Rush to Fix Medical Device Bug

Friday, June 14, 2013 @ 12:06 PM gHale

The devastating effects a cyber attack could have in the manufacturing automation sector remains a top priority, but it also appears medical devices are on the verge of gaining the same type of coverage.

That is because researchers Billy Rios and Terry McCorkle of Cylance found a hard-coded password vulnerability affecting a wide variety of medical devices.

IOServer Fixes Improper Input Validation
Schneider Mitigates PLCs Holes
Schneider Patches Quantum Holes
Siemens SCALANCE Vulnerabilities

That vulnerability could end up exploited to change critical settings and/or modify device firmware, the report said.

Along those lines, ICS-CERT is now working with the Food and Drug Administration (FDA) to find mitigations so they can rectify these problems. ICS-CERT and the FDA notified the affected vendors of the report and asked them to confirm the vulnerability and identify specific mitigations.

ICS-CERT issued this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cyber security attacks. Right now, it does not appear there are any exploits taking advantage of this vulnerability, according to ICS-CERT and the FDA.

The report included details for the remotely exploitable vulnerability. The affected devices have hard-coded passwords that could permit privileged access to devices, such as passwords that a service technician would normally use. In some devices, this access could allow an attacker to modify critical settings or the device firmware.

A wide range of vendors make the affected devices that fall into a broad range of categories including:
• Surgical and anesthesia devices
• Ventilators
• Drug infusion pumps
• External defibrillators
• Patient monitors
• Laboratory and analysis equipment

ICS-CERT and the FDA received a report of poor credentials management on multiple types of medical devices.

ICS-CERT reminds health care facilities to perform proper impact analysis and risk assessment prior to taking defensive measures. ICS-CERT is currently coordinating with multiple vendors, the FDA, and the security researchers to identify additional mitigations.

Leave a Reply

You must be logged in to post a comment.