Researchers have exploited critical vulnerabilities in two popular medical management platforms used in a host of services including assisting surgeries and generating patient reports.
The dangerous unpatched flaws within the Philips Xper systems allowed researchers to develop an exploit within two hours capable of gaining remote root access on the device.
The affected machine can operate any medical device which uses the ubiquitous HL7 standard. From there, attackers would have administrative access to a host of patient data stored in connected databases.
"We have a remote unauthenticated exploit for Xper, so if you see an Xper machine on a network, then you can own it," Cylance researcher Billy Rios told SC.
The holes were so severe that the US Department of Homeland Security (DHS) and Food and Drug Administration (FDA) stepped in to pressure Philips to fix the system.
"We've dropped exploits before on medical systems like Honeywell and Artridum, but we've never seen the FDA move like that," he said.
"It was quicker than anything else I’ve seen before."
After initial bids to contact Philips failed, researchers Rios and colleague Terry McCorkle sought assistance from the DHS, the FDA and the country's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).
Two days later, DHS control system director Marty Edwards told the researchers the agency would from then on handle all information security vulnerabilities found in medical devices and software.
The announcement comes a month after the US Government Accountability Office said in a report (pdf) that action was required to address medical device flaws, adding that the FDA did not consider such security risks "a realistic possibility until recently".
Once an extensive 200Gb forensic imaging process of the Windows-based platform had completed and the system was booted into a virtual machine, it took the researchers "two minutes" to find the first vulnerability.
"We noticed there was a port open, and we started basic fuzzing and found a heap overflow and wrote up a quick exploit for it," Rios said.
"The exploit runs as a privileged service, so we owned the entire box - we owned everything that it could do."
The researchers suspect the authentication logins for the system, one with a username Philips and password Service01, are hardcoded and unchangeable by users, but when they warned Philips the company refuted the claim.
The Xper Physio monitoring 5 platform was formerly used by an Ohio hospital and purchased from an unnamed reseller, which sold the Dell Blade-like machine for a cut-rate $200, delivered to Rios' home address.
That sale broke the reseller's contractual obligations with Philips, which require the return of unwanted devices, ostensibly to safeguard against such security gaffes.
"That you need to jump through some hoops to get the hardware is not some sort of defence," Rios said. "That's security through obscurity."
The dealer was reported to the DHS and the equipment was returned to Philips.
Further holes were found in patient monitoring tool SpaceLabs ICS-Xprezz. The iOS application allowed doctors and medical practitioners to access a string of devices that monitor patient vitals.
"It uses RDP into a Windows box, but you can change that box to whatever you want: I ran cmd.exe and a whoami and was amazed," McCorkle said. But the app could also allow attackers to access corporate networks.
"I can't imagine what they are actually deploying in hospitals."
It also stored passwords to allow users to instantly log-in, a feature that could become a security risk should devices be lost or stolen.
Research into medical device and software flaws has blossomed in recent years and caused stirs outside of security circles due to the potential deadly consequences of the vulnerabilities.
Last year, Barnaby Jack, a leading researcher in the field, showed at the BreakPoint conference in Melbourne that a tampered pacemaker transmitter could deliver deadly electric shocks to pacemakers within about 10 metres.
Attackers could also rewrite the software running the devices and infect other pacemakers within wireless range.
And in 2011 a security researcher demonstrated how commands could be sent wirelessly to disable insulin pumps within a distance of about 45 metres. Other pumps have been made to dump their entire contents of insulin into a patient.