Thousands of Critical Medical Devices Exposed Online

At the DerbyCon security conference in Louisville, Kentucky, security researchers Scott Erven and Mark Collao recently stated that thousands of critical medical devices are connected to the Internet and vulnerable to attack, The Register reports.

At one unnamed U.S. healthcare organization with 12,000 staff and 3,000 physicians, Erven and Collao said, more than 68,000 devices are exposed online, including 21 anaesthesia systems, 488 cardiology systems, 67 nuclear medical systems, 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications devices.

The researchers discovered the linked devices through the Shodan device search engine. “Once we [started] changing [search terms] to target speciality clinics like radiology or podiatry or pediatrics, we ended up with thousands with misconfiguration and direct attack vectors,” Erven said.

MRI and defibrillator machine honeypots placed by Erven and Collao attracted 55,416 successful SSH and Web logins and 299 malware payloads. As a result, they said, it’s reasonable to assume that there are infected medical devices connecting to command and control servers on a regular basis.

“These devices are getting owned repeatedly, and now that more devices and hospitals are Wi-Fi enabled, it’s pretty prevalent,” Collao said, SC Magazinereports. “Next time you’re in a hospital and you’re getting hooked up to a machine and you see Ethernet going into a wall, it makes you think twice — is this connected to a command and control server somewhere?”

“The Internet of Things is already here, and some of its denizens are already in critical condition,” Tripwire director of IT security and risk strategy Tim Erlin told eSecurity Planet by email. “Embedded devices are nothing new, and the expansion of Internet connectivity has turned networked embedded devices, from energy to healthcare, into internetworked embedded devices. As the forward end of the industry works to bring the ‘things’ to the Internet, the Internet has already been brought to the ‘things’ that were out there.”

“With embedded devices, it’s often not as simple as applying the latest updates,” Erlin added. “When those devices interact directly with a human being in a therapeutic task, it’s even more complicated to make changes. This isn’t a challenge that’s likely to go away. It’s likely to get worse, and make headlines, when someone hacks a medical device to make a point.”

Recent eSecurity Planet articles have examined security requirements for the Internet of Things and offered tips for developing secure IoT apps.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles