SlideShare une entreprise Scribd logo
1  sur  67
Télécharger pour lire hors ligne
Medical Devices:
Passwords To Pwnage
Scott Erven
2
Who I Am
Scott Erven
Associate Director – Medical Device & Healthcare Security
Security Researcher
Over 15 Years Experience and 5 Years Direct Experience
Managing Security In Healthcare Systems
Over 3 Years Researching Medical Device Security
@scotterven
3
Agenda
Why Research Medical Devices
Phase 1 Research: Device Vulnerabilities
Phase 2 Research: Internet Exposure
Phase 3 Research: Admin Access
Is AppSec A Problem?
Diagnosis
Treatment Plans
Why Research Medical Devices
5
Personal Impact
When we are at our most vulnerable, we will depend on
these devices for life.
Even at times when we aren’t personally affected,
people we care about may be.
Many of us rely on these devices daily.
6
Malicious Intent Is Not A Prerequisite To Patient Safety Issues
7
What We Are Doing
• Security-Focused Technical Assessment (not HIPAA)
• Research serves healthcare mission and values
• Equip defenders against accident and adversaries
Discover patient safety issuesMedical Device Assessment
• Healthcare Providers
• Medical Device Manufacturers
• Government Agencies (FDA and ICS-CERT)
Alert affected partiesCoordination & Notification
• Security and Healthcare Conferences
• 1-on-1 with healthcare providers
• Educating FDA and Healthcare Providers
Inoculate against future issuesPublic Awareness
Phase 1 Research:
Device Vulnerabilities
9
Weak default/hardcoded administrative credentials
• Treatment modification
• Cannot attribute action to individual
Known software vulnerabilities in existing and new devices
• Reliability and stability issues
• Increased deployment cost to preserve patient safety
Unencrypted data transmission and service authorization flaws
• Healthcare record privacy and integrity
• Treatment modification
Phase 1 Research: Device Vulnerabilities
Phase 2 Research:
Internet Exposure
11
Shodan Search Initial Findings
Doing a search for anesthesia in Shodan and realized it was
not an anesthesia workstation.
Located a public facing system with the Server Message
Block (SMB) service open, and it was leaking intelligence
about the healthcare organization’s entire network including
medical devices.
12
Initial Healthcare Organization Discovery
Very large US healthcare system consisting of over 12,000
employees and over 3,000 physicians. Including large
cardiovascular and neuroscience institutions.
Exposed intelligence on over 68,000 systems and provided
direct attack vector to the systems.
Exposed numerous connected third-party organizations and
healthcare systems.
13
Did We Only Find One?
No. We found hundreds!!
Change the search term and many more come up.
Potentially thousands if you include exposed third-
party healthcare systems.
14
Summary Of Devices Inside Organization
Anesthesia Systems – 21
Cardiology Systems – 488
Infusion Systems – 133
MRI – 97
PACS Systems – 323
Nuclear Medicine Systems – 67
Pacemaker Systems - 31
15
Potential Attacks - Physical
We know what type of systems and medical devices are inside
the organization.
We know the healthcare organization and location.
We know the floor and office number.
We know if it has a lockout exemption.
16
Potential Attacks - Phishing
We know what type of systems and medical devices are
inside the organization.
We know the healthcare organization and employee names.
We know the hostname of all these devices.
We can create a custom payload to only target medical
devices and systems with known vulnerabilities.
17
Potential Attacks - Pivot
We know the direct public Internet facing system is vulnerable
to MS08-067 and is Windows XP.
We know it is touching the backend networks because it is
leaking all the systems it is connected to.
We can create a custom payload to pivot to only targeted
medical devices and systems with known vulnerabilities.
Phase 3 Research:
Admin Access
19
Disclosure Timeline
NOTE: ALL INFORMATION DISCLOSED WAS PUBLICLY AVAILABLE ON GE HEALTHCARE’S WEBSITE.
August 17th, 2014– Initial disclosure to GE
Healthcare
September 16th, 2014 –
Additional disclosure to
ICS/CERT
August 25th, 2014– Initial disclosure to ICS-
CERT
December 3rd,
2014 –
Confirmation
from ICS-CERT
on completion
of GE
investigation
and closing of
issue.
20
Response
GE quickly responded to reports both from myself and ICS-
CERT and outlined investigation plan for response.
After investigation GE responded that all credentials were default
and not hard-coded.
21
CVE-2006-7253
GE Infinia II X4100 Workstation – Nuclear Imaging
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Infinia II
X4100
Workstation
Nuclear Imaging
Default User
Account
UserID = "infinia"
Password = "infinia"
GE Infinia II
X4100
Workstation
Nuclear Imaging
FE or OLC
Engineer
Account
UserID = "acqservice"
Password = "#bigguy1"
GE Infinia II
X4100
Workstation
Nuclear Imaging
Administer
Account-
Window
UserID = "Administrator"
Password = "dont4get2"
GE Infinia II
X4100
Workstation
Nuclear Imaging
Emergency
Account
UserID = "emergency"
Password = "#bigguy1"
GE Infinia II
X4100
Workstation
Nuclear Imaging
Administrator
Account
UserID = "InfiniaAdmin"
Password = "2Bfamous"
22
GE Discovery NM750b – Nuclear Imaging
CVE-2013-7404
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Discovery NM 750b Nuclear Imaging Telnet- Root
UserID = "insite" Password =
"2getin"
GE Discovery NM 750b Nuclear Imaging FTP- Admin
UserID = "insite" Password =
"2getin"
23
CVE-2013-7407 GE Discovery NM750b – Nuclear Imaging
CVE-2013-7404/CVE-2003-1603
CVE-2003-1603 GE Discovery VH – Nuclear Imaging
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Discovery NM 750b Nuclear Imaging Telnet - Root
UserID = "insite" Password =
"2getin"
GE Discovery NM 750b Nuclear Imaging FTP - Admin
UserID = "insite" Password =
"2getin"
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Discovery VH Nuclear Imaging
FTP - Remote
Interfile Server
UserID = "ftpclient" Password =
"interfile"
GE Discovery VH Nuclear Imaging
FTP - Codonics
Printer
UserID = "LOCAL" Password =
"2"
24
CVE-2011-5374
CVE-2011-5374 GE Discovery NM670/NM630 - Nuclear Imaging/CT
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Discovery NM670 Nuclear Imaging/CT SU Account
UserID = "su"
Password = "install"
GE Discovery NM670 Nuclear Imaging/CT Service Account
UserID = "service" Password =
"#bigguy1"
GE Discovery NM670 Nuclear Imaging/CT Root Account
UserID = "root"
Password = "install"
GE Discovery NM630 Nuclear Imaging SU Account
UserID = "su"
Password = "install"
GE Discovery NM630 Nuclear Imaging/CT Service Account
UserID = "service" Password =
"#bigguy1"
GE Discovery NM630 Nuclear Imaging/CT Root Account
UserID = "root"
Password = "install"
25
CVE-2009-5143 GE Discovery 530C - Nuclear Imaging
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Discovery 530C Nuclear Imaging Service Login
UserID = "acqservice" Password
= "#bigguy1"
GE Discovery 530C Nuclear Imaging
Xeleris Service
Login
UserID = "wsservice" Password
= "#bigguy1"
CVE-2009-5143
26
CVE-2001-1594 GE eNTEGRA P&R - Nuclear Imaging
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE
eNTEGRA
P&R
Nuclear Imaging Windows Admin
UserID = "entegra" Password =
"entegra"
GE
eNTEGRA
P&R
Nuclear Imaging
Polestar &
Polestar-I Starlink
4
UserID = "super" Password =
"passme"
GE
eNTEGRA
P&R
Nuclear Imaging
Codonic Printer
FTP Login
UserID = Your First Name
Password = "300"
GE
eNTEGRA
P&R
Nuclear Imaging
Codonic Printer
FTP Login - User
Preference File
UserID = "entegra" Password =
"0"
GE
eNTEGRA
P&R
Nuclear Imaging
eNTEGRA P&R
User Account
UserID = "eNTEGRA" Password
= "eNTEGRA"
GE
eNTEGRA
P&R
Nuclear Imaging
Local
Administrator
Account
UserID = "Administrator"
Password = "elgems"
GE
eNTEGRA
P&R
Nuclear Imaging WinVNC Login Password = "insite"
CVE-2001-1594
27
CVE-2000-1253 GE FX Camera
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE FX Camera Camera
FX Camera Root
Login
UserID = "root"
Password = "vision"
CVE-2000-1253
28
CVE-2002-2445 GE Millennium MG/NC – Nuclear Imaging
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Millenium MG and NC Nuclear Imaging
Acquisition Root
Login
UserID = "root"
Password = "root.genie"
GE Millenium MG and NC Nuclear Imaging
Acquisition
Service Account
UserID = "service"
Password = "service."
GE Millenium MG and NC Nuclear Imaging
Acquisition Insite
Login - Remote
Support
UserID = "insite"
Password = "insite.genieacq"
GE Millenium MG and NC Nuclear Imaging
Acquisition Admin
Login
UserID = "admin"
Password = "admin.genie"
GE Millenium MG and NC Nuclear Imaging
Acquisition
Reboot Login
UserID = "reboot"
Password = "reboot"
GE Millenium MG and NC Nuclear Imaging
Acquisition
Shutdown Login
UserID = "shutdown"
Password = "shutdown"
GE Millenium MG and NC Nuclear Imaging
Acquisition
License Server
Password
Password = "14geonly"
CVE-2002-2445
29
CVE-2002-2445 GE Millennium MyoSIGHT – Nuclear Imaging
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Millenium MyoSIGHT Nuclear Imaging
Acquisition Root
Login
UserID = "root"
Password = "root.genie"
GE Millenium MyoSIGHT Nuclear Imaging
Acquisition
Service Account
UserID = "service"
Password = "service."
GE Millenium MyoSIGHT Nuclear Imaging
Acquisition Insite
Login - Remote
Support
UserID = "insite"
Password = "insite.genieacq"
GE Millenium MyoSIGHT Nuclear Imaging
Acquisition Admin
Login
UserID = "admin"
Password = "admin.genie"
GE Millenium MyoSIGHT Nuclear Imaging
Acquisition
Reboot Login
UserID = "reboot"
Password = "reboot"
GE Millenium MyoSIGHT Nuclear Imaging
Acquisition
Shutdown Login
UserID = "shutdown"
Password = "shutdown"
GE Millenium MyoSIGHT Nuclear Imaging
Acquisition Root
Login
UserID = "root"
Password = "root.genie"
CVE-2002-2445 Continued
30
CVE-2010-5306 GE Optima CT520/540/640/680 – CT Scanner
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Optima CT680 CT Scanner SU Login
UserID = "su" Password =
"#bigguy"
GE Optima CT540 CT Scanner SU Login
UserID = "su" Password =
"#bigguy"
GE Optima CT640 CT Scanner SU Login
UserID = "su" Password =
"#bigguy"
GE Optima CT520 CT Scanner SU Login
UserID = "su" Password =
"#bigguy"
CVE-2010-5306
31
CVE-2010-5307 GE Optima MR360 - MRI
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Optima MR360 MRI Admin Login
UserID = "admin"
Password = "adw2.0"
GE Optima MR360 MRI
System Startup
Login
UserID = "sdc"
Password = "adw2.0"
CVE-2010-5307
32
CVE-2014-7233 GE Precision THUNIS-800+ – X-Ray
CVE-2014-7233/CVE-2014-7234
Manufacturer Model Version Type of Device Type of Account Login info
GE Precision
THUNIS-
800+
X-Ray
Factory Default
Service Password
Password = "1973"
GE Precision
THUNIS-
800+
X-Ray
TH8740
Software/Firmware
Package Password
Password = "TH8740"
GE Precision
THUNIS-
800+
X-Ray
DSA Software
Package Password
Password = "hrml"
CVE-2014-7234 GE Precision THUNIS-800+ – X-Ray
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Precision
THUNIS-
800+
X-Ray
Shutter
Configuration
Password
No Username Or Password
Required To Login
33
CVE-2012-6660 GE Precision MPi – X-Ray
Manufacturer Model Version Type of Device Type of Account Login info
GE Precision MPi X-Ray
Windows XP Service
Login (Press & Hold
Left Shift Key After
Setup Dialog)
UserID = "serviceapp"
Password = "orion"
GE Precision MPi X-Ray Clinical Operator Login
UserID = "operator"
Password = "orion"
GE Precision MPi X-Ray Administrator Login
UserID = "administrator"
Password = "PlatinumOne"
CVE-2012-6660/CVE-2010-5310
CVE-2012-6660 GE Precision MPi – X-Ray
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Revolution XQ/i X-Ray
System Startup
Login -
Acquisition
Workstation
UserID = "sdc"
Password = "adw3.1"
GE Revolution XR/d X-Ray
System Startup
Login -
