Your dentist is probably using horribly insecure patient software

Three separate software systems used by dentists contain hard-coded credentials, which could allow an attacker full access to patient databases.
Written by Zack Whittaker, Contributor

You might now have one extra reason not to want to go to the dentist.

Advisories have been issued over three sets of software commonly used by dentists, after a security researcher found hard-coded credentials that could give an attacker full access to patient data.

The advisories, posted in Carnegie Mellon University's public vulnerability database (CERT), said that in all cases an attacker could remotely get administrative or root access to the software if they know the credentials.

CERT said in Tuesday's advisories that all versions of Dentsply Sirona CDR DICOM, a dental records management application, are affected by the issue. Similarly, Open Dental, which also manages dental records, uses a MySQL database that comes with a default blank password.

On Wednesday, CERT issued its third near-identical advisory for Dexis Imaging Suite 10. The company advised users to update the database's credentials. Newer versions of the software don't use hard-coded credentials.

The scale of the problem could be huge, given how many dentists' offices use the named software.

According to Sirona's website, the company serves dozens of government customers, including Navy clinics, Veterans Affairs medical centers, the US Army, and the US Air Force, which combined could come to several hundred thousand patients.

Meanwhile, Open Dental, as free and open-source software, is available for anyone to download. It's reported that over 4,000 dental offices use the software.

It's not clear exactly why the vendors designed their software's security that way.

We reached out to Sirona but didn't hear back at the time of writing. According to both advisories, there were no statements from the companies ahead of disclosure, about a month earlier.

Open Dental Chief Executive Nathan Sparks disputed the findings in an email to ZDNet, calling them "factually false", arguing that the default blank password can be changed. After publication, CERT updated its advisory to reflect that the issue related to a "blank" default password rather than a "hard-coded" password.

"We do still consider default blank passwords a security issue that may be corrected in other ways," said Garret Wassermann, a CERT vulnerability analyst, in an email.

Justin Shafer, a Texas-based dental computer technician, was credited with finding the three flaws.

Shafer earlier this year made headlines when the FBI conducted a raid on his home after he disclosed a flaw in Dentrix dental software.

Updated at 4:20pm: New comments and statement from CERT and Open Dental.