Thursday, January 17, 2013

Security & Hacking: " Patient data revealed in medical device hack",patient-data-revealed-in-medical-device-hack.aspx

Face palm, after reading this section, though not only vulnerability:
Once an extensive 200Gb forensic imaging process of the Windows-based platform had completed and the system was booted into a virtual machine, it took the researchers "two minutes" to find the first vulnerability.
"We noticed there was a port open, and we started basic fuzzing and found a heap overflow and wrote up a quick exploit for it," Rios said.
"The exploit runs as a privileged service, so we owned the entire box - we owned everything that it could do."
The researchers suspect the authentication logins for the system,  one with a username Philips and password Service01, are hardcoded and unchangeable by users, but when they warned Philips the company refuted the claim.

Security evidently wasn't part of the design criteria.

Article notes US DHS (Dept. Homeland Security) and FDA (Food & Drug Administration) were pressuring Philips to fix the problem.

No comments:

Post a Comment