Researchers: Thousands of Medical Devices Are Vulnerable To Hacking

itwbennett writes: At the DerbyCon security conference, researchers Scott Erven and Mark Collao explained how they located Internet-connected medical devices by searching for terms like 'radiology' and 'podiatry' in the Shodan search engine. Some systems were connected to the Internet by design, others due to configuration errors. And much of the medical gear was still using the default logins and passwords provided by manufacturers. 'As these devices start to become connected, not only can your data get stolen but there are potential adverse safety issues,' Erven said.

  • every-damn-thing is, IF it's connected. once.
  • DUH... (Score:4, Informative)

    by Lumpy ( 12016 ) on Wednesday September 30, 2015 @08:46PM (#50632651) Homepage

    Most anyone that has dealt with these devices has known this for a decade. Almost all MRI machines are insecure in every way. Hell, even the little drug dose meter boxes have an open serial port on them.

    • But the people who have the power to change the situation either don't know, don't think it is important, or don't care enough to act. Research like this can change one of the above.

      • by Lumpy ( 12016 )

        The real answer is that they do know and they don't care at all in any way. It has been shown to them in plush meeting rooms on the big projector screen while they sit in their $12,000 chair. They are told about every problem and they just do not care in any way.

        The fix is to make hospital administrators personally liable for any data breach, and to allow suing the executives and board members of companies directly for selling highly vulnerable equipment.

    • The serial port can be secured with chewing gum.

  • Meanwhile, Win 10 is pushing updates without asking that have bricked some computers.

    Heck, would you like to post how any car since 1992 can easily be hacked remotely?

  • IT in health (Score:5, Interesting)

    by Anonymous Coward on Wednesday September 30, 2015 @09:36PM (#50632837)
    Speaking as a contractor that looks after a number of health organisations in Australia.
    All devices that we are putting in are VLANed and have specific firewall rules so that
    a. They can only contact the IP and port of the govt server that requires the information from the device.
    b. Nothing on either the internal network or the external network can get access to it at all.

    Other than that, there is nothing we can do. The govt IT manages those devices including passwords.
    We also have to deal with computer illiterate health professionals which certainly doesn't help with the whole situation.
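The two-rule segmentation policy the contractor above describes (device may only reach one government server on one port; nothing internal or external may initiate a connection to the device) is worth seeing as an actual firewall decision, because it also blocks device-to-device lateral movement and blocks the device's own management interface from the hospital LAN, which is exactly what leaves default vendor passwords unreachable. The following is an added example written for this page, not code from the thread or from any vendor: it models the policy as a function over new connection attempts, renders the equivalent nftables forward chain, and runs a batch of constructed flows through it. The VLAN range, the server address (a documentation/TEST-NET address), the port, the table name and every sample flow are assumed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed placeholder addressing; none of these values come from the original thread.
DEVICE_VLAN = ip_network("10.50.0.0/24")    # the isolated medical-device VLAN
GOVT_SERVER = ip_address("203.0.113.10")    # the single government collection server
GOVT_PORT = 443                             # the single port it is reached on


@dataclass(frozen=True)
class Flow:
    """A new connection attempt, as the firewall sees its first packet."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def verdict(flow: Flow) -> str:
    """Apply the two rules to a new connection and return 'accept', 'drop' or 'n/a'.

    Rule a: a device may only initiate a connection to GOVT_SERVER:GOVT_PORT over TCP.
    Rule b: no host, internal or external, may initiate a connection to a device.
    Flows that touch neither side of the device VLAN are 'n/a' (decided by other policy).
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in DEVICE_VLAN:
        ok = flow.proto == "tcp" and dst == GOVT_SERVER and flow.dport == GOVT_PORT
        return "accept" if ok else "drop"   # note: this also drops device-to-device traffic
    if dst in DEVICE_VLAN:
        return "drop"                       # device management ports are unreachable from anywhere
    return "n/a"


def nft_ruleset() -> str:
    """Render the same policy as an nftables forward chain (text only; nothing is applied).

    The chain defaults to drop, so the only new connections that pass are
    device -> govt server; replies return via conntrack state. Hospital traffic
    that never touches the device VLAN would need its own accept rules in a
    real deployment, which this chain deliberately does not cover.
    """
    return "\n".join([
        "table inet meddev {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {DEVICE_VLAN} ip daddr {GOVT_SERVER} tcp dport {GOVT_PORT} ct state new accept",
        f"    ip saddr {DEVICE_VLAN} counter drop",
        f"    ip daddr {DEVICE_VLAN} counter drop",
        "  }",
        "}",
    ])


# Constructed sample connection attempts used to exercise the policy.
SAMPLE_FLOWS = [
    Flow("10.50.0.7", "203.0.113.10", 443),   # device -> govt server: the one allowed path
    Flow("10.50.0.7", "203.0.113.10", 80),    # right server, wrong port
    Flow("10.50.0.7", "10.1.2.3", 445),       # device -> hospital LAN (e.g. SMB)
    Flow("10.50.0.7", "10.50.0.8", 22),       # device -> another device (lateral movement)
    Flow("10.1.2.3", "10.50.0.7", 80),        # hospital workstation -> device web UI
    Flow("198.51.100.9", "10.50.0.7", 23),    # Internet host -> device telnet
    Flow("10.1.2.3", "10.1.2.4", 3389),       # LAN traffic not involving the device VLAN
]


def audit(flows=SAMPLE_FLOWS) -> dict:
    """Return {flow: verdict} for a batch of connection attempts."""
    return {f: verdict(f) for f in flows}


if __name__ == "__main__":
    for f, v in audit().items():
        print(f"{v:6} {f.proto} {f.src} -> {f.dst}:{f.dport}")
    print(nft_ruleset())
```

Running the block prints one verdict per sample flow (only the first is accepted) followed by the rendered ruleset. The model has a deliberate limitation that matches the contractor's point: it only constrains new connections. If the government server itself is compromised, the established-connection rule still lets it talk back to the device over the session the device opened, so the single permitted destination is the one that must be trusted.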
  • Medical devices really get put through a very, very anal (no pun intended, eww) process before receiving regulatory approval. While I am not claiming that process is perfect, they are some of the safest and most tamper- and foolproof devices produced. So I conclude this article is basically FUD.

    • If only.

      I wear a few medical devices which talk to each other, and other things, wirelessly. I have seen firsthand that the main device can connect to a computer and obey a command to download its history without any indication showing on the screen, no beep or other indication that anything is going on. If it can do that without my permission, what else is it open to? Could it obey a command to, say, silently overdose me?

      It is clear from my experience that these devices were designed with convenience in

    • by Anonymous Coward

      Totally not from a security perspective. The review process (at least here) is mostly how the device handles faults, how it is effective, and how it will not damage the patient.

      Software review is basically providing a trace document that you make yourself and is rubber stamped. Security holes are exempt, since the device is only required to be resistant against accidental errors, not malicious things.

  • "this show is amazing. it's like the howard the duck of tv shows. it's a show about technology that uses 0% real technology." ref []
  • Perhaps this is my failure to truly understand the scope of the problem, but where is the real motivation for hackers to compromise MRI machines and CAT scanners? Seriously. Why would somebody go to any level of effort and for that matter risk the felony charges that would come as a result?

    I am not questioning that such a thing would be a violation of privacy. I am also not questioning that there is potential for serious harm to be maliciously done to or against somebody. I merely question the scope of t

    • So, you believe hackers are all acting rationally. How do you explain Mafia Boy and the like? What did he gain from flooding Yahoo and others with a DDoS attack? Would you trust a medical result from a poorly protected medical device which may lead to a cancer diagnosis or something which in turn may lead to very bad, costly and inconvenient side effects? Hacking doesn't just mean the medical device is out of service; it can be much more subtle. You may just gather medical data to resell, blackmail, etc.
    • Multiple reasons why somebody would target these servers (BTW: I was at the talk. Their video is at [].)

      Anyways, IMHO, reasons:
      1) As a gateway into the hospital so you can pwn servers to DDOS others
      2) As a gateway into medical records so you can better phish, or possibly blackmail your targets

    • by hink ( 89192 )
      That's exactly the problem - they can do it easily, and they might not get caught. The process can be scripted, then it can be automated to be done RAPIDLY. Perhaps even using a server inside the hospital.

      Never underestimate the willingness of bored stupid self-absorbed idiots to do something that makes them feel powerful for little investment on their part.
  • And I'm pretty sure it was made in the 90s.
  • Medical devices are highly regulated. Clinical trials are extremely expensive to run, and the FDA can demand new clinical trials every time you push through a software update. At the very least, you have to file with the FDA (for every single software update) a document demonstrating that nothing substantial was changed in the operating of the device.
