ICS-CERT warns about medical devices with hard-coded passwords
Posted on 14 June 2013.
Approximately 300 different surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment have been found to have hard-coded passwords - a fact that can be taken advantage of by malicious actors to change devices' critical settings or even modify their firmware.

The discovery of this vulnerability has been made public by ICS-CERT and the U.S. Food and Drug Administration (FDA), both of which issued alerts but gave assurances that there is no indication that such attacks have already been spotted in the wild.

They have, understandably, not shared the names of the manufacturers and the devices that have been found to be affected by the flaw.

"ICS-CERT and the FDA have notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and identify specific mitigations," confirmed the former organization, adding that both orgs will follow up with specific advisories and information as appropriate.

In the meantime, health care facilities have been urged to evaluate their network security and protect their hospital system by restricting unauthorized access to the network and networked medical devices, keeping antivirus software and firewalls up-to-date, monitoring network activity for unauthorized use, protecting individual network components through routine and periodic evaluation, developing and evaluating strategies to maintain critical functionality during adverse conditions, and contacting the specific device manufacturer if they think they may have a cybersecurity problem related to a medical device.

"Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates," pointed out the FDA.

