12 Feb 2016

Kaspersky Researcher Hacked a Hospital While Sitting in His Car

Sergey Lozhkin, a security researcher for Kaspersky, gave a talk at the Security Analyst Summit (SAS 2016) held these days in Tenerife, Spain, where he presented a case study during which he hacked a local hospital.
For the past few years, Internet-connected devices have been hacked left and right, but most of the times, these are harmless IoT appliances, like kettles or fridges.
Lozhkin's experiment started when he accidentally discovered unprotected medical equipment available online through Shodan. Digging deeper into the results, he found that a few of the exposed devices were actually from a local nearby hospital.
Hospital management allows him to carry out a penetration test
The researcher contacted a friend working at that hospital and brought the issue to the institution management's attention. He explained the problem to the people in charge and eventually agreed to carry out a security audit to test if he could hack into their network.
Since IoT equipment is known to have lots of security issues, Lozhkin was sure he'd eventually get in.
During his initial hacking attempts, he discovered that he couldn't access any equipment from a remote connection, which means that basic and properly configured firewalls are more than enough to keep low-skilled hackers away.
Lozhkin did manage to crack into the hospital's network, but only after he drove near the actual building, close enough to reach its WiFi network from his laptop.
Researcher was able to steal patient records
From there, he managed to hack and steal the local network key, which then allowed him to access various medical equipment that was connected to the building's internal WiFi network.
Using the network key, he accessed a tomographic scanner, from where he extracted patient records. The records were dummy data since management knew he was supposed to carry out a test, but the experiment proved its point and showed hospital management that their network was woefully insecure.
"There are two groups of people who need to be alarmed by this question, more specifically - the developers of medical equipment and the hospital management boards," the Kaspersky team notes in a blog post.
"The developers should test their devices for security, search for vulnerabilities and ensure they are all patched in a timely fashion," the cyber-security vendor continues. "The management groups should care more about their network security and be certain that no critical infrastructure equipment is connected to any public network."