Security Researchers Expose Bug In Medical System Used With X-Ray Machines, Other Devices

ICS-CERT now handling medical device vulnerability alerts in addition to SCADA/ICS vulnerabilities

[UPDATED with Philips comments and clarifying that the product interfaces with X-ray machines, but is not an X-ray machine as originally reported.]

MIAMI, FL -- S4 Conference – A pair of researchers best known for poking holes in industrial control systems (ICS) products found that medical devices suffer similar security woes after they were able to easily hack into a Philips medical information management system that directly interfaces with X-ray machines and other medical devices.

Terry McCorkle and Billy Rios, both of Cylance, today demonstrated how a rudimentary fuzzer they wrote basically gave them privileged user status on the XPER system. The machine has inherently weak remote authentication. "Anything on it or what's connected to it was owned, too," Rios said in a talk here at the S4 ICS conference. "By design, these things connect to a database" as well, he said.

The researchers at first weren't sure where to go with their findings. "We didn't know what to do with the vulnerabilities we found ... so we reached out to ICS-CERT and a couple of days later, the ICS-CERT said they would be the lead CERT" for medical device vulnerabilities, he said.

"Somehow, the FDA [Food and Drug Administration] is now involved" as well, Rios said.

Turns out there is some overlap vendor-wise with electronic medical devices and ICS products: Siemens, Philips, Honeywell, and GE all provide products to both industries. The system and other medical device security problems mirror some of the same types of shortcomings Rios and McCorkle have seen firsthand with ICS products, the researchers say.

"They don't change their habits. The mentality we see and the attitudes are exactly the same" when it comes to security, Rios said.

It's not the first time researchers have set their sights on medical device flaws. Medtronic's insulin pumps were in the spotlight at Black Hat 2011 when Jerome Radcliffe -- himself a diabetic -- demonstrated how a hacker could turn off the pump remotely and also manipulate any setting on the pump without notifying the user.

[Researchers Billy Rios and Terry McCorkle have found more than 1,000 vulnerabilities in SCADA products, of which 98 are easily exploitable. See Utilities Facing Brute-Force Attack Threat.]

The researchers wrote a simple fuzzer -- "one that throws a lot of cap As at an open port," according to Rios – to crack the XPER.

"It was a very basic fuzz case," McCorkle said in an interview. "This [machine] manages other medical devices, and you can do anything you want to it" once you're in, he says. The system is used in many hospitals, he says. "We were surprised how fast the FDA got involved," he says.
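The fuzzer described above, one that "throws a lot of cap As at an open port," leaves a very recognizable footprint on the wire. As an added, defender-side example (not code from the article, Cylance or Philips), the following flags inbound payloads that are oversized and dominated by a single byte or a short repeated pattern, and counts how many such blasts each source has sent to a given port; the connection records are constructed sample data.

```python
"""Flag inbound payloads that look like a crude fuzzer blast (e.g. a few
thousand 'A's) and count them per source and port. Added example; the
sample traffic below is constructed, not captured."""
import zlib
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    dport: int
    payload: bytes


# Constructed sample traffic: normal requests plus fuzz-like blasts.
SAMPLE = [
    Conn("10.0.0.5", 4100, b"USER admin\r\nPASS hunter2\r\n"),
    Conn("10.0.0.9", 4100, b"A" * 2000),
    Conn("10.0.0.9", 4100, b"A" * 5000 + b"\r\n"),
    Conn("10.0.0.9", 4100, b"%s%n" * 300),          # repeated short pattern
    Conn("10.0.0.9", 4100, bytes(range(256)) * 4),  # high-entropy, not flagged
    Conn("10.0.0.7", 4100, b"GET /status HTTP/1.0\r\n\r\n"),
]


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def looks_fuzzed(payload: bytes, min_len=256, min_run=64,
                 min_ratio=0.8, max_compress=0.1) -> bool:
    """Heuristic: payload is large AND (one byte dominates it, it contains a
    long run of one byte, or it compresses to almost nothing, i.e. it is a
    repeated short pattern). Thresholds are assumptions, tune per service."""
    if len(payload) < min_len:
        return False
    top = Counter(payload).most_common(1)[0][1]
    compress_ratio = len(zlib.compress(payload)) / len(payload)
    return (longest_run(payload) >= min_run
            or top / len(payload) >= min_ratio
            or compress_ratio <= max_compress)


def fuzz_sources(conns, min_hits=2) -> dict:
    """(src, dport) pairs that sent at least min_hits fuzz-like payloads."""
    hits = Counter((c.src, c.dport) for c in conns if looks_fuzzed(c.payload))
    return {k: v for k, v in hits.items() if v >= min_hits}
```

On the sample data only the source sending the three repetitive blasts to port 4100 is reported; the 1024-byte high-entropy payload and the short normal requests are not.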

Getting their hands on the Philips medical equipment for testing wasn't easy, however. Many products, including the Philips XPER, are restricted and require licenses to purchase. But the researchers finally found a reseller who sold them the machine. When they opened it, they discovered an inventory tag on the device indicating it had come from a hospital in Utah, which they would not name.

"So I pulled out some forensics software and made an image of the hard drive," Rios says.

They fuzzed the XPER system via a virtual machine, and Philips has since collected the machine and hard drive. "They are checking if version 6 [of XPER] is vulnerable to this attack, but they don't know," Rios said. The researchers did not release an exploit: "It's a little dangerous" to do so, Rios notes.

A Philips spokesperson today said the flaw exists in an older version of XPER. "Current Xper IM systems do not use this version of software," the spokesperson said.

"If an XPER IM workstation is compromised by a potential vulnerability, that may affect the data management capability, but X-ray equipment continues to operate independently," he said.

In a follow-up statement issued to Dark Reading on Jan. 18, a spokesman added: "Following initial notification of the potential vulnerability by Homeland Security, Philips' initial review indicated that the issue was limited to an older version of the product. Philips continues to explore the possible impact of the vulnerability based on continued investigation and new information obtained at the security conference."

McCorkle decided to dig deeper and see how the medical industry itself was handling security. He took a crack at an iPad app used by doctors to monitor their patients. Aside from the big no-no of using RDP to connect from the iPad to a host over the Internet, the app also offers a demo account via the App Store. "So they are sharing accounts. That tells me that they do not have that security mindset," McCorkle said.

He said the app lets an unknown user run the app against its test server. "I would imagine the server is probably already owned," McCorkle added.


Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

1/18/2013 | 3:00:04 AM
re: Security Researchers Expose Bug In Medical System Used With X-Ray Machines, Other Devices
As I recall, a good while ago - 15-20 years - an irradiation device (proton beam, I believe) was involved in at least two patient deaths. There was a bug in the UI such that a data entry error appeared to be corrected in the UI display (probably a bunch of seven-segment LEDs) but was, in fact, NOT corrected in the dosage control system. That is, if a tech/doc entered 150, backspaced to make it 15 then ran the machine, the erroneous 150 value (rems? roentgens? rodentwastes?) was actually delivered to the patient.

This system was 'dumb' - the controller was implemented in an 8051 MCU (quick quiz - what's an 8051, daddy?) and the UI was built in assembly language - standard practice for the day. Now we have a nifty web-based interface and never see the actual system controller - it's just a bunch of objects - with a quivering piece of wetware at the business end. Once more we forget the basics: understand your system and test, test, and test again - more than your life depends on it (perhaps your career?).
