PINDROP BLOG

Attackers Target Medical Devices, But Do Nothing Once They’re In

ORLANDO–Medical devices have become the new go-to example whenever someone wants to illustrate just how bad security is. And for good reason. These devices often run on Windows XP, have hardcoded passwords, haven’t been patched since the George W. Bush administration, and are reachable over the Internet. That’s not how any of this is supposed to work.

Security researchers only recently began digging into how medical devices work, how they send data, and what attackers can do to and with them, and what they’ve found is as ugly as it gets. Researchers last week revealed they’d found more than 1,400 remotely exploitable vulnerabilities in medical devices made by CareFusion, none of which will be patched because the devices are at end-of-life. That’s on top of many other known vulnerabilities in insulin pumps, medicine dosing machines, and imaging equipment. While the general picture of medical device security is relatively clear, what hasn’t been discussed much yet is what exactly attackers do once they compromise a target device.

The answer, apparently, is not much of anything.

Scott Erven, a security researcher with a background in the health care industry, has been looking at the way that organizations secure their medical devices and the results have been much as you’d expect. With some simple Shodan searches, Erven discovered devices belonging to a major United States health care organization exposed to the public Internet, leaking intelligence about the internal network, and with the SMB protocol open. That protocol is a favorite of attackers, and Erven found that if an attacker exploited a known SMB bug on one of the organization’s devices, he’d be able to reach the internal network, the patient portal, and electronic medical records. He also found that this case was not unique, and hundreds of other organizations had similar exposures, putting devices such as imaging machines, anesthesia carts, and others at risk of compromise.

“Malicious intent isn’t a prerequisite for adverse patient outcomes.”

“You could use the SMB-enabled machine to exploit the vulnerability and pivot to the rest of the network,” Erven, the associate director of medical device and health care security at Protiviti, said in a talk at the InfoSec World conference here Monday. “This is a systemic issue that is across the industry. We have to get better.”

Knowing the brutal state of security on these devices, Erven wanted to see what happens when attackers find a vulnerable device and compromise it. So he and a colleague set up a small group of medical device honeypots running on Windows XP with exposed Web front ends, then broadcast their availability on Shodan and made them searchable on Google. The 10 honeypots got more than 55,000 successful logins via SSH and the Web and were hit by 24 successful exploits. The various attackers dropped nearly 300 individual malware samples on the devices.

But Erven said that most of the malware was designed to scrape credit card information, indicating that the attackers didn’t know they were on medical devices. And once they were on a device, the attackers sat still.

“They do nothing once they’re on a device,” he said.

But that doesn’t mean that security should be ignored on these devices. Far from it, Erven said.

“There are lots of weak and default credentials. Many of these were intentionally designed into the device, and there are clinical reasons in some cases,” he said. “But we have to stop the bleeding. We have to stop bringing this stuff into our environments. We don’t always know the perfect solution going forward, but we clearly know what’s failed in the past. We can’t continue to use hard-coded credentials.”

Erven also stressed that a compromise of a device doesn’t have to have some larger purpose in order to have undesirable consequences for a patient.

“Malicious intent isn’t a prerequisite for adverse patient outcomes,” he said.