Zero-days—security issues known only to the attacker and not the affected vendor—can be a sought-after commodity for researchers, criminals, or governments. But one company is offering zero-days for a set of overlooked targets: medical software, some of which is used in hospitals.
The company’s products highlight the often contentious debate between keeping hold of vulnerabilities for offensive purposes and selling them, or disclosing the issues to the affected software vendor so the holes can be fixed.
“To disclose is not an obligation,” Yuriy Gurkin of Gleg, the Moscow-based cybersecurity company selling the exploits, told Motherboard in an email.
Gleg offers several different packs of exploits for clients: Agora covers mainstream web software; the “SCADA+ Pack” is focused on “industrial software and hardware environment” issues; and, predictably, the MedPack includes vulnerabilities for medical software. A one-year subscription for MedPack costs $4,000, and for that Gleg provides 25 exploits per year, most of which are zero-days, Gurkin wrote.
In one video uploaded to Vimeo, Gleg shows an exploit being used against a hospital health information management system (HHIMS). A list of MedPack updates includes a zero-day to replace files in a piece of software from a company called MediTEX. MediTEX makes scheduling software as well as a platform for documenting therapy and quality assurance for reproductive medicine, according to the company’s website.
“We use some products of them in the hospitals too,” Jelena Milosevic, a pediatrician and intensive care unit (ICU) nurse, who has also crossed over into information security, told Motherboard in an email.
Gleg’s MedPack exploits are designed to be used with Canvas, a penetration testing tool made by cybersecurity firm Immunity Inc. With this, someone paid to legally scope out how secure a medical centre or hospital is may be able to get a foothold in a target organization. But while those vulnerabilities remain zero-days, with their details unknown to the vendor, they are still open for others to potentially exploit—something which may concern those in and around the medical industry.
“The FDA strongly encourages coordinated disclosure of cybersecurity vulnerability information, which places the health of patients at the forefront,” a spokesperson for the U.S. Food & Drug Administration (FDA) told Motherboard in an email. Earlier this month the FDA issued a new plan on medical device safety, which includes medical device cybersecurity.
While zero-days for medical software could allow an attacker to gain access to a target, they are typically not how medical organizations are hacked in real-world cases.
“It is likely not from custom exploits but instead older, easily leveraged exploits against legacy OS [operating system] based medical devices/systems,” Jon DiMaggio, senior threat intelligence analyst at Symantec Security Response, told Motherboard in an email. Symantec recently published research on a hacker group that gained access to computers controlling X-ray, MRI, and other medical machines. Indeed, WannaCry, likely the most significant hack to have impacted the medical industry, relied on a known and patched vulnerability in Microsoft Windows—but one that many UK hospitals were not ready for.
“Zero-days are obviously a major threat to any industry. However, because the medical industry utilizes older/legacy technologies to implement medical devices/software and tools such as X-Ray and MRI devices, zero-day exploits are likely not necessary to take advantage of these networks/systems,” DiMaggio added.
Gurkin from Gleg said the company includes computer emergency response team (CERT)-related structures among its customers—groups that typically respond to security incidents within a particular country—so details may eventually reach vendors anyway.
And Gleg may disclose medical software vulnerabilities, but “for money of course,” Gurkin added.