According to a recent alert from the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Cylance researchers Billy Rios and Terry McCorkle are warning of hard-coded password vulnerabilities affecting approximately 300 medical devices from 40 different vendors (h/t ESET).
Rios and McCorkle say the hard-coded passwords can be leveraged to change critical settings and/or modify firmware in devices including ventilators, drug infusion pumps, external defibrillators, patient monitors, surgical and anaesthesia devices, and laboratory and analysis equipment.
"ICS-CERT is currently coordinating with multiple vendors, the FDA, and the security researchers to identify specific mitigations across all devices," the alert states. "In the interim, ICS-CERT recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities. "
The FDA has also issued a safety communication advising medical device manufacturers and healthcare facilities to implement safeguards to "reduce the risk of failure due to cyber attack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks."