by markwakeford 3377 days ago
This is a commercial medical laboratory Washer-disinfector. The reporting is most likely mandated based on its usage in a medical setting. Some of these devices print out reports that are required to be stored. I suppose this would allow them to easily keep those records paperless.

I am in no way justifying the lack of security, but I think it's important to understand that it's unlikely to be opened up for a free-for-all connected to the public internet.

4 comments

> it's unlikely to be opened up for a free-for-all connected to the public internet.

Unfortunately, that kind of thought process is how you end up with dozens of vulnerable devices connected to a hospital intranet. Everything works fine as long as nobody tries anything fishy, but all you need is one device with a buggy Bluetooth implementation to bring down the whole house of cards and kill a bunch of people.

Apologies for my denseness, but how could buggy Bluetooth bring everything down?

I vaguely recall something about a faulty hospital device with Bluetooth or Wi-Fi being posted here a little while ago, but I'm not certain.

Buggy means vulnerable in this context. A vulnerability in the Bluetooth or Wi-Fi stack is a good way for someone to compromise a machine remotely.

Once you compromise one machine, you're inside the firewall and in a much better position to exploit vulnerabilities in other machines in the network.

Was there something wrong with having a serial connection to another device that handled the reporting like every other machine?

> I am in no way justifying the lack of security, but I think it's important to understand that it's unlikely to be opened up for a free-for-all connected to the public internet.

Considering hospitals and technology, I don't think this distinction matters much. Their only line of defense seems to be isolation, but things like wireless devices are becoming more common.

> Was there something wrong with having a serial connection to another device that handled the reporting like every other machine?

From the manufacturer docs, that is the most common option for these things: https://www.miele.de/media/ex/hk/Professional/CSSD.pdf

Slightly cynical answer: In medical environments? Then the device on the other end of the serial connection is probably vulnerable and/or horribly outdated, either by being an embedded device made to the same (lack of) quality standards, or by being a desktop PC running Windows 2000, or running software that requires Domain Admin for no good reason, ...

I would hope it's a one-way link, so the PC may be compromised but the operation of the machine wouldn't be.

> I think it's important to understand that it's unlikely to be opened up for a free-for-all connected to the public internet.

That just gave me an idea...

https://www.shodan.io/search?query=%22PST10+WebServer%22

> No results found

Can't say I'm sad about that.

(Searching for just "PST" finds a single irrelevant SMB share.)

How did hospitals ever wash dishes two years ago?

They kept worse records. Don't we expect some procedures that were impossible in the past to become mandatory in the future when enabled by new tech?

Or they kept the same records and had users log them into another system, which was about 2 seconds of work. AFAIK the only important stats for medical washers are the max temperature reached and how long it maintained a certain critical temperature. They also have redundant checks anyway, like a pad that's put in that would change color at a certain temperature, much like those radiation pads you see in TV shows.

If that took them "about 2 seconds of work", I bet "They kept worse records.", the statement you reacted to, wasn't just correct, but an understatement.