Vast array of medical devices vulnerable to serious hacks, feds warn

[CyberAbc 290]

A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.

The devices, which also include ventilators, patient monitors, and surgical and anesthesia devices, contain hard-coded password vulnerabilities, according to an advisory issued Thursday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a liaison group between the US Department of Homeland Security and private industry. Attackers who know the default passwords of the devices can exploit these backdoors and change critical settings or replace the authorized firmware altogether.

The advisory came the same day that the Food and Drug Administration released its own notice on the same topic. Both warnings said there was no indication attacks were being carried out in the wild, and neither warning disclosed the affected device models or the manufacturers. But Terry McCorkle, one of the researchers who uncovered the vulnerabilities, said few if any are immune.

"It's safe to say most medical device manufacturers are affected," McCorkle, who is technical director at security firm Cylance, told Ars. "It's kind of an industry-wide issue."

He declined to name specific companies or products. He went on to say no reverse engineering is required to acquire the device passwords.

"The affected devices have hard-coded passwords that can be used to permit privileged access to devices, such as passwords that would normally be used only by a service technician," the ICS-CERT warning stated. "In some devices, this access could allow critical settings or the device firmware to be modified."

Security concerns have risen over the past decade as more and more medical devices incorporate configurable computer systems that are susceptible to tampering by malicious hackers. The amount of damage that can be done is magnified because many pacemakers, insulin pumps, and other devices implanted in or attached to a patient's body can be remotely controlled using radio signals. Security researchers have proposed various measures to make unauthorized changes harder. The most effective way for manufacturers to prevent tampering is to remove backdoor accounts, followed by requiring all firmware to be digitally signed, McCorkle said.