Thursday, January 17, 2013

Fuzzing Philips X-Ray Equipment, Remote Exploit?

Today there are news reports [Dark Reading, SC Magazine] about security problems found in a Philips medical device related to X-ray care delivery.

The facts are not entirely clear to me. The capitalization errors in the reports cause me to maintain some skepticism. So I would suggest treating the news as "untrusted input" that needs to be independently verified before rushing to judgement. If I were a clinical engineer or IT administrator at a hospital, I'd keep a calm head and wait for official reports from FDA and the manufacturer.

Last June, we posted a note about some red flags in the cybersecurity language describing a Philips medical device. So it would not surprise me if such a device falls during Round One of fuzz testing. Getting security right is really hard, and there need to be more students learning the skills and concepts to improve the security of software-controlled medical devices.

"We have a remote unauthenticated exploit for Xper, so if you see an Xper machine on a network, then you can own it," Cylance researcher Billy Rios told SC.

To pass the time, browse MAUDE for adverse events by typing "Philips" into the manufacturer box and "xper" into the brand box. Consider filing a MedWatch 3500 if you discover an adverse event involving cybersecurity. The form is a pain to use, but there are few alternatives available today.
