Ultrasound Machine Vulnerability Reveals Disturbing Details

A recent vulnerability surrounding ultrasound machines has been discovered.

The flaw was identified by a cybersecurity research firm, Check Point Research who addressed the flaw to reporters at the ongoing RSA Conference 2019.

Oded Vanunu, the firm’s Head of Vulnerability Products Research, said they had worked with a hospital located in Tel Aviv to test an ultrasound machine that was known to be common in most hospitals around the globe.

They noted that most hospitals were known to exhibit poor network because they do not have proper funding for better IT infrastructure. Hence, it was easy to exploit the ultrasound machine which was a proxy on the network within two simple clicks.

He disclosed that exploiting the ultrasound machine didn’t require reverse engineering tool or any other sophisticated tool for that matter. The machine, like most ultrasound machines everywhere else, ran on Windows 2000 – an OS that was no longer maintained or updated by Microsoft.

All they had to do was use an old vulnerability to exploit and gain control of the hardware.

He revealed that they employed three different attacks which were all successful. The vulnerability allowed them to all the scans of a patient in seconds. Then, they manipulated them to replace the names of the patients.

It was easy to execute Ransomware from then on.

Vanunu noted that while the ease of the attacks on the machine was particularly disturbing, it remained the norm in hospitals, where patient data could be sold to the highest bidder on the Dark Web.

He stated that hospitals will soon become the next hotspot for cyberattacks since most of the devices – not just the ultrasound machine – are quite easy to hack and pilfer patients’ data.

Vanunu stressed the importance of throwing resources into segmentation – the mere act of separating patient data from the IT framework. This would make malware encryption or data heist impossible.

Cyber-attacks in medical facilities have been on the rise following the attack on SingHealth, where the Singapore’s Prime Minister’s health records along with over 1.5 million patients’ data was pilfered from 2015 to 2018.

Over 30,000 patients’ data was also stolen from the Medical Health Services in Indiana

The infamous 2017 WannaCry attack that resulted in over 19,000 appointments at the UK’s National Health Service to be revoked also comes to mind.