Acquisition
Workstation
UserID = "sdc"
Password = "adw3.1"
34
CVE-2013-7405 GE Centricity DMS 4.0/4.1/4.2 – Cardiology Application
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Centricity DMS 4.2.x
Cardiology
Application
Administrator
Login
UserID = "Administrator"
Password = "Never!Mind"
GE Centricity DMS 4.2.x
Cardiology
Application
Muse Admin
Login
UserID = "Museadmin"
Password = "Muse!Admin"
GE Centricity DMS 4.1.x
Cardiology
Application
Muse Admin
Login
UserID = "Museadmin"
Password = "Muse!Admin"
GE Centricity DMS 4.0.x
Cardiology
Application
Muse Admin
Login
UserID = "Museadmin"
Password = "Muse!Admin"
CVE-2013-7405
35
CVE-2004-2777 GE Centricity Image Vault – Cardiology
CVE-2004-2777
Manufacturer Model Version Type of Device
Type of
Account
Login info
GE Centricity Image Vault Cardiology
Administrator
Login
UserID = "administrator"
Password = "gemnet"
GE Centricity Image Vault Cardiology
Webadmin
Administrator
Login
UserID = "administrator"
Password = "webadmin"
GE Centricity Image Vault Cardiology
SQL SA
Ultrasound
Database Login
UserID = "gemsservice"
Password = No Password
Required
GE Centricity Image Vault Cardiology
GEMNet License
Server Login
UserID = "gemnet2002"
Password = "gemnet2002"
36
CVE-2014-9736 GE Centricity Archive Audit Trail
Manufacturer Model Type of Account Login info
GE
Centricity Clinical Archive Audit
Trail Repository
SSL Key Manager
Password
initnit
GE
Centricity Clinical Archive Audit
Trail Repository
Server Keystore
Password
initnit
GE
Centricity Clinical Archive Audit
Trail Repository
Server Truststore
Password
keystore_password
GE
Centricity Clinical Archive Audit
Trail Repository
Database Primary
Storage Login
UserID = "atna" Password = "atna"
GE
Centricity Clinical Archive Audit
Trail Repository
Database Archive
Storage Login
UserID = "atna" Password = "atna"
CVE-2014-9736
37
CVE-2011-5322 GE Centricity Analytics Server
CVE-2011-5322
Manufacturer Model Type of Account Login info
GE Centricity Analytics Server SQL SA Login
UserID = "sa"
Password = "V0yag3r"
GE Centricity Analytics Server
Analytics & Dundas
Account Login
UserID = "analyst"
Password = "G3car3s"
GE Centricity Analytics Server Analytics CCG Login
UserID = "ccg"
Password = "G3car3s"
GE Centricity Analytics Server
Analytics Viewer
Login
UserID = "viewer"
Password = "V0yag3r"
GE Centricity Analytics Server
Analytics Real-time
Dashboard Admin
Login
UserID = "admin"
Password = "V0yag3r"
GE Centricity Analytics Server
Analytics CCG
Webmin Service Tool
Login
UserID = "geservice" Password =
"geservice"
38
CVE-2011-5323 GE Centricity PACS
Manufacturer Model Type of Account Login info
GE Centricity PACS-IW 3.7.3.8 SQL SA Login
UserID = "sa"
Password = "A11endale"
GE Centricity PACS-IW 3.7.3.7 SQL SA Login
UserID = "sa"
Password = "A11endale"
CVE-2011-5323
39
CVE-2011-5324 GE Centricity PACS
Manufacturer Model Type of Account Login info
GE Centricity PACS-IW 3.7.3.8
TeraRecon Server
Shared Login
UserID = "shared"
Password = "shared"
Group = "shared"
GE Centricity PACS-IW 3.7.3.8
TeraRecon Server
Scan Login
UserID = "scan"
Password = "scan"
Group = N/A
GE Centricity PACS-IW 3.7.3.7
TeraRecon Server
Shared Login
UserID = "shared"
Password = "shared"
Group = "shared"
GE Centricity PACS-IW 3.7.3.7
TeraRecon Server
Scan Login
UserID = "scan"
Password = "scan"
Group = N/A
CVE-2011-5324
40
CVE-2012-6693 GE Centricity PACS Server
Manufacturer Model Type of Account Login info
GE Centricity PACS 4.0 Server NAS Read Only Login
UserID = "nasro"
Password = "nasro"
GE Centricity PACS 4.0 Server
NAS Read/Write
Login
UserID = "nasrw"
Password = "nasrw"
CVE-2012-6693
41
CVE-2012-6694 GE Centricity PACS
Manufacturer Model Type of Account Login info
GE
Centricity PACS 4.0.1
Workstation
TimbuktuPro Remote
Control Software
Service Login
UserID = "geservice" Password =
"2charGE"
GE
Centricity PACS 4.0.1
Workstation
GE Service Account
Login
UserID = "geservice" Password =
"2charGE"
GE
Centricity PACS
4.0.Workstation
TimbuktuPro Remote
Control Software
Service Login
UserID = "geservice" Password =
"2charGE"
GE
Centricity PACS
4.0.Workstation
GE Service Account
Login
UserID = "geservice" Password =
"2charGE"
GE Centricity PACS 4.0 Server
GE Service Account
Login
UserID = "geservice" Password =
"2charGE"
CVE-2012-6694
42
CVE-2012-6694 GE Centricity PACS
Manufacturer Model Type of Account Login info
GE
Centricity PACS 4.0.1
Workstation
DDP Admin Login
UserID = "ddpadmin" Password =
"ddpadmin"
GE
Centricity PACS
4.0.Workstation
DDP Admin Login
UserID = "ddpadmin" Password =
"ddpadmin"
CVE-2012-6695
43
CVE-2013-7442 GE Centricity PACS
Manufacturer Model Type of Account Login info
GE
Centricity PACS 4.0.1
Workstation
Administrator Login
UserID = "Administrator" Password =
"CANal1"
GE
Centricity PACS 4.0.1
Workstation
IIS Login
UserID = "iis"
Password = "iis"
GE
Centricity PACS
4.0.Workstation
Administrator Login
UserID = "Administrator" Password =
"CANal1"
GE
Centricity PACS
4.0.Workstation
IIS Login
UserID = "iis"
Password = "iis"
CVE-2013-7442
44
CVE-2003-???? GE Gamma Camera
Additional Disclosures – CVE Pending
Manufacturer Model Version
Type of
Device
Type of Account Login info
GE
DST/DST-XL/DST-
Xli/DSXi/DSTi/Dsi
Software
Version
8.0.3
Gamma Camera Camera Configuration Password = "sopha"
GE
DST/DST-XL/DST-
Xli/DSXi/DSTi/Dsi
Software
Version
8.0.1
Gamma Camera Camera Configuration Password = "sopha"
GE
DST/DST-XL/DST-
Xli/DSXi/DSTi/Dsi
Software
Version
7.9.7
Gamma Camera Camera Configuration Password = "sopha"
GE
DST/DST-XL/DST-
Xli/DSXi/DSTi/Dsi
Software
Version
7.7.19
Gamma Camera Camera Configuration Password = "sopha"
45
CVE-????-???1 GE HiSpeed - CT Scanner
Manufacturer Model Version Type of Device Type of Account Login info
GE HiSpeed Adv CTI CT Scanner SU Login
UserID = "su"
Password =
"#bigguy)"
GE HiSpeed Adv CTI CT Scanner
PROM Reset Password
Command - No Password
Required
Command = "resetpw"
GE HiSpeed NP CT Scanner SU Login
UserID = "su"
Password = "#bigguy"
GE HiSpeed Adv Z CT Scanner SU Login
UserID = "su"
Password = "genesis"
GE HiSpeed Adv Z CT Scanner Root Login
UserID = "root"
Password = "#bigguy"
GE HiSpeed Adv Z CT Scanner Genesis Login
UserID = "genesis"
Password = "4$apps"
GE HiSpeed Adv Z CT Scanner Insite Login
UserID = "insite"
Password = "2getin"
GE HiSpeed Adv Z CT Scanner Service Login
UserID = "service"
Password = "4rhelp"
GE HiSpeed Adv Z CT Scanner
Genesis Sun Computer
Root Login
UserID = "root"
Password = "Genesis"
Additional Disclosures – CVE Pending
46
CVE-????-???1 GE HiSpeed - CT Scanner
Manufacturer Model Version
Type of
Device
Type of Account Login info
GE HiSpeed Adv RP CT Scanner SU Login
UserID = "su"
Password = "#bigguy"
GE HiSpeed Adv RP CT Scanner Root Login
UserID = "root"
Password = "#bigguy"
GE HiSpeed Adv RP CT Scanner Insite Login
UserID = "insite"
Password = "2getin"
GE HiSpeed Adv RP CT Scanner Genesis Login
UserID = "genesis"
Password = "4$apps"
GE HiSpeed Adv RP CT Scanner Service Login
UserID = "service"
Password = "4rhelp"
GE HiSpeed Adv RP CT Scanner
Genesis Sun Computer
Root Login
UserID = "root"
Password = "Genesis"
GE HiSpeed Dual
ProSpeed
FII
CT Scanner SU Login
UserID = "su"
Password = "#bigguy"
GE HiSpeed Qx/i CT Scanner SU Login
UserID = "su"
Password = "#bigguy"
Additional Disclosures – CVE Pending
47
CVE-????-????
Manufacturer Model Version
Type of
Device
Type of Account Login info
GE Optima MR360 MRI Emergency Login
No Username Or
Password Required To
Login
GE
CADStream
Server
MRI
Admin Login (In Addition
Password Manager Will
Remember Login And
Never Require Future
Login)
UserID = "admin"
Password =
"confirma"
Additional Disclosures – CVE Pending
48
CVE-????-???4 GE Precision MPi – X-Ray
Additional Disclosures – CVE Pending
Manufacturer Model Version
Type of
Device
Type of Account Login info
GE Precision MPi X-Ray
Service Tech 1 & Service Tech 2 Login
(Created Using CreateServiceUsers.bat
Script)
UserID = "servicetech1" &
"servicetech2"
Password = "servicetech"
GE Precision MPi X-Ray
User Accounts Tech 1 through Tech 20
Login (Created Using CreateUsers01-
20.bat Script)
UserID = "Tech1" through
"Tech20"
Password = "xraytech"
GE Precision MPi X-Ray
User Accounts Tech 21 through Tech 40
Login (Created Using CreateUsers21-
40.bat Script)
UserID = "Tech21" through
"Tech40"
Password = "xraytech"
GE Precision MPi X-Ray
User Accounts Tech 41 through Tech 60
Login (Created Using CreateUsers41-
60.bat Script)
UserID = "Tech41" through
"Tech60"
Password = "xraytech"
GE Precision MPi X-Ray
User Accounts Tech 61 through Tech 80
Login (Created Using CreateUsers61-
80.bat Script)
UserID = "Tech61" through
"Tech80"
Password = "xraytech"
GE Precision MPi X-Ray
User Accounts Tech 81 through Tech
100 Login (Created Using
CreateUsers81-100.bat Script)
UserID = "Tech81" through
"Tech100"
Password = "xraytech"
49
GE Login Credentials Word Cloud
50
So If They Are Indeed Default Are There Still Issues
• Documentation instructs in some cases to not change credentials and not allow
password reset.
• Documentation instructs in some cases to not change password or your account
will not be able to be supported.
• Documentation not updated with how to change default credentials and secure
configuration guides are lacking.
• Support personal often rely on implementation documentation so these logins are
heavily utilized in the healthcare industry.
51
Examples
52
Examples
53
Examples
54
Examples
55
Examples
Is AppSec a Problem?
57
Is AppSec A Problem?
You Decide
Diagnosis
59
Technical Properties
Exposed, vulnerable systems
Lack of patient safety alignment in medical device cyber security practices
• All software has flaws.
• Connectivity increases potential interactions.
• A software-driven, connected medical device is a vulnerable, exposed one.
60
Problem Awareness
Medical devices are increasingly accessible due to the
nature of healthcare
1
HIPAA focuses on patient privacy, not patient safety.2
FDA does not validate cyber safety controls.3
Malicious intent is not a prerequisite for adverse patient
outcomes.4
Treatment Plans
62
Treatment Plans
• Scan your biomedical device environment
for default credentials.
• Report identified issues to manufacturer for
remediation in your environment.
63
Treatment Plans
It falls to all of us. Patient safety is not a spectator sport.
• Stakeholders must understand prerequisites
• Multi-stakeholder teams and conversations
• Engage with willing allies where domains of
expertise overlap
• Incorporate safety into existing processes
64
Summary of Current State
• FDA receives “several hundred thousand” reports of patient safety issues per year
related to medical devices
• Cyber safety investigations hampered by evidence capture capabilities.
• New devices are coming to market with long-known defects.
• Existing devices aren’t consistently maintained and updated.
Projected Future
• The nature of healthcare is driving towards greater connectivity (and therefore exposure)
of devices.
• Adversaries change the risk equation unpredictably
• Increase in incidental contact
Continue As-Is
65
Summary of Recommended Treatment
• Patient safety as the overriding objective
• Avoid failed practices and iteratively evolve better ones
• Engage internal and external stakeholders
• Safety into existing practices and governance
Projected Outcomes
• “Reliable medical devices to market without undue delay or cost.”
• Collaboration among willing allies on common terms
• Medical devices resilient against accidents and adversaries
A Better Way
66
How To Get Involved
Acquiring Medical Devices – eBay or MedWow
Get Involved In Industry Working Groups
Speak On Topic At Industry Conferences
I Am The Cavalry
https://iamthecavalry.org
67
Q & A
That time already?

