SAN FRANCISCO – If you’re a smart hacker and know where to look, you can gain access to unsecured ambulance-based defibrillators just by surfing the internet.
Keep exploring, and you can gain access to entire hospital networks via vulnerable in medical devices, said Adam Brand, director of privacy and security at consulting firm Protiviti.
That problem is not going to get any easier, Brand said at the HIMSS and Healthcare IT News Privacy and Security Forum.
So given that reality, researchers at Protiviti decided to set up an experiment to see how the internet would react to unsecured devices, easily findable for hackers the world over to exploit.
“The internet was not kind,” said Brand.
The experiment involved so-called honeypots – fake medical devices put online for bad actors to find and exploit, offering a window into their behavior when confronted with the real thing.
“We had 10 systems that were emulating medical devices, so we put services on the network that were similar to what you might find with that medical device,” said Brand. “We had given it vulnerabilities that we had seen in other medical devices, like hard-coded passwords, things like that. We made it Windows XP, an outdated operating systems. So we put those on the internet and then we just sat back and watched what happened.
Over the course of the next six months, attackers swarmed into the honeypots, taking advantage of the default credentials to exploit their vulnerabilities, he said.
There were 55,416 successful logins using those credentials, with 24 successful exploits. Hackers – mostly from the Netherlands, China and South Korea – dropped 299 malware samples into the spoofed devices.
“We weren’t surprised that when you put something vulnerable on the internet, it gets compromised,” said Brand. “That’s pretty understood.” But this exercise offered a “validation” of what he and his researchers had long suspected: “There’s medical devices on the Internet; there’s vulnerabilities in medical devices, so there must be compromised medical devices.”
The good news, if you can call it that, is that Protiviti didn’t see any signs or activity indicating that hackers knew they were toying with a medical device specifically.
“They just saw it as another thing they could control on the Internet and they could do what they wanted with it,” said Brand. “They could make it participate in a denial of service attack, they could make it send spam, all these typical compromised venues.”
In fact, much of the exploitation was automated, in the form of bots, rather than teenage hackers amped-up on Jolt Cola: “The malware gets executed and calls back the mothership so they can control the system, but it’s not a human it’s a machine A lot of the exploitation attempts didn’t look like humans at all.”
There was plenty of human activity though. In fact, eight hackers availed themselves of specific credentials the Protiviti team had shared on Pastebin, free to be found and put to use – indicating that much more effort was put into that particular exploit than most.
“But we didn’t see anything to make us think there was a targeted attacker in there trying to target a medical device,” said Brand.
So, no hacking-the-Vice-President’s-pacemaker scenarios, a la Homeland. At least not this time. That’s not to say it couldn’t happen, though.
“And that’s kind of the point,” said Brand. “What are you basing your security on? Are you basing it on the guess that nobody on the Internet would do something that bad? Is that a bet you want to make?
“The fact that it’s possible means it’s going to happen at some point,” he said. “To date we haven’t seen an attacker go after patients in a hospital and do harm on purpose. Or held the device hostage with ransomware on purpose. But there’s not a whole lot preventing that from happening.”