How a security researcher easily hacked a hospital and its medical devices
The rise in the Internet of Things (IoT) has left devices more connected, yet in many cases more vulnerable, than ever before. From car hacking to cyber-attacks against the energy sector, it has never been more important for manufacturers and IT teams to adopt a 'security-first' attitude.
Yet despite a steep rise in successful hacks, security is often overlooked. Now, in a recent study as part of the recent Security Analyst Summit in Spain, Sergey Lozhkin, a senior researcher at security firm Kaspersky Lab, has turned his focus on hospitals to demonstrate how easy it really is for a hacker to compromise critical healthcare infrastructure.
"If something goes wrong with medical equipment, if someone hacked a device that helps a doctor to identify an illness, if someone could affect this data a healthy person could be treated as an ill person or the opposite," he said. "If someone affects the results of for example, MRI, it could be really rough."
In his talk, Lozhkin outlined how he was able to hack into the hospital's network with ease – and permission – after finding vulnerable medical devices listed on Shodan.
"I decided that this is a critical area and I wanted to research it. I decided to look on the internet, I found the hospital, tested the WiFi network and finally I was able to connect to an MRI device and find personal information and [flaws] in the architecture. It was scary because it was really easy," he explained. "The initial vector was the WiFi network, the network was not really as secured as it should be in such a place where you keep medical data."
Shodan is a tool used to scan open ports on the internet is often used by security researchers to uncover critical exposed infrastructure that should be better protected. Indeed, the 'search engine' nature of Shodan often courts controversy for linking to open devices like webcams and, in the most recent case, baby monitors.
"[Shodan] can find out about the hardware and software connected [to the internet] and if you know, for example, what feedback an MRI or laser or cardiology device gives when you connect to its port, you can go to Shodan and find hundreds of these devices and if you know a vulnerability you can hack all of them," the Kaspersky researcher warned.
"In this case it was easy. Medical devices are still insecure, I can see it. Some manufacturers really secure them but some [developers] are thinking about internet security in second or third place."
Looking into the future of IoT, Lozhkin added: "I think lots of people from both sides, the white-hat security researchers and the bad guys, are deeply researching this area – car hacking, connected cars, medical devices, everything. For cyber criminals it could be a big market."
Most recently, an internal emergency was declared at a major US hospital in Los Angeles following a widespread ransomware-style cyberattack that left staff unable to access vital patient data.
You can watch the full video interview with Sergey Lozhkin below:
© Copyright IBTimes 2024. All rights reserved.