Contenu connexe

Tendances

Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxjjvdneut
 
Tcs cybersecurity for healthcare
Tcs cybersecurity for healthcareTcs cybersecurity for healthcare
Tcs cybersecurity for healthcareComtech TCS
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Telesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicTelesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicSarah Chandley
 
How To Handle Cybersecurity Risk Powerpoint Presentation Slides
How To Handle Cybersecurity Risk Powerpoint Presentation SlidesHow To Handle Cybersecurity Risk Powerpoint Presentation Slides
How To Handle Cybersecurity Risk Powerpoint Presentation SlidesSlideTeam
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness PresentationCristian Mihai
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awarenessTerranovatraining
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCasey Ellis
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 

Tendances (20)

Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
Balbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptxBalbix-New-CISO-Board-Deck.pptx
Balbix-New-CISO-Board-Deck.pptx
 
Tcs cybersecurity for healthcare
Tcs cybersecurity for healthcareTcs cybersecurity for healthcare
Tcs cybersecurity for healthcare
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Honeypot
HoneypotHoneypot
Honeypot
 
Telesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicTelesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting Infographic
 
Sandboxing
SandboxingSandboxing
Sandboxing
 
How To Handle Cybersecurity Risk Powerpoint Presentation Slides
How To Handle Cybersecurity Risk Powerpoint Presentation SlidesHow To Handle Cybersecurity Risk Powerpoint Presentation Slides
How To Handle Cybersecurity Risk Powerpoint Presentation Slides
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Pen test methodology
Pen test methodologyPen test methodology
Pen test methodology
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 

En vedette

Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris ValasekSuns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris ValasekShakacon
 
Kalyani maxion wheels pvt ltd
Kalyani maxion wheels pvt ltdKalyani maxion wheels pvt ltd
Kalyani maxion wheels pvt ltdNaveed Ahmed
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShellFFRI, Inc.
 
