“I have no information on medical equipment; I don’t know how it works,” he said. “I started the research just to learn something. It’s really scary. When we develop technology in software systems, engineers forget about IT security. It’s a problem not just with medical equipment, but in a lot of areas of the industry.”
Lozhkin’s experiment started when he accidentally discovered unprotected medical devices available online using a Shodan search. After digging deeper into the results, he found that a few of the exposed devices were actually from a nearby hospital. One search result turned up a Moscow hospital run by a friend of Lozhkin’s; among the results was a Siemens log-in portal for a CT scan machine guarded only by a default password.
Lozhkin told his friend at the hospital about the situation and brought the issue to the attention of the institution’s management. He explained the problem to the people in charge, and it was finally agreed that he would carry out a security audit to test whether he could hack into their network.
He discovered during his initial hacking attempts that he couldn’t access any equipment over a remote connection, which meant that basic, properly configured firewalls are more than enough to keep low-skilled hackers away.
Therefore, he started by sitting outside the hospital and cracking the facility’s Wi-Fi. From there, he managed to hack and steal the local network key, which he said was “configured badly with an easy password”. Once on the network, he was able to access various medical equipment connected to the building’s internal Wi-Fi network.

“You can say I just hacked [lousy] Wi-Fi, so what?” Lozhkin said. “The guys who are creating software for medical devices should think about someone configuring [lousy] Wi-Fi access to the local network.”
Once on the network, using available pen-testing tools, Lozhkin was able to find a control panel for an MRI machine that was not password protected, and he extracted patient records from it. There was also access to a C Shell in the application. “You could do anything you wanted; add files, get a full list of patients, information on diagnoses, all on this device,” Lozhkin said.

Since management knew that Lozhkin was supposed to carry out a test, the records provided were dummy data. However, the experiment made its point and showed hospital management that their network was miserably insecure.

“There are two groups of people who need to be alarmed by this question, more specifically – the developers of medical equipment and the hospital management boards,” the Kaspersky team notes in a blog post. “The developers should test their devices for security, search for vulnerabilities and ensure they are all patched in a timely fashion,” the cyber-security vendor continues. “The management groups should care more about their network security and be certain that no critical infrastructure equipment is connected to any public network.”