ICS-CERT issues warning about unsafe medical devices
Industrial Control System CERT (ICS-CERT) of US-CERT and the US Food and Drug Administration (FDA) have published an advisory that some 300 medical devices from around 40 firms can be easily manipulated because they use hard-coded passwords. A growing number of medical devices have embedded web servers that are connected to the internet or the hospital's network and could potentially be open to attack.
ICS-CERT and the FDA base their warning on a still-unpublished report by Billy Rios and Terry McCorkle of security firm Cylance. The FDA says that some known vulnerabilities and incidents indicate that medical devices could be seriously compromised. Up to now, there have only been relatively minor events in which medical devices were accessed and data may have been extracted, but the health of patients has not yet been affected, and no deaths have been caused.
The devices at risk include insulin pumps, defibrillators, patient monitors, medical pumps, and analysis devices. As with industrial control systems, the ICS-CERT and the FDA recommend close monitoring of networks the devices are attached to and closing ports as part of steps to limit unauthorised access to them. The vendors have been contacted so that firmware on the devices can be updated. As is often the case, the backdoors on the devices were created for technical support purposes.