{
	"id": "f7a8e804-81f0-4258-a18b-46f69b71d61e",
	"created_at": "2026-04-29T02:21:13.272954Z",
	"updated_at": "2026-04-29T08:22:45.328112Z",
	"deleted_at": null,
	"sha1_hash": "222aa310469bd2203e8ebf36d6c5d9457a0e9c49",
	"title": "Medical Devices Hard-Coded Passwords | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48232,
	"plain_text": "Medical Devices Hard-Coded Passwords | CISA\r\nPublished: 2013-10-29 · Archived: 2026-04-29 02:10:56 UTC\r\nDescription\r\nThis alert provides information about mitigating a credentials management vulnerability that has been reported\r\nacross a broad range of medical devices.\r\nSUMMARY\r\nResearchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability\r\naffecting roughly 300 medical devices across approximately 40 vendors. According to their report, the\r\nvulnerability could be exploited to potentially change critical settings and/or modify device firmware.\r\nBecause of the critical and unique status that medical devices occupy, ICS-CERT has been working in close\r\ncooperation with the Food and Drug Administration (FDA) in addressing these issues. ICS-CERT and the FDA\r\nhave notified the affected vendors of the report and have asked the vendors to confirm the vulnerability and\r\nidentify specific mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify\r\nbaseline mitigations for reducing risks to these and other cybersecurity attacks. ICS-CERT and the FDA will\r\nfollow up with specific advisories and information as appropriate\r\nThe report included vulnerability details for the following vulnerability\r\nVulnerability Type Remotely Exploitable Impact\r\nHard-coded password Yes, device dependent Critical settings/device firmware modification\r\nThe affected devices have hard-coded passwords that can be used to permit privileged access to devices such as\r\npasswords that would normally be used only by a service technician. 
In some devices, this access could allow\r\ncritical settings or the device firmware to be modified.\r\nThe affected devices are manufactured by a broad range of vendors and fall into a broad range of categories\r\nincluding but not limited to:\r\nSurgical and anesthesia devices,\r\nVentilators,\r\nDrug infusion pumps,\r\nExternal defibrillators,\r\nPatient monitors, and\r\nLaboratory and analysis equipment.\r\nICS-CERT and the FDA are not aware that this vulnerability has been exploited, nor are they aware of any patient\r\ninjuries resulting from this potential cybersecurity vulnerability.\r\nhttps://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01\r\nPage 1 of 3\n\nMITIGATION\r\nICS-CERT is currently coordinating with multiple vendors, the FDA, and the security researchers to identify\r\nspecific mitigations across all devices. In the interim, ICS-CERT recommends that device manufacturers,\r\nhealthcare facilities, and users of these devices take proactive measures to minimize the risk of exploitation of this\r\nand other vulnerabilities. The FDA has published recommendations and best practices to help prevent\r\nunauthorized access or modification to medical devices.\r\nTake steps to limit unauthorized device access to trusted users only, particularly for those devices that are\r\nlife-sustaining or could be directly connected to hospital networks.\r\nAppropriate security controls may include: user authentication, for example, user ID and password,\r\nsmartcard or biometric; strengthening password protection by avoiding hard‑coded passwords and\r\nlimiting public access to passwords used for technical device access; physical locks; card readers;\r\nand guards.\r\nProtect individual components from exploitation and develop strategies for active security protection\r\nappropriate for the device’s use environment. 
Such strategies should include timely deployment of routine,\r\nvalidated security patches and methods to restrict software or firmware updates to authenticated code.\r\nNote: The FDA typically does not need to review or approve medical device software changes made solely\r\nto strengthen cybersecurity.\r\nUse design approaches that maintain a device’s critical functionality, even when security has been\r\ncompromised, known as “fail-safe modes.”\r\nProvide methods for retention and recovery after an incident where security has been compromised.\r\nCybersecurity incidents are increasingly likely and manufacturers should consider incident response plans\r\nthat address the possibility of degraded operation and efficient restoration and recovery.\r\nFor health care facilities: The FDA is recommending that you take steps to evaluate your network security and\r\nprotect your hospital system. In evaluating network security, hospitals and health care facilities should consider:\r\nRestricting unauthorized access to the network and networked medical devices.\r\nMaking certain appropriate antivirus software and firewalls are up-to-date. \r\nMonitoring network activity for unauthorized use.\r\nProtecting individual network components through routine and periodic evaluation, including updating\r\nsecurity patches and disabling all unnecessary ports and services.\r\nContacting the specific device manufacturer if you think you may have a cybersecurity problem related to a\r\nmedical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the\r\nFDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.\r\nDeveloping and evaluating strategies to maintain critical functionality during adverse conditions.\r\nICS-CERT reminds health care facilities to perform proper impact analysis and risk assessment prior to taking\r\ndefensive and protective measures. 
\r\nICS-CERT also provides a recommended practices section for control systems on the US-CERT Web site. Several\r\nrecommended practices are available for reading or download, including Improving Industrial Control Systems\r\nCybersecurity with Defense-in-Depth Strategies. Although medical devices are not industrial control systems,\r\nmany of the recommendations from these documents are applicable.\r\nOrganizations that observe any suspected malicious activity should follow their established internal procedures\r\nand report their findings to ICS-CERT and FDA for tracking and correlation against other incidents.\r\nThe FDA has also announced a safety communication that highlights the points made in this alert. For additional\r\ninformation see: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm.\r\nSource: https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01"
	],
	"report_names": [
		"ics-alert-13-164-01"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-29T06:58:58.13853Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429273,
	"ts_updated_at": 1777450965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/222aa310469bd2203e8ebf36d6c5d9457a0e9c49.pdf",
		"text": "https://archive.orkl.eu/222aa310469bd2203e8ebf36d6c5d9457a0e9c49.txt",
		"img": "https://archive.orkl.eu/222aa310469bd2203e8ebf36d6c5d9457a0e9c49.jpg"
	}
}