Good guy researcher Billy Rios of Whitescope looks at the cyber security of medical devices and has found some problems in a device that is no longer sold or supported.
1,418 known vulnerabilities in the Pyxis devices: https://t.co/YaVRP8X97w
— Billy Rios (@XSSniper) March 29, 2016
So what are we to do with this security disaster?
- Ask a key question: Was the new device currently being sold developed under a credible Security Development Lifecycle, and does it have a credible cyber maintenance strategy? This is key because there is no security benefit to spending money to replace an old insecure device with a new insecure device.
- If the answer to the above question is yes, how should the risk reduction in the new purchase drive the early retirement and replacement of the device with 1,418 known vulnerabilities?
- If the answer is no, how should the medical community alter its use of this highly hackable equipment given this newly identified risk, which is unsurprising to those in the ICS field?