September 5, 2014
While skimming some manuals for GE’s medical devices I saw a line that should make all of us think!
Passwords – Must be at least one character long, no NULL
Equipment responsible for health and safety doesn’t enforce any kind of password strength or complexity! I have blogged about default passwords and I am starting to see them in medical equipment too. When will vendors realize that if we can’t get the basics right there is no chance we get anything right?? Every day in the news you hear about companies getting hacked, and a lot of times it is because of weak passwords guessed by hackers. Vendors have to step it up and force people to take security more seriously!
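For contrast with the manual's rule, here is a password-acceptance check a device or its management software could apply when a password is set. It is an added example, not code from GE or any vendor named on this page; the denylist holds the default strings quoted from the manuals in these posts, and the 12-character minimum and the function names are assumptions.

```python
import unicodedata

# Default passwords quoted from the vendor manuals on this page.
VENDOR_DEFAULTS = {
    "#bigguy", "4$apps", "23-17-21", "16-4-34", "000", "SERVICETOOL",
    "guest", "admin", "root", "pass", "ADMIN", "password",
    "web", "ftp", "telnet",
}
MIN_LENGTH = 12  # assumed site policy value, not taken from any manual


def _norm(s):
    """Fold case and Unicode form so 'Admin' and 'ADMIN' compare equal."""
    return unicodedata.normalize("NFKC", s).casefold()


DENYLIST = {_norm(p) for p in VENDOR_DEFAULTS}


def manual_rule(password):
    """The rule quoted from the manual: at least one character, no NULL."""
    return len(password) >= 1 and "\x00" not in password


def hardened_rule(username, password):
    """Return (accepted, reasons) for a proposed new password."""
    reasons = []
    p = _norm(password)
    if "\x00" in password:
        reasons.append("contains NULL")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if p in DENYLIST:
        reasons.append("matches a vendor default")
    if username and _norm(username) in p:
        reasons.append("contains the username")
    if len(set(p)) < 5:
        reasons.append("too few distinct characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs: defaults from the page plus one long passphrase.
    for user, pw in [("root", "#bigguy"), ("admin", "admin"), ("ctuser", "x"),
                     ("svc", "000000000000"), ("nurse7", "copper-lantern-orbit-41")]:
        ok, why = hardened_rule(user, pw)
        print(user, repr(pw), "manual:", manual_rule(pw), "hardened:", ok, why)
```

Every sample except the last passes the manual's one-character rule and is rejected by the hardened one, with the reasons listed so the operator knows what to change.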
September 4, 2014
GE Medical Systems HISPEED CT/i and Lightspeed QX/i systems install with two default credentials and one is root. According to the HISPEED manual and the Lightspeed QX manual they are:
5–9–1 Default Passwords
Forward production HiSpeed CT/i systems have the following default passwords:
· root: #bigguy
· ctuser: 4$apps
GE changed these defaults in response to customer and field requests for tighter security, especially for systems operating on networks. We suggest you change the default passwords ONLY by customer request. Then, contact your support center to report the new passwords.
The Discovery CT590 RT and Optima CT580 use #bigguy according to the manual.
September 3, 2014
According to the manual the Datex-Ohmeda Engström Ventilator comes with a default super-user password for the Install / Service Menu:
4.2 Install/Service Menu (Super User)
Use the super-user password to access the Install/Service menu: “23-17-21”
September 2, 2014
Metrobility Optical Systems, Inc makes NetBeacon Element Management Software that interacts with Compumedics Limited Siesta 802, Metrobility Optical Systems RADIANCE R1000 PREMISE SERVICE PLATFORM, and Metrobility Optical Systems RADIANCE DIN RAIL MOUNTED CHASSIS. According to the manual there are three default credentials including root!
Opening a Telnet Session
3. In the login field, type your login ID. The default login names are guest, admin and root.
4. In the password field, type your password. The corresponding default passwords are guest, admin and root.
August 29, 2014
The Compumedics software and hardware provide EEG monitoring. From the manual:
The ProFusion EEG software is a Microsoft Windows-based package used to configure, record and replay digitised patient neurological signals acquired during the recording of EEG studies. The signals may be acquired by the E-Series EEG, E-Series EEG/PSG, Siesta or Safiro System hardware, displayed on a Recording workstation and stored on the workstation or other medium. This data may be used to assist trained physicians, clinicians or technologists in the investigation of neurological disorders. Note that the specifications for the ProFusion EEG software can change at any time without prior warning.
This User Guide contains information on the E-Series EEG System hardware. For information on the E-Series EEG/PSG, Siesta or Safiro Systems, refer to their respective user guides. The EEG System hardware comprises the input connections from the patient, the recording hardware and the peripherals used to acquire and store patient neurological data for later replay and analysis. Recording is performed on a Recording workstation. Replay and analysis can be performed on the Recording workstation or on other workstations using the data collected during the patient study. Access to archived data and printer facilities can be provided to other workstations via a network. Note that the specifications and hardware arrangements can change at any time without prior warning.
According to the user manual, the Compumedics Limited E-Series EEG, E-Series EEG/PSG, Siesta and Safiro data acquisition systems and the ProFusion EEG data acquisition and analysis software have a default security dialogue password.
To use the security system:
· Select Security from the Tools menu
When the Security dialogue box is opened, all of the check boxes are disabled.
· Enter the password.
Note: The first time that the Security dialogue box is opened, enter the default password 000.
August 28, 2014
The Datex-Ohmeda S/5 Light Monitor “is intended for stationary and mobile monitoring of patient’s ECG, SpO2, non-invasive and invasive blood pressure, temperature, respiration and CO2 in hospitals and ambulances.” According to the user manual the panel on the device (physical access) has a default password for the Install/Service menu:
To enter Install/Service menu, a password 16-4-34 must be given.
August 27, 2014
The EasyCoder PD41 Printer is a “dependable and versatile printer suitable for medium-duty applications in manufacturing, transportation and warehouse environments. It has all-metal chassis and covers, proven printing mechanics and powerful electronics providing sturdiness, performance and reliability.” This printer is used in some hospitals. According to the manual the web interface has default admin credentials:
Enter the printer’s IP number in the address field of your web browser (for example http://255.255.255.001). This brings up the printer’s home page, where it is possible to check and modify various printer settings. Modifying settings requires a login and a password: by default, these are set to ‘admin’ and ‘pass’ respectively.
August 26, 2014
Datacard Group Secure ID and Card Personalization creates software called Custom Desktop Issuance. According to the vendor “CDI is a highly efficient production software program which allows data files to personalize cards.” This system is used in hospitals among other places!
The version 6.0 user manual shows that there is a default password during installation:
When prompted to Enter Your User Name, type in ADMIN. Password for this user is by default ADMIN.
August 25, 2014
According to the user manual, the Hitachi EUB-550 Ultrasound Diagnostic Scanner installs with a default password for special operation mode. This requires physical access to the device.
Special Operation for Service Personnel
3.2.1 Initialization of system environment
(1) Press Ctrl + Alt + S key to display the ‘Special Function’ dialog.
(2) Select ‘Service Tools’ from the Select item.
(3) After entering ‘SERVICETOOL’ for Password, click the ‘OK’ button to start ‘Service Tools’.
NOTE: 3) For entering Password, make sure to type it in capital letters. (With the state of Caps Lock key located on the keyboard being lit in orange color.)
March 29, 2014
Dedicated Micros BX2 DVRs install with a variety of default credentials according to the manual.
The unit will request a username and password, as defined in the ‘profiles’ configuration file. The default settings are ‘username’ and ‘password’.
To enter the User menu tap the Menu key.
Note: If a password has been set and enabled it will be necessary to enter the User password to gain access to the menus. This is disabled by default.
There are a set of default passwords set at the factory. These should be changed as soon as practical to ensure the security of the unit. These default passwords are:
Webpage Configuration : Username = dm Password = web
Video FTP : Username = dm Password = ftp
FTP Admin : Username = dmftp Password = ftp
Telnet : Username = dm Password = telnet
Serial : Username = dmconsole1 No Password as default