In a presentation at a gathering of industrial control security experts in Florida, researchers Billy Rios and Terry McCorkle said an informal audit of medical devices from major manufacturers, including Philips and Siemens, showed that medical devices have many of the same kinds of software security holes found in industrial control system (ICS) products from the same firms. The research suggests that lax coding practices may be institutionalized within these firms, amplifying their effects across product lines.
Rios (@xssniper), a security researcher at Google, and McCorkle (@0psys), the CTO of SpearPoint Security, told attendees at S4 in Miami that they conducted their research out of curiosity and in an effort to branch out from investigating industrial control systems. Using eBay, they purchased second-hand medical devices, often from hospitals. They soon realized that many of the names they came across were familiar, General Electric, Siemens, Honeywell and Philips among them.
"The same PLC (programmable logic controller) vulnerability that you see on ICS software, you also see on medical device software," Rios told Security Ledger in a phone interview. "I don't want to say (the security issues) are more ridiculous in the medical field, but we came across some ridiculous things."