Monday, August 7, 2017

Medical CAT scanners hackable from the Internet

It seems that these have web servers (strike one) that are Internet-accessible (strike two) that have an unpatched vulnerability that lets the Bad Guy run any code they want on it (strike three):
Hackers can exploit trivial flaws in network-connected Siemens' medical scanners to run arbitrary malicious code on the equipment.
These remotely accessible vulnerabilities lurk in all of Siemens' positron emission tomography and computed tomography (PET-CT) scanners running Microsoft Windows 7. These are the molecular imaging gizmos used to detect tumors, look for signs of brain disease, and so on, in people. They pick up gamma rays from radioactive tracers injected into patients, and perform X-ray scans of bodies.
US Homeland Security warned on Thursday that exploits for bugs in the equipment's software are in the wild, and "an attacker with a low skill would be able to exploit these vulnerabilities." That's because the flaws lie within Microsoft and Persistent Systems' code, which runs on the Siemens hardware, and were patched years ago.
The patches just didn't make their way to the scanners.
Of course not. Patches? We don' need no stinkin' patches!

After all, making an Internet playground for shady Black Hats, all inside a huge X-Ray control system - what could possibly go wrong?


Old NFO said...

But...but... Medical, NOBODY would use that for evil, right? Right??? Sigh

Roy said...

What the article failed to mention is that even though a patch for Windows might have been released by Microsoft, before it can be installed on a medical device it must first go through the FDA approval process. That can take a while. What generally happens is that a lot of patches get approved all at once and then are released and installed in one big patch installation. This happens, generally, about once or twice per year.