Two security researchers uncovered thousands of medical systems exposed online that are vulnerable to web attacks. On Saturday, September 26, researchers Scott Erven and Mark Collao presented their findings at Derby Con 5.0 in a presentation entitled "Medical Devices: Pwnage and Honeypots."
"We know medical devices are exposed to the Internet both directly and indirectly, so just how hard is it to take it to the next step in an attack and gain remote administrative access to these critical life saving devices? We will discuss over 20 CVEs Scott has reported over the last year that will demonstrate how an attacker can gain remote administrative access to medical devices and supporting systems," reads a description for the researchers' talk. "Over 100 remote service and support credentials for medical devices will be presented. So is an attack against medical devices a reality or just a myth? Now that we know these devices have Internet facing exposure and are vulnerable to exploit, are they being targeted? We will release and present six months of medical device honeypot research showing the implications of these patient care devices increasing their connectivity."
As reported by The Register, the researchers used the Shodan search engine to find 68,000 vulnerable medical systems online belonging to an unnamed U.S. health organization. The exposed devices included 488 cardiology machines, 323 picture archiving and communication (PACS) systems, 133 infusion systems, and 97 MRI scanners. Using their "real life" MRI and defibrillator honeypots, Erven and Collao were able to observe the types of attacks that are typically launched against those devices when they are exposed. Over a period of six months, they logged 55,416 successful SSH and web logins and 299 malware payloads. In the case of the malware-based attacks, many of the attackers apparently never realized the value of what they had compromised.
"They come in, do some enumeration, drop a payload for persistence and connect to a command and control server," Collao said. "We can deduce that there are owned medical devices calling back to a C2 (command and control server) and that there is an attacker out there who does not know what they're sitting on. These devices are getting owned repeatedly now that more hospitals are WiFi-enabled and no longer support arcane protocols."
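The three-stage pattern Collao describes (enumeration, a dropped persistence payload, then an outbound connection to a command and control server) is exactly what a honeypot operator wants to pull out of session logs automatically. The script below is an added example written for this page, not code from Erven and Collao's research; the log format, the sample log lines and the recon/persistence command heuristics are all constructed assumptions. It counts successful logins per service, classifies each source address by which stages it reached, and lists C2 destinations that more than one compromised session called back to, which is the signal behind the "owned devices calling back to a C2" conclusion.

```python
import re
from collections import defaultdict

# Constructed sample honeypot session log (illustrative only, not the
# researchers' data). Assumed line format: "<timestamp> <src_ip> <event> <detail>".
SAMPLE_LOG = """\
2015-03-01T10:00:01 203.0.113.5 LOGIN_OK ssh user=root
2015-03-01T10:00:04 203.0.113.5 CMD uname -a
2015-03-01T10:00:05 203.0.113.5 CMD cat /proc/cpuinfo
2015-03-01T10:00:09 203.0.113.5 FILE_WRITE /tmp/.x/bot.sh
2015-03-01T10:00:10 203.0.113.5 CMD echo '@reboot /tmp/.x/bot.sh' | crontab -
2015-03-01T10:00:12 203.0.113.5 CONNECT_OUT 198.51.100.7:6667
2015-03-01T10:05:00 198.51.100.23 LOGIN_FAIL ssh user=admin
2015-03-01T10:05:02 198.51.100.23 LOGIN_OK web user=admin
2015-03-01T10:05:03 198.51.100.23 CMD ls
2015-03-01T10:10:00 192.0.2.44 LOGIN_OK ssh user=root
2015-03-01T10:10:01 192.0.2.44 FILE_WRITE /tmp/x
2015-03-01T10:10:02 192.0.2.44 CONNECT_OUT 198.51.100.7:6667
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>[A-Z_]+) ?(?P<detail>.*)$")

# Heuristics for the stages described in the talk; these command lists are an
# assumption for this example, not a published indicator set.
RECON_RE = re.compile(r"^(uname|id|whoami|cat /proc/|ifconfig|ip |ps |netstat)")
PERSIST_RE = re.compile(r"(crontab|/etc/rc\.local|/etc/init\.d|\.bashrc|systemctl enable)")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def count_successful_logins(events):
    """Count LOGIN_OK events per service (first token of the detail field)."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "LOGIN_OK":
            counts[e["detail"].split()[0]] += 1
    return dict(counts)


def classify_sessions(events):
    """Per source IP, record which attack stages were observed."""
    stages = defaultdict(lambda: {"login": False, "enumeration": False,
                                  "persistence": False, "c2": set()})
    for e in events:
        s = stages[e["src"]]
        ev, detail = e["event"], e["detail"]
        if ev == "LOGIN_OK":
            s["login"] = True
        elif ev == "CMD":
            if RECON_RE.search(detail):
                s["enumeration"] = True
            if PERSIST_RE.search(detail):
                s["persistence"] = True
        elif ev == "FILE_WRITE":
            s["persistence"] = True          # dropped payload
        elif ev == "CONNECT_OUT":
            s["c2"].add(detail)              # outbound callback destination
    for s in stages.values():
        # A persisted payload plus an outbound callback is the "owned, calling
        # back to a C2" condition from the talk.
        s["owned_with_callback"] = s["persistence"] and bool(s["c2"])
    return dict(stages)


def shared_c2(sessions):
    """Destinations contacted by more than one compromised source."""
    by_dst = defaultdict(set)
    for src, s in sessions.items():
        for dst in s["c2"]:
            by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("successful logins:", count_successful_logins(evs))
    sessions = classify_sessions(evs)
    for src, s in sessions.items():
        print(src, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
    print("shared C2 destinations:", shared_c2(sessions))
```

On a real honeypot the same logic would run over Cowrie or web-application logs rather than the constructed format above; the useful output is the `shared_c2` map, since several unrelated sources calling back to the same host is what separates a botnet harvesting anything with an open SSH port from an attacker who has targeted the device deliberately.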
These findings come on the heels of two reports, one by KPMG and another by Raytheon|Websense, which found, respectively, that healthcare organizations are not adequately mitigating security risks and that they are four times more likely to suffer advanced malware attacks.