Establishing Digital Trust: Don't Sacrifice Security for Convenience
At Digital Bond's SCADA Security Scientific Symposium (S4) in Miami, Cylance researchers Terry McCorkle and Billy Rios recently demonstrated security vulnerabilities in Philips' Xper Information Management system.
"The medical information management system typically connects with various types of medical equipment, including x-ray machines, in a hospital network, according to the company," writes SecurityWeek's Fahmida Y. Rashid.
"The dangerous, unpatched flaws within the Philips Xper systems allowed researchers, within two hours, to develop an exploit capable of gaining remote root access," writes SC Magazine's Darren Pauli. "From there, attackers gain administrative access to patient data stored in connected databases. The affected machine can operate any medical device which uses the ubiquitous HL7 standard."
"The attack was in part enabled by weak remote authentication supported by the system, as well weaknesses that left it open to fuzzing -- a tactic that involves throwing variable inputs at a test device until a fault condition that might be exploited occurs," writes The Register's John Leyden. "The researchers obtained the kit which had been in service at a Utah hospital from an unnamed reseller."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"In a statement, the company said the vulnerabilities were limited to an older version of the product," writes CSO's Antone Gonsalves. "'Philips continues to explore the possible impact of the vulnerability based on continued investigation and new information obtained at the security conference,' the company said."
"It's not the first time researchers have set their sights on medical device flaws," notes Dark Reading's Kelly Jackson Higgins. "Medtronic's insulin pumps were in the spotlight at Black Hat 2011 when Jerome Radcliffe -- himself a diabetic -- demonstrated how a hacker could turn off the pump remotely and also manipulate any setting on the pump without notifying the user."