Good guy researcher Billy Rios of Whitescope looks at the cyber security of medical devices and found some problems in a device that is no longer sold or supported.

1,418 known vulnerabilities in the Pyxis devices:

— Billy Rios (@XSSniper) March 29, 2016

So what are we to do with this security disaster?

  • Ask a key question: Was the new device currently being sold developed under a credible Security Development Lifecycle and have a credible cyber maintenance strategy? This is key because there is no security benefit to spending money to replace an old insecure device with a new insecure device.
  • If the answer to the above question is yes, how should the risk reduction in the new purchase drive the early retirement and replacement of the device with 1418 known vulnerabilities?
  • If the answer is no, how should the medical community alter their use of this highly hackable equipment given this newly unidentified, but unsurprising to those in the ICS field, risk?