The US Department of Homeland Security (DHS) issued a security advisory on Thursday, warning that vulnerabilities found in medical scanners made by Siemens are trivial to exploit remotely.
Exploits are publicly available.
Siemens said on Monday that the company expects to update some medical scanners’ software by month’s end, according to Reuters.
The good news is that so far, Siemens hasn’t detected any sign of an attack – but it’s not twiddling its thumbs over this one. The company assigned a security severity rating of 9.8 out of 10 under CVSS (the Common Vulnerability Scoring System, an open industry standard for rating vulnerabilities), according to the DHS security advisory.
Patients are apparently not at risk. From Siemens’ statement:
Based on the existing controls of the devices and use conditions, we believe the vulnerabilities do not result in any elevated patient risk. To date, there have been no reports of exploitation of the identified vulnerabilities on any system installation worldwide.
The exploits target known weaknesses in older Windows software. Those weaknesses were found in the Windows 7 versions of software running on Siemens’ PET (positron emission tomography), CT (computed tomography), and SPECT (single-photon emission computed tomography) scanners.
Successful exploitation of the flaws would enable “an attacker with a low skill” to remotely execute arbitrary code, according to ICS-CERT researchers.
PET scans show images at the cellular level. They rely on special dyes with radioactive tracers that enable doctors to check for disease in the body. The most common use of PET scans is to seek out cancer and the metabolization of cancerous cells, though they’re also used to image heart problems, brain disorders and problems in the central nervous system.
The scanners aren’t typically connected to the internet. ICS-CERT says that anybody running vulnerable devices should keep it that way: keep them off both the network and the internet.
ICS-CERT is also advising healthcare organizations to locate all medical and remote devices behind firewalls and to isolate them from the rest of the network. If remote access is required, researchers are advising that it be done securely, such as via a Virtual Private Network (VPN).
It’s important to keep in mind that VPNs aren’t free from their own vulnerabilities, as ICS-CERT notes and as Naked Security’s Paul Ducklin has explained. Keep your VPN updated to the most current version available, the researchers note, and bear in mind that a VPN is “only as secure as the connected devices”.
Unfortunately, most healthcare organizations just don’t get security right, whether it’s aimed at stopping data breaches, stemming the onslaught of ransomware attacks or securing devices such as these vulnerable scanners. Case in point: in its 2016 Cyber Security Intelligence Index, IBM called 2015 “the year of the healthcare breach”.
Last year, Sophos conducted a survey of IT decision-makers across multiple industries in six countries, finding an alarming laxity in many organizations’ approach to data security.
The survey found that the healthcare sector had one of the lowest rates of data encryption, with only 31% of healthcare organizations reporting extensive use of encryption, while 20% said they don’t use encryption at all.
There doesn’t even have to be a malicious actor involved to bring about security lapses in healthcare. Beyond data breaches perpetrated by hackers, health data is frequently exposed through accidental loss, device theft and employee negligence.
These are the flaws that Siemens is now working on patching:
- Code injection. An unauthenticated remote attacker could execute arbitrary code by sending specially crafted HTTP requests to the Microsoft web server (Port 80/TCP and Port 443/TCP) of affected devices.
- Code injection. An unauthenticated remote attacker could execute arbitrary code by sending a specially crafted request to the HP Client automation service on Port 3465/TCP of affected devices.
- Memory buffer flaw. An unauthenticated remote attacker could execute arbitrary code by sending a specially crafted request to the HP Client automation service of affected devices.
- Privilege escalation. An unauthenticated remote attacker could execute arbitrary code by sending a specially crafted request to the HP Client automation service of affected devices.
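As an added example (not code from the article, Siemens, or ICS-CERT), the following turns the ICS-CERT isolation guidance above and the ports named in this list into a defender's policy check: it audits a constructed firewall rule set for any path that exposes the scanners' affected services (80, 443 and 3465/TCP) outside their segment, or that gives the scanner segment a route to a non-internal destination. The segment, VPN gateway address and rules are assumed sample values.

```python
import ipaddress

# The three services named in the advisory, keyed by TCP port
AFFECTED_PORTS = {80: "Microsoft web server", 443: "Microsoft web server",
                  3465: "HP Client Automation"}

# Constructed policy (hypothetical values): the isolated modality segment,
# the RFC 1918 space that counts as "internal", and the one VPN gateway
# that is allowed to reach the scanners for remote access.
SCANNER_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VPN_GATEWAYS = [ipaddress.ip_network("10.99.0.5/32")]

# Constructed firewall rule set: (action, source, destination, dest_port)
SAMPLE_RULES = [
    ("allow", "10.50.0.0/24", "10.50.0.0/24", 3465),  # intra-segment: fine
    ("allow", "10.99.0.5/32", "10.50.0.0/24", 3465),  # VPN gateway: permitted
    ("allow", "10.10.0.0/16", "10.50.0.0/24", 443),   # user LAN -> scanners
    ("allow", "0.0.0.0/0", "10.50.0.7/32", 80),       # anywhere -> one scanner
    ("allow", "10.50.0.0/24", "0.0.0.0/0", 443),      # scanners -> internet
    ("deny", "0.0.0.0/0", "10.50.0.0/24", 80),        # deny rules are ignored
]


def audit_segmentation(rules, segment=SCANNER_SEGMENT, gateways=VPN_GATEWAYS):
    """Return (kind, rule) findings: 'exposure' when an affected port on the
    segment is reachable from a source that is neither inside the segment nor
    a VPN gateway; 'egress' when the segment can reach a non-internal range."""
    findings = []
    for action, src, dst, port in rules:
        if action != "allow":
            continue
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        inbound = dst_net.overlaps(segment) and port in AFFECTED_PORTS
        trusted = (src_net.subnet_of(segment)
                   or any(src_net.subnet_of(g) for g in gateways))
        if inbound and not trusted:
            findings.append(("exposure", (action, src, dst, port)))
        outbound = src_net.overlaps(segment)
        internal = any(dst_net.subnet_of(r) for r in INTERNAL_RANGES)
        if outbound and not internal:
            findings.append(("egress", (action, src, dst, port)))
    return findings


if __name__ == "__main__":
    for kind, rule in audit_segmentation(SAMPLE_RULES):
        print(f"{kind:8s} {rule}")
```

Run against the sample rules, the audit flags the two inbound exposures (user LAN and any-source rules) and the one internet egress rule, while the intra-segment and VPN gateway rules pass.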