The 6 lines of code that could bring down a hospital

cybersecurity, hacking illustration

Using fairly rudimentary hacking techniques, researchers have exposed vulnerabilities in a variety of medical devices, most recently in a Philips (NYSE:PHG) Xper hospital management system that buckled under the force of a mere 6 lines of code.

The Xper device often connects with hospital machines and patient databases that could be compromised by someone with the know-how and motive to infiltrate the system.

Researchers at Cylance Inc. who wrote the code warn that the software security loophole could provide malicious hackers the means to crash the hospital information device at will, take control of the system and even use it as a gateway to access other devices on the same network.

Philips initially suggested that the vulnerabilities may be limited to the older generation of the Xper information management system that the researchers tested, but company officials told this week that the security holes are also a problem in current generations of the product.

Officials at the U.S. Dept. of Homeland Security and the FDA have taken an interest in the investigation and Philips is working on a fix that it can release to its customers, according to the Dutch healthcare and electronics conglomerate.

Philips declined to disclose how many Xper systems are on the market "as that is competitive and business-sensitive information," strategic healthcare communications senior manager Mario Fante told us.

The Hack

Security experts Billy Rios and Terry McCorkle, who usually test security in industrial control systems, approached the Philips Xper with no prior knowledge about the device, its software or how it might be infiltrated.

They created a copy of the software for testing purposes and began scanning for open communication channels, or "ports." They managed to "discover" and access the system by doing little more than a digital version of fumbling in the dark.

Once they established a connection, Rios devised a generic code that sent the Xper system an enormous chunk of meaningless data – in this case the letter "A," thousands of times over. Software such as web browsers and operating systems can weather this barrage of nonsense, known as "fuzzing." But the Xper system crashed completely, Rios and McCorkle told us.

"You’re getting into memory space that it’s not expecting you to, and you can take advantage of that as a hacker," McCorkle said.

"Once we detected that there was a crash, we could cause a crash at will," Rios added.

After they had spotted the vulnerability, it was a matter of days before the pair had devised an "exploit" that allowed them to manipulate the system and, by proxy, any others it might be connected to.

The transition from crashing to owning the system requires some programming savvy, but the Xper device itself would have little defense against an experienced and determined hacker. Given the proliferation of malicious threats on the Internet, including a few instances in which hospital databases were held hostage by criminals overseas, it’s safe to assume at least some Xper systems are already "owned" by hackers, McCorkle said.

More than anything, the vulnerability demonstrated to Rios and McCorkle that the Xper system didn’t get proper defense testing while it was being developed.

"That’s the piece that’s missing," McCorkle said. "You don’t have robust testing behind the scenes."

Philips Healthcare has the security mindset built into its product development globally, Fante told us. An international team of product security officers are monitoring potential vulnerabilities and the company has protocols governing risk assessment and incident response, he said. The device maker is also working on a patch for the specific vulnerability that Rios and McCorkle uncovered and has been keeping FDA official abreast of the issue.

"Once the fix is validated, it will be released through our standard FCO process and impacted customers will be informed," Fante said.

The device

The Xper system is Philips’ personalized hospital work-flow manager, with functions for lab reporting, staff scheduling, inventory coordination and more, according to the company’s website. Apart from administrative functions and database access, the Xper system interfaces with hospital equipment such as X-ray machines and vascular monitors.

The device is not intended for sale to individuals, even if they are cybersecurity researchers, but Rios and McCorkle found a reseller online who shipped it directly to Rios’ home.

When they examined the system, Rios and McCorkle discovered their Xper device had once belonged to a large Utah hospital system, which they refused to name. They also uncovered service passwords contained in the device they believe could be a universal access point for maintenance workers.

The researchers discussed their findings during a recent taped security conference, with the maintenance credentials were blocked in the publicly available videos from the presentation.

The technique

The technique Rios and McCorkle used to access and take down the Xper system are not new or difficult to devise, they noted. Port scanners, like the 1 they used to find the open communications pathway to the Xper system, are freely available on the Internet. Fuzzers, like the 1 that crashed the Xper system, might as well be Cybersecurity 101. If the medical device industry isn’t developing with security in mind, products can reach the market with weaknesses that other industries have already encountered and overcome. That could put healthcare systems more than a decade behind in terms of security.

"Software manufacturers like Microsoft and Apple and Google, when they release software they use things called ‘exploit mitigations,’" Rios told us. "If they make a mistake in their coding and they introduce a vulnerability, what they do is make it really hard to exploit that specific vulnerability, making the attacker or exploit-writer jump through a lot of different hoops to get the exploit just right so they can take over the device."

Those types of mitigations simply don’t exist in the medical device world, he noted.

"In most of the software security world, where they’ve been looking at these types of problems for a long time, you’d need a more complicated fuzzer in order to find those vulnerabilities," McCorkle said. "A 6-line fuzzer? Anybody with any kind of technical knowledge can write that."

The investigation

After Rios and McCorkle uncovered the vulnerabilities, they weren’t really sure what to do next. They turned to Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, which took over the investigation and contacted Philips and the FDA.

