Medical device vulnerabilities

A series of 23 worrisome vulnerabilities in popular GE medical devices has recently been listed in an advisory by ICS-CERT – the US government agency in charge of the cybersecurity posture of critical infrastructure in the US.

The affected devices include many imaging systems as well as GE’s Centricity PACS Server – which is a core access point to sensitive medical information such as personal patient information and medical imaging data, used by many hospitals and healthcare organizations worldwide.

The vulnerabilities are very simple in essence – the vulnerable systems expose a remote access interface with default passwords (which hackers can look up online).

To make things worse the vulnerabilities are classified “network exploitable” – which means they can potentially be remotely exploitable by unsophisticated attackers who don’t need to be on, or even have access to, the hospital network they’re attacking in order to execute malicious activity and steal highly sensitive data.

These vulnerabilities belong to a category of security weaknesses called “credentials management,” and there are a few key factors to understanding these vulnerabilities and classify them by severity.

Passwords – hardcoded / default

In a default password scenario a system creates some kind of default user(s) with a default authentication password – and while it is technically possible to override these credentials, as long as this is not enforced by the system, a lot of systems remain configured with the preexisting user-password and are hence exploitable by an attacker who knows these default credentials.

Manufacturer manuals will typically instruct to override the default credentials, but according to some reports vendors are telling operators that if they change the default passwords (and thereby disrupt maintenance by their technicians) they will revoke the device’s warranty.

In a hardcoded password scenario things might get even worse – these are systems that create a user-password credentials pair that cannot be overridden and therefore might impose an unamendable threat to the system. In more complex situations the credentials are actually possible to delete, but other interdependent systems are making assumptions about the existence of the hardcoded user so interoperability might be damaged.

Mitigations and ease of exploitation

The common use case to exploiting these vulnerabilities would be the network-adjacent attack vector – in which the attacker is placed within the perimeter of the hospital network and leverages known credentials in order to take over machines within this network.

The situations is much worse when the interface to connect to the system in question is remote – meaning it’s possible to connect and authenticate from the internet and potentially compromise the system. From reasons related to patient safety the disclosure of these vulnerabilities doesn’t include all the information needed to understand how to gain access to the devices, but since the vulnerabilities were classified as “network exploitable” and not “adjacent network exploitable” we can assume that if a device was not properly configured, which based on our field experience is not uncommon, an attacker will be able to communicate with these devices from the internet.

Another very important mitigation is usage of specific encryption keys that are delivered with the devices and are unique per-site. This will avoid systems from communicating with a malicious attacker even if he has the known-credentials. For example, It seems like in the case of GE’s Centricity workstation component – that exposes a TimbuktuPro service (a remote access tool) with default credentials, according to GE’s manual the behavior is mitigated by using site-keys delivered by the vendor. Which means possessing the right credentials will not be enough for malicious actors trying to take over the device remotely as they’re lacking the encryption keys.

While many of the vulnerabilities in the advisory are known for a couple of years now, it is amazing to see that there are still more of these coming as the advisory includes four newer vulnerabilities (2017), that are still not fully disclosed. Cynerio has discovered these default passwords still being used in health organizations. This brings to mind the overwhelming challenge of keeping medical entities up-to-date security-wise whilst not interrupting with their everyday operations.

According to statistics pulled from Shodan – the IoT search engine – there are currently 1,508 active internet-facing machines that communicate healthcare information (DICOM) – 510 of which in the US.

Hackers are becoming increasingly interested in gaining access to PHI – personal health information and selling it in dark-web markets to the highest bidder.

And healthcare providers must ramp up their security posture so that they stop being a cost-efficient target for attackers.

What should hospitals do?

• Healthcare facilities’ network administrators should work in coordination with their medical-devices vendors to make sure they have the latest security patches installed

• Default credentials should be changed to more secure site-credentials while making sure device functionality and interoperability are not hindered

• Security professionals in healthcare should put in place controls that will enable full visibility of the medical entities on the network, making it possible to understand their behavior and trace and mitigate anomalies and vulnerabilities in real-time, you cannot defend what you cannot see

• By understanding the actual deployment of medical devices, and devices containing personal patient information, security professionals can apply defense-in-depth principles, leaving medical entities unexposed to the internet – and only allow internet communications to medical devices through secure VPN tunnels and according to necessity.