Scott Erven is head of information security for a healthcare provider called Essentia Health, and his Friday presentation at Chicago’s Thotcon, “Just What The Doctor Ordered?” is a terrifying tour through the disastrous state of medical device security.
Wired’s Kim Zetter summarizes Erven’s research, which ranges from the security of implanted insulin pumps and defibrillators to surgical robots and MRIs. Erven and his team discovered that hospitals are full of fundamentally insecure devices, and that these insecurities are not the result of obscure bugs buried deep in a codebase (as was the case with the disastrous Heartbleed vulnerability) but of incredibly stupid, incredibly easy-to-discover mistakes, such as hardcoded, easily guessed default passwords.
For example: surgical robots have their own internal firewall. Run a vulnerability scanner against that firewall and it simply crashes, leaving the robot wide open.
The backups for image repositories for X-rays and other scanning equipment have no passwords. Drug-pumps can be reprogrammed over the Internet with ease. Defibrillators can be made to deliver shocks — or to withhold them when needed.
Doctors’ instructions to administer therapies can be intercepted and replayed, adding them to other patients’ records.
You can turn off the blood fridge, crash life-support equipment and reset it to factory defaults. The devices themselves are all available on the whole hospital network, so once you compromise an employee’s laptop with a trojan, you can roam free.
You can change CT scanner parameters and cause them to over-irradiate patients.