How to Hack Medical Devices (It’s Not That Hard)
28 May , 2021
Hacking the Vice President
On September 11th, 2001, Vice President Dick Cheney was running the United States from a bunker under the East Wing of the White House. The President was in Florida, so it was up to Dick to handle the country’s most significant day since Pearl Harbor. To manage intelligence and, if it came to it, shoot down passenger airplanes.
With the weight of a nation on his shoulders, his body began to spin out of control. According to a test taken that day, there was a deadly amount of potassium in his bloodstream. The condition, hyperkalemia, could’ve incited cardiac arrest. Cheney’s cardiologist later recalled getting those results:
“I laid awake that night, watching the replay of the Towers come down and now thinking that: ‘Oh great, the Vice President’s gonna die tonight of hyperkalemia.”
It would have taken very little to tip Dick over the edge that day. For instance, terrorists of a different mold might have taken note of a tiny electronic device surgically inserted into the Vice President’s skin, by his heart. An implantable cardioverter-defibrillator (ICD)–or, as Dick himself called it, a “pacemaker plus”–that regulated his heartbeat (and probably saved his life that day). It was a device that could be monitored by his cardiologist or, potentially, remotely controlled by anyone else.
It took years, and a forward-thinking doctor, to come to that realization. In 2007, Cheney was set to have his implant replaced when his cardiologist special-ordered a replacement without wireless connectivity. He told 60 Minutes:
“It seemed to me to be a bad idea for the vice president of the United States to have a device that maybe somebody … might be able to get into, hack into. I worried that someone could kill [him].”
If only that doctor knew then how right he was.
Medical Devices on the Web
Beginning around 2014, two cybersecurity researchers–Scott Erven and Mark Collao–began a kind of experiment.
Their instrument of choice was “Shodan”–kind of like Google, but for internet-connected computers. Using Shodan, any researcher (or, crucially, any hacker) can search for devices that have open connections to the internet. And there’s no limit to the kinds of devices you can find: personal computers, data servers, industrial control systems.
With Shodan in hand, Erven and Collao wanted to know: could they find medical devices?
In other words, were there medical devices so exposed that they could be found, accessed and hacked from the open internet?
The answer, it turned out, was not “whether” but “how many.” And the answer to “how many” was “too many”–literally, there were far more devices than the two researchers could count. Thousands of healthcare organizations, each with hundreds or thousands of exposed machines. As an example, at one unnamed U.S. organization, the researchers found more than 68,000 exposed medical systems. Among those 68,000 were “21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear.”
It’s worth sitting with this for one more moment. At this one organization alone, over 100 infusion pumps and dozens of pacemakers were readily accessible from the open internet. Hundreds of people were being pumped with drugs, or their hearts kept alive, by machines about as protected as the “Taxes” folder on your roommate’s computer. One of the researchers commented on just how easy it would be to tamper with these devices, if that were their intention.
“Once we start[ed] changing [search terms] to target specialty clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors.”
And it wasn’t just the critical devices that worried the researchers. They found ordinary computers on hospital IT networks which contained information about hospital staff, patients, and the other machines in the building. Collao noted:
“You can easily craft an email and send it to the guy who has access to that [medical] device with a payload that will run on the (medical) machine[.]”
It is no stretch to say that, with the information they gathered, Erven and Collao could’ve killed people.
It’s Hard to Secure Medical Machines
Unfortunately, some of what makes medical devices so vulnerable may be unavoidable. We’re simply not dealing with Macbooks here–there are security concerns that can’t be fixed quickly and easily. You can’t, for example, throw commercial antivirus onto a critical medical device.
Or consider software updates. One of the most important methods of cyber hygiene is to update as soon as possible when new patches come out. This is easy to do for a personal laptop or smartphone–you simply run the process in the background, or while you’re not using the device. But are you ever not using a pacemaker? You can’t just shut down that device, load new software for 15 minutes and then restart. And, furthermore, what if the update is itself buggy? Not such a big deal for the apps on your phone, a very big deal for the app controlling your heart.
Healthcare tech also has the disadvantage of skewing old. Hospitals don’t swap out their MRI machines like you get a new iPhone every year–these are six- and seven-figure investments that they need to use for many years in order to get their money’s worth. You can’t blame the hospitals for doing this, but old machines simply weren’t built to handle modern threats. They weren’t designed in a time when everything was connected, and cyberattacks could happen to hospitals. Thus they’re not equipped to combat these threats.
