Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks

Darlene Storm | June 9, 2015
TrapX, a deception-based cybersecurity firm, released a report about three real-world targeted hospital attacks which exploited an attack vector the researchers called MEDJACK for medical device hijack.

Although hospitals tend to install medical devices behind a firewall and the internal network runs antivirus and other endpoint and intrusion security, TrapX said medical devices are "key pivot points for attackers within healthcare networks." Healthcare IT teams cannot access the internal software in medical devices, so they depend on manufacturers to build and maintain security in those devices. Yet manufacturers have not developed "the requisite software to detect most of the software payloads delivered by the MEDJACK attack."  

Hospital radiology aka the PAC pivot attack

During a different persistent attack at another hospital, the attacker moved laterally through the networks looking for other targets. But the "source of this lateral movement was the picture archive and communications systems (PACS) that provided the radiology department with the storage and access to images derived from multiple sources. These image sources included CT scanners, MRI scanners, portable x-ray machines (c-arms), X-ray and ultrasound equipment." The PACS system also tried to act as a botnet and connect to Command and Control.

The lateral movement "appears to have enabled the infection of a key nurse's workstation" and confidential hospital data was being exfiltrated to Guiyang, China. It's believed to have all started after an end-user in the hospital surfed to a malicious website.

Malware-infected X-Ray systems

In the third real-world attack observed by TrapX, critical medical device components were again infected with advanced malware. This time the attacker installed a backdoor in one of the hospital X-ray systems. TrapX general manager Carl Wright told SCMagazine:

"Our scientists have observed that you could manufacture an attack, designed specifically for several models of a specific medical device, and then launch that attack. That, combined with the difficulty in diagnosis and remediation, and the very high value of healthcare data, create a near perfect target for organized crime."

Attacker could remotely hack hospital drug pump, tweak amount to fatal dose

We've heard about potentially lethal attacks on medical devices like insulin pumps and pacemakers, which got the feds pressed into protecting wireless medical devices from hackers; a couple years later, DHS started investigating 24 potentially deadly cyber flaws in medical devices. Now there's more bad news on the medical device scene as vulnerabilities in drug infusion pumps could be remotely exploited by an attacker who could up the dose into a fatal dose.

Security researcher Billy Rios has discovered vulnerabilities in "at least five models" of Hospira drug infusion pumps; he told Wired, "This is the first time we know we can change the dosage."

After testing the infusion pumps, Rios discovered the following Hospira models are vulnerable: the standard PCA LifeCare pumps, PCA3 LifeCare and PCA5 LifeCare pumps; the Symbiq line of pumps and the Plum A+ model of pumps. Wired added that there are "at least 325,000" Plum A+ drug infusion pumps currently installed in hospitals worldwide. Although Rios hasn't tested other models for the vulnerabilities, "he suspects that the company's Plum A+3 and its Sapphire and SapphirePlus models are equally vulnerable too."


Previous Page  1  2 

Sign up for Computerworld eNewsletters.