back to article CERT warns of hardcoded creds in medical app

The US computer emergency response team has issued a warning after admin credentials were found in a popular medical application used for acquiring patient data. The MEDHOST application is designed for handling the perioperative three stages of surgery including patient tracking, and patient conditions. It can be hosted and …

  1. Walter Bishop Silver badge
    Facepalm

    Passwordless Medical app designed for handling perioperative surgery.

    This kind of security incident isn't even funny anymore. Isn't it about time that the people who design such defective systems are held accountable in court. Who put the hard-coded creds into medical app, what was its purpose, who forgot to remove the hard-coded creds before putting the MEDHOST application into an Operating Theatre.

    1. NotBob

      Re: Passwordless Medical app designed for handling perioperative surgery.

      More accurately, why is this accessible? It's fine on its own segregated network segment. It isn't designed for world+dog access.

      Poor choice in design, perhaps, but terrible implementation is the kicker here.

  2. jake Silver badge

    Remember back when ...

    ... Sun Microsystems hardcoded a default admin root/passwd in everything they were shipping? Probably mid to late 1980s.

    Seems that nothing has changed ...

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Remember back when ...

      Actually, no.

      Wasn't that DEC VAX?

      (Also, default =/= hardcoded)

      1. Anonymous Coward
        Anonymous Coward

        Re: Remember back when ...

        yes field/service typically wasn't removed but that was what systems administrators were for

      2. jake Silver badge

        Re: Remember back when ...

        "Wasn't that DEC VAX?"

        Not to the best of my knowledge ... I worked for DEC. On initialization in the field, the first question was (paraphrasing) "Choose a root password" ...

        "(Also, default =/= hardcoded)"

        Fair point ... but the root/passwd on early SUN gear was stored in EEPROM, not on disk.

        Six of one, half a dozen of another.

        1. Vic

          Re: Remember back when ...

          but the root/passwd on early SUN gear was stored in EEPROM, not on disk.

          What difference would that make?

          Vic.

          1. jake Silver badge

            @Vic (was: Re: Remember back when ...)

            "What difference would that make?"

            I addressed the "choose a root/passwd pair" in the first vignette.

            In the second, I alluded to perception of the difference between hardware and so-called "software"

            1. Vic

              Re: @Vic (was: Remember back when ...)

              In the second, I alluded to perception of the difference between hardware and so-called "software"

              You didn't. You merely claimed a different type of storage medium was used on those machines than might otherwise be expected. I neither know nor care whether your claim is correct.

              If you think this was drawing a distinction between hardware and software, I've got some bad news for you...

              Vic.

  3. Anonymous Coward
    Anonymous Coward

    Don't tell the FBI...

  4. John Smith 19 Gold badge
    Unhappy

    A genius plan. Again.

    What could go wrong.

    1. Destroy All Monsters Silver badge

      Re: A genius plan. Again.

      The lock on the stable door might jam, leading to security by accident.

  5. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    Not really that surprising in healthcare IT

    Totally unrelated but I have client who just got a letter from their x-ray system vendor, saying the system has been recalled at the direction of the FDA. Vendor action:"...vendor will be taking no action at this time..." Err, now what?!

  7. Anonymous Coward
    Anonymous Coward

    Hardcoded access - implanted by the US spooks

    Or incompetence.

  8. Fatman Silver badge

    Hard coded access!

    <quote>"An attacker with knowledge of the hardcoded credentials and the ability to communicate directly with the application database server may be able to obtain or modify patient information," </quote>

    You would EXPECT the access to the db server to be locked down HARD!!!!

    Jesus Fucking Christ - WHO is that fucking stupid to allow direct db access to such sensitive information.

    I know,

    MANGLEMENT!!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019