Commonly used medical equipment is vulnerable to online hackers, researchers have warned.

The warning comes after the researchers presented their findings at the Derbycon conference in Louisville, Kentucky. The researchers also set up fake “honeypot” medical devices that attracted thousands of hackers.

Medical Flaws

White hat researchers Scott Erven and Mark Collao reportedly told the conference that at least 68,000 medical systems from a large unnamed US health group are exposed to hackers. Devices that are vulnerable include MRI machines, infusion systems, and pacemakers.

This is not the first time that there have been warnings about the threat to medical equipment from hackers.

In 2012, researchers from McAfee showed that they could take control of insulin pumps implanted inside diabetes patients. Scientists at the University of Massachusetts also showed that they could use radio attacks to turn off defibrillators inside heart patients.

Erven and Collao uncovered the fact that interfaces to medical equipment can be located via the search engine Shodan. This is a search engine that lets the user find specific types of computers (routers, servers, etc.) connected to the internet using a variety of filters.

The researchers warned that critical hospital machinery can be accessed by hackers.

“Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors,” Erven was quoted by The Register as saying.

“Not only could your data get stolen but there are profound impacts to patient privacy,” he added.

And it seems that hackers can build up detailed intelligence about healthcare organisations, thanks to vulnerable networking gear and admin computers, which can expose patient records and even where medical equipment is located.

“You can easily craft an email and send it to the guy who has access to that [medical] device with a payload that will run on the (medical) machine,” Collao was quoted as saying. He pointed out that medical devices run Windows XP or XP service pack two and don’t have antivirus protection, which means hackers can install custom payloads or other nastiness on vulnerable equipment.

The researchers have reported dozens of vulnerabilities to big-name medical device manufacturers that could give hackers remote administrative access to critical medical devices and supporting systems, said The Register. Indeed, the researchers reportedly discovered 30 very serious flaws in GE medical equipment alone, although they said that GE tends to be one of the most proactive when fixing flaws. Flaws in all makers’ gear included weak default passwords and badly patched vulnerabilities on older equipment.

Honeypot Trap

The researchers also set up fake medical equipment to gauge how active the hacker community is in targeting medical devices.

For six months they used software to emulate genuine MRI and defibrillator machines, and worryingly the two fake machines attracted tens of thousands of login attempts and hundreds of attempts to download malware.

In total, the fake medical kit attracted 55,416 successful SSH and web logins and some 299 malware payloads.


Tom Jowitt
