By Dan Goodin (courtesy of Ars Technica)
The advisory came the same day that the Food and Drug Administration released its own notice on the same topic. Both warnings said there was no indication attacks were being carried out in the wild, and neither warning disclosed the affected device models or the manufacturers. But Terry McCorkle, one of the researchers who uncovered the vulnerabilities, said few if any are immune.
“It’s safe to say most medical device manufacturers are affected,” McCorkle, who is technical director at security firm Cylance, told Ars. “It’s kind of an industry-wide issue.”
He declined to name specific companies or products. He went on to say no reverse engineering is required to acquire the device passwords.
“The affected devices have hard-coded passwords that can be used to permit privileged access to devices, such as passwords that would normally be used only by a service technician,” the ICS-CERT warning stated. “In some devices, this access could allow critical settings or the device firmware to be modified.”
Security concerns have risen over the past decade as more and more medical devices incorporate configurable computer systems that are susceptible to tampering by malicious hackers. The amount of damage that can be done is magnified because many pacemakers, insulin pumps, and other devices implanted in or attached to a patient’s body can be remotely controlled using radio signals. Security researchers have proposed various measures to make unauthorized changes harder. The most effective way for manufacturers to prevent tampering is to remove backdoor accounts, followed by requiring all firmware to be digitally signed, McCorkle said.