We usually think of Internet of Things (IoT) devices as smart light bulbs or door locks or cameras, but there are some IoT devices that are a little bigger and a lot more expensive.
In this case, it is a multi-million dollar CAT scanner that hospitals and imaging centers use to create diagnostic images.
Siemens says that even an attacker with a low skill level would be able to exploit the vulnerabilities. That’s not very comforting.
The root of the problem is that there is a Windows 7 PC running the scanner and it is difficult to get approval to install patches – assuming they are even available – because it is considered a medical device.
To make matters worse – if that is possible – Siemens said that the flaw is executable remotely (from the Internet) and sample ways to exploit the bug are available on the Internet.
DHS suggests that hospitals unplug their CAT scanners from the network so attackers cannot reach the scanners to attack them.
Of course, that is probably not practical.
Siemens says that they are working on a patch. That’s comforting. It is not clear how long it will take Siemens to develop a patch (or get Microsoft to do so), how long it will take to get the patch approved, or how long it will take to get hospitals to install the patch.
Since the vulnerability allows hackers to remotely execute arbitrary code, they could potentially steal any data on the scanners or use the scanners as a launching point for attacks elsewhere in the hospital.
We always tell clients that ALL IoT devices need to be isolated from any trusted internal networks and likely from other IoT devices as well.
Whether the IoT device is a $5 smart light bulb or a multi-million dollar CAT scanner, that advice is still true. To do so may require hospitals to redesign their business practices as well as to make changes to their information systems, so that won’t happen overnight either.
This represents a bit of a mess for hospitals and clinics that have CAT scanners, and there does not seem to be an easy fix.
The point here is that IoT devices are everywhere and often in places that you do not think about. Some are small and relatively cheap; others are pretty large and very expensive, but they all share one commonality – they can be exploited.
It is likely to get much worse before it gets any better.