back to article Brain monitor had remote code execution and DoS flaw

Cisco’s Talos security limb has warned that specialist medical hardware has remote code execution and denial of service bugs. Talos researchers say Natus Xltek EEG medical products are susceptible to “A specially crafted network packet” that “can cause a stack buffer overflow resulting in code execution.” Which is rather …

  1. Mayday
    Flame

    It definitely takes

    a special kind of c*nt to mess around with medical equipment, hospitals and anything else that affects people's lives.

    Unfortunately it seems like that they are out there based on issues such as this, ransomware and the like.

    1. Mark 85 Silver badge

      Re: It definitely takes

      This might be harsh, but those who hack medical equipment should be shot or hung on the public square.

      My apologies to those of gentle minds but messing with these machines could cause the death of people and messing with lives for the LOL's or ransom deserves an extremely harsh punishment.

      1. Charles 9 Silver badge

        Re: It definitely takes

        Careful about unintended consequences. Those with nothing to lose may go unfettered. Think about those who have "two strikes" and decide to not be taken alive.

        IOW, If you think a pwned electroencephalograph is scary, how about this same person deciding to wait until he/she could pwn an entire hospital or medical network.

        1. Anonymous Coward
          Anonymous Coward

          Re: It definitely takes

          >Careful about unintended consequences. Those with nothing to lose may go unfettered. Think about those who have "two strikes" and decide to not be taken alive.

          Having had an utter psychopathic boss, having seen this boss destroy the company, damage te employees there and finally witnessed in court against the very same boss for embezzlement, I can assure you that the grade of humanity represented here will easily kill before being taken alive in any case. They always leave human wrecks in their wake. I am probably not able to fully explain the enormity of damage wrecked by just one such person. You have to stop them and stop them as fast as you can.

          There is just one known cure for such aggressive psychopathy: plumbum forte hot-injected into gluteus maximus.

          1. Charles 9 Silver badge

            Re: It definitely takes

            "There is just one known cure for such aggressive psychopathy: plumbum forte hot-injected into gluteus maximus."

            Problem is, psycophathy is pretty much a prerequisite these days to get into any position of power. The thing about positions of power is that they tend to allow you to take anything permanent like you describe and order it turned around.

      2. Voland's right hand Silver badge

        Re: It definitely takes

        My apologies to those of gentle minds but messing with these machines could cause the death of people

        So, what do we do with those who hack SCADA? An explosion at a power station can do damage on an order of magnitude higher than hacking a single medical device (or even class of). The Philip IV the fair treatment for state treason? For those of us who do not read history that is: "quarter, skin, castrate, gut, and hang the remains".

        So what about those who hack cars, aircraft, traffic control systems, satellite communications?

        This is is a slippery slope and what makes it doubly slippery is the fact that medical equipment manufacturers are pathological in making their equipment insecure and impossible to secure. One of the reasons for the severity of the NHS Wannacry outbreak was the tens of thousands (if not more) radiography, CAT scan, etc machines which were all running Windoze and were OFF LIMITS to patching. You could not patch them period - only the stock OS as shipped was allowed to be used and the manufacturers never ever verified a single MS hotfix. Sure, in that case NHS IT itself was at fault for putting them on a flat network and not firewalling them. However, in real life you simply cannot firewall everything. That approach does not work (especially for things like monitors, sensors and smart pump/drug delivery systems).

        So someone HAS TO HACK them and take to task the idiots who have shipped defective and substandard equipment out there. As long as there is no damage to the individuals using the equipment and the only ones "suffering" are the idiots who write software for it, I am all for hacking medical kit. We need more of it - so that regulators finally start paying attention.

        1. Old Used Programmer

          Re: It definitely takes

          I understand your point, but there need to be some pretty strict limits. The things to really worry about--at least on an individual level--are things like pacemakers. Modern ones can be monitored and adjusted from outside the body. Messing with one of those, if it has been implanted, could have *very* serious consequences.

          It is--without a doubt--too much to ask that the manufacturers publish the code the devices run on so that those interested can verify that it is written correctly and securely and that even basic security precautions have been taken, such as not running implanted devices on default passwords--or, for that matter, even *having* passwords.

          And one other thing....the medical personnel are very reasurring, but quite obviously have absolutely no clues whatsoever how communications with the devices is handled, nor do they actually know what sort of security the devices have (or, more likely, don't have), but they will say to your face that the devices are secure--because that's what the manufacturers salesmen tell them. Great "bedside manner", but quite transparent BS to anyone with an actual technical background.

    2. Nick Kew

      Re: It definitely takes

      Um, the article talks of the threat as stealing information.

      A threat against someone's vital life-support make a serious (and plausible) story, but it's not actually *this story*.

      1. Mayday

        Re: It definitely takes

        @Nick.

        True, but it also talks of remote code execution. Having access to a "trusted" device such as this which is generally behind the firewalls and being able to run arbitrary code on it means you have a platform to attack other devices on the same network.

        Sure, defence in depth is a real thing and your IPS and other internal security systems should/might help but my point is about the c*nts out there that attack medical and life-essential devices for their own means, be it ransom, information or just for kicks.

