illuminating, what’s more frightening is that tens of thousands of real medical devices can be found by hackers.

The Register reports that Erven and Collao revealed that thousands of medical systems, by virtue of being on public Internet, are accessible to hackers. The researchers found thousands of medical products using the Shodan search engine, which is billed as “the world’s first search engine for Internet-connected devices.”

They found medical device-related vulnerabilities by searching for medical-specific terms. Erven told The Register, “Once we start changing [Shodan search terms] to target specialty clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors.”

Among the items that Erven, an associate director at Protiviti, and Collao, a security consultant at Protiviti, found by searching Shodan was more than 68,000 medical systems from a large healthcare organization in the United States. The Register details the equipment included in this finding: “21 anesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear.”

According to The Register, Erven has reported numerous vulnerabilities to major medical device makers.

Collao told The Register, “[Medical devices] are all running Windows XP or XP service pack two . . . and probably don’t have antivirus because they are critical systems.”

Devices running antiquated technology like Windows XP is an important don’t for cybersecurity expert Stephanie Preston, a cyber embedded systems engineer at Battelle. She recently told MD+DI that device manufacturers need to stop using outdated technology.

Marie Thibault is the associate editor at MD+DI. Reach her at [email protected] and on Twitter @medtechmarie.  

[Image courtesy of STUART MILES/FREEDIGITALPHOTOS.NET]