A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.
The devices, which also include ventilators, patient monitors, and surgical and anesthesia devices, contain hard-coded password vulnerabilities, according to an advisory issued Thursday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a liaison group between the US Department of Homeland Security and private industry. Attackers who know the default passwords of the devices can exploit these backdoors and change critical settings or replace the authorized firmware altogether.
The advisory came the same day that the Food and Drug Administration released its own notice on the same topic. Both warnings said there was no indication attacks were being carried out in the wild, and neither warning disclosed the affected device models or the manufacturers. But Terry McCorkle, one of the researchers who uncovered the vulnerabilities, said few if any are immune.