The 6 lines of code that could bring down a hospital

cybersecurity, hacking illustration

Using fairly rudimentary hacking techniques, researchers have exposed vulnerabilities in a variety of medical devices, most recently in a Philips (NYSE:PHG) Xper hospital management system that buckled under the force of a mere 6 lines of code.

The Xper device often connects with hospital machines and patient databases that could be compromised by someone with the know-how and motive to infiltrate the system.

Researchers at Cylance Inc. who wrote the code warn that the software security loophole could provide malicious hackers the means to crash the hospital information device at will, take control of the system and even use it as a gateway to access other devices on the same network.

Philips initially suggested that the vulnerabilities may be limited to the older generation of the Xper information management system that the researchers tested, but company officials told this week that the security holes are also a problem in current generations of the product.

Officials at the U.S. Dept. of Homeland Security and the FDA have taken an interest in the investigation and Philips is working on a fix that it can release to its customers, according to the Dutch healthcare and electronics conglomerate.

Philips declined to disclose how many Xper systems are on the market "as that is competitive and business-sensitive information," strategic healthcare communications senior manager Mario Fante told us.

The Hack

Security experts Billy Rios and Terry McCorkle, who usually test security in industrial control systems, approached the Philips Xper with no prior knowledge about the device, its software or how it might be infiltrated.

They created a copy of the software for testing purposes and began scanning for open communication channels, or "ports." They managed to "discover" and access the system by doing little more than a digital version of fumbling in the dark.

Once they established a connection, Rios devised a generic code that sent the Xper system an enormous chunk of meaningless data – in this case the letter "A," thousands of times over. Software such as web browsers and operating systems can weather this barrage of nonsense, known as "fuzzing." But the Xper system crashed completely, Rios and McCorkle told us.

"You’re getting into memory space that it’s not expecting you to, and you can take advantage of that as a hacker," McCorkle said.

"Once we detected that there was a crash, we could cause a crash at will," Rios added.

After they had spotted the vulnerability, it was a matter of days before the pair had devised an "exploit" that allowed them to manipulate the system and, by proxy, any others it might be connected to.

The transition from crashing to owning the system requires some programming savvy, but the Xper device itself would have little defense against an experienced and determined hacker. Given the proliferation of malicious threats on the Internet, including a few instances in which hospital databases were held hostage by criminals overseas, it’s safe to assume at least some Xper systems are already "owned" by hackers, McCorkle said.

More than anything, the vulnerability demonstrated to Rios and McCorkle that the Xper system didn’t get proper defense testing while it was being developed.

"That’s the piece that’s missing," McCorkle said. "You don’t have robust testing behind the scenes."

Philips Healthcare has the security mindset built into its product development globally, Fante told us. An international team of product security officers are monitoring potential vulnerabilities and the company has protocols governing risk assessment and incident response, he said. The device maker is also working on a patch for the specific vulnerability that Rios and McCorkle uncovered and has been keeping FDA official abreast of the issue.

"Once the fix is validated, it will be released through our standard FCO process and impacted customers will be informed," Fante said.

The device

The Xper system is Philips’ personalized hospital work-flow manager, with functions for lab reporting, staff scheduling, inventory coordination and more, according to the company’s website. Apart from administrative functions and database access, the Xper system interfaces with hospital equipment such as X-ray machines and vascular monitors.

The device is not intended for sale to individuals, even if they are cybersecurity researchers, but Rios and McCorkle found a reseller online who shipped it directly to Rios’ home.

When they examined the system, Rios and McCorkle discovered their Xper device had once belonged to a large Utah hospital system, which they refused to name. They also uncovered service passwords contained in the device they believe could be a universal access point for maintenance workers.

The researchers discussed their findings during a recent taped security conference, with the maintenance credentials were blocked in the publicly available videos from the presentation.

The technique

The technique Rios and McCorkle used to access and take down the Xper system are not new or difficult to devise, they noted. Port scanners, like the 1 they used to find the open communications pathway to the Xper system, are freely available on the Internet. Fuzzers, like the 1 that crashed the Xper system, might as well be Cybersecurity 101. If the medical device industry isn’t developing with security in mind, products can reach the market with weaknesses that other industries have already encountered and overcome. That could put healthcare systems more than a decade behind in terms of security.

"Software manufacturers like Microsoft and Apple and Google, when they release software they use things called ‘exploit mitigations,’" Rios told us. "If they make a mistake in their coding and they introduce a vulnerability, what they do is make it really hard to exploit that specific vulnerability, making the attacker or exploit-writer jump through a lot of different hoops to get the exploit just right so they can take over the device."

Those types of mitigations simply don’t exist in the medical device world, he noted.

"In most of the software security world, where they’ve been looking at these types of problems for a long time, you’d need a more complicated fuzzer in order to find those vulnerabilities," McCorkle said. "A 6-line fuzzer? Anybody with any kind of technical knowledge can write that."

The investigation

After Rios and McCorkle uncovered the vulnerabilities, they weren’t really sure what to do next. They turned to Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, which took over the investigation and contacted Philips and the FDA.

