Security Experts:

Researchers Uncover Privilege Escalation Bug in Philips Medical Devices

Researchers from Cylance, a stealth security firm based in Irvine, California, said they were able to hack into a medical management system and take control of other pieces of connected equipment.

The researchers targeted a heap overflow vulnerability on a Philips XPER system in order to take control of the entire workstation, Cylance said. The XPER software runs as a privileged user on the workstation, so triggering the vulnerability gave researchers increased user privileges despite not being an authenticated user, Cylance said.

Medical Device VulnerabilityThe medical information management system typically connects with various types of medical equipment, including x-ray machines, in a hospital network, according to the company. Attackers would be able to communicate with any device connected to the compromised XPER system, Billy Rios, the managing director of Cylance, told SecurityWeek.

"These devices would normally be on a hospital network. I would hope that they are not Internet facing (that would be extremely bad)," Rios said.

Once the attacker has compromised XPER, either by breaching the network or by getting physical access to the system, the attacker has full control of all connected devices. Just as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices should never be public-facing, Cylance said hospitals should not be deploying XPER to be visible from the Internet.

Cylance worked with the Department of Homeland Security and ICS-Computer Emergency Response Team (CERT) to disclose the vulnerability. ICS-CERT has a working copy of the exploit and Terry McCorkle and Billy Rios, Cylance researchers, demonstrated the exploit targeting the vulnerability at the S4 SCADA Conference in Miami on Jan. 17.

Cylance bought the Philips XPER used in its research secondhand from a reseller. The researchers identified a well-known hospital in Utah as the previous owner of the system after seeing inventory tags on the unit. The vulnerability was present in the default configuration of that particular Philips XPER system.

Cylance is currently working with Phillips to find out whether all XPER models are affected with this vulnerability or whether it was unique to that version.

The vulnerabilities Cylance researchers discovered in biomedical devices are not brand-new issues, but rather are new to "the worlds in which they are being discovered," Cylance CEO Stuart McClure told SecurityWeek. Similar bugs have been found in automobiles, avionics, telecommunications, energy and power systems, and water treatment plants, McClure said.

"Generally speaking, the security of ICS and medical are in a similar posture," Rios said. Both ICS and medical devices were designed and implemented with "very, very poor security," Rios said.

"We found out today that 'Patching' is kind of a dirty word in the medical device world," Rios said.

Security researcher Jay Radcliffe learned that lesson back in 2011 after he tried to hack an insulin pump and remotely disable it as part of a presentation at the Black Hat Security Conference. While he initially declined to identify the medical device manufacturer during his session, he later released the name and the model numbers of affected pumps because the company wasn't taking his findings seriously.

The DHS even issued an alert last May warning about how medical devices on IT networks can pose a threat to patient data or be tampered with.

Related: Lawmakers Say FDA Needs to Consider Security for Medical Devices

Related: Securing Medical Devices From Attacks

Related: Hacking The Human Body SCADA System

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.