Critical Success Factors for a Medical Device Company
Critical Success Factors for a Medical Device CompanyCritical Success Factors for a Medical Device Company
Critical Success Factors for a Medical Device CompanyDickson Consulting
 
Strategic Sales And Market Planning
Strategic Sales And Market PlanningStrategic Sales And Market Planning
Strategic Sales And Market Planningmpeterh
 
HospitalSoftwareShop PACS | A Powerful, Web-based, Cost-Effective PACS
 HospitalSoftwareShop PACS | A Powerful, Web-based, Cost-Effective PACS HospitalSoftwareShop PACS | A Powerful, Web-based, Cost-Effective PACS
HospitalSoftwareShop PACS | A Powerful, Web-based, Cost-Effective PACShospitalsoftwareshop
 
Medical Device Regulations Global Overview And Guiding Principles
Medical Device Regulations   Global Overview And Guiding PrinciplesMedical Device Regulations   Global Overview And Guiding Principles
Medical Device Regulations Global Overview And Guiding PrinciplesJacobe2008
 
DICOM Structure Basics
DICOM Structure BasicsDICOM Structure Basics
DICOM Structure BasicsGunjan Patel
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
Medical device industry 2014 - A Healthcare Sector Analysis
Medical device industry 2014 - A Healthcare Sector AnalysisMedical device industry 2014 - A Healthcare Sector Analysis
Medical device industry 2014 - A Healthcare Sector AnalysisVikas Soni
 
2015 trends in global medical device strategy and issues for the supply chain...
2015 trends in global medical device strategy and issues for the supply chain...2015 trends in global medical device strategy and issues for the supply chain...
2015 trends in global medical device strategy and issues for the supply chain...Tony Freeman
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Ben Ten (0xA)
 
Picture Archiving and Communication System (PACS)
Picture Archiving and Communication System (PACS)Picture Archiving and Communication System (PACS)
Picture Archiving and Communication System (PACS)Shweta Tripathi
 

En vedette (17)

GE Healthcare Optima CT660
GE Healthcare  Optima CT660GE Healthcare  Optima CT660
GE Healthcare Optima CT660
 
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris ValasekSuns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
Suns Out Guns Out: Hacking without a Vehicle by Charlie Miller & Chris Valasek
 
Kalyani maxion wheels pvt ltd
Kalyani maxion wheels pvt ltdKalyani maxion wheels pvt ltd
Kalyani maxion wheels pvt ltd
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShell
 
Critical Success Factors for a Medical Device Company
Critical Success Factors for a Medical Device CompanyCritical Success Factors for a Medical Device Company
Critical Success Factors for a Medical Device Company
 
Marketing for Medical Device Startups
Marketing for Medical Device StartupsMarketing for Medical Device Startups
Marketing for Medical Device Startups
 
Strategic Sales And Market Planning
Strategic Sales And Market PlanningStrategic Sales And Market Planning
Strategic Sales And Market Planning
 
HospitalSoftwareShop PACS | A Powerful, Web-based, Cost-Effective PACS
 HospitalSoftwareShop PACS | A Powerful, Web-based, Cost-Effective PACS HospitalSoftwareShop PACS | A Powerful, Web-based, Cost-Effective PACS
HospitalSoftwareShop PACS | A Powerful, Web-based, Cost-Effective PACS
 
Medical Device Regulations Global Overview And Guiding Principles
Medical Device Regulations   Global Overview And Guiding PrinciplesMedical Device Regulations   Global Overview And Guiding Principles
Medical Device Regulations Global Overview And Guiding Principles
 
DICOM Structure Basics
DICOM Structure BasicsDICOM Structure Basics
DICOM Structure Basics
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
Medical device industry 2014 - A Healthcare Sector Analysis
Medical device industry 2014 - A Healthcare Sector AnalysisMedical device industry 2014 - A Healthcare Sector Analysis
Medical device industry 2014 - A Healthcare Sector Analysis
 
2015 trends in global medical device strategy and issues for the supply chain...
2015 trends in global medical device strategy and issues for the supply chain...2015 trends in global medical device strategy and issues for the supply chain...
2015 trends in global medical device strategy and issues for the supply chain...
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015
 
Picture Archiving and Communication System (PACS)
Picture Archiving and Communication System (PACS)Picture Archiving and Communication System (PACS)
Picture Archiving and Communication System (PACS)
 

Similaire à Medical Devices Passwords to Pwnage by Scott Erven

Securing IoT medical devices
Securing IoT medical devicesSecuring IoT medical devices
Securing IoT medical devicesBenjamin Biwer
 
Cyb 610 Your world/newtonhelp.com
Cyb 610 Your world/newtonhelp.comCyb 610 Your world/newtonhelp.com
Cyb 610 Your world/newtonhelp.comamaranthbeg95
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comamaranthbeg55
 
The Immune System of Internet
The Immune System of InternetThe Immune System of Internet
The Immune System of InternetMohit Kanwar
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunk
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunk
 
Infosec cert service
Infosec cert serviceInfosec cert service
Infosec cert serviceMinh Le
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Mukesh Chinta
 
NetWatcher Customer Overview
NetWatcher Customer OverviewNetWatcher Customer Overview
NetWatcher Customer OverviewScott Suhy
 
How to Investigate Threat Alerts in Spiceworks!
How to Investigate Threat Alerts in Spiceworks!	How to Investigate Threat Alerts in Spiceworks!
How to Investigate Threat Alerts in Spiceworks! AlienVault
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET Journal
 
Basic Security Chapter 1
Basic Security Chapter 1Basic Security Chapter 1
Basic Security Chapter 1AfiqEfendy Zaen
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1abdifatah said
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunk
 
Csec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comCsec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comamaranthbeg52
 
Csec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comCsec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comamaranthbeg92
 
Csec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comCsec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comamaranthbeg112
 
Csec 610 Education is Power/newtonhelp.com
Csec 610 Education is Power/newtonhelp.comCsec 610 Education is Power/newtonhelp.com
Csec 610 Education is Power/newtonhelp.comamaranthbeg72
 
Security and Privacy Protection of Medical Sensor Data of Patient using IOT
Security and Privacy Protection of Medical Sensor Data of Patient using IOTSecurity and Privacy Protection of Medical Sensor Data of Patient using IOT
Security and Privacy Protection of Medical Sensor Data of Patient using IOTIRJET Journal
 

Similaire à Medical Devices Passwords to Pwnage by Scott Erven (20)

Securing IoT medical devices
Securing IoT medical devicesSecuring IoT medical devices
Securing IoT medical devices
 
AXENT-Everything-IDS
AXENT-Everything-IDSAXENT-Everything-IDS
AXENT-Everything-IDS
 
Cyb 610 Your world/newtonhelp.com
Cyb 610 Your world/newtonhelp.comCyb 610 Your world/newtonhelp.com
Cyb 610 Your world/newtonhelp.com
 
Cyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.comCyb 610 Motivated Minds/newtonhelp.com
Cyb 610 Motivated Minds/newtonhelp.com
 
The Immune System of Internet
The Immune System of InternetThe Immune System of Internet
The Immune System of Internet
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
 
Infosec cert service
Infosec cert serviceInfosec cert service
Infosec cert service
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2
 
NetWatcher Customer Overview
NetWatcher Customer OverviewNetWatcher Customer Overview
NetWatcher Customer Overview
 
How to Investigate Threat Alerts in Spiceworks!
How to Investigate Threat Alerts in Spiceworks!	How to Investigate Threat Alerts in Spiceworks!
How to Investigate Threat Alerts in Spiceworks!
 
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...IRJET-  	  Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
IRJET- Image Steganography using Pixel Pattern Matching in Cloud Data Sto...
 