"Following notification by the U.S. Dept. of Homeland Security of a software security vulnerability related to the Philips Xper Information Management system, the Philips Healthcare product security team has engaged in ongoing investigation and customer notification and remediation," the company said in a press release. "Philips continues to investigate the scope and any potential impact of the identified vulnerability in the Xper IM system. Additionally, Philips continues to examine and address issues related to the public disclosure of service passwords used in healthcare products."

The company has yet to learn of any specific adverse patient events or privacy concerns related to the vulnerability exposed by Rios and McCorkle, but they’re going to be vigilant, Fante told us.

RSS From Medical Design & Outsourcing

  • Molex delivers ISO 13485-compliant, medical-grade surgical cables from its class 100,000 clean room facility
    Molex, LLC operates a fully ISO 146441-1:1999 Class 8-certified clean room, satisfying strict particulate contamination levels specified by ISO-compliant requirements. Located in Thailand, the facility has less than 100,000 particulates (≥0.5µm) per cubic foot of air and manufactures a variety of ISO 13485-compliant medical cables and surgical cables used in operating theatres, hospitals, laboratories and […]
  • Swept-Source OCT: Patent license agreement between Massachusetts General Hospital and Heidelberg Engineering
    Heidelberg Engineering has entered into a patent license agreement with Massachusetts General Hospital (MGH) in Boston. The agreement grants global and exclusive rights to 77 basic patents and patent applications which relate to swept-source OCT technology and its application in ophthalmology. Spectral domain OCT has become indispensable to eye care professionals worldwide to diagnose and […]
  • MIT’s MultiFab presents a stark challenge to incumbent 3D Printer manufacturers’ hardware, software, and business Models
    MIT’s Computational Fabrication Group recently announced the MultiFab, a low-cost 3D printer that can combine up to 10 different resins in one part and also includes a 3D scanning system to identify and fix errors during production. According to Lux Research, these capabilities are rare in commercial 3D printers today due to the manufacturers’ need […]
  • AVX releases Accu-P MP medical grade film chip capacitors for medical devices
    AVX Corporation, a leading manufacturer of passive components and interconnect solutions, has released a new series of thin film chip capacitors specifically designed to meet the demanding performance specifications for implantable medical devices. Delivering extremely tight capacitive tolerances, exceptionally repeatable performance, and remarkably low ESR and high Q at high frequencies—including VHF, UHF, and RF […]
  • RIVANNA commences manufacturing of its Accuro device
    Rivanna Medical announced that it has begun manufacturing its FDA-cleared Accuro device, a handheld and untethered smart-phone-sized device that is designed to guide spinal anesthesia with automated 3D navigation technology in addition to ultrasound imaging of abdominal, musculoskeletal, cardiac and peripheral vascular anatomies. The product will be launched at the ASA annual meeting in San […]
  • FDA seeks public input on Quality Metrics guidance
    by Oliver Wolf, Senior Product Manager, MasterControl In line with the general shift towards risk-driven approaches in the quality management world, FDA is now taking steps towards applying those same principles to its own auditing schedule. At the end of July, the Center for Drug Evaluation and Research (CDER) and the Center for Biologics Evaluation […]
  • First ‘Ear Wear’ for Active Adults Debuts with MDHearingAid FIT
    If you’ve burned out your ears with earbuds, headphones or decades of other audio abuse but aren’t ready for your grandmother’s hearing aids, not to worry! The new MDHearingAid FIT gets you back in the game with a tiny, FDA-registered, one-size-fits-most solution that doesn’t block your ear canal like old-fashioned in-the-ear hearing aids. The FIT feels […]
  • CardioGenics enters into manufacturing agreement with Ontario-based Plasticap
    CardioGenics Holdings, developer for the In-Vitro-Diagnostics (“IVD”) testing market, announced that it has entered into a manufacturing agreement with Plasticap of Ontario, Canada, pursuant to which Plasticap will manufacture CardioGenics’ proprietary self-metering cartridges for its QL Care analyzer. The term of the agreement is three years and the purchase price for each cartridge shall be […]
  • MTD Micro Molding releases micro materials menu
    MTD Micro Molding, a long-time leader in micro-injection molding, has released an updated “Materials Menu” of materials that can be successfully micromolded to help guide engineers at medical device companies. Material selection is a crucial step in product manufacturability. The correct material drives tolerance, dimension, strength, usabality, speed-to-market, design, critical features, and cost. Through MTD’s […]
  • MedTech Chat: Elastic technology for drug delivery
    Dr. Zhen Gu and Dr. Yong Zhu from North Carolina State University are both co-senior authors of a research paper describing their recent work. Dr. Gu, Dr. Zhu and other researchers from North Carolina State University and the University of North Carolina at Chapel Hill have developed a drug delivery technology that consists of an […]
  • B. Braun’s OEM Division offers large bore normally closed low-pressure check valves
    Infusion therapy and pain management device manufacturer B. Braun said today it is offering normally closed large-bore low-pressure check valves through its valve-focused contract manufacturing OEM division. The valves, offered by Bethlehem, Pa.-based B. Braun, are designed for the intermittent injection of fluids during medical treatment and open automatically when pressure is applied. The newly […]

Leave a Reply