The weakness gave the hackers complete control of the machine, one which they had purchased for testing purposes, and gave them access to any devices subsequently connected to it, which may include patient data, they told reporters.
"Anything on it or what’s connected to it was owned, too," Cylance’s Billy Rios told tech security news site Dark Reading. "By design, these things connect to a database."
Philips’ XPER system "manages other devices," Rios added, which means that a hole in its security compromises other technologies that deliver information to or take orders from the system.
Once hacked, "you can do anything you want to it," he said.
Rios and fellow researcher/hacker Terry McCorkle attempted to contact Philips with their findings, but turned instead to regulators when the company ignored their warnings.
"Somehow, the FDA is now involved," Rios said, adding that he was surprised at how fast the federal watchdogs took over the situation.
Philips representatives told Dark Reading that the machine in question was running older software and that the security hole they exploited isn’t present in newer devices.
Philips XPER systems are not commonly available for researchers and hackers to meddle with. McCorkle and Rios stumbled on an unauthorized vendor who sold them a 2nd-hand machine. Labels on the system indicated that the machine originally belonged to a Utah hospital, which the researchers declined to name. Philips has since collected the XPER system.
Non-malicious hackers, also known as "white hat" hackers, have become increasingly interested in medical device security as more researchers have reported that such security is minimal at best in the industry.
Although no medical device cyber-attacks have yet been reported, security experts warn that it’s just a matter of time. Last month researchers warned that it may soon take little more than a smartphone and some savvy to take down modern medical devices.