Basic Security Chapter 1
Basic Security Chapter 1Basic Security Chapter 1
Basic Security Chapter 1
 
Basic security concepts_chapter_1
Basic security concepts_chapter_1Basic security concepts_chapter_1
Basic security concepts_chapter_1
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
 
Csec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.comCsec 610 Motivated Minds/newtonhelp.com
Csec 610 Motivated Minds/newtonhelp.com
 
Csec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.comCsec 610 Your world/newtonhelp.com
Csec 610 Your world/newtonhelp.com
 
Csec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.comCsec 610 Extraordinary Success/newtonhelp.com
Csec 610 Extraordinary Success/newtonhelp.com
 
Csec 610 Education is Power/newtonhelp.com
Csec 610 Education is Power/newtonhelp.comCsec 610 Education is Power/newtonhelp.com
Csec 610 Education is Power/newtonhelp.com
 
Security and Privacy Protection of Medical Sensor Data of Patient using IOT
Security and Privacy Protection of Medical Sensor Data of Patient using IOTSecurity and Privacy Protection of Medical Sensor Data of Patient using IOT
Security and Privacy Protection of Medical Sensor Data of Patient using IOT
 

Plus de Shakacon

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEShakacon
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Shakacon
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeShakacon
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server:  A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server:  A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir   incident response in a containerized, immutable, continually deploy...Dock ir   incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 
Silent Protest: A Wearable Protest Network
Silent Protest:  A Wearable Protest NetworkSilent Protest:  A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkShakacon
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherShakacon
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts:  Devolving MalwareSad Panda Analysts:  Devolving Malware
Sad Panda Analysts: Devolving MalwareShakacon
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]Shakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamShakacon
 

Plus de Shakacon (20)

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Macdoored
MacdooredMacdoored
Macdoored
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Shamoon
ShamoonShamoon
Shamoon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server:  A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server:  A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir   incident response in a containerized, immutable, continually deploy...Dock ir   incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Silent Protest: A Wearable Protest Network
Silent Protest:  A Wearable Protest NetworkSilent Protest:  A Wearable Protest Network
Silent Protest: A Wearable Protest Network
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts:  Devolving MalwareSad Panda Analysts:  Devolving Malware
Sad Panda Analysts: Devolving Malware
 
reductio [ad absurdum]
reductio [ad absurdum]reductio [ad absurdum]
reductio [ad absurdum]
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
 

Dernier

Pharmacovigilance audits inspections.pptx
Pharmacovigilance audits inspections.pptxPharmacovigilance audits inspections.pptx
Pharmacovigilance audits inspections.pptxCliniminds India
 
person with disability and pwd act ppt.pptx
person with disability and pwd act ppt.pptxperson with disability and pwd act ppt.pptx
person with disability and pwd act ppt.pptxMUKESH PADMANABHAN
 
Three Keys to a Successful Margin: Charges, Costs, and Labor
Three Keys to a Successful Margin: Charges, Costs, and LaborThree Keys to a Successful Margin: Charges, Costs, and Labor
Three Keys to a Successful Margin: Charges, Costs, and LaborHealth Catalyst
 
NEONATAL RESPIRATORY CARE FROM A PHYSIO POV.pptx
NEONATAL RESPIRATORY CARE FROM A PHYSIO POV.pptxNEONATAL RESPIRATORY CARE FROM A PHYSIO POV.pptx
NEONATAL RESPIRATORY CARE FROM A PHYSIO POV.pptxHanineHassan2
 
ACCA Version of AI & Healthcare: An Overview for the Curious
ACCA Version of AI & Healthcare: An Overview for the CuriousACCA Version of AI & Healthcare: An Overview for the Curious
ACCA Version of AI & Healthcare: An Overview for the CuriousKR_Barker
 
Understanding Warts and Moles: Differences, Types, and Common Locations
Understanding Warts and Moles: Differences, Types, and Common LocationsUnderstanding Warts and Moles: Differences, Types, and Common Locations
Understanding Warts and Moles: Differences, Types, and Common LocationsNeha Sharma
 
Introduction to Evaluation and Skin Benefits
Introduction to Evaluation and Skin BenefitsIntroduction to Evaluation and Skin Benefits
Introduction to Evaluation and Skin Benefitssahilgabhane29
 
Identifying Signs of Mental Health Presentation (1).pptx
Identifying Signs of Mental Health Presentation (1).pptxIdentifying Signs of Mental Health Presentation (1).pptx
Identifying Signs of Mental Health Presentation (1).pptxsandhulove46637
 
Toothpaste for bleeding gums and sensitive teeth. Teeth whitening, Mouthwash....
Toothpaste for bleeding gums and sensitive teeth. Teeth whitening, Mouthwash....Toothpaste for bleeding gums and sensitive teeth. Teeth whitening, Mouthwash....
Toothpaste for bleeding gums and sensitive teeth. Teeth whitening, Mouthwash....sharyurangari111
 
Living Well Every Day: Lyons Wellness Practice | Nurtures Your Complete Health
Living Well Every Day: Lyons Wellness Practice | Nurtures Your Complete HealthLiving Well Every Day: Lyons Wellness Practice | Nurtures Your Complete Health
Living Well Every Day: Lyons Wellness Practice | Nurtures Your Complete HealthLyons Health
 
Artificial Intelligence in Healthcare: Challenges, Risks, Benefits
Artificial Intelligence in Healthcare: Challenges, Risks, BenefitsArtificial Intelligence in Healthcare: Challenges, Risks, Benefits
Artificial Intelligence in Healthcare: Challenges, Risks, BenefitsIris Thiele Isip-Tan
 
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHYCECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHYRMC
 
Hematinics and Erythropoietin- Pharmacology of Hematinics
Hematinics and Erythropoietin- Pharmacology of HematinicsHematinics and Erythropoietin- Pharmacology of Hematinics
Hematinics and Erythropoietin- Pharmacology of Hematinicsnetraangadi2
 
Health literacies in marginalised communities LILAC 24.pptx
Health literacies in marginalised communities LILAC 24.pptxHealth literacies in marginalised communities LILAC 24.pptx
Health literacies in marginalised communities LILAC 24.pptxPamela McKinney
 
Basics of Giant Cell Tumor of bone (GCTB)
Basics of Giant Cell Tumor of bone (GCTB)Basics of Giant Cell Tumor of bone (GCTB)
Basics of Giant Cell Tumor of bone (GCTB)bishwabandhuniraula
 
Assisted Living Care Residency - PapayaCare
Assisted Living Care Residency - PapayaCareAssisted Living Care Residency - PapayaCare
Assisted Living Care Residency - PapayaCareratilalthakkar704
 
Eating Disorders in Athletes I Sports Psychology
Eating Disorders in Athletes I Sports PsychologyEating Disorders in Athletes I Sports Psychology
Eating Disorders in Athletes I Sports Psychologyshantisphysio
 

Dernier (20)

Pharmacovigilance audits inspections.pptx
Pharmacovigilance audits inspections.pptxPharmacovigilance audits inspections.pptx
Pharmacovigilance audits inspections.pptx
 
person with disability and pwd act ppt.pptx
person with disability and pwd act ppt.pptxperson with disability and pwd act ppt.pptx
person with disability and pwd act ppt.pptx
 
Painting Rats White Angers Them to No End
Painting Rats White Angers Them to No EndPainting Rats White Angers Them to No End
Painting Rats White Angers Them to No End
 
Three Keys to a Successful Margin: Charges, Costs, and Labor
Three Keys to a Successful Margin: Charges, Costs, and LaborThree Keys to a Successful Margin: Charges, Costs, and Labor
Three Keys to a Successful Margin: Charges, Costs, and Labor
 
NEONATAL RESPIRATORY CARE FROM A PHYSIO POV.pptx
NEONATAL RESPIRATORY CARE FROM A PHYSIO POV.pptxNEONATAL RESPIRATORY CARE FROM A PHYSIO POV.pptx
NEONATAL RESPIRATORY CARE FROM A PHYSIO POV.pptx
 
ACCA Version of AI & Healthcare: An Overview for the Curious
ACCA Version of AI & Healthcare: An Overview for the CuriousACCA Version of AI & Healthcare: An Overview for the Curious
ACCA Version of AI & Healthcare: An Overview for the Curious
 
Understanding Warts and Moles: Differences, Types, and Common Locations
Understanding Warts and Moles: Differences, Types, and Common LocationsUnderstanding Warts and Moles: Differences, Types, and Common Locations
Understanding Warts and Moles: Differences, Types, and Common Locations
 
Introduction to Evaluation and Skin Benefits
Introduction to Evaluation and Skin BenefitsIntroduction to Evaluation and Skin Benefits
Introduction to Evaluation and Skin Benefits
 
Identifying Signs of Mental Health Presentation (1).pptx
Identifying Signs of Mental Health Presentation (1).pptxIdentifying Signs of Mental Health Presentation (1).pptx
Identifying Signs of Mental Health Presentation (1).pptx
 
Toothpaste for bleeding gums and sensitive teeth. Teeth whitening, Mouthwash....
Toothpaste for bleeding gums and sensitive teeth. Teeth whitening, Mouthwash....Toothpaste for bleeding gums and sensitive teeth. Teeth whitening, Mouthwash....
Toothpaste for bleeding gums and sensitive teeth. Teeth whitening, Mouthwash....
 
