Over 60,000 Critical Medical Machines are Exposed to Hackers

Over 60,000 critical medical machines that are vulnerable to hacks and are out in the open, have been found online, according to independent security researchers.

Security researchers have uncovered among other sources, a “very large” U.S. healthcare organization that has exposed nearly 70,000 medical systems. The vulnerable systems and devices include Magnetic Resonance Imaging (MRI) machines, pacemakers and more, as reported to the Register.

Scott Erven and Mark Collao, two security researchers, discovered thousands of medical equipment on Shodan, a search engine for various devices connected to the open Internet.

The unnamed U.S. healthcare organization is said to have employed nearly 12,000 staff and 3,000 physicians.

The vulnerable devices exposed include:

  • 488 cardiology machines
  • 323 picture archiving devices
  • 133 infusion systems
  • 97 MRI scanners
  • 67 nuclear medical devices
  • 31 pacemakers
  • 21 anesthesia administrators and plenty more.

“Once we start changing [Shodan search terms] to target speciality clinics like radiology or podiatry or paediatrics, we ended up with thousands with misconfiguration and direct attack vectors,” said Erven who has years of experience in securing medical devices.

“Not only could your data get stolen but there are profound impacts to patient privacy.”

Collao points to outdated networking devices and admin computers that allow hackers to scavenge intelligence on healthcare organizations over time.

“[Medical devices] are all running Windows XP or XP service pack two … and probably don’t have antivirus because they are critical systems,” notes Collao, pointing to the fact that XP is an operating system no longer supported by Microsoft. Custom payloads, shell executions and switching laterally while pivoting within a network are all possible exploits, Collao added.

“You can easily craft an email and send it to the guy who has access to that [medical] device with a payload that will run on the (medical) machine.”

Proof of Concept Exploits.

Both researchers revealed that faux MRI and defibrillator machines set up to mimic real machines gained a total of 55,416 secure shell (SSH) and web logins, along with nearly 300 malware payloads.

Notably, attackers also ran 24 successful exploits of remote code execution hole MS08-067, originally exploited by the Conficker worm.

The two researchers can be seen discussing vulnerable medical devices in the following video: