Trove of medical devices found to have password problems

Summary: Surgical devices, ventilators, defibrillators, and monitors are among the equipment at risk.

Up to 300 medical devices from 40 vendors have been identified as vulnerable to a hard-coded password issue, and two government agencies are working to get the word out and protect against exploits.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security and the Food and Drug Administration (FDA) are warning that the vulnerability could allow attackers to change critical settings and modify firmware.

ICS-CERT said two researchers from cybersecurity vendor Cylance — Billy Rios and Terry McCorkle — first reported the vulnerability that affects medical devices with configurable embedded computer systems. Those devices include surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.

The manufacturers, while not identified, have been notified of the problems and are being asked to confirm vulnerabilities and investigate patches.

ICS-CERT and the FDA also are concerned that the vulnerabilities can act as a launch pad if the devices are networked, including via the internet and with smartphones. The FDA gave specific examples such as networked medical devices infected with malware, targeted mobile wireless devices where malware could ferret out implanted patient devices or patient data, and password theft that could eventually provide hackers with privileged access.

The FDA has also published recommendations to prevent unauthorized access to, or modification of, devices. Those include limiting access to trusted users via user authentication, biometrics, or smart cards rather than hard-coded passwords; protecting devices by keeping security patches current; and setting up processes to recapture device functionality even after an exploit.

In addition, the FDA said healthcare facilities should also take precautions such as restricting access to networks, checking for updates on anti-virus and firewall systems, and monitoring network activity.

There have been no known exploits of the vulnerabilities, according to the agencies.

Topics: Health, Networking, Security

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, directs several social media channels, and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
