Researchers Uncover Privilege Escalation Bug in Philips Medical Devices

Researchers from Cylance, a stealth security firm based in Irvine, California, said they were able to hack into a medical management system and take control of other pieces of connected equipment.

The researchers targeted a heap overflow vulnerability on a Philips XPER system in order to take control of the entire workstation, Cylance said. The XPER software runs as a privileged user on the workstation, so triggering the vulnerability gave researchers increased user privileges despite not being an authenticated user, Cylance said.

The medical information management system typically connects with various types of medical equipment, including x-ray machines, in a hospital network, according to the company. Attackers would be able to communicate with any device connected to the compromised XPER system, Billy Rios, the managing director of Cylance, told SecurityWeek.

“These devices would normally be on a hospital network. I would hope that they are not Internet facing (that would be extremely bad),” Rios said.

Once the attacker has compromised XPER, either by breaching the network or by getting physical access to the system, the attacker has full control of all connected devices. Just as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices should never be public-facing, Cylance said hospitals should not be deploying XPER to be visible from the Internet.

Cylance worked with the Department of Homeland Security and ICS-Computer Emergency Response Team (CERT) to disclose the vulnerability. ICS-CERT has a working copy of the exploit and Terry McCorkle and Billy Rios, Cylance researchers, demonstrated the exploit targeting the vulnerability at the S4 SCADA Conference in Miami on Jan. 17.

Cylance bought the Philips XPER used in its research secondhand from a reseller. The researchers identified a well-known hospital in Utah as the previous owner of the system after seeing inventory tags on the unit. The vulnerability was present in the default configuration of that particular Philips XPER system.

Cylance is currently working with Philips to find out whether all XPER models are affected by this vulnerability or whether it was unique to that version.

The vulnerabilities Cylance researchers discovered in biomedical devices are not brand-new issues, but rather are new to “the worlds in which they are being discovered,” Cylance CEO Stuart McClure told SecurityWeek. Similar bugs have been found in automobiles, avionics, telecommunications, energy and power systems, and water treatment plants, McClure said.

“Generally speaking, the security of ICS and medical are in a similar posture,” Rios said. Both ICS and medical devices were designed and implemented with “very, very poor security,” Rios said.

“We found out today that ‘Patching’ is kind of a dirty word in the medical device world,” Rios said.

Security researcher Jay Radcliffe learned that lesson back in 2011 after he tried to hack an insulin pump and remotely disable it as part of a presentation at the Black Hat Security Conference. While he initially declined to identify the medical device manufacturer during his session, he later released the name and the model numbers of affected pumps because the company wasn’t taking his findings seriously.

The DHS even issued an alert last May warning about how medical devices on IT networks can pose a threat to patient data or be tampered with.

Related: Lawmakers Say FDA Needs to Consider Security for Medical Devices

Related: Securing Medical Devices From Attacks

Related: Hacking The Human Body SCADA System