"Following notification by the U.S. Dept. of Homeland Security of a software security vulnerability related to the Philips Xper Information Management system, the Philips Healthcare product security team has engaged in ongoing investigation and customer notification and remediation," the company said in a press release. "Philips continues to investigate the scope and any potential impact of the identified vulnerability in the Xper IM system. Additionally, Philips continues to examine and address issues related to the public disclosure of service passwords used in healthcare products."

The company has yet to learn of any specific adverse patient events or privacy concerns related to the vulnerability exposed by Rios and McCorkle, but they’re going to be vigilant, Fante told us.

RSS From Medical Design & Outsourcing

  • GlobTek presents its latest level VI AC/DC adapter and connverter
    T-43086-WWVV-X.X-Q Model is an addition to GlobTek’s Level VI compliant GT-43086 family and represents GlobTek’s 6 Watt wall plug-in series of AC/DC adapters (power supplies and chargers) with International Interchangeable blades. GlobTek’s changeable input blade system with individual field replaceable input plugs, including: North America and Japan NEMA 1-15P, Australian, UK BS 1363, European CEE […]
  • Sanmina’s familiarity with FDA gets skin treatment product to market fast
    The medical market for cosmetic devices is booming. However, quickly launching new products to meet demand is becoming more challenging because device manufactures face increased regulatory scrutiny. To help meet regulatory requirements, aesthetic and other medical-device OEMs are partnering with electronics manufacturing services (EMS) companies that also offer expertise with the FDA filings necessary to […]
  • Fluid connectors and quick disconnects for IVD equipment from CPC
    Colder Products Company (CPC) offers thousands of tubing connectors, quick disconnects and fittings for smart fluid handling in IVD and analytical equipment. Non-spill connectors speed testing throughput by eliminating drips, preventing air inclusion and increasing operator safety. Panel mount connectors can be added to existing equipment or bottle caps to provide secure, leak-free connections. Puncture […]
  • 310 Watt desktop medical power supply meets efficiency level VI requirements
    Power Partners releases a new 310 Watt medical grade desktop power supply from their PEAMD Series of AC and DC adapters. The 310 Watt unit is packed for ideal performance inside a compact case measuring 7.8 x 4 x 2 in. with a weight of only 3 lbs. The PEAMD310 Series is approved to the latest […]
  • Saelig introduces Multiple Instrument System MIS4 universal test system
    Saelig Company has introduced the ABI Electronics’ Multiple Instrument Station MIS4, an all-in-one testing tool that provides all commonly required test instruments in one compact programmable hardware module, mounted in a compact case or installed in a PC-drive bay. Controlled by ABI’s sophisticated SYSTEM 8 Ultimate PC software with a simple yet programmable operator interface, […]
  • AssurX announces document management software update for small to mid-size companies in FDA regulated industries
    AssurX, an enterprise quality management, risk and regulatory compliance solution provider, announces the release of the latest update to their AssurX document management software. The document management solution provides a cost-effective solution for small to medium sized companies faced with streamlined operations and is fully compliant for FDA regulated industries. Ideal solution for small to […]
  • Saelig presents new Amplicon Impact-R 1100F series computer
    Saelig Company announces the Amplicon Impact-R 1100F series, a fanless system powered by the Intel ATOM D2550 processor. Configured with a high performance 2.5 in. MLC Solid State Drive (SSD), the Impact-R 1100F series is a silent controller system. With options for multiple serial communication ports, the Impact-R 1100F can offer up seven DB9 connections […]
  • Gerresheimer to acquire Centor
    Gerresheimer AG, a partner to the global pharmacy and healthcare industry, will further extend its pharmaceutical packaging business with the acquisition of Centor. Gerresheimer has reached an agreement with Nemera Development S.A. to acquire 100% of the share capital of Centor US Holding. “Centor is the highly profitable market leader for plastic vials and closures in […]
  • Methods Machine Tools presents the new Nakamura-Tome NTRX-300
    Methods Machine Tools, a developer of precision machine tools and automation, has introduced the new Nakamura-Tome NTRX-300, a multitasking turning center featuring complete parts machining in one operation, with a built-in load and unload automation system and advanced operator recognition management software. The NTRX-300 features true opposing twin spindles: an 8 in. A2-6 25 HP or […]
  • MSC Apex Diamond Python and Smart Midsurface speeds modeling to validation
    MSC Software announced a new release of MSC Apex, the company’s award-winning next generation Computer Aided Engineering (CAE) platform. The MSC Apex Diamond Python release introduces: · The fourth release of MSC Apex Modeler is a CAE Specific direct modeling and meshing solution that streamlines CAD clean-up, simplification and meshing workflow. New in this release is […]
  • Quality Metrics: FDA’s plan for a key set of measurements to help ensure manufacturers are producing quality medications
    Editor’s Note: This article is written by Ashley Boam and Mary Malarkey from the “FDA Voice” blog. Boam is an FDA’s acting Director of the Office of Policy for Pharmaceutical Quality, the Office of Pharmaceutical Quality and the Center for Drug Evaluation and Research. Malarkey is an FDA’s Director if the Office of Compliance and Biologics Quality […]

Leave a Reply