Undocumented Default Passwords Discovered on IoMT Devices Provide a Backdoor into Clinical Networks
New threat intelligence research by Cynerio has revealed that certain passwords are repeatedly used across hospitals in different health systems, in every clinical setting, and across all departments and device types. The repeated use of identical passwords led to the discovery of numerous undocumented default passwords providing a backdoor into clinical networks and threaten the integrity of healthcare infrastructures.
Devices with default passwords can be anything from simple HTTP server interfaces to the management ports of critical medical devices. To make things trickier, many default passwords aren’t easy to identify: they’re not published in device manuals or Common Vulnerabilities Exposures (CVEs).
Unsecure Generic IT Protocols
Default passwords are usually built into medical devices by manufacturers using generic IT protocols like FTP and HTTP. These generic IT protocols are required for standard (and necessary) device maintenance (OS updates, patches, etc.). Unfortunately, hospital IT and Biomed personnel are often unaware of when vendors communicate with devices to conduct maintenance and other services.
Default Passwords: IoMT Risk & Impact
Default passwords leave essential IoMT devices wide open to attack. Although some of them are hardcoded, many can be updated by hospital IT and Biomed/CE personnel but remain unchanged due to concerns over affecting the warranty and interoperability of essential medical devices.
Many of these devices are mission critical in clinical environments and have a significant impact on patient care, from diagnosis to treatment (e.g. hemodialysis devices, CT scanners, fluoroscopy and MRI machines). If a default password allows entry to even one of these devices, the entire clinical workflow can be compromised.
To add insult to injury, default passwords are often reused across devices and any party—authorized or unauthorized—who gains access to one also gains access to every device using it and the data they store. Malicious players with access to IoMT devices may even gain control over the devices’ functionality, posing a direct threat to patient welfare.
The fact that medical devices are built with default passwords is an inherent risk to clinical networks. Even the vendors who developed the default passwords into the device for maintenance purposes pose a threat because they connect to devices without notifying IT or Biomed teams. If a device happens to be in use at the time, the maintenance procedure can slow down or shut down the device, disrupting patient care.
This lack of visibility into vendor and IoMT communications makes devices easy to exploit and provides unhindered access to the device that can:
- Grant unauthorized access to sensitive data stored on the device (e.g. ePHI)
- Lead to the theft and corruption of data
- Cause unscheduled device downtime, placing patients at risk
- Allow “drive-by” attacks (general attacks that don’t target IoMT devices)
- Serve as a backdoor/entry point into the wider clinical network
Mitigating the Risk
Even if your clinical network is secured, unidentified and “hidden” default passwords constitute a path of least resistance and give unauthorized parties an easy way in. But the risk can be mitigated.
Step 1: Identify
The first step to securing your network is identifying devices using default passwords. If the passwords are in active use, automated IoMT security tools can easily identify them by:
- Listening to communications between devices
- Identifying different devices using the same passwords
- Flag reused passwords as default password
- Factor the newly discovered vulnerability into devices’ risk scores
Some passwords are not actively used by existing network communications and can’t be detected with passive network solutions. These passwords pose a greater risk because they’re harder to find and, if known by attackers, may be specifically targeted for exploitation.
The best way to discover inactive passwords is to use an active scanner on your network. However, hospital security teams should be aware that actively scanning medical devices is inherently risky as it can affect device functionality and interfere with patient treatment. If you choose to actively scan your clinical network, it is important to use a medical-first security solution that considers device downtimes and maintenance schedules so as not to obstruct patient care.
Step 2: Secure
Some passwords are hardcoded and can’t be changed, other mission-critical devices depend on default passwords for communications, but many of these can only be updated by the vendor as per warranty and service support requirements. These obstacles make it difficult for hospitals to mitigate the threat of default passwords, but network segmentation can mitigate the risk and secure your clinical network without needing to rely on password updates.
The right automated IoMT security tool can provide hospitals with a suite of information and compensating controls to help significantly minimize the clinical network’s attack surface and reduce overall risk with:
- A default password library—A collection of every default password discovered, plus those provided by device manuals, CVEs, and other sources
- Duplicate password index—An index of previously undocumented, duplicate passwords deployed across devices in multiple and unaffiliated healthcare systems
- Real-time alerts on newly discovered default passwords and vulnerabilities, and update notifications for passwords older than 3–6 months
- Vendor access management—A capability that gives hospitals control over vendor access to devices on the clinical network with visibility into all vendor connections, the ability to set security policies on vendor-specific communications, plus real-time alerts on violations
- Automatically generated segmentation policies tailored to unique clinical networks that restrict access to devices and management ports to trusted entities
To learn more about how to secure your clinical ecosystem against default passwords and stay ahead of vulnerabilities new and old, contact Cynerio.
Cynerio is the world's premier medical-first IoT cybersecurity solution. We view cybersecurity as a standard part of patient care and provide healthcare delivery organizations with the insight and tools they need to secure clinical ecosystems and achieve long-term, scalable threat remediation without disrupting operations or the delivery of care.