The 6 lines of code that could bring down a hospital

cybersecurity, hacking illustration

Using fairly rudimentary hacking techniques, researchers have exposed vulnerabilities in a variety of medical devices, most recently in a Philips (NYSE:PHG) Xper hospital management system that buckled under the force of a mere 6 lines of code.

The Xper device often connects with hospital machines and patient databases that could be compromised by someone with the know-how and motive to infiltrate the system.

Researchers at Cylance Inc. who wrote the code warn that the software security loophole could provide malicious hackers the means to crash the hospital information device at will, take control of the system and even use it as a gateway to access other devices on the same network.

Philips initially suggested that the vulnerabilities may be limited to the older generation of the Xper information management system that the researchers tested, but company officials told MassDevice.com this week that the security holes are also a problem in current generations of the product.

Officials at the U.S. Dept. of Homeland Security and the FDA have taken an interest in the investigation and Philips is working on a fix that it can release to its customers, according to the Dutch healthcare and electronics conglomerate.

Philips declined to disclose how many Xper systems are on the market "as that is competitive and business-sensitive information," strategic healthcare communications senior manager Mario Fante told us.

The Hack

Security experts Billy Rios and Terry McCorkle, who usually test security in industrial control systems, approached the Philips Xper with no prior knowledge about the device, its software or how it might be infiltrated.

They created a copy of the software for testing purposes and began scanning for open communication channels, or "ports." They managed to "discover" and access the system by doing little more than a digital version of fumbling in the dark.

Once they established a connection, Rios devised a generic code that sent the Xper system an enormous chunk of meaningless data – in this case the letter "A," thousands of times over. Software such as web browsers and operating systems can weather this barrage of nonsense, known as "fuzzing." But the Xper system crashed completely, Rios and McCorkle told us.

"You’re getting into memory space that it’s not expecting you to, and you can take advantage of that as a hacker," McCorkle said.

"Once we detected that there was a crash, we could cause a crash at will," Rios added.

After they had spotted the vulnerability, it was a matter of days before the pair had devised an "exploit" that allowed them to manipulate the system and, by proxy, any others it might be connected to.

The transition from crashing to owning the system requires some programming savvy, but the Xper device itself would have little defense against an experienced and determined hacker. Given the proliferation of malicious threats on the Internet, including a few instances in which hospital databases were held hostage by criminals overseas, it’s safe to assume at least some Xper systems are already "owned" by hackers, McCorkle said.

More than anything, the vulnerability demonstrated to Rios and McCorkle that the Xper system didn’t get proper defense testing while it was being developed.

"That’s the piece that’s missing," McCorkle said. "You don’t have robust testing behind the scenes."

Philips Healthcare has the security mindset built into its product development globally, Fante told us. An international team of product security officers are monitoring potential vulnerabilities and the company has protocols governing risk assessment and incident response, he said. The device maker is also working on a patch for the specific vulnerability that Rios and McCorkle uncovered and has been keeping FDA official abreast of the issue.

"Once the fix is validated, it will be released through our standard FCO process and impacted customers will be informed," Fante said.

The device

The Xper system is Philips’ personalized hospital work-flow manager, with functions for lab reporting, staff scheduling, inventory coordination and more, according to the company’s website. Apart from administrative functions and database access, the Xper system interfaces with hospital equipment such as X-ray machines and vascular monitors.

The device is not intended for sale to individuals, even if they are cybersecurity researchers, but Rios and McCorkle found a reseller online who shipped it directly to Rios’ home.

When they examined the system, Rios and McCorkle discovered their Xper device had once belonged to a large Utah hospital system, which they refused to name. They also uncovered service passwords contained in the device they believe could be a universal access point for maintenance workers.

The researchers discussed their findings during a recent taped security conference, with the maintenance credentials were blocked in the publicly available videos from the presentation.

The technique

The technique Rios and McCorkle used to access and take down the Xper system are not new or difficult to devise, they noted. Port scanners, like the 1 they used to find the open communications pathway to the Xper system, are freely available on the Internet. Fuzzers, like the 1 that crashed the Xper system, might as well be Cybersecurity 101. If the medical device industry isn’t developing with security in mind, products can reach the market with weaknesses that other industries have already encountered and overcome. That could put healthcare systems more than a decade behind in terms of security.

"Software manufacturers like Microsoft and Apple and Google, when they release software they use things called ‘exploit mitigations,’" Rios told us. "If they make a mistake in their coding and they introduce a vulnerability, what they do is make it really hard to exploit that specific vulnerability, making the attacker or exploit-writer jump through a lot of different hoops to get the exploit just right so they can take over the device."

Those types of mitigations simply don’t exist in the medical device world, he noted.

"In most of the software security world, where they’ve been looking at these types of problems for a long time, you’d need a more complicated fuzzer in order to find those vulnerabilities," McCorkle said. "A 6-line fuzzer? Anybody with any kind of technical knowledge can write that."

The investigation

After Rios and McCorkle uncovered the vulnerabilities, they weren’t really sure what to do next. They turned to Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, which took over the investigation and contacted Philips and the FDA.

