Medical device error messages may tip off hackers on vulnerabilities
Hackers are using error messages emitted by connected medical devices to gain insight into a provider organization’s network and vulnerabilities.
The gambit shows how hackers are finding creative ways to target medical devices, and providers need to recognize these threats before real harm is caused, says Xu Zou, co-founder and CEO at Zingbox, which operates an Internet of Things analytics platform.
Zingbox researchers have identified this new trend in cyberattacks. It’s easy to gain access to error messages from a device, says Daniel Regalado, principal security researcher at Zingbox. For example, if an application tries to connect to a server that eventually times out, it frequently triggers an error message that contains a wealth of information for hackers.
Alternatively, an attacker may wait for an error to be triggered without attacking the system. The application sends errors during authentication failures and database connectivity issues, when file systems are full and when timeouts are triggered. So, a hacker with access to the local area network just needs to sniff the network and wait for the errors to flow by.
In another scenario, the attacker sends malformed or unexpected requests to the web server and waits to receive error messages normally caused by unhandled exceptions.
By monitoring the network traffic for common error messages, a hacker can see the inner workings of a device’s application—this can include the type of web server, framework and versions used, the manufacturer that developed the web server, the database engine in the back end, protocols used and even the code that is causing the error, Regalado explains. Hackers also can target specific devices to induce error messages.
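Defenders can check their own devices' error responses for the same categories of disclosure. The following is an added example, not code from Zingbox or the article: a Python sketch that flags error responses exposing server versions, framework versions, database engine details or stack traces. The regexes, device labels and sample responses are constructed assumptions.

```python
import re

# Categories follow the article's list; the patterns are illustrative assumptions.
LEAK_PATTERNS = {
    "web_server_version": re.compile(r"^Server:[ \t]*\S+/\d[\w.]*", re.I | re.M),
    "framework_version": re.compile(r"^X-Powered-By:[^\r\n]*\d", re.I | re.M),
    "database_engine": re.compile(
        r"\b(?:ORA-\d{5}|SQLSTATE\[|MySQL|PostgreSQL|SQL Server|SQLite)", re.I),
    "stack_trace": re.compile(
        r"Traceback \(most recent call last\)|^[ \t]+at [\w.$<>]+\([^\r\n]*\)", re.M),
}

def find_leaks(raw_response: str) -> dict:
    """Return {category: matching snippet} for one raw HTTP error response."""
    status = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", raw_response)
    if not status or int(status.group(1)) < 400:
        return {}  # only error responses are in scope for this check
    leaks = {}
    for name, pattern in LEAK_PATTERNS.items():
        match = pattern.search(raw_response)
        if match:
            leaks[name] = match.group(0).strip()
    return leaks

def audit(captures: dict) -> dict:
    """Map device label -> leaks, keeping only devices that disclose something."""
    report = {dev: find_leaks(resp) for dev, resp in captures.items()}
    return {dev: leaks for dev, leaks in report.items() if leaks}

# Constructed sample responses (not real device output).
VERBOSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: ExampleHTTPd/2.4.1\r\n"
    "X-Powered-By: ExampleFramework 3.2\r\n\r\n"
    "SQLSTATE[08006] connection to database timed out\n"
    "    at com.example.pump.Db.connect(Db.java:42)\n"
)
GENERIC = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: httpd\r\n\r\n"
    "An error occurred. Reference ID: 7f3a\n"
)

if __name__ == "__main__":
    captures = {"pump-01": VERBOSE, "pump-02": GENERIC}
    for device, leaks in audit(captures).items():
        print(device, leaks)
```

The second sample shows the corrected behaviour: a generic message with a reference ID that support staff can look up in server-side logs, and no version or code details on the wire.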
During research for a report, Zingbox contacted seven major device manufacturers and informed them that it had uncovered multiple IoT devices leaking data, but found that only one of the manufacturers has released a software patch to fix a vulnerability this year. The others were not planning to issue a patch or were waiting for vendor acknowledgement that a patch was needed. The Zingbox report is available here.