back to article Paging Dr Evil: Philips medical device control kit 'easily hacked'

Researchers have discovered security problems in management systems used to control X-ray machines and other medical devices. Terry McCorkle and Billy Rios of security start-up Cylance used fuzzing approaches previously applied to unearth security holes in industrial control systems to find a way into the Xper Information …


This topic is closed for new posts.
  1. Dave 126 Silver badge

    The second series of the TV show Homeland has brought the possibility of compromised medical equipment to wider awareness, though the details were unrealistic.

    1. LarsG

      I'm sure the CIA will also have an interest in being able to turn off medical equipment from a distance.

      I wonder who might be on their list?

      1. Anonymous Coward
        Anonymous Coward

        I wonder who might be on their list?

        If only there was someone on their wanted list using cave-based kidney dialysis...

  2. This post has been deleted by its author

  3. Tom Maddox Silver badge

    There's your problem

    Both the US Department of Homeland Security (DHS) ICS-CERT, which normally deals with security issues involving industry control kit, and the US Food and Drug Administration (FDA) are reportedly taking an interest in the issue.

    Clearly the problem is excessive regulation by the federal authorities. They shouldn't bother the poor manufacturer with their intrusive regulations and requirements; they should just let the free market sort it out!

    (This is what some people actually believe.)

  4. John Smith 19 Gold badge
    Thumb Down

    "Current Xper IM systems do not use this version of software"

    Because of course medical organisations always update their software to the latest version.

    Yeah right.

  5. NoneSuch Silver badge

    "Current Xper IM systems do not use this version of software," a Philips spokesman told Dark Reading.

    "Current" meaning anything coming off the assembly line from now since they patched the hole last last night.

  6. This post has been deleted by its author

  7. koolholio

    What they didnt mention was a hidden rootkit from the programming machine which fixes "the bug"

  8. Anonymous Coward
    Anonymous Coward

    Jackpotting an ATM ..

    `Last year Barnaby Jack, the security researcher best known for "jackpotting" an ATM live on stage at BlackHat 2010'

    July 2010: Barnaby Jack hits ATM jackpot at Black Hat

    "according to Jack there's an easier, much more alarming way to get the money out. Criminals can connect to the machines by dialing them up"

    April 1988: Dial-Back Modem Security

    "An increasingly popular technique for protecting dial-in ports from the ravages of hackers and other more sinister system penetrators is dial back operation wherein a legitimate user initiates a call to the system he desires to connect with, types in his user ID and perhaps a password, disconnects and waits for the system to call him back at a prearranged number"

  9. Anonymous Coward
    Anonymous Coward

    bit more complicated than that

    Once a device has been certified by the FDA then the manufacturer has no real liability should it be proven to be wide open to attack and the FDA has not seen security as an issue worth looking into -even now that all these devices are becoming network aware.

    Most devices started appearing with ethernet ports over the last 15 years and it was ~10 years ago when the first devices with "wifi" logos turned up in the hospital that i worked in. The ECG machine next to me has 802.11g with WEP and a well old version of telnet on it.

    I predict that as soon as people start doing formal testing of any kit then, like Barnaby et al, they will discover that it is all pwnable. It is just that the kit is very expensive to buy and tends to be traded on when it reaches eol.

This topic is closed for new posts.