"Following notification by the U.S. Dept. of Homeland Security of a software security vulnerability related to the Philips Xper Information Management system, the Philips Healthcare product security team has engaged in ongoing investigation and customer notification and remediation," the company said in a press release. "Philips continues to investigate the scope and any potential impact of the identified vulnerability in the Xper IM system. Additionally, Philips continues to examine and address issues related to the public disclosure of service passwords used in healthcare products."

The company has yet to learn of any specific adverse patient events or privacy concerns related to the vulnerability exposed by Rios and McCorkle, but they’re going to be vigilant, Fante told us.

RSS From Medical Design & Outsourcing

  • Emuge expands solid carbide thread mill program with new 3XD sizes
    Emuge is now offering an expanded line of Solid Carbide Thread Mills in their popular THREADS-ALL Program, to include new 3XD sizes designed for maximum reach. A total of 17 new sizes have been added, from miniature to standard size tools, providing maximum versatility in a wide range of thread milling applications. The 3XD THREADS-ALL […]
  • Start of helpful humanoid robots? CITEC uses compact LDS component as sensor array
    Editor’s Note: LaserMicronics, a service provider for laser-based manufacturing, has released the whitepaper “Robot hand with a sensitive touch: LDS tactile sensors for sensorimotor skills.” The paper describes a 2014 project from the CITEC department at Bielefeld University in Bielefeld, Germany, where researchers created a tactile sensor resembling a human fingertip. The sensor was then […]
  • Nature meets technology: Festo’s BionicANTs cooperate to solve a common task
    Editor’s Note: Festo, an industrial control and automation company, has released the whitepaper “BionicANTs: Cooperative behavior based on a natural model.” The paper describes the BionicANT, a creation of Festo engineers that duplicates the physical anatomy of its natural counterpart and reproduces the insect’s cooperative behavior. Festo engineers have used the delicate anatomy of an […]
  • Acorn Regulatory streamlines approval process drug-device manufacturers
    Acorn Regulatory, an ISO-certified medical device and pharmaceutical consulting firm, is streamlining procedures for U.S. manufacturers of drug-device combinations with customized programs that successfully overcome challenges in meeting European regulatory approvals. Focusing on small to mid-size companies, Acorn Regulatory has put in place a comprehensive step-by-step process that provides the correct regulatory pathway for medical […]
  • Athermal laser machining cuts bioabsorbable polymers and more
    A the recent MD&M East trade show in New York, Norman Noble, discussed the capability of athermal laser manufacturer. The company has developed the Noble S.T.E.A.L.T.H. (System To Enable Ablation Laser Technology Haz-free). The athermal laser machining process was developed to create precise features in any material, including bioabsorbable polymers, shape memory metals and other […]
  • Exciting possibilities for metallic glass in the medical device world
    Researchers are exploring the potential of metallic glass as a versatile, pliable material that is stronger than steel, with a bevy of possible medical device applications. Yale University engineers have discovered a unique method for designing metallic glass nanostructures across a wide range of chemicals, a technique that could have applications for everything from watch […]
  • Strong Precision Technologies’ medical divisions to unify under MedTorque brand
    Strong Precision Technologies announced on July 2, 2015, that its two medical divisions will now go to market under a single brand, MedTorque. The move reflects the increasing integration of the division formerly known as Inland Midwest with MedTorque, its sister division in Kenosha, WI. “We will continue providing our customers with the personalized level of service […]
  • Olympus offers next-day product replacement guarantee for medical devices
    Olympus, a medical and surgical procedures solutions company, announced that it is guaranteeing next-day replacements for surgical equipment at no additional charge. Olympus is the first surgical product manufacturer to offer this type of guarantee. The service became available to customers with an Olympus Full Service Agreement earlier this year. “Canceled procedures can be costly for healthcare facilities […]
  • More accurate prediction on prognosis in multiple myeloma from SkylineDx
    SkylineDx, a biotechnology company specializing in the development and commercialization of genetic tests, is launching its MMprofiler assay. This test enables clinicians to more accurately predict the prognosis of patients with multiple myeloma (bone marrow cancer) than traditional methods. The MMprofiler measures the activity of 92 genes which are directly or indirectly related to the […]
  • Flint Mobile swaps card reader for camera, accept mobile payments anywhere
    Flint Mobile, the swipe-free mobile payments app, has significantly expanded its payment management and loyalty capabilities for small, service-centric businesses, like the ones run by on-the-go medical equipment professionals. The toggle-free mobile technology makes the process quite simple for both parties, as all transactions are conducted through the mobile device’s camera without the need of any external […]
  • Should scientists be allowed to genetically alter human embryos?
    Scientists have at their disposal, a way to explore the possible prevention of genetic diseases before birth. But should they? Currently, the most promising path forward involves editing the genes of human embryos, a procedure threaded with controversy. An article in “Chemical & Engineering News” (C&EN), the weekly newsmagazine of the American Chemical Society (ACS), parses […]

Comments

  1. says

    I just want to tell you that I’m all new to blogging and site-building and actually savored your blog site. Almost certainly I’m likely to bookmark your site . You really come with perfect well written articles. Many thanks for sharing your website page.

Trackbacks

  1. Nice article

    Apakah kamu membutuhkan obat herbal de Nature Indonesia silahkan dapat hubungi customer service kita secara langsung melalui SMS ataupun Telepon. Kami selalu online 24 jam utk melayani pembelian obat herbal de Nature.

Leave a Reply