Almost Half of Connected Medical Devices Are Vulnerable To Hackers Exploiting BlueKeep (zdnet.com)
An anonymous reader quotes a report from ZDNet: Connected medical devices are twice as likely to be vulnerable to the BlueKeep exploit as other devices on hospital networks, putting patients and staff at additional risk from cyber attacks. This is especially concerning when healthcare is already such a popular target for hacking campaigns. BlueKeep is a vulnerability in Microsoft's Remote Desktop Protocol (RDP) service which was discovered last year, and impacts Windows 7, Windows Server 2008 R2 and Windows Server 2008.
According to figures in a new report from researchers at healthcare cybersecurity company CyberMDX, 22% of all Windows devices in a typical hospital are exposed to BlueKeep because they haven't received the relevant patches. And when it comes to connected medical devices running on Windows, the figure rises to 45% -- meaning almost half are vulnerable. Connected devices on hospital networks can include radiology equipment, monitors, x-ray and ultrasound devices, anesthesia machines and more. If these devices aren't patched, it's possible that destructive cyber attacks searching for machines vulnerable to BlueKeep could put hospital networks -- and patients -- at risk. "One of the key problems for hospitals is that many devices are classed as obsolete: Windows 7, for example, is vulnerable to BlueKeep and no longer supported by Microsoft, but remains common across hospital networks," adds ZDNet. "Any further vulnerabilities uncovered in Windows 7 -- and other out-of-support operating systems -- aren't guaranteed security patches, leaving networks potentially at further risk going forward."
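The two headline figures in the summary (share of Windows hosts exposed, and share of Windows medical devices exposed) come from classifying each host by OS, patch state and RDP reachability. The script below is an added example, not code from ZDNet or CyberMDX: it triages a constructed inventory that way and orders remediation with patient-facing devices first. The `Host` fields and the inventory are invented for the example, and the KB numbers are an assumption to be checked against the MSRC advisory for each OS; it also goes slightly beyond the summary by treating a listener behind Network Level Authentication as mitigated rather than exposed.

```python
from dataclasses import dataclass

# Builds the summary lists as affected by BlueKeep (CVE-2019-0708).
AFFECTED_OS = {"Windows 7", "Windows Server 2008", "Windows Server 2008 R2"}
# Assumption for this example: check the MSRC advisory for the rollup or
# security-only update that actually applies to each host's OS.
FIX_KBS = {"KB4499175", "KB4499164", "KB4499180", "KB4499149"}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    medical_device: bool        # radiology, ultrasound, anaesthesia, ...
    rdp_listening: bool         # TCP/3389 reachable from the hospital LAN
    nla_enabled: bool = False   # Network Level Authentication on the listener
    installed_kbs: frozenset = frozenset()


def bluekeep_status(h: Host) -> str:
    """Classify one host: not_affected, patched, mitigated or exposed."""
    if h.os not in AFFECTED_OS:
        return "not_affected"
    if h.installed_kbs & FIX_KBS:
        return "patched"
    # Unpatched. No listener, or a listener behind NLA, blocks the
    # unauthenticated path BlueKeep uses; the host still needs the patch.
    if not h.rdp_listening or h.nla_enabled:
        return "mitigated"
    return "exposed"


def exposure_rates(hosts) -> dict:
    """Percent of Windows hosts, and of Windows medical devices, exposed:
    the two figures the CyberMDX report quotes (22% and 45%)."""
    windows = [h for h in hosts if h.os.startswith("Windows")]
    medical = [h for h in windows if h.medical_device]

    def pct(group):
        exposed = sum(1 for h in group if bluekeep_status(h) == "exposed")
        return round(100.0 * exposed / len(group), 1) if group else 0.0

    return {"windows_exposed_pct": pct(windows),
            "medical_exposed_pct": pct(medical)}


def remediation_queue(hosts) -> list:
    """Exposed hosts, patient-facing devices first, then everything else."""
    exposed = [h for h in hosts if bluekeep_status(h) == "exposed"]
    exposed.sort(key=lambda h: (not h.medical_device, h.name))
    return [h.name for h in exposed]


# Constructed inventory for the example (not real hospital data).
INVENTORY = [
    Host("ws-01", "Windows 10", False, True, True),
    Host("ws-02", "Windows 7", False, True, False, frozenset({"KB4499175"})),
    Host("ws-03", "Windows 7", False, True),
    Host("srv-01", "Windows Server 2008 R2", False, True, True),
    Host("srv-02", "Windows Server 2016", False, True, True),
    Host("xray-01", "Windows 7", True, True),
    Host("mri-01", "Windows Server 2008", True, True),
    Host("ultrasound-01", "Windows 7", True, False),   # vendor left RDP off
    Host("monitor-01", "Windows 10", True, False),
    Host("anesthesia-01", "Windows 10", True, True, True),
]
```

Running `exposure_rates(INVENTORY)` on this inventory reports 30.0% of Windows hosts and 40.0% of Windows medical devices exposed, and `remediation_queue(INVENTORY)` lists the two imaging systems before the office workstation.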
Hackspital (Score:1)
I can envision a sequel to Weekend at Bernie's.
So Win 7 Home is not vulnerable? (Score:4, Interesting)
So ironically, the "limited feature" Windows 7 Home wouldn't be vulnerable, since Microsoft opted to delete the RDP server from it.
Re: (Score:2)
Meanwhile, on Windows 10 it requires a heroic effort to keep Candy Crush uninstalled.
Re: (Score:2)
RDP is in Windows 7, it's just that you can't enable it for arbitrary connections. It's still available for their "remote support" feature though, which was intended for computer manufacturers to offer assistance to customers.
Microsoft lists all versions of Windows 7 as being vulnerable: https://portal.msrc.microsoft.... [microsoft.com]
The problem here is maintainability (Score:5, Insightful)
At a high level, the main problem is that companies build this equipment, and then once it is sold, there's little advantage to maintaining it. After all, you're not about to buy another MRI machine. You already have one. So you have all this custom software that was designed to run on one version of one operating system, and the risk of things going wrong on a new OS is high, and changing anything requires everything to be re-certified, so it never happens.
In an ideal world, these systems would be purpose-built, with minimal operating systems capable of handling the operation of the devices, and the computers you use for actually seeing what they are doing or asking them to do things should be subject to lower levels of certification, because the devices themselves should be internally failsafe-by-design. I'm not sure what the proper boundary is, but it seems pretty clear that the industry hasn't found it yet.
Also, in an ideal world, the FDA would require the manufacturer to realize a significant portion of revenue over the expected life of the hardware, and provide regular maintenance updates and recertification throughout that entire period, for as long as anyone is still within that expected lifespan, thus ensuring that, for example, the digital X-ray at your dentist's office isn't stuck on Windows 95 because the manufacturer abandoned it after five years.
Re: (Score:1)
Re: (Score:3)
You realise that the distros of linux only have a limited lifetime of support per release too? And every other offering I know of too. Well, outside hobbyist, but you'd never want that kind of support for a front line medical device.
Re:The problem here is maintainability (Score:5, Informative)
You realise that the distros of linux only have a limited lifetime of support per release too? And every other offering I know of too. Well, outside hobbyist, but you'd never want that kind of support for a front line medical device.
Updates and support lifecycles on Linux don't work like you envision. If a distro goes end of life, the new one is an update away. I've had several distros go EOL, and the update just carries along with no disruption.
Re: (Score:1)
Re: (Score:1)
Updates and support don't work like you envision. A new version update will often break your system/app and also now take it out of compliance so it is no longer certified to perform the task it was sold to do, leaving you open to having your arse sued off. EOL is a bitch on all platforms, ESPECIALLY Linux. Real life enterprises and certified machines DON'T operate the same way they do in your mother's basement.
Posting AC was the smartest thing you did all day, homie.
Your experience with Linux is exactly opposite mine. Which has me thinking if you actually ever used Linux, you ain't doin' it right. I've been through several end of support versions, and the lack of drama is almost disappointing. W10? Takes a bad case of Stockholm syndrome to ignore the shithouse fire that is Windows updates. Even this last one, it's made a lot of programs unstable
Why, you are saying that Apache servers can never be updated ev
Re: (Score:1)
Well dude, fill me in on the "drama free" method to update CentOS5/RHEL5 to a supported operating system?
Well dude, if you are using a Linux system that requires drama to update, don't blame me.
Re: (Score:2)
You can't update a medical device without re-certifying it (money).
I had no idea that every update took a top to bottom recertification. Well there is the answer. Between the several times a year W10 updates, and every Update on the apache servers, re-certification would happen so often that you wouldn't be able to use the equipment.
Re: (Score:3)
Until the update breaks something. Maybe they changed the init system to systemd. Maybe the version of libc your app needs no longer works. And that the new version runs on the old hardware, they didn't just deprecate something you need or break a driver you relied on.
How likely do you think it is that a binary which interfaces with custom hardware using custom drivers from say 10 years ago will work properly on a 2020 Linux distro? I mean, maybe, but at the very least the manufacturer needs to do some exte
Re: (Score:2)
Until the update breaks something. Maybe they changed the init system to systemd. Maybe the version of libc your app needs no longer works. And that the new version runs on the old hardware, they didn't just deprecate something you need or break a driver you relied on.
How likely do you think it is that a binary which interfaces with custom hardware using custom drivers from say 10 years ago will work properly on a 2020 Linux distro? I mean, maybe, but at the very least the manufacturer needs to do some extensive testing.
While I'd be the last person to say that Linux is bulletproof - no OS is. Trying to compare it as if it were equivalent to the utter disaster that Windows 10 has proven to be is simply not comparable.
I've lived through the XP to Vista disaster where entire companies' worth of printers and other peripherals were rendered useless overnight, then re-lived it with Windows 8, eventually refusing to support W8. Windows 10 has also been a shitshow.
My favorite Vista story is I was forced to update a system to
Re: (Score:2)
The difference is that they *can* still be supported. If your MRI machine used Linux you could club together with others who used the same model and get the system code maintained. Whether this would be legal is another question, since the updated code would then often need to be recertified...and that's not an easy process. But in principle you could do it.
(Still, a better approach is to not have the code accessible over the net. Possibly post copies of the results to a net facing server that has read
Re: (Score:2)
(Still, a better approach is to not have the code accessible over the net. Possibly post copies of the results to a net facing server that has read only access.)
Now that, I can get behind. I've got a couple air-gapped networks that are not touched by the internet except when I remove the computers to another place to do updates.
While they aren't 100 percent secure - nothing is - it does take a deliberate act to compromise them.
Re: (Score:2)
At a high level, the main problem is that companies build this equipment, and then once it is sold, there's little advantage to maintaining it.
And they have to get FDA approval for software updates in one way or another.
Only Half?? (Score:4, Interesting)
Too many specialized medical systems are STILL running Windoze XP. I went to my ophthalmologist last year, and the system was running XP, wasn't compatible with Win 7, and the maker had gone out of business. There were no updates.
Re: (Score:3)
I just can't see this ending well.
Re: (Score:3)
not ideal, but air gapping and virtualisation for dead HW could perpetuate this xp only software "safely" (less risk) well into the future. But if someone says connected...
Re: (Score:1)
Re: (Score:3)
There are alternatives to just about every system I know of on the medical front. The problem is that sometimes, the clinical leads have a system that just works, can be stand alone (making it invisible to IT, unless they're specifically brought in), they've never bought a maintenance and support contract and they've struck lucky in that something doesn't go wrong, so they just keep right on using it.
These aren't the life critical systems, though sometimes end up being very useful in treatment. As things
Re:Only Half?? (Score:4, Informative)
Too many specialized medical systems are STILL running Windoze XP. I went to my ophthalmologist last year, and the system was running XP, wasn't compatible with Win 7, and the maker had gone out of business. There were no updates.
It's the conundrum that people didn't think of. With most things, you use it until it breaks or wears out. Companies and individual businesses didn't know or understand that the Windows model was to replace working systems every few years for no really good reason. You have to go into that meeting telling them they have to spend a lot of money to get to the same place they already are.
So in the matter of larger companies, the OS update might involve buying thousands of new computers, and very often new peripherals, as Windows stops supporting things like printers - I lived through the VISTA debacle as drivers went away, and just had a W10 update abandon a perfectly good laser printer driver. And some places are likewise stuck with software that isn't available any more, but works on the older machines they already have.
Re: (Score:1)
More things Windows can do that Linux can't. ;)
Runs malware a trick!
die from fear of bad hospital IT (Score:5, Funny)
So if I am admitted to hospital, my life might depend on windows installations so obsolete and ill-maintained, that I would not trust them with even the most menial tasks around my own home or business?
A patient with good IT knowledge risks dying of fear and shock once hooked up to such a system.
Re:die from fear of bad hospital IT (Score:4, Insightful)
Right you are, now you need the latest Windows with official spyware and brand new vulnerabilities. And don't worry a bit about backward compatibility because lots of the good old exploits still work too.
Re: (Score:2)
Re: (Score:2)
It would be a violation of HIPAA if it were true. It's not though. Windows in an enterprise is very configurable about what you allow and disallow.
Everything has vulnerabilities if it has enough complexity (c.f. the frame problem).
Re: (Score:2)
IIUC, MSWindows installations are certified by some authority, so even though they ought to be in violation of the HIPAA, they effectively aren't.
Re:die from fear of bad hospital IT (Score:4, Informative)
Right you are, now you need the latest Windows with official spyware and brand new vulnerabilities. And don't worry a bit about backward compatibility because lots of the good old exploits still work too.
Exactly. People get all spun up about W7 and security when Windows 10 gets tons of security updates. Which means it's not quite as secure as they would like us to believe.
Re: (Score:2)
I tend to assume there's an innumerable supply of vulnerabilities in any complex piece of software (like an OS). (I say "innumerable" rather than infinite, because while the number may be small or large, it isn't known, but also has some bound.) I'll also assume that Win10 has dealt with most of the known vulnerabilities of Win7. The fact that
Re: (Score:2)
So if I am admitted to hospital, my life might depend on windows installations so obsolete and ill-maintained, that I would not trust them with even the most menial tasks around my own home or business?
A patient with good IT knowledge risks dying of fear and shock once hooked up to such a system.
Well, at least a Windows 10 update won't delete your ventilator's drivers on you.
Re: (Score:2)
Relax, I'm sure the billing systems are properly maintained and hardened so there's very little risk of your giant bill accidentally disappearing due to hacking.
Somebody needs to go to jail (Score:5, Insightful)
Somebody needs to go to jail for running medical devices on Windows.
Re: (Score:3)
Yeah right. It isn’t just a Windows problem, but Windows is the most visible issue. I have seen ancient versions of Solaris, and even some Linux systems. They cannot be updated like a normal computer— everything needs to be approved as a package. A hospital will buy a support contract (as long as one is available), but companies do go out of business, merge/acquire, and lose key staff, which can all lead to a loss of ability to continue to support a legacy product.
Most hospitals I have dealt wit
Re:Somebody needs to go to jail (Score:4, Informative)
It isn’t just a Windows problem
This one is just a Windows problem. [csoonline.com] Plus every one of the numerous other medical vulnerabilities I have heard of.
Using Windows as a medical platform should be a felony. How many lives have been lost already, and who are the criminals responsible?
Re: (Score:3, Informative)
Completely incorrect. I can tell you don't work in the clinical area from your assertions alone. I suspect you may not even work in the IT field at all.
Windows is a perfectly capable system for using as a medical platform. All front line clinical systems are thoroughly vetted, tested and so on, with several levels of fail safe built in.
The problem is that hospital IT groups are kept small and focused on keeping normal hospital activities going, which leaves clinical devices in a very strange place. The
Re: (Score:2, Troll)
There is a reason [networkworld.com] that Windows is permanently banned from financial platforms. Why is it still allowed in hospitals?
Re: (Score:2)
Except it's not. That's a cherry picking fallacy you've just picked up right there. I happen to know Windows is used a lot in Financial institutions too. What they got rid of was an in house .net system, because the latency was too great.
Re: (Score:2)
I should also have mentioned that the article you pointed to only referred to their in house platform, NOT windows. So you're even further away from the truth. I call "chess pigeon".
Re: (Score:1)
I call denialist. Windows is in fact not used in any financial trading platform (provide link if you think otherwise, haha) not only because it is slow but because it is buggy as shit.
Re: (Score:2)
Ahh, now you're saying "trading platform", which isn't a standard "financial platform". That's a changing the goalposts logical fallacy, and completely changes the entire scope of the discussion. Which is a completely chess pigeon move.
What you originally said is "Windows is so bad that people should be made a crime to use it in a medical environment". Your evidence for this is that a niche example of a stock trading transfer system that is effectively a highly tuned specialist piece of software that wil
Re: (Score:1)
Disingenuous fellow. Trading platform and financial platform are commonly regarded as synonyms. To clarify, a platform dependent on 100% reliable and efficient network transactions, which Windows abundantly proved itself to be incapable of. Never mind that it is a malware petri dish, always has been and always will be.
Flail away my friend, these facts are engraved on the internet.
Re: (Score:3)
Incorrect. Financial platforms are many and varied (at least according to the financiers in my crowd). A particular stock exchange gateway is a piece of software (I know LSE swapped out their own software for MillenniumIT, but I'm actually suspecting that's gateway software that may even sit on windows; there's nothing about underlying infrastructure I can see, but nothing saying a move away was made).
A financial platform would be such things as financial modelling platforms, financial trading platforms, s
Re: (Score:1)
I know LSE swapped out their own software for MillenniumIT, but I'm actually suspecting that's gateway software that may even sit on windows
You guessed 100% wrong on multiple levels. Post again and embarrass yourself more.
Re: (Score:2)
Except it's not. That's a cherry picking fallacy you've just picked up right there. I happen to know Windows is used a lot in Financial institutions too. What they got rid of was an in house .net system, because the latency was too great.
I take it from your posts that there isn't any problem here?
Re: (Score:3)
A hospital will buy a support contract
From whom? When your Windows 7 system goes EOL, who could you pay to keep it running? Never mind Windows 7. What about people who got stuck with a Windows XP, IE6 SCADA where the choice is to rip out and replace millions of dollars of hardware (hoping that the port didn't overlook some oddball system dependency), or just cross your fingers, unplug the workstation from the Internet and soldier on.
Wouldn't it be nice if someone could pick up the system source code, put that together with some past experience
Re: (Score:2)
Microsoft supports it for a very pretty penny.
The critical systems are updated to work with newer versions of windows.
Re: (Score:2)
You buy a support contract for your system from a Siemens/GE/Philips/Varian/whomever. They will update the OS if needed; the cost is trivial relative to their maintenance contract. (Sure, they will find a way to charge you for it though.) For most systems, the upgrade comes roughly at the same time the operator workstation is replaced.
It is not like commercial software; you are paying for a solution, not a program.
In-house stuff is/was another matter though.
Re: (Score:2, Insightful)
Somebody needs to go to jail for making completely inane ranty assertions without rationale and evidence.
It's much worse than this. (Score:3, Informative)
Be afraid. Be very afraid.
Re: (Score:2)
That's a HIPAA violation (or data protection act violation) right there.
If that wasn't over 30 years ago, call in the lawyers.
Wireshark (Score:3)
Then one day I had the crazy idea to just fire up wireshark and sniff the air. I figured all the traffic would be encrypted, but why not just look.
ZOMG. I don't think *anything* was encrypted. I shut it down before I could see anything so blatant as to compel me to have to have a big long Responsibly Disclosing This Info To Your IT Folks discussion.
This was in a major city's pride-and-joy medical complex. But that was like a year ago; I'm sure it's all sorted now.
Re: (Score:1)
Re: (Score:2)
Well, there's the patient network, which is completely open, so patients can, well, use their wireless devices to entertain themselves in areas where reception isn't great, or is non-existent.
That's pretty much the case for every hospital I know of. So what you were likely looking at was other people's traffic from their devices.
Completely gapped from that is the real hospital network which hosts servers, and usually at least VLAN and firewall isolated from that are the medical device networks.
Re: (Score:2)
That's OK. (Score:2)
Microsoft Windows strikes again (Score:2)
open (Score:2)
This is just one more example of why it is important to have open hardware and open operating systems.
There is no guarantee these devices are going to be secure or updated regularly without them.