The Dept. of Homeland Security warned last month that some 300 medical devices may be vulnerable to malicious hacking thanks to manufacturers’ hard-coded default passwords. Devices at risk include external defibrillators, infusion pumps, lab and analysis equipment, ventilators and more.
The devices in question have "hard-coded" passwords that allow high-level access to the machines, designed to be used by technicians servicing the devices. The passwords are built into the software and are generally universal among all units of a particular model.
The hard-coded passwords could be used to manipulate the machines, altering critical settings or modifying the device’s firmware, according DOH’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT.
The agency learned of the vulnerabilities from a pair of software security experts, Billy Rios and Terry McCorkle of Cylance, who submitted a report demonstrating that the hard-coded passwords made the medical devices "remotely exploitable."
As usual, the federal agency noted that no medical device cyber-exploits have yet been reported in the real-world, so far limited to research settings. Nonetheless, the ICS-CERT is working with the FDA, medical device vendors and security researchers to mitigate the risk across all devices.
"Because of the critical and unique status that medical devices occupy, ICS-CERT has been working in close cooperation with the Food and Drug Administration in addressing these issues," according to the agency report. "ICS-CERT recommends that device manufacturers, healthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities."
The agency said that it has been in communication with medtech vendors, asking them to confirm the password exploit in their devices and to identify ways to mitigate the risk.
"Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and FDA for tracking and correlation against other incidents," the agency added.
Security researchers Rios and McCorkle have had brushes with medtech cybersecurity in the past. Earlier this year the duo demonstrated a hack on a a Philips(NYSE:PHG) XPER medical management system, exploiting a security flaw to "own" the machine and remotely control and modify its settings. In an interview with MassDevice.com the researchers explained how they had written 6 lines of rudimentary code to crash the hospital information system, take control and even use it as a gateway to access other devices operating on the same network.