Using fairly rudimentary hacking techniques, researchers have exposed vulnerabilities in a variety of medical devices, most recently in a Philips (NYSE:PHG) Xper hospital management system that buckled under the force of a mere 6 lines of code.
The Xper device often connects with hospital machines and patient databases that could be compromised by someone with the know-how and motive to infiltrate the system.
Researchers at Cylance Inc. who wrote the code warn that the software security loophole could provide malicious hackers the means to crash the hospital information device at will, take control of the system and even use it as a gateway to access other devices on the same network.
Philips initially suggested that the vulnerabilities may be limited to the older generation of the Xper information management system that the researchers tested, but company officials told MassDevice.com this week that the security holes are also a problem in current generations of the product.
Officials at the U.S. Dept. of Homeland Security and the FDA have taken an interest in the investigation and Philips is working on a fix that it can release to its customers, according to the Dutch healthcare and electronics conglomerate.
Philips declined to disclose how many Xper systems are on the market "as that is competitive and business-sensitive information," strategic healthcare communications senior manager Mario Fante told us.
The Hack
Security experts Billy Rios and Terry McCorkle, who usually test security in industrial control systems, approached the Philips Xper with no prior knowledge about the device, its software or how it might be infiltrated.
They created a copy of the software for testing purposes and began scanning for open communication channels, or "ports." They managed to "discover" and access the system by doing little more than a digital version of fumbling in the dark.
Once they established a connection, Rios devised a generic code that sent the Xper system an enormous chunk of meaningless data – in this case the letter "A," thousands of times over. Software such as web browsers and operating systems can weather this barrage of nonsense, known as "fuzzing." But the Xper system crashed completely, Rios and McCorkle told us.
"You’re getting into memory space that it’s not expecting you to, and you can take advantage of that as a hacker," McCorkle said.
"Once we detected that there was a crash, we could cause a crash at will," Rios added.
After they had spotted the vulnerability, it was a matter of days before the pair had devised an "exploit" that allowed them to manipulate the system and, by proxy, any others it might be connected to.
The transition from crashing to owning the system requires some programming savvy, but the Xper device itself would have little defense against an experienced and determined hacker. Given the proliferation of malicious threats on the Internet, including a few instances in which hospital databases were held hostage by criminals overseas, it’s safe to assume at least some Xper systems are already "owned" by hackers, McCorkle said.
More than anything, the vulnerability demonstrated to Rios and McCorkle that the Xper system didn’t get proper defense testing while it was being developed.
"That’s the piece that’s missing," McCorkle said. "You don’t have robust testing behind the scenes."
Philips Healthcare has the security mindset built into its product development globally, Fante told us. An international team of product security officers is monitoring potential vulnerabilities and the company has protocols governing risk assessment and incident response, he said. The device maker is also working on a patch for the specific vulnerability that Rios and McCorkle uncovered and has been keeping FDA officials abreast of the issue.
"Once the fix is validated, it will be released through our standard FCO process and impacted customers will be informed," Fante said.
The device
The Xper system is Philips’ personalized hospital work-flow manager, with functions for lab reporting, staff scheduling, inventory coordination and more, according to the company’s website. Apart from administrative functions and database access, the Xper system interfaces with hospital equipment such as X-ray machines and vascular monitors.
The device is not intended for sale to individuals, even if they are cybersecurity researchers, but Rios and McCorkle found a reseller online who shipped it directly to Rios’ home.
When they examined the system, Rios and McCorkle discovered their Xper device had once belonged to a large Utah hospital system, which they refused to name. They also uncovered service passwords contained in the device they believe could be a universal access point for maintenance workers.
The researchers discussed their findings during a recent taped security conference, with the maintenance credentials blocked in the publicly available videos from the presentation.
The technique
The techniques Rios and McCorkle used to access and take down the Xper system are not new or difficult to devise, they noted. Port scanners, like the one they used to find the open communications pathway to the Xper system, are freely available on the Internet. Fuzzers, like the one that crashed the Xper system, might as well be Cybersecurity 101. If the medical device industry isn’t developing with security in mind, products can reach the market with weaknesses that other industries have already encountered and overcome. That could put healthcare systems more than a decade behind in terms of security.
"Software manufacturers like Microsoft and Apple and Google, when they release software they use things called ‘exploit mitigations,’" Rios told us. "If they make a mistake in their coding and they introduce a vulnerability, what they do is make it really hard to exploit that specific vulnerability, making the attacker or exploit-writer jump through a lot of different hoops to get the exploit just right so they can take over the device."
Those types of mitigations simply don’t exist in the medical device world, he noted.
"In most of the software security world, where they’ve been looking at these types of problems for a long time, you’d need a more complicated fuzzer in order to find those vulnerabilities," McCorkle said. "A 6-line fuzzer? Anybody with any kind of technical knowledge can write that."
The investigation
After Rios and McCorkle uncovered the vulnerabilities, they weren’t really sure what to do next. They turned to Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, which took over the investigation and contacted Philips and the FDA.
"Following notification by the U.S. Dept. of Homeland Security of a software security vulnerability related to the Philips Xper Information Management system, the Philips Healthcare product security team has engaged in ongoing investigation and customer notification and remediation," the company said in a press release. "Philips continues to investigate the scope and any potential impact of the identified vulnerability in the Xper IM system. Additionally, Philips continues to examine and address issues related to the public disclosure of service passwords used in healthcare products."
The company has yet to learn of any specific adverse patient events or privacy concerns related to the vulnerability exposed by Rios and McCorkle, but they’re going to be vigilant, Fante told us.