Combine the problem of age with the problem of software updates and you’ve got a recipe for failure. One study from 2016 found that 90% of hospitals in the U.K.–relatively modern, advanced countries–used machines still running Windows XP. Windows XP! An OS that had already been discontinued for two years prior to the study.
Newer medical tech may circumvent some of these issues, but it is by no means safe. In fact, some of the very features that make modern devices so effective also make them vulnerable.
Imagine this: you have a bad heart, so your doctor surgically implants a wireless-enabled ICD in your chest. You may feel like a walking cell phone, but the ICD keeps your heart going and sends data back to your doctor. With that data, your doctor can always tell whether you’re doing okay, and possibly identify problems even before you feel them.
If that sounds too far off then just imagine being sick in the hospital. The average hospital bed has 10 to 15 devices hooked up–infusion machines, heart monitors, even that little button that calls the nurse. Some of these machines might stream data to a central command, so that nurses and doctors can keep tabs even when they’re not in the room with you.
Simply put, connectivity helps medical professionals take better care of patients. Connectivity is a cyber risk, yes, but the benefit in this case outweighs the risk.
Except when that privilege is abused. No medical devices have to be connected to the open internet, discoverable by Shodan. Many of them are just misconfigured. Some are open to the internet out of convenience. Certain doctors, for instance, use their smartphones to communicate with medical systems and access patient records.
In alarmingly many cases, though, it’s simply that the people who set up these machines weren’t thinking about cybersecurity. Consider, as evidence, what Erven and Collao found when they analyzed machines manufactured by GE Healthcare. Not only were healthcare organizations leaving their GE machines on the web, but they weren’t configuring them at all. From The Security Ledger:
The systems could be accessed using default administrator credentials that was published in GE’s documentation.
“All this information was publicly available and sitting out on GE’s website in the documentation,” Erven said. Even worse, some of the information had been public since 2006, he said. Credentials for services like Telnet and FTP as well as root accounts and service logins were discovered. Passwords were typically weak or easily guessed, the researchers said. In all, the researchers found 130 sets of credentials used across GE Healthcare’s product line. Among the most common passwords was the word “bigguy.”
While GE’s response to Erven and Collao’s discovery earned the company praise from the researchers, the company’s investigation merely concluded that the credentials were the default values and were, therefore, designed to be changed. But Erven said that GE’s own documentation advises customers not to change credentials or allow password resetting in some instances.
(image via The Register)
Would you feel comfortable, hooked up to a life-saving machine whose password is “bigguy1”?
Why Haven’t People Died?
Dick Cheney’s cardiologist ordered him a secure pacemaker in 2007. Erven and Collao did most of their research around 2014-15. Surely, by now, hacking medical devices should be a regular occurrence.
Why isn’t it?
The answer is not that we’ve fixed the vulnerabilities. In fact, little demonstrable, industry-wide progress has been made. Every year or so, the same researchers go on news shows to make the same arguments all over again.
Perhaps the reason cybercriminals aren’t hotwiring pacemakers is because there are all kinds of disincentives to doing so.
You’re not Dick Cheney. An attacker would gain nothing from killing you, and probably attract quite a bit of attention to themselves in the process. Furthermore, hackers are just people–there are sociopaths in the bunch but, generally, they don’t want to kill you.
That could be part of the explanation for one of Erven and Collao’s most interesting findings.
To demonstrate the real-world risk in insecure medical machines, the researchers created a honeypot–fake MRI and defibrillator machines. They mimicked the properties of real MRIs and defibrillators, then spread the word in online hacker circles. How many cybercriminals would take the bait?
In six months, their honeypot attracted a full 55,416 login attempts, and 299 malware payloads. Imagine that! 300 different malwares, all running on just two (fake) devices.
But the attackers hardly went further than that. They deployed the malware necessary to manipulate these devices, yes, but didn’t actually go through with the act. Perhaps they weren’t interested in doing so. Perhaps they didn’t know what they’d achieved.
“They come in, do some enumeration, drop a payload for persistence and connect to a command and control server. We can [deduce] that [. . .] there is an attacker out there who does not know what they [are] sitting on.”
The best security for medical devices is that they’re simply not as attractive as your laptop, your bank account, or your company’s IT network. Perhaps there’s a bit of comfort in that. As long as you keep reusing passwords, visiting sleazy websites and clicking on phishing links, the hackers will probably stay away from your heart.