The Power of Active listening - Tool in effective communication.pdf
The Power of Active listening - Tool in effective communication.pdfThe Power of Active listening - Tool in effective communication.pdf
The Power of Active listening - Tool in effective communication.pdf
 
Living Well Every Day: Lyons Wellness Practice | Nurtures Your Complete Health
Living Well Every Day: Lyons Wellness Practice | Nurtures Your Complete HealthLiving Well Every Day: Lyons Wellness Practice | Nurtures Your Complete Health
Living Well Every Day: Lyons Wellness Practice | Nurtures Your Complete Health
 
Annual Training
Annual TrainingAnnual Training
Annual Training
 
Artificial Intelligence in Healthcare: Challenges, Risks, Benefits
Artificial Intelligence in Healthcare: Challenges, Risks, BenefitsArtificial Intelligence in Healthcare: Challenges, Risks, Benefits
Artificial Intelligence in Healthcare: Challenges, Risks, Benefits
 
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHYCECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
CECT NECK NECK ANGIOGRAPHY CAROTID ANGIOGRAPHY
 
Hematinics and Erythropoietin- Pharmacology of Hematinics
Hematinics and Erythropoietin- Pharmacology of HematinicsHematinics and Erythropoietin- Pharmacology of Hematinics
Hematinics and Erythropoietin- Pharmacology of Hematinics
 
Health literacies in marginalised communities LILAC 24.pptx
Health literacies in marginalised communities LILAC 24.pptxHealth literacies in marginalised communities LILAC 24.pptx
Health literacies in marginalised communities LILAC 24.pptx
 
Basics of Giant Cell Tumor of bone (GCTB)
Basics of Giant Cell Tumor of bone (GCTB)Basics of Giant Cell Tumor of bone (GCTB)
Basics of Giant Cell Tumor of bone (GCTB)
 
Assisted Living Care Residency - PapayaCare
Assisted Living Care Residency - PapayaCareAssisted Living Care Residency - PapayaCare
Assisted Living Care Residency - PapayaCare
 
Eating Disorders in Athletes I Sports Psychology
Eating Disorders in Athletes I Sports PsychologyEating Disorders in Athletes I Sports Psychology
Eating Disorders in Athletes I Sports Psychology
 

