Patient data revealed in medical device hack

Researchers have exploited critical vulnerabilities in two popular medical management platforms used in a host of services, including assisting surgeries and generating patient reports.

The dangerous, unpatched flaws within the Philips Xper systems allowed researchers, within two hours, to develop an exploit capable of gaining remote root access.

From there, an attacker could gain administrative access to patient data stored in connected databases.

The affected machine can operate any medical device that uses the ubiquitous HL7 standard.

"We have a remote unauthenticated exploit for Xper, so if you see an Xper machine on a network, then you can own it," Billy Rios, a researcher at security start-up Cylance, told SC Magazine Australia.

The holes were so severe that the U.S. Department of Homeland Security (DHS) and Food and Drug Administration (FDA) stepped in to pressure Philips to fix the system.

"We've dropped exploits before on medical systems like Honeywell and Artridum, but we've never seen the FDA move like that," he said. "It was quicker than anything else I've seen before."

After initial bids to contact Philips failed, Rios and colleague Terry McCorkle sought assistance from DHS, the FDA and the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). 

Two days later, Marty Edwards, director of the control systems security program at DHS, told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.

The announcement comes five months after the U.S. Government Accountability Office said in a report (PDF) that action was required to address medical device flaws, adding that the FDA did not consider such security risks "a realistic possibility until recently".

How they did it

Once an extensive 200Gb forensic imaging process of the Windows-based platform had completed and the system was booted into a virtual machine, it took the researchers "two minutes" to find the first vulnerability.

"We noticed there was a port open, and we started basic fuzzing and found a heap overflow and wrote up a quick exploit for it," Rios said. "The exploit runs as a privileged service, so we owned the entire box - we owned everything that it could do."

The researchers suspect that the system's authentication logins, one of which uses the username Philips and the password Service01, are hardcoded and cannot be changed by users, but when they warned Philips, the company refuted the claim.

The Xper Physio monitoring 5 platform was formerly used by a Utah hospital and was purchased from an unnamed reseller, which sold the Dell Blade-like machine for a cut-rate $200, delivered to Rios' home address.

That sale broke the reseller's contractual obligations with Philips, which requires the return of unwanted devices, ostensibly to safeguard against such security gaffes.

"That you need to jump through some hoops to get the hardware is not some sort of defense," Rios said. "That's security through obscurity."

The dealer was reported to the DHS, and the equipment was returned to Philips.

This story originally appeared on

[An earlier version of this story incorrectly listed the hospital as being in Ohio, but it is actually Utah].
