It definitely takes a special kind of c*nt to mess around with medical equipment, hospitals and anything else that affects people's lives.
Unfortunately it seems that they are out there, based on issues such as this, ransomware and the like.
Cisco’s Talos security limb has warned that specialist medical hardware has remote code execution and denial of service bugs. Talos researchers say Natus Xltek EEG medical products are susceptible to “A specially crafted network packet” that “can cause a stack buffer overflow resulting in code execution.” Which is rather …
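The Talos finding quoted above is the classic pattern of a length taken from a network packet and trusted. The following is an added illustration, not code from the article, from Talos, or from the Natus Xltek products (whose protocol is not described on this page); the wire format, packet samples and function names are constructed for the example. It shows the unchecked copy beside the two bounds checks that remove the bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for illustration only (NOT the Natus Xltek
 * protocol, whose details are not on the page): a 1-byte message type,
 * a 2-byte big-endian payload length, then the payload. */
#define HDR_LEN      3
#define MAX_PAYLOAD  64

/* Constructed sample packets. */
static const uint8_t BENIGN_PKT[]    = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t CRAFTED_PKT[]   = {0x01, 0xFF, 0xFF, 'A'};       /* claims 65535 bytes */
static const uint8_t TRUNCATED_PKT[] = {0x01, 0x00, 0x10, 'A', 'B'};  /* claims 16, sends 2 */

static size_t declared_len(const uint8_t *pkt)
{
    return ((size_t)pkt[1] << 8) | pkt[2];
}

/* Vulnerable pattern: the length comes from the packet and is never checked
 * against the destination buffer or against the bytes actually received. A
 * crafted length overruns the 64-byte stack buffer, which is the bug class
 * Talos describes. Kept for contrast only; never call this on untrusted input. */
int parse_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    char buf[MAX_PAYLOAD];
    if (pkt_len < HDR_LEN)
        return -1;
    memcpy(buf, pkt + HDR_LEN, declared_len(pkt));   /* unbounded copy */
    return (unsigned char)buf[0];
}

/* Hardened version: returns the payload length copied into `out`, or a
 * negative code. The two extra checks are the whole fix. */
int parse_hardened(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    if (pkt_len < HDR_LEN)
        return -1;                  /* header incomplete */
    size_t len = declared_len(pkt);
    if (len > out_cap)
        return -2;                  /* declared length exceeds destination buffer */
    if (len > pkt_len - HDR_LEN)
        return -3;                  /* declared length exceeds bytes actually received */
    memcpy(out, pkt + HDR_LEN, len);
    return (int)len;
}

/* Wrapper with its own buffer so callers (and tests) only see the status code. */
int hardened_status(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t out[MAX_PAYLOAD];
    return parse_hardened(pkt, pkt_len, out, sizeof out);
}

int main(void)
{
    printf("benign    -> %d\n", hardened_status(BENIGN_PKT, sizeof BENIGN_PKT));       /* 5 */
    printf("crafted   -> %d\n", hardened_status(CRAFTED_PKT, sizeof CRAFTED_PKT));     /* -2 */
    printf("truncated -> %d\n", hardened_status(TRUNCATED_PKT, sizeof TRUNCATED_PKT)); /* -3 */
    /* parse_vulnerable(CRAFTED_PKT, ...) would copy 65535 bytes into a 64-byte
     * stack buffer, overwriting whatever lies above it, including the saved
     * return address: the path from "crafted packet" to "code execution". */
    return 0;
}
```

The second check matters as much as the first: a length that fits the buffer but exceeds the bytes received turns the copy into an over-read of adjacent memory, which is the information-leak or crash (denial of service) half of the same advisory.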
This might be harsh, but those who hack medical equipment should be shot or hanged in the public square.
My apologies to those of gentle minds, but messing with these machines could cause the death of people, and messing with lives for the LOLs or for ransom deserves an extremely harsh punishment.
Careful about unintended consequences. Those with nothing to lose may go unfettered. Think about those who have "two strikes" and decide to not be taken alive.
IOW, If you think a pwned electroencephalograph is scary, how about this same person deciding to wait until he/she could pwn an entire hospital or medical network.
>Careful about unintended consequences. Those with nothing to lose may go unfettered. Think about those who have "two strikes" and decide to not be taken alive.
Having had an utterly psychopathic boss, having seen this boss destroy the company and damage the employees there, and finally having testified in court against the very same boss for embezzlement, I can assure you that the grade of humanity represented here will easily kill before being taken alive in any case. They always leave human wrecks in their wake. I am probably not able to fully explain the enormity of the damage wreaked by just one such person. You have to stop them, and stop them as fast as you can.
There is just one known cure for such aggressive psychopathy: plumbum forte hot-injected into gluteus maximus.
"There is just one known cure for such aggressive psychopathy: plumbum forte hot-injected into gluteus maximus."
Problem is, psychopathy is pretty much a prerequisite these days to get into any position of power. The thing about positions of power is that they tend to allow you to take anything permanent like you describe and order it turned around.
My apologies to those of gentle minds but messing with these machines could cause the death of people
So, what do we do with those who hack SCADA? An explosion at a power station can do damage an order of magnitude higher than hacking a single medical device (or even a class of them). The Philip IV the Fair treatment for state treason? For those of us who do not read history, that is: "quarter, skin, castrate, gut, and hang the remains".
So what about those who hack cars, aircraft, traffic control systems, satellite communications?
This is a slippery slope, and what makes it doubly slippery is the fact that medical equipment manufacturers are pathological in making their equipment insecure and impossible to secure. One of the reasons for the severity of the NHS Wannacry outbreak was the tens of thousands (if not more) of radiography, CAT scan, etc. machines which were all running Windoze and were OFF LIMITS to patching. You could not patch them, period - only the stock OS as shipped was allowed to be used, and the manufacturers never ever verified a single MS hotfix. Sure, in that case NHS IT itself was at fault for putting them on a flat network and not firewalling them. However, in real life you simply cannot firewall everything. That approach does not work (especially for things like monitors, sensors and smart pump/drug delivery systems).
So someone HAS TO HACK them and take to task the idiots who have shipped defective and substandard equipment out there. As long as there is no damage to the individuals using the equipment and the only ones "suffering" are the idiots who write software for it, I am all for hacking medical kit. We need more of it - so that regulators finally start paying attention.
I understand your point, but there need to be some pretty strict limits. The things to really worry about--at least on an individual level--are things like pacemakers. Modern ones can be monitored and adjusted from outside the body. Messing with one of those, if it has been implanted, could have *very* serious consequences.
It is--without a doubt--too much to ask that the manufacturers publish the code the devices run on so that those interested can verify that it is written correctly and securely and that even basic security precautions have been taken, such as not running implanted devices on default passwords--or, for that matter, even *having* passwords.
And one other thing... the medical personnel are very reassuring, but quite obviously have absolutely no clue whatsoever how communications with the devices are handled, nor do they actually know what sort of security the devices have (or, more likely, don't have), but they will say to your face that the devices are secure - because that's what the manufacturers' salesmen tell them. Great "bedside manner", but quite transparent BS to anyone with an actual technical background.
@Nick.
True, but it also talks of remote code execution. Having access to a "trusted" device such as this which is generally behind the firewalls and being able to run arbitrary code on it means you have a platform to attack other devices on the same network.
Sure, defence in depth is a real thing and your IPS and other internal security systems should/might help but my point is about the c*nts out there that attack medical and life-essential devices for their own means, be it ransom, information or just for kicks.
> a special kind of c*nt to mess around with medical equipment, hospitals and anything else that affects people's lives.
Yeah, like rival health trusts that want to see yours fail, take on your catchment and increase their budget.
Think it won't happen?
You don't think the people running them got where they are thanks to their fervent belief in the Hippocratic Oath, do you? The Hypocritical Oath maybe.
"Unlike apparently every NHS supplier of large type kit, like CT and MRI scanners, who seem to run XP and can't be bothered."
Every NHS hospital I've visited in the last decade or so seems to have outsourced the potentially profitable parts of routine "imaging services" (CT, MRI, etc). Are the outsourced versions any better or is it just yet another way of removing taxpayers money from the health service and putting it into the pockets of US-style bureaucrats and shareholders?
Aside: kit like this, where a Windows PC is an essential (if inappropriate) part of the setup, should in theory be using Windows Embedded flavours of Windows (the x86 ones, not the WinCE derivatives).
Half a brain or less.
Most software testing is just stress testing, running a lot of stuff at the same time, and is not hack testing or giving over to software engineers employed in finding and removing the hacks, holes and misgivings.
Many in the past said if aircraft or refrigerators crashed as much as the Microsoft operating system there would be much noise made and it would be banned.
Well, now there are automobiles, aircraft, refrigerators, microwaves, brain monitors, pacemakers, insulin dose devices, mobile phones, centrifuges, power stations, water plants, etc. that do, and while there are rules for electronic emissions and electronic devices, not much software has been banned yet, or much noise made about the problems with it being a major risk to human safety.
This shitty code is in your medical devices, cars, industrial systems, phones and most devices in your homes. It's present on every website you visit.
Insecure by negligence and stupidity, it's everywhere in your life.
But hey - psychopaths are running the companies that make this stuff & they don't give a shit. They are cutting cost to get paid. You are not the 1% so fuck you.
Well said. I could only give you one upvote because that's the rule.
Those who downvote you should bear in mind that the main purpose of a corporation is to make (lots of) money. Caring about human lives, obeying laws etc. all come after that and only if it doesn't interfere with the main goal.
"Those who downvote you should bear in mind that the main purpose of a corporation is to make (lots of) money. Caring about human lives, obeying laws etc. all come after that and only if it doesn't interfere with the main goal."
Almost seems like it needs a law that mandates that businesses cater to the people (clients AND employees) first and make money second; if one cannot achieve the second without achieving the first, then the business shouldn't exist in the first place.
Dunno, the more I think about it, the more I wonder if it isn't even worse than bad, in the same way that 'not even wrong' is worse than wrong - if you can develop at all then do it properly or don't bother but, for goodness' sake, don't produce something suboptimal that is (actually) worse than nothing.