Medical Devices Passwords to Pwnage by Scott Erven

  • 1. Medical Devices: Passwords To Pwnage Scott Erven
  • 2. 2 Who I Am Scott Erven Associate Director – Medical Device & Healthcare Security Security Researcher Over 15 Years Experience and 5 Years Direct Experience Managing Security In Healthcare Systems Over 3 Years Researching Medical Device Security @scotterven
  • 3. 3 Agenda Why Research Medical Devices Phase 1 Research: Device Vulnerabilities Phase 2 Research: Internet Exposure Phase 3 Research: Admin Access Is AppSec A Problem? Diagnosis Treatment Plans
  • 5. 5 Personal Impact When we are at our most vulnerable, we will depend on these devices for life. Even at times when we aren’t personally affected, people we care about may be. Many of us rely on these devices daily.
  • 6. 6 Malicious Intent Is Not A Prerequisite To Patient Safety Issues
  • 7. 7 What We Are Doing • Security-Focused Technical Assessment (not HIPAA) • Research serves healthcare mission and values • Equip defenders against accident and adversaries Discover patient safety issuesMedical Device Assessment • Healthcare Providers • Medical Device Manufacturers • Government Agencies (FDA and ICS-CERT) Alert affected partiesCoordination & Notification • Security and Healthcare Conferences • 1-on-1 with healthcare providers • Educating FDA and Healthcare Providers Inoculate against future issuesPublic Awareness
  • 8. Phase 1 Research: Device Vulnerabilities
  • 9. 9 Weak default/hardcoded administrative credentials • Treatment modification • Cannot attribute action to individual Known software vulnerabilities in existing and new devices • Reliability and stability issues • Increased deployment cost to preserve patient safety Unencrypted data transmission and service authorization flaws • Healthcare record privacy and integrity • Treatment modification Phase 1 Research: Device Vulnerabilities
  • 11. 11 Shodan Search Initial Findings Doing a search for anesthesia in Shodan and realized it was not an anesthesia workstation. Located a public facing system with the Server Message Block (SMB) service open, and it was leaking intelligence about the healthcare organization’s entire network including medical devices.
  • 12. 12 Initial Healthcare Organization Discovery Very large US healthcare system consisting of over 12,000 employees and over 3,000 physicians. Including large cardiovascular and neuroscience institutions. Exposed intelligence on over 68,000 systems and provided direct attack vector to the systems. Exposed numerous connected third-party organizations and healthcare systems.
  • 13. 13 Did We Only Find One? No. We found hundreds!! Change the search term and many more come up. Potentially thousands if you include exposed third- party healthcare systems.
  • 14. 14 Summary Of Devices Inside Organization Anesthesia Systems – 21 Cardiology Systems – 488 Infusion Systems – 133 MRI – 97 PACS Systems – 323 Nuclear Medicine Systems – 67 Pacemaker Systems - 31
  • 15. 15 Potential Attacks - Physical We know what type of systems and medical devices are inside the organization. We know the healthcare organization and location. We know the floor and office number. We know if it has a lockout exemption.
  • 16. 16 Potential Attacks - Phishing We know what type of systems and medical devices are inside the organization. We know the healthcare organization and employee names. We know the hostname of all these devices. We can create a custom payload to only target medical devices and systems with known vulnerabilities.
  • 17. 17 Potential Attacks - Pivot We know the direct public Internet facing system is vulnerable to MS08-067 and is Windows XP. We know it is touching the backend networks because it is leaking all the systems it is connected to. We can create a custom payload to pivot to only targeted medical devices and systems with known vulnerabilities.
  • 19. 19 Disclosure Timeline NOTE: ALL INFORMATION DISCLOSED WAS PUBLICLY AVAILABLE ON GE HEALTHCARE’S WEBSITE. August 17th, 2014– Initial disclosure to GE Healthcare September 16th, 2014 – Additional disclosure to ICS/CERT August 25th, 2014– Initial disclosure to ICS- CERT December 3rd, 2014 – Confirmation from ICS-CERT on completion of GE investigation and closing of issue.
  • 20. 20 Response GE quickly responded to reports both from myself and ICS- CERT and outlined investigation plan for response. After investigation GE responded that all credentials were default and not hard-coded.
  • 21. 21 CVE-2006-7253 GE Infinia II X4100 Workstation – Nuclear Imaging Manufacturer Model Version Type of Device Type of Account Login info GE Infinia II X4100 Workstation Nuclear Imaging Default User Account UserID = "infinia" Password = "infinia" GE Infinia II X4100 Workstation Nuclear Imaging FE or OLC Engineer Account UserID = "acqservice" Password = "#bigguy1" GE Infinia II X4100 Workstation Nuclear Imaging Administer Account- Window UserID = "Administrator" Password = "dont4get2" GE Infinia II X4100 Workstation Nuclear Imaging Emergency Account UserID = "emergency" Password = "#bigguy1" GE Infinia II X4100 Workstation Nuclear Imaging Administrator Account UserID = "InfiniaAdmin" Password = "2Bfamous"
  • 22. 22 GE Discovery NM750b – Nuclear Imaging CVE-2013-7404 Manufacturer Model Version Type of Device Type of Account Login info GE Discovery NM 750b Nuclear Imaging Telnet- Root UserID = "insite" Password = "2getin" GE Discovery NM 750b Nuclear Imaging FTP- Admin UserID = "insite" Password = "2getin"
  • 23. 23 CVE-2013-7407 GE Discovery NM750b – Nuclear Imaging CVE-2013-7404/CVE-2003-1603 CVE-2003-1603 GE Discovery VH – Nuclear Imaging Manufacturer Model Version Type of Device Type of Account Login info GE Discovery NM 750b Nuclear Imaging Telnet - Root UserID = "insite" Password = "2getin" GE Discovery NM 750b Nuclear Imaging FTP - Admin UserID = "insite" Password = "2getin" Manufacturer Model Version Type of Device Type of Account Login info GE Discovery VH Nuclear Imaging FTP - Remote Interfile Server UserID = "ftpclient" Password = "interfile" GE Discovery VH Nuclear Imaging FTP - Codonics Printer UserID = "LOCAL" Password = "2"
  • 24. 24 CVE-2011-5374 CVE-2011-5374 GE Discovery NM670/NM630 - Nuclear Imaging/CT Manufacturer Model Version Type of Device Type of Account Login info GE Discovery NM670 Nuclear Imaging/CT SU Account UserID = "su" Password = "install" GE Discovery NM670 Nuclear Imaging/CT Service Account UserID = "service" Password = "#bigguy1" GE Discovery NM670 Nuclear Imaging/CT Root Account UserID = "root" Password = "install" GE Discovery NM630 Nuclear Imaging SU Account UserID = "su" Password = "install" GE Discovery NM630 Nuclear Imaging/CT Service Account UserID = "service" Password = "#bigguy1" GE Discovery NM630 Nuclear Imaging/CT Root Account UserID = "root" Password = "install"
  • 25. 25 CVE-2009-5143 GE Discovery 530C - Nuclear Imaging Manufacturer Model Version Type of Device Type of Account Login info GE Discovery 530C Nuclear Imaging Service Login UserID = "acqservice" Password = "#bigguy1" GE Discovery 530C Nuclear Imaging Xeleris Service Login UserID = "wsservice" Password = "#bigguy1" CVE-2009-5143
  • 26. 26 CVE-2001-1594 GE eNTEGRA P&R - Nuclear Imaging Manufacturer Model Version Type of Device Type of Account Login info GE eNTEGRA P&R Nuclear Imaging Windows Admin UserID = "entegra" Password = "entegra" GE eNTEGRA P&R Nuclear Imaging Polestar & Polestar-I Starlink 4 UserID = "super" Password = "passme" GE eNTEGRA P&R Nuclear Imaging Codonic Printer FTP Login UserID = Your First Name Password = "300" GE eNTEGRA P&R Nuclear Imaging Codonic Printer FTP Login - User Preference File UserID = "entegra" Password = "0" GE eNTEGRA P&R Nuclear Imaging eNTEGRA P&R User Account UserID = "eNTEGRA" Password = "eNTEGRA" GE eNTEGRA P&R Nuclear Imaging Local Administrator Account UserID = "Administrator" Password = "elgems" GE eNTEGRA P&R Nuclear Imaging WinVNC Login Password = "insite" CVE-2001-1594
  • 27. 27 CVE-2000-1253 GE FX Camera Manufacturer Model Version Type of Device Type of Account Login info GE FX Camera Camera FX Camera Root Login UserID = "root" Password = "vision" CVE-2000-1253
  • 28. 28 CVE-2002-2445 GE Millennium MG/NC – Nuclear Imaging Manufacturer Model Version Type of Device Type of Account Login info GE Millenium MG and NC Nuclear Imaging Acquisition Root Login UserID = "root" Password = "root.genie" GE Millenium MG and NC Nuclear Imaging Acquisition Service Account UserID = "service" Password = "service." GE Millenium MG and NC Nuclear Imaging Acquisition Insite Login - Remote Support UserID = "insite" Password = "insite.genieacq" GE Millenium MG and NC Nuclear Imaging Acquisition Admin Login UserID = "admin" Password = "admin.genie" GE Millenium MG and NC Nuclear Imaging Acquisition Reboot Login UserID = "reboot" Password = "reboot" GE Millenium MG and NC Nuclear Imaging Acquisition Shutdown Login UserID = "shutdown" Password = "shutdown" GE Millenium MG and NC Nuclear Imaging Acquisition License Server Password Password = "14geonly" CVE-2002-2445
  • 29. 29 CVE-2002-2445 GE Millennium MyoSIGHT – Nuclear Imaging Manufacturer Model Version Type of Device Type of Account Login info GE Millenium MyoSIGHT Nuclear Imaging Acquisition Root Login UserID = "root" Password = "root.genie" GE Millenium MyoSIGHT Nuclear Imaging Acquisition Service Account UserID = "service" Password = "service." GE Millenium MyoSIGHT Nuclear Imaging Acquisition Insite Login - Remote Support UserID = "insite" Password = "insite.genieacq" GE Millenium MyoSIGHT Nuclear Imaging Acquisition Admin Login UserID = "admin" Password = "admin.genie" GE Millenium MyoSIGHT Nuclear Imaging Acquisition Reboot Login UserID = "reboot" Password = "reboot" GE Millenium MyoSIGHT Nuclear Imaging Acquisition Shutdown Login UserID = "shutdown" Password = "shutdown" GE Millenium MyoSIGHT Nuclear Imaging Acquisition Root Login UserID = "root" Password = "root.genie" CVE-2002-2445 Continued
  • 30. 30 CVE-2010-5306 GE Optima CT520/540/640/680 – CT Scanner Manufacturer Model Version Type of Device Type of Account Login info GE Optima CT680 CT Scanner SU Login UserID = "su" Password = "#bigguy" GE Optima CT540 CT Scanner SU Login UserID = "su" Password = "#bigguy" GE Optima CT640 CT Scanner SU Login UserID = "su" Password = "#bigguy" GE Optima CT520 CT Scanner SU Login UserID = "su" Password = "#bigguy" CVE-2010-5306
  • 31. 31 CVE-2010-5307 GE Optima MR360 - MRI Manufacturer Model Version Type of Device Type of Account Login info GE Optima MR360 MRI Admin Login UserID = "admin" Password = "adw2.0" GE Optima MR360 MRI System Startup Login UserID = "sdc" Password = "adw2.0" CVE-2010-5307
  • 32. 32 CVE-2014-7233 GE Precision THUNIS-800+ – X-Ray CVE-2014-7233/CVE-2014-7234 Manufacturer Model Version Type of Device Type of Account Login info GE Precision THUNIS- 800+ X-Ray Factory Default Service Password Password = "1973" GE Precision THUNIS- 800+ X-Ray TH8740 Software/Firmware Package Password Password = "TH8740" GE Precision THUNIS- 800+ X-Ray DSA Software Package Password Password = "hrml" CVE-2014-7234 GE Precision THUNIS-800+ – X-Ray Manufacturer Model Version Type of Device Type of Account Login info GE Precision THUNIS- 800+ X-Ray Shutter Configuration Password No Username Or Password Required To Login
  • 33. 33 CVE-2012-6660 GE Precision MPi – X-Ray Manufacturer Model Version Type of Device Type of Account Login info GE Precision MPi X-Ray Windows XP Service Login (Press & Hold Left Shift Key After Setup Dialog) UserID = "serviceapp" Password = "orion" GE Precision MPi X-Ray Clinical Operator Login UserID = "operator" Password = "orion" GE Precision MPi X-Ray Administrator Login UserID = "administrator" Password = "PlatinumOne" CVE-2012-6660/CVE-2010-5310 CVE-2012-6660 GE Precision MPi – X-Ray Manufacturer Model Version Type of Device Type of Account Login info GE Revolution XQ/i X-Ray System Startup Login - Acquisition Workstation UserID = "sdc" Password = "adw3.1" GE Revolution XR/d X-Ray System Startup Login - Acquisition Workstation UserID = "sdc" Password = "adw3.1"
