Kaspersky Researcher Hacks A Hospital Sitting In A Car To Reveal Its Vulnerabilities
Sergey Lozhkin, a security researcher at Kaspersky Lab, described at the Security Analyst Summit (SAS 2016) in Tenerife, Spain how easy it is for an attacker with freely available tools and very little background in medical device security to get onto a hospital network. Lozhkin presented a case study of a local hospital that he hacked with its management’s agreement.
“I have no information on medical equipment; I don’t know how it works,” he said. “I started the research just to learn something. It’s really scary. When we develop technology in software systems, engineers forget about IT security. It’s a problem not just with medical equipment, but in a lot of areas of the industry.”
The list of exposed medical devices @scotterven found using #Shodan #TheSAS2016 pic.twitter.com/GXNHNsl8mC
— Eugene Kaspersky (@e_kaspersky) February 9, 2016
Lozhkin’s experiment started when he stumbled on unprotected medical devices online in a Shodan search. Digging into the results, he found that some of the exposed devices belonged to a hospital near him. One result was a Moscow hospital run by a friend of Lozhkin’s; among its exposed services was a Siemens log-in portal for a CT scanner guarded only by a default password.
The cornerstone of medical devices vulnerability @scotterven #TheSAS2016 pic.twitter.com/4kBYPi5V34
— Eugene Kaspersky (@e_kaspersky) February 9, 2016
Getting admin access to medical devices is easy. Lots of vulns, rarely patched @scotterven #TheSAS2016 pic.twitter.com/zik4KpTmyJ
— Eugene Kaspersky (@e_kaspersky) February 9, 2016
Lozhkin told his friend at the hospital about the situation and brought it to the attention of the hospital’s management. He explained the problem to the people in charge, and they eventually agreed to let him carry out a security audit to test whether he could get into their network.
What can happen to exposed medical devices? @scotterven #TheSAS2016 pic.twitter.com/IG1Cbeei4F
— Eugene Kaspersky (@e_kaspersky) February 9, 2016
During his initial attempts he found that he could not reach any equipment over a remote connection: the hospital’s perimeter was properly firewalled, and a basic, properly configured firewall is enough to keep low-skilled attackers out from the Internet. It does nothing, however, against an attacker who is already on the internal network, as the next step showed.
Kaspersky's Sergey Lozhkin sat in car with laptop outside hospital & got control access to devices & patient records pic.twitter.com/VU373QrsJS
— Sam Gad Jones (@samgadjones) February 9, 2016
So he moved on to sitting outside the hospital and cracking the facility’s Wi-Fi. From there he recovered the key to the local network, which he said was “configured badly with an easy password”. Once on the network, he could reach various pieces of medical equipment connected to the building’s internal Wi-Fi.
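The two findings above, that the perimeter firewall kept remote attackers out while the Wi-Fi gave direct access to clinical devices, come down to one missing control: segmentation between the Wi-Fi and the device network. The following nftables ruleset is an added example, not code from Kaspersky, Lozhkin or the hospital, of a gateway that keeps clinical devices unreachable from both the Internet and the Wi-Fi. Interface names, VLAN numbers, subnets and the allowed management ports are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original page): an nftables ruleset for a
# hospital gateway that keeps clinical devices off the Internet and off
# the staff/guest Wi-Fi. Interface names, VLAN ids, subnets and ports are
# assumptions chosen for illustration.
flush ruleset

define WAN        = eth0          # Internet uplink (assumed name)
define WIFI       = vlan20        # staff/guest Wi-Fi (assumed)
define CLINIC     = vlan30        # CT/MRI consoles, modality workstations (assumed)
define MGMT       = vlan40        # biomedical engineering / vendor jump hosts (assumed)
define CLINIC_NET = 10.30.0.0/24  # assumed
define MGMT_NET   = 10.40.0.0/24  # assumed

table inet hospital {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # No inbound connection from the Internet ever reaches a clinical
        # device, so a default-password web portal on a CT scanner cannot
        # turn up in a Shodan crawl.
        iifname $WAN oifname $CLINIC drop

        # Wi-Fi clients cannot talk to clinical devices at all, even if
        # they hold a cracked WPA2 key: this removes the path used in the
        # audit described above.
        iifname $WIFI oifname $CLINIC drop

        # Clinical devices do not initiate connections to the Internet or
        # to the Wi-Fi segment either; updates come via the management hop.
        iifname $CLINIC oifname { $WAN, $WIFI } drop

        # Only the biomedical engineering segment may administer devices,
        # and only over the protocols the devices need (assumed: HTTPS and
        # SSH for the consoles).
        iifname $MGMT ip saddr $MGMT_NET oifname $CLINIC ip daddr $CLINIC_NET \
            tcp dport { 443, 22 } ct state new accept

        # Wi-Fi and management segments may reach the Internet.
        iifname { $WIFI, $MGMT } oifname $WAN accept

        # Everything else falls to the drop policy; log a sample so that a
        # Wi-Fi host probing the clinical VLAN shows up in the SIEM.
        limit rate 5/minute log prefix "hospital-fwd-drop: "
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; then verify from a Wi-Fi client that nothing in the clinical subnet answers. Segmentation removes the path, not the underlying weaknesses: the Wi-Fi key still needs to be strong, and the device consoles still need non-default passwords, since anyone who does get onto the management VLAN would find them exactly as Lozhkin did.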
“You can say I just hacked [lousy] Wi-Fi, so what?” Lozhkin said. “The guys who are creating software for medical devices should think about someone configuring [lousy] Wi-Fi access to the local network.”
Once on the network, using freely available pen-testing tools, Lozhkin found a control panel for an MRI machine that was not password protected and extracted patient records from it. The application also exposed a C shell.
“You could do anything you wanted; add files, get a full list of patients, information on diagnoses, all on this device,” Lozhkin said.
Since management knew that Lozhkin was carrying out a test, the records he retrieved were dummy data. The experiment nevertheless made its point and showed hospital management that their network was badly insecure.
“There are two groups of people who need to be alarmed by this question, more specifically – the developers of medical equipment and the hospital management boards,” the Kaspersky team notes in a blog post.
“The developers should test their devices for security, search for vulnerabilities and ensure they are all patched in a timely fashion,” the cyber-security vendor continues. “The management groups should care more about their network security and be certain that no critical infrastructure equipment is connected to any public network.”