The dangerous, unpatched flaws within the Philips Xper systems allowed researchers, within two hours, to develop an exploit capable of gaining remote root access.
 |
From there, attackers gain administrative access to patient data stored in connected databases.
The affected machine can operate any medical device which uses the ubiquitous HL7 standard.
"We have a remote unauthenticated exploit for Xper, so if you same see an Xper machine on a network, then you can own it," Billy Rios, a researcher at security start-up Cylance, told SC Magazine Australia.
The holes were so severe that the U.S. Department of Homeland Security (DHS) and Food and Drug Administration (FDA) stepped in to pressure Philips to fix the system.
"We've dropped exploits before on medical systems like Honeywell and Artridum, but we've never seen the FDA move like that," he said. "It was quicker than anything else I've seen before."
After initial bids to contact Philips failed, Rios and colleague Terry McCorkle sought assistance from DHS, the FDA and the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Two days later, Marty Edwards, director of the control systems security program at DHS, told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.
The announcement comes five months after the U.S Government Accountability Office said in a report (PDF) that action was required to address medical device flaws, adding that the FDA did not consider such security risks "a realistic possibility until recently".
How they did it
Once an extensive 200Gb forensic imaging process of the Windows-based platform had completed and the system was booted into a virtual machine, it took the researchers "two minutes" to find the first vulnerability.
"We noticed there was a port open, and we started basic fuzzing and found a heap overflow and wrote up a quick exploit for it," Rios said. "The exploit runs as a privileged service, so we owned the entire box - we owned everything that it could do."
The researchers suspect the authentication logins for the system, one with a username Philips and password Service01, are hardcoded and unchangeable by users, but when they warned Philips, the company refuted the claim.
The Xper Physio monitoring 5 platform was formerly used by a Utah hospital and purchased from an unnamed reseller, which sold the Dell Blade-like machine for a cut-rate of $200, delivered to Rios' home address.
That move broke the resellers' contractual obligations with Philips, which requires the return of unwanted devices ostensibly to safeguard against such security gaffes.
"That you need to jump through some hoops to get the hardware is not some sort of defense," Rios said. "That's security through obscurity."
The dealer was reported to the DHS, and the equipment was returned to Philips.
This story originally appeared on SCMagazine.com.au.
[An earlier version of this story incorrectly listed the hospital as being in Ohio, but it is actually Utah].
