Trove of medical devices found to have password problems

Surgical devices, ventilators, defibrillators, and monitors are among the equipment at risk.
Written by John Fontana, Contributor

Up to 300 various medical devices from 40 vendors have been identified as vulnerable to a hard-coded password issue, and two government agencies are working to get the word out and protect against exploits.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security and the Food and Drug Administration (FDA) are warning that the vulnerability could allow attackers to change critical settings and modify firmware.

ICS-CERT said two researchers from cybersecurity vendor Cylance — Billy Rios and Terry McCorkle — first reported the vulnerability that affects medical devices with configurable embedded computer systems. Those devices include surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.

The manufacturers, while not identified, have been notified of the problems and are being asked to confirm vulnerabilities and investigate patches.

ICS-CERT and the FDA also are concerned that the vulnerabilities can act as a launch pad if the devices are networked, including via the internet and with smartphones. The FDA gave specific examples such as networked medical devices infected with malware, targeted mobile wireless devices where malware could ferret out implanted patient devices or patient data, and password theft that could eventually provide hackers with privileged access.

The FDA has also published recommendations to prevent unauthorized access to devices and/or modifications. Those include: Limiting access to trusted users via user authentication, biometrics, or smart cards rather than hard-coded passwords; protecting devices by keeping security patches current; and setting up processes to recapture device functionality even after an exploit.

In addition, the FDA said healthcare facilities should also take precautions such as restricting access to networks, checking for updates on anti-virus and firewall systems, and monitoring network activity.

There have not been any known exploits in regards to the vulnerabilities, according to the agencies.

Editorial standards