Tuesday, September 29, 2015

Thousands of medical devices reachable from the Internet

I'm shocked, shocked to find this:
Security researchers Scott Erven and Mark Collao found, for one example, a "very large" unnamed US healthcare organization exposing more than 68,000 medical systems. That US org has some 12,000 staff and 3,000 physicians.

Exposed were 21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear.

The healthcare org was merely one of "thousands" with equipment discoverable through Shodan, a search engine for things on the public internet.
But fear not, no doubt these devices are all configured securely. Oh, wait:
"[Medical devices] are all running Windows XP or XP service pack two … and probably don't have antivirus because they are critical systems."

Executing custom payloads, establishing shells, and lateral pivoting within a network, are all possible, he said.
You see, this is why we can't have nice things on the Internet ...

1 comment:

burt said...

"...and probably don't have antivirus because they are critical systems..."

(head explodes)