From SC Magazine comes a new tale of a medical device being hacked:
A couple of experts at finding vulnerabilities in industrial control systems decided to take a look at medical devices. They purchased a Philips Xper Physiomonitoring 5, made an image of the hard drive contents (the software is Windows-based), booted the image in a virtual machine, and found a vulnerability within minutes:
“We noticed there was a port open, and we started basic fuzzing and found a heap overflow and wrote up a quick exploit for it,” Rios said.
“The exploit runs as a privileged service, so we owned the entire box – we owned everything that it could do.”
The researchers suspect the authentication logins for the system, one with a username Philips and password Service01, are hardcoded and unchangeable by users, but when they warned Philips the company refuted the claim.
Next step: notifying FDA and DHS.
“Two days later, DHS control system director Marty Edwards told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.”
So now we have a new player in medical devices: DHS. Hopefully they'll work through the FDA rather than as a totally separate agency that device makers will need to establish a relationship with.
This and other recent episodes clearly demonstrate that, as medical devices become more integrated with computer networks, the medical device industry needs to gain expertise in cybersecurity. Last August, the Government Accountability Office (GAO) issued a report recommending “that FDA develop and implement a plan expanding its focus on information security risks.”