  • 34. 34 CVE-2013-7405 GE Centricity DMS 4.0/4.1/4.2 – Cardiology Application Manufacturer Model Version Type of Device Type of Account Login info GE Centricity DMS 4.2.x Cardiology Application Administrator Login UserID = "Administrator" Password = "Never!Mind" GE Centricity DMS 4.2.x Cardiology Application Muse Admin Login UserID = "Museadmin" Password = "Muse!Admin" GE Centricity DMS 4.1.x Cardiology Application Muse Admin Login UserID = "Museadmin" Password = "Muse!Admin" GE Centricity DMS 4.0.x Cardiology Application Muse Admin Login UserID = "Museadmin" Password = "Muse!Admin" CVE-2013-7405
  • 35. 35 CVE-2004-2777 GE Centricity Image Vault – Cardiology CVE-2004-2777 Manufacturer Model Version Type of Device Type of Account Login info GE Centricity Image Vault Cardiology Administrator Login UserID = "administrator" Password = "gemnet" GE Centricity Image Vault Cardiology Webadmin Administrator Login UserID = "administrator" Password = "webadmin" GE Centricity Image Vault Cardiology SQL SA Ultrasound Database Login UserID = "gemsservice" Password = No Password Required GE Centricity Image Vault Cardiology GEMNet License Server Login UserID = "gemnet2002" Password = "gemnet2002"
  • 36. 36 CVE-2014-9736 GE Centricity Archive Audit Trail Manufacturer Model Type of Account Login info GE Centricity Clinical Archive Audit Trail Repository SSL Key Manager Password initnit GE Centricity Clinical Archive Audit Trail Repository Server Keystore Password initnit GE Centricity Clinical Archive Audit Trail Repository Server Truststore Password keystore_password GE Centricity Clinical Archive Audit Trail Repository Database Primary Storage Login UserID = "atna" Password = "atna" GE Centricity Clinical Archive Audit Trail Repository Database Archive Storage Login UserID = "atna" Password = "atna" CVE-2014-9736
  • 37. 37 CVE-2011-5322 GE Centricity Analytics Server CVE-2011-5322 Manufacturer Model Type of Account Login info GE Centricity Analytics Server SQL SA Login UserID = "sa" Password = "V0yag3r" GE Centricity Analytics Server Analytics & Dundas Account Login UserID = "analyst" Password = "G3car3s" GE Centricity Analytics Server Analytics CCG Login UserID = "ccg" Password = "G3car3s" GE Centricity Analytics Server Analytics Viewer Login UserID = "viewer" Password = "V0yag3r" GE Centricity Analytics Server Analytics Real-time Dashboard Admin Login UserID = "admin" Password = "V0yag3r" GE Centricity Analytics Server Analytics CCG Webmin Service Tool Login UserID = "geservice" Password = "geservice"
  • 38. 38 CVE-2011-5323 GE Centricity PACS Manufacturer Model Type of Account Login info GE Centricity PACS-IW 3.7.3.8 SQL SA Login UserID = "sa" Password = "A11endale" GE Centricity PACS-IW 3.7.3.7 SQL SA Login UserID = "sa" Password = "A11endale" CVE-2011-5323
  • 39. 39 CVE-2011-5324 GE Centricity PACS Manufacturer Model Type of Account Login info GE Centricity PACS-IW 3.7.3.8 TeraRecon Server Shared Login UserID = "shared" Password = "shared" Group = "shared" GE Centricity PACS-IW 3.7.3.8 TeraRecon Server Scan Login UserID = "scan" Password = "scan" Group = N/A GE Centricity PACS-IW 3.7.3.7 TeraRecon Server Shared Login UserID = "shared" Password = "shared" Group = "shared" GE Centricity PACS-IW 3.7.3.7 TeraRecon Server Scan Login UserID = "scan" Password = "scan" Group = N/A CVE-2011-5324
  • 40. 40 CVE-2012-6693 GE Centricity PACS Server Manufacturer Model Type of Account Login info GE Centricity PACS 4.0 Server NAS Read Only Login UserID = "nasro" Password = "nasro" GE Centricity PACS 4.0 Server NAS Read/Write Login UserID = "nasrw" Password = "nasrw" CVE-2012-6693
  • 41. 41 CVE-2012-6694 GE Centricity PACS Manufacturer Model Type of Account Login info GE Centricity PACS 4.0.1 Workstation TimbuktuPro Remote Control Software Service Login UserID = "geservice" Password = "2charGE" GE Centricity PACS 4.0.1 Workstation GE Service Account Login UserID = "geservice" Password = "2charGE" GE Centricity PACS 4.0.Workstation TimbuktuPro Remote Control Software Service Login UserID = "geservice" Password = "2charGE" GE Centricity PACS 4.0.Workstation GE Service Account Login UserID = "geservice" Password = "2charGE" GE Centricity PACS 4.0 Server GE Service Account Login UserID = "geservice" Password = "2charGE" CVE-2012-6694
  • 42. 42 CVE-2012-6694 GE Centricity PACS Manufacturer Model Type of Account Login info GE Centricity PACS 4.0.1 Workstation DDP Admin Login UserID = "ddpadmin" Password = "ddpadmin" GE Centricity PACS 4.0.Workstation DDP Admin Login UserID = "ddpadmin" Password = "ddpadmin" CVE-2012-6695
  • 43. 43 CVE-2013-7442 GE Centricity PACS Manufacturer Model Type of Account Login info GE Centricity PACS 4.0.1 Workstation Administrator Login UserID = "Administrator" Password = "CANal1" GE Centricity PACS 4.0.1 Workstation IIS Login UserID = "iis" Password = "iis" GE Centricity PACS 4.0.Workstation Administrator Login UserID = "Administrator" Password = "CANal1" GE Centricity PACS 4.0.Workstation IIS Login UserID = "iis" Password = "iis" CVE-2013-7442
  • 44. 44 CVE-2003-???? GE Gamma Camera Additional Disclosures – CVE Pending Manufacturer Model Version Type of Device Type of Account Login info GE DST/DST-XL/DST- Xli/DSXi/DSTi/Dsi Software Version 8.0.3 Gamma Camera Camera Configuration Password = "sopha" GE DST/DST-XL/DST- Xli/DSXi/DSTi/Dsi Software Version 8.0.1 Gamma Camera Camera Configuration Password = "sopha" GE DST/DST-XL/DST- Xli/DSXi/DSTi/Dsi Software Version 7.9.7 Gamma Camera Camera Configuration Password = "sopha" GE DST/DST-XL/DST- Xli/DSXi/DSTi/Dsi Software Version 7.7.19 Gamma Camera Camera Configuration Password = "sopha"
  • 45. 45 CVE-????-???1 GE HiSpeed - CT Scanner Manufacturer Model Version Type of Device Type of Account Login info GE HiSpeed Adv CTI CT Scanner SU Login UserID = "su" Password = "#bigguy)" GE HiSpeed Adv CTI CT Scanner PROM Reset Password Command - No Password Required Command = "resetpw" GE HiSpeed NP CT Scanner SU Login UserID = "su" Password = "#bigguy" GE HiSpeed Adv Z CT Scanner SU Login UserID = "su" Password = "genesis" GE HiSpeed Adv Z CT Scanner Root Login UserID = "root" Password = "#bigguy" GE HiSpeed Adv Z CT Scanner Genesis Login UserID = "genesis" Password = "4$apps" GE HiSpeed Adv Z CT Scanner Insite Login UserID = "insite" Password = "2getin" GE HiSpeed Adv Z CT Scanner Service Login UserID = "service" Password = "4rhelp" GE HiSpeed Adv Z CT Scanner Genesis Sun Computer Root Login UserID = "root" Password = "Genesis" Additional Disclosures – CVE Pending
  • 46. 46 CVE-????-???1 GE HiSpeed - CT Scanner Manufacturer Model Version Type of Device Type of Account Login info GE HiSpeed Adv RP CT Scanner SU Login UserID = "su" Password = "#bigguy" GE HiSpeed Adv RP CT Scanner Root Login UserID = "root" Password = "#bigguy" GE HiSpeed Adv RP CT Scanner Insite Login UserID = "insite" Password = "2getin" GE HiSpeed Adv RP CT Scanner Genesis Login UserID = "genesis" Password = "4$apps" GE HiSpeed Adv RP CT Scanner Service Login UserID = "service" Password = "4rhelp" GE HiSpeed Adv RP CT Scanner Genesis Sun Computer Root Login UserID = "root" Password = "Genesis" GE HiSpeed Dual ProSpeed FII CT Scanner SU Login UserID = "su" Password = "#bigguy" GE HiSpeed Qx/i CT Scanner SU Login UserID = "su" Password = "#bigguy" Additional Disclosures – CVE Pending
  • 47. 47 CVE-????-???? Manufacturer Model Version Type of Device Type of Account Login info GE Optima MR360 MRI Emergency Login No Username Or Password Required To Login GE CADStream Server MRI Admin Login (In Addition Password Manager Will Remember Login And Never Require Future Login) UserID = "admin" Password = "confirma" Additional Disclosures – CVE Pending
  • 48. 48 CVE-????-???4 GE Precision MPi – X-Ray Additional Disclosures – CVE Pending Manufacturer Model Version Type of Device Type of Account Login info GE Precision MPi X-Ray Service Tech 1 & Service Tech 2 Login (Created Using CreateServiceUsers.bat Script) UserID = "servicetech1" & "servicetech2" Password = "servicetech" GE Precision MPi X-Ray User Accounts Tech 1 through Tech 20 Login (Created Using CreateUsers01- 20.bat Script) UserID = "Tech1" through "Tech20" Password = "xraytech" GE Precision MPi X-Ray User Accounts Tech 21 through Tech 40 Login (Created Using CreateUsers21- 40.bat Script) UserID = "Tech21" through "Tech40" Password = "xraytech" GE Precision MPi X-Ray User Accounts Tech 41 through Tech 60 Login (Created Using CreateUsers41- 60.bat Script) UserID = "Tech41" through "Tech60" Password = "xraytech" GE Precision MPi X-Ray User Accounts Tech 61 through Tech 80 Login (Created Using CreateUsers61- 80.bat Script) UserID = "Tech61" through "Tech80" Password = "xraytech" GE Precision MPi X-Ray User Accounts Tech 81 through Tech 100 Login (Created Using CreateUsers81-100.bat Script) UserID = "Tech81" through "Tech100" Password = "xraytech"
  • 50. 50 So If They Are Indeed Default Are There Still Issues • Documentation instructs in some cases to not change credentials and not allow password reset. • Documentation instructs in some cases to not change password or your account will not be able to be supported. • Documentation not updated with how to change default credentials and secure configuration guides are lacking. • Support personal often rely on implementation documentation so these logins are heavily utilized in the healthcare industry.
  • 56. Is AppSec a Problem?
  • 57. 57 Is AppSec A Problem? You Decide
  • 59. 59 Technical Properties Exposed, vulnerable systems Lack of patient safety alignment in medical device cyber security practices • All software has flaws. • Connectivity increases potential interactions. • A software-driven, connected medical device is a vulnerable, exposed one.
  • 60. 60 Problem Awareness Medical devices are increasingly accessible due to the nature of healthcare 1 HIPAA focuses on patient privacy, not patient safety.2 FDA does not validate cyber safety controls.3 Malicious intent is not a prerequisite for adverse patient outcomes.4
  • 62. 62 Treatment Plans • Scan your biomedical device environment for default credentials. • Report identified issues to manufacturer for remediation in your environment.
  • 63. 63 Treatment Plans It falls to all of us. Patient safety is not a spectator sport. • Stakeholders must understand prerequisites • Multi-stakeholder teams and conversations • Engage with willing allies where domains of expertise overlap • Incorporate safety into existing processes
  • 64. 64 Summary of Current State • FDA receives “several hundred thousand” reports of patient safety issues per year related to medical devices • Cyber safety investigations hampered by evidence capture capabilities. • New devices are coming to market with long-known defects. • Existing devices aren’t consistently maintained and updated. Projected Future • The nature of healthcare is driving towards greater connectivity (and therefore exposure) of devices. • Adversaries change the risk equation unpredictably • Increase in incidental contact Continue As-Is
  • 65. 65 Summary of Recommended Treatment • Patient safety as the overriding objective • Avoid failed practices and iteratively evolve better ones • Engage internal and external stakeholders • Safety into existing practices and governance Projected Outcomes • “Reliable medical devices to market without undue delay or cost.” • Collaboration among willing allies on common terms • Medical devices resilient against accidents and adversaries A Better Way
  • 66. 66 How To Get Involved Acquiring Medical Devices – eBay or MedWow Get Involved In Industry Working Groups Speak On Topic At Industry Conferences I Am The Cavalry https://iamthecavalry.org
  • 67. 67 Q & A That time already?