Security researchers Scott Erven and Mark Collao found, as one example, a "very large" unnamed US healthcare organization exposing more than 68,000 medical systems to the internet. That org has some 12,000 staff and 3,000 physicians. But fear not, no doubt these devices are all configured securely. Oh, wait:
Exposed were 21 anaesthesia, 488 cardiology, 67 nuclear medical, and 133 infusion systems, 31 pacemakers, 97 MRI scanners, and 323 picture archiving and communications gear.
The healthcare org was merely one of "thousands" with equipment discoverable through Shodan, a search engine for things on the public internet.
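To see how a tally like the one above is produced in practice, here is an added example (mine, not the researchers' tooling or anything from the original post) that triages a Shodan-style search export: it classifies each banner into a device category, groups hits by organization, and counts hosts that identify themselves as Windows XP. The field names (`matches`, `ip_str`, `port`, `org`, `os`, `data`) are assumed to match the shape of Shodan's search API results; the banner regexes and the sample export are constructed for illustration and would need tuning against what your own devices actually advertise.

```python
from collections import Counter

# Illustrative banner-to-category rules written for this example. They are not
# Shodan's own classification and not the researchers' method.
DEVICE_SIGNATURES = [
    ("pacs", __import__("re").compile(r"\bDICOM\b|picture archiv", __import__("re").I)),
]
import re  # noqa: E402  (imported above via __import__ only to keep the list first)
DEVICE_SIGNATURES = [
    ("pacs", re.compile(r"\bDICOM\b|picture archiv", re.I)),
    ("infusion", re.compile(r"infusion", re.I)),
    ("mri", re.compile(r"\bMRI\b", re.I)),
    ("anaesthesia", re.compile(r"an(a)?esthesia", re.I)),
    ("cardiology", re.compile(r"\bECG\b|cardiolog", re.I)),
]
# Windows XP reports itself as NT 5.1; HTTP/SMB banners commonly carry either string.
XP_SIGNATURE = re.compile(r"Windows XP|Windows (NT )?5\.1", re.I)


def classify_banner(banner):
    """Return the first matching device category for a banner, or None."""
    for category, pattern in DEVICE_SIGNATURES:
        if pattern.search(banner):
            return category
    return None


def triage(export):
    """Tally device hits per organization from a Shodan-style export.

    `export` is assumed to follow the Shodan search-API shape: a dict whose
    "matches" list holds one record per open service with "ip_str", "port",
    "org", "os" and "data" (the raw banner). One host can appear several times
    (one record per port), so XP and host counts are de-duplicated by IP.
    Returns {org: {"hosts": int, "by_device": Counter, "xp_hosts": int}}.
    """
    per_org = {}
    for match in export.get("matches", []):
        org = match.get("org") or "unknown"
        entry = per_org.setdefault(
            org, {"hosts": set(), "by_device": Counter(), "xp_hosts": set()}
        )
        ip = match["ip_str"]
        banner = match.get("data") or ""
        entry["hosts"].add(ip)
        category = classify_banner(banner)
        if category:
            entry["by_device"][category] += 1  # counted per exposed service
        if XP_SIGNATURE.search(match.get("os") or "") or XP_SIGNATURE.search(banner):
            entry["xp_hosts"].add(ip)
    return {
        org: {
            "hosts": len(e["hosts"]),
            "by_device": e["by_device"],
            "xp_hosts": len(e["xp_hosts"]),
        }
        for org, e in per_org.items()
    }


# Constructed sample export (documentation-range IPs, made-up banners) standing in
# for a saved Shodan search result.
CONSTRUCTED_EXPORT = {
    "total": 6,
    "matches": [
        {"ip_str": "198.51.100.10", "port": 104, "org": "Example Health", "os": None,
         "data": "DICOM C-ECHO responder, AE title PACS01"},
        {"ip_str": "198.51.100.11", "port": 80, "org": "Example Health", "os": "Windows XP",
         "data": "HTTP/1.1 200 OK\r\nServer: Infusion Pump Web Console\r\n"},
        {"ip_str": "198.51.100.11", "port": 445, "org": "Example Health", "os": None,
         "data": "SMB Version: 1\r\nOS: Windows 5.1\r\nHostname: infusion-ws11"},
        {"ip_str": "198.51.100.12", "port": 80, "org": "Example Health", "os": None,
         "data": "HTTP/1.1 200 OK\r\nServer: MRI Console\r\n"},
        {"ip_str": "203.0.113.5", "port": 80, "org": "Example Clinic", "os": "Windows XP",
         "data": "HTTP/1.1 200 OK\r\nTitle: Anesthesia workstation login"},
        {"ip_str": "203.0.113.6", "port": 22, "org": "Example Clinic", "os": None,
         "data": "SSH-2.0-OpenSSH_7.4"},
    ],
}


def report_lines(summary):
    """Render the triage summary as one line per organization."""
    lines = []
    for org, e in sorted(summary.items()):
        devices = ", ".join(f"{k}={v}" for k, v in sorted(e["by_device"].items()))
        lines.append(f"{org}: {e['hosts']} hosts, {e['xp_hosts']} on XP; {devices}")
    return lines


if __name__ == "__main__":
    for line in report_lines(triage(CONSTRUCTED_EXPORT)):
        print(line)
```

Run it as-is to see the two constructed organizations summarized; to use it on real data, save a Shodan search result (for example via the `shodan` CLI's download/parse commands or the API's search results) and pass the parsed JSON to `triage()`. Note that counts per device type are per exposed service, while XP counts are per host, which is why a single pump with two open ports shows up as two infusion hits but one XP host.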
"[Medical devices] are all running Windows XP or XP service pack two … and probably don't have antivirus because they are critical systems." You see, this is why we can't have nice things on the Internet ...
Executing custom payloads, establishing shells, and pivoting laterally within a network are all possible, he said.