Identifying Vulnerable Medical Devices

Excuse me, healthcare organizations. I don't mean to embarrass you, but your networked devices are showing. Everyone can see them. What's worse, they are easy to find.

See Also: The Cybersecurity Swiss Army Knife for Info Guardians: ISO/IEC 27001

After a recent twitter post by security researcher Dan Tentler of AtenLabs (@viss) in which he mentioned an electronic health records vendor that bragged about the ubiquity of access to its systems, we were both inspired to do some searching for healthcare devices and systems connected to the Internet.

In less than five minutes of searching, I was able to locate PACS workstations sharing their hard drive content with the Internet, publicly accessible infusion pumps, blood gas analyzers, microscopes, mass spectrometers, an MRI machine and at least one machine with the hostname "Therac", the nature of which I didn't wish to further investigate. Information about one of the machines included the hospital, department and even the name of the physician to which it belonged.

These medical devices were located all over the world, but a significant number of them were located within the United States.

Once my mind stopped reeling from the safety implications of some of these devices being available on a public network, a quick mental tally of the potential fines these results represented reached a dizzying level. Not knowing where to begin, I wrote Dan a response: "This is bad."

An Easy Search Method

The method I used wasn't novel; anyone can perform these searches without leaving a scrap of evidence in your logs. In fact, I didn't even have to communicate with the networks containing the connected devices (that's fortunate, because I'm an ethical sort and I have no intention of running afoul of the CFAA - the Consumer Fraud and Abuse Act).

Clearly you'd have to be some sort of über-hacker to find all that so quickly and stealthily, right? I wish. The truth is, I could show any grade-school kid how to do it in a matter of minutes.

Have I got your attention? Perhaps you might want to seek out a few antacids.

The truth is, while most organizations are doing an excellent job to protect sensitive devices on their networks, it only takes one person to plug in a device they shouldn't or misconfigure settings to cause that device to be accessible to the entire world. If you are not performing regular external network vulnerability assessments, you may be completely unaware that a change has even occurred.

The Shodan Search Engine

Let me introduce you to Shodan, a search engine for "things" in the same way Google is a search engine for documents and information. Shodan crawls the web, collecting information about anything that responds and cataloging it for later searches. Shodan pays particular attention to SCADA [Supervisory Control and Data Acquisition] systems, the sort of technology generally used to automate industrial processes at places like factories and power plants. In the past, Shodan has famously located nuclear power plants, traffic light control systems, amusement park control systems, and even a cyclotron at Lawrence Berkeley National Laboratory.

How easy is it to find accessible medical devices and systems using Shodan? You only need to type in a keyword to search for, perhaps "PACS" or "CyberKnife", and click search. Any device that has responded with strings similar to your search term will be listed.

Perhaps far more useful for those of us concerned about our own organizations is the ability to search by domain name or organization name. You can even search by geographical area, country, or, my personal favorite, by IP subnet. The Shodan website has a list of filters available, with examples.

If I've interested you in Shodan, you may want to have a look at Dan Tentler's illuminating talk from DEF CON 20, "Drinking from the Caffeine Firehose We Know as Shodan."

Shodan isn't, in and of itself, an answer to the problems created by the rapid proliferation of network connected devices in healthcare, and it's certainly not a replacement for a good vulnerability assessment. But it is a valuable demonstration of what can happen when we fail to catch inadvertently exposed devices. It won't catch all of your mistakes, but if it does happen to list one of your own devices, you can be pretty sure everyone else already knows about it.

If you are not currently monitoring and assessing your network's external attack surface, I strongly suggest that you consult with a qualified professional or security services organization that can help you develop a regular assessment plan and provide advice on the use more advanced and targeted tools to locate exposures.

Jason J. White is a security engineer at Beth Israel Deaconess Medical Center in Boston. He holds a CISSP certification and specializes in vulnerability assessment digital forensics. He is active on Twitter: @ra6bit.