    3. GIRZiM

      Re: It definitely takes

      > a special kind of c*nt to mess around with medical equipment, hospitals and anything else that affects people's lives.

      Yeah, like rival health trusts that want to see yours fail, take on your catchment and increase their budget.

      Think it won't happen?

      You don't think the people running them got where they are thanks to their fervent belief in the Hippocratic Oath, do you? The Hypocritical Oath maybe.

  2. Gene Cash Silver badge

    "if Natus users have done their patching"

    Hospitals? Doing proactive security and keeping their e-devices up-to-date?

    Not bloody likely. I'd expect Trump to turn into a nice person first.

  3. lglethal Silver badge
    Joke

    Oh lordy!

    "this should be no more serious than a dose of man-flu."

    But we all know there is nothing worse than Man-flu, child birth is a pale comparison!!! Panic stations everyone!!!

  4. John Smith 19 Gold badge
    WTF?

    OMFG. Hardware mfg of medical equipment issues *patches*

    F**k me sideways.

    Unlike apparently every NHS supplier of large type kit, like CT and MRI scanners, who seem to run XP and can't be bothered.

    1. Anonymous Coward
      Anonymous Coward

      Re: OMFG. Hardware mfg of medical equipment issues *patches*

      "Unlike apparently every NHS supplier of large type kit, like CT and MRI scanners, who seem to run XP and can't be bothered."

      Every NHS hospital I've visited in the last decade or so seems to have outsourced the potentially profitable parts of routine "imaging services" (CT, MRI, etc). Are the outsourced versions any better or is it just yet another way of removing taxpayers money from the health service and putting it into the pockets of US-style bureaucrats and shareholders?

      Aside: kit like this where a Windows PC is an essential (if inappropriate) part of the setup should in theory be using Windows Embedded flavours of Windows (the x86 ones, not the WinCE derivatives)..

  5. Anonymous Coward
    Coffee/keyboard

    Needs monitoring to test for...

    Half a brain or less.

    Most software testing is just stress testing, running a lot of stuff at the same time, and is not hack testing or giving over to software engineers employed in finding and removing the hacks, holes and misgivings.

    Many in the past said if aircraft or refrigerators crashed as much as the Microsoft operating system there would be much noise made and it would be banned.

    Well now there is Automobiles, Aircraft, Refrigerators Microwave, Brain monitors, Pacemakers, Insulin dose devices, Mobile phones, Centrifuges, Power stations, Water plants, etc that do and while there are rules for electronic emissions and electronic devices not much software has been banned yet, or much noise made about the problems with it being a major risk to human safety.

  6. Anonymous Coward
    Anonymous Coward

    All code is written by offshore idiots to the lowest price

    This shitty code is in your medical devices, cars, industrial systems, phones and most devices in your homes. It's present on every website you visit.

    Insecure by negligence and stupidity, it's everywhere in your life.

    But hey - psychopaths are running the companies that make this stuff & they don't give a shit. They are cutting cost to get paid. You are not the 1% so fuck you.

    1. Anonymous Coward
      Anonymous Coward

      @AC - Re: All code is written by offshore idiots to the lowest price

      Well said. I only could give you an upvote because that's the rule.

      Those who downvote you should bear in mind that the main purpose of a corporation is to make (lots of) money. Caring about human lives, obeying laws etc. all come after that and only if it doesn't interfere with the main goal.

      1. Charles 9 Silver badge

        Re: @AC - All code is written by offshore idiots to the lowest price

        "Those who downvote you should bear in mind that the main purpose of a corporation is to make (lots of) money. Caring about human lives, obeying laws etc. all come after that and only if it doesn't interfere with the main goal."

        Almost seems like it needs a law that mandates that businesses cater to the people (clients AND employees) first and make money second; if one cannot achieve the second without achieving the first, then the business shouldn't exist in the first place.

    2. Mark 85 Silver badge

      Re: All code is written by offshore idiots to the lowest price

      Ah downvotes honesty. I suspect those are from off-shore contractors or their paid schills.

      1. Nunyabiznes Silver badge

        Re: All code is written by offshore idiots to the lowest price

        "Ah downvotes honesty. I suspect those are from off-shore contractors or their paid schills."

        Or could be from people who know just how much shitty code has been\is being written on shore. Cue Linus T.

    3. Mike 137 Bronze badge

      Re: All code is written by offshore idiots to the lowest price

      Believe me, by no means all the idiots are off shore.

  7. Mike 137 Bronze badge

    "... heavily sub-optimal ..."

    Bad?

    1. GIRZiM

      Re: "... heavily sub-optimal ..."

      Dunno, the more I think about it, the more I wonder if it isn't even worse than bad, in the same way that 'not even wrong' is worse than wrong - if you can develop at all then do it properly or don't bother but, for goodness' sake, don't produce something suboptimal that is (actually) worse than nothing.

    2. TrumpSlurp the Troll Silver badge
      Trollface

      Re: "... heavily sub-optimal ..."

      Fat?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019