DistilINFO LifeSciences

Weekly round up from Life Sciences Industry.

Medical device error messages may tip off hackers on vulnerabilities

Hackers are using error messages emitted by connected medical devices to gain insight into a provider organization’s network and vulnerabilities.

The gambit shows how hackers are finding creative ways to target medical devices, and providers need to recognize these threats before real harm is caused, says Xu Zou, co-founder and CEO at Zingbox, which operates an Internet of Things analytics platform.

Zingbox researchers have identified this new trend in cyberattacks. It’s easy to gain access to error messages from a device, says Daniel Regalado, principal security researcher at Zingbox. For example, if an application tries to connect to a server that eventually times out, it frequently triggers an error message that contains a wealth of information for hackers.

Alternatively, an attacker may wait for an error to be triggered without attacking the system. The application sends errors during authentication failures and database connectivity issues, when file systems are full and when timeouts are triggered. So, a hacker with access to the local area network just needs to sniff the network and wait for the errors to flow by.

Want to publish your own articles on DistilINFO Publications?

Send us an email, we will get in touch with you.

In another scenario, the attacker sends malformed or unexpected requests to the web server and waits to receive error messages normally caused by unhandled exceptions.

By monitoring the network traffic for common error messages, a hacker can see the inner workings of a device’s application—this can include the type of web server, framework and versions used, the manufacturer that developed the web server, the database engine in the back end, protocols used and even the code that is causing the error, Regalado explains. Hackers also can target specific devices to induce error messages.

During research for a report, Zingbox contacted seven major device manufacturers and informed them that Zingbox uncovered multiple IoT devices leaking data, but found that only one of the manufacturers has released a software patch to fix a vulnerability this year. The others were not planning to issue a patch or were waiting for vendor acknowledgement that a patch was needed.

Date: October 3, 2018

Source: HealthDataManagement

Coffee with DistilINFO's Morning Updates...

Sign up for DistilINFO e-Newsletters.

Just a little bit more about you...
PROCEED

Related Stories

Trending This Week

Sorry. No data so far.

About Us

DistilINFO is media company that publishes Industry news, views and Interviews. We distil the information for you – saving time and keeping you up to date on your interest areas.

More About Us

Follow Us


Useful Links

All Publications