Inside the Exploit: Philips XPER Vulnerability

Terry and I had a chance to speak at the S4 SCADA Security Scientific Symposium in Miami. S4 has traditionally been one of the more technical ICS/SCADA security conferences and we're always honored to speak at such prestigious events.

This year, Terry and I chose to speak on the (in)security of medical devices and software. Our talk outlined some of the similarities between ICS/SCADA market and the medical industry, with a focus on the likeness in the poor security practices employed by both industries. We culminated the talk with the live demonstration of a remote, unauthenticated zero-day exploit against the Philips XPER medical device.

The exploit was a fairly straight forward heap overflow and while I found myself disappointed at the lack of exploit mitigations (DEP, ASLR, etc) implemented by the software, I was not surprised to find the software in such poor security state. In addition to the heap overflow, we also extracted password hashes for various service passwords and cracked those hashes using a cracking cluster. These passwords could be used against other Philips medical systems, not just XPER systems.

I won't go into the details of the vulnerabilities or exploit here, as the vendor is still looking into the vulnerabilities; however, I did want to take a moment to briefly touch on a few things we discovered while looking into medical devices and software:

1. Generally speaking, the state of security for medical devices and software is extremely poor. When we discussed this with the team at Cylance, the general consensus was that this is a dirty little secret in the healthcare world, and it needs to be addressed.

2. Getting a hold of certain types of medical devices can be a little difficult (as a security researcher) and it seems that some in the medical industry are using this barrier-to-entry as a form of security obfuscation (luckily, we've managed to obtain various devices and software).

3. Once a vulnerability is found, it's unlikely that you'll find any type of exploit mitigation (/GS, DEP, ASLR…etc) in place to prevent exploitation.

4. The number of life sustaining medical devices far eclipses the security professionals to protect them.

Once the vendor has a better handle on the vulnerability, we'll dissect the vulnerability and provide additional details on the exploit we wrote. You can expect more research related to the security of medical devices in the coming weeks. We hope that by shining a light on the security of medical devices, the relevant vendors and medical institutions can implement the appropriate mitigations. These devices are the foundation to safeguarding sensitive patient data and patient well-being.

If you have an XPER device in your organization, we recommend that you contact Philips immediately.

- Billy Rios
Author, Speaker, and Serial Entrepreneur