Two popular industrial control system (ICS) researchers this week demonstrated how easily medical devices, including a Philips-branded machine that regularly interacts with x-ray machines and other hospital equipment, can be hacked.
At Digital Bond’s annual SCADA Security Scientific Symposium (S4) conference in Miami yesterday, while other researchers delved into SCADA security and other ICS-related issues, Billy Rios and Terry McCorkle, now both with technology startup Cylance, discussed vulnerabilities that affect medical products. Well-known ICS companies like Siemens, Honeywell, and GE were discussed while in particular, an early version of Philips’ Xper Information Management Physiomonitoring 5, a tool used in hospitals to process data from x-ray machines and other medical devices was hacked.
According to a report by Dark Reading, the two were able to use a “rudimentary fuzzer” to gain privileged user access to the device and “own” anything connected to the machine.
“Anything on it or what’s connected to it was owned, too… by design, these things connect to a database,” Rios said during their talk, “Security of Medical Devices,” according to Dark Reading.
Philips has stepped up, asserting that only early builds of the software are affected and current builds are safe. Regardless, the pair has contacted ICS-CERT about the vulnerabilities and according to Rios, the FDA has even gotten involved.
Rios and McCorkle have long documented flaws in ICS software. The two pointed out bugs in Tridium’s software environment NiagaraAX late last summer, a stack buffer overflow vulnerability in an ABB product last spring and a vulnerability in Siemens’ SIMATIC software in 2011. Last winter, at the Kaspersky-Threatpost Security Analyst Summit in Cancun, McCorkle described the state of ICS security as laughable, claiming it seemed many vendors were “stuck in the nineties.”