sragan
Senior Staff Writer

Hard-coded credentials placing dental offices at risk

News
May 19, 2015 · 8 min read
Access Control, Data and Information Security, IT Leadership

Full Disclosure: CERT has known about the issue in Dentrix for more than a year and has remained silent

Henry Schein is one of the largest names in the dental industry. The company says that more than 35,000 dental practices rely on their flagship product – Dentrix – to cover both the clinical and business side of day-to-day operations.

The downside to this large market share, according to researcher Justin Shafer, is that Dentrix customers have been unknowingly exposed to risk and regulatory action after the latest version of the software shipped with a flaw that was supposed to have been patched two years ago.

Another troubling aspect to this story is the silence from CERT on the matter. The vulnerability was disclosed to CERT last year, but nothing has happened since. Considering that patient data is being placed at risk from both network-based and physical attacks, this is a situation where responsible (coordinated) disclosure has failed. That’s unfortunate, because the researcher did everything right, but the problem remains.

2013:

In 2013, Justin Shafer, an IT professional working in the dental industry, reported a vulnerability to CERT concerning hard-coded credentials in Dentrix that are shared across multiple installation sites. The credentials are used to access the Dentrix database back end and administrators cannot change them.

The nightmare scenario would be an attacker obtaining credentials from one site and using them to access patient records at other dental offices. At the time, Henry Schein was supporting Dentrix version G5 and in order to address the problem released version G5.1 Hotfix 1 in February of 2013.

Later that year, a computer was stolen from a dentist’s office in Rocklin, California, turning the nightmare scenario into reality. Dr. Rob Meaglia, another Dentrix customer, told patients in a notification letter that the data stored in the database was encrypted.

He made those claims based on his belief in the marketing statements from Henry Schein that the Faircom standard encryption (used by Dentrix G5) was protecting information. But it wasn’t.

The Faircom standard encryption at the time didn’t require a decryption key in order to read the database contents. When called on this fact, Faircom started using the term Data Camouflage, in order to avoid confusion with standard encryption algorithms.

2014:

In March of 2014, Shafer provided details and proof-of-concept code to CERT proving that Dentrix G5.1 Hotfix 1 was still vulnerable due to hard-coded credentials. According to his notes on the disclosure, all of the passwords for the DTXUSER account start with ‘S876’ followed by five additional characters. He was able to brute force the rest of the password with a Perl script.

Convinced that this was a problem, CERT assigned VU #176231 to the report, and added that they’d contact Henry Schein directly. According to emails from CERT, a fix would be available in June, but it was not released until November.

In August of 2014, Shafer tested his research against Dentrix G6 Beta and discovered that it too had hard-coded credentials. Using the previously assigned VU number, he reported his findings to CERT.

It’s also worth mentioning that in March of 2014, PHIprivacy.net filed an FTC complaint against Henry Schein alleging that the company, and their Dentrix software, violated the FTC Act by deceiving customers as to the security of its product, including the fact that hard-coded credentials “have put and continue to put patient databases at risk…”

2015:

Earlier this month, Shafer contacted Salted Hash because it had been more than a year since he had heard from CERT about his vulnerability report. Again, his report isn’t new: it addresses a previously disclosed issue in Dentrix that has existed across several software versions for two years.

Attempts by Salted Hash to reach CERT on the matter have been met with silence, which is frustrating given the fact that there are at least 35,000 dental practices using the software.

Reached by email, Henry Schein said they’ve dealt with “security issues by promptly releasing a proactive and customer-oriented solution and has issued multiple software updates to augment the security features already in the solution.”

“We are very committed to helping our customers meet their obligations to protect patient information. Of course, the best prevention for protecting against data breach is for a practice to implement security not only across their technology assets (e.g., securing networks and computers, implementing firewalls) but also best practices for office physical security, administrative, and organizational security. Ensuring these four tenets of practice security will create safeguards that greatly reduce security risks and increase security coverage that no one vendor can provide.”

The company also says they are attempting to increase customer awareness of the need to take proper precautions, and work with them on applying security features in Dentrix. An example of this awareness training, the statement added, can be seen in four of the last five Dentrix magazine editions where articles on security are published.

The only article Salted Hash was able to locate related to awareness training is from April 30, 2015. In it, Henry Schein advises customers to have a security assessment performed, while at the same time promoting the assessment services of a business partner in order to make things easier.

When asked about the magazine, Shafer said that most of his clients ignore it, but he didn’t offer any specifics as to why.

“Henry Schein is committed to security and continues to work to resolve any new security concerns, as it is the industry norm to continuously update and improve software. Our current Dentrix roadmap includes additional security enhancements to assist our customers in securing their data,” added the company’s statement.

It isn’t clear why CERT has stopped communicating on VU #176231, but experts familiar with the process of working with them to disclose an issue have told Salted Hash that silence isn’t uncommon.

Security experts look to CERT to stay current on the latest developments on flaws and vulnerabilities. But if CERT sits on information that has been responsibly disclosed and never shares with the public, then organizations are sitting in the dark, lacking crucial information that could be used to prevent a security incident.

“When a medical company opts to ignore a reported vulnerability, especially when the researcher went out of their way to report and work with the vendor citing patient data concerns, it is disturbing and telling,” said Brian Martin of Risk Based Security.

“In this case, it is quite troubling that Dentrix is not being responsive to the researcher, not providing a timely solution, and not working with him to further test software patches. Instead, they are relying on their same original flawed process for creating software updates, apparently refusing to implement security testing, and ultimately putting their customers further at risk.

“Even worse, the U.S. government body designed to help coordinate and disclose these vulnerabilities, along with viable solution information, doesn’t appear to be helping at all. Working with vendors and being understanding of their development process is one thing, but allowing customers to be at continued risk for almost four years is unacceptable.”

Shafer has demonstrated to Salted Hash how the vulnerability works, but in the interest of patient protection, he has requested that such details not be published. However, he did list a number of flaws in the software that have existed since version G5.

Due to the fact that most dental offices lack basic security, their databases and Dentrix installations are sitting ducks.

Some dental offices, Shafer explained, leave their server exposed in the router’s DMZ, or use weak wireless security, allowing an attacker to authenticate to the database over the Internet without ever stepping into the office. Given that Adobe Flash is used in Dentrix, an attacker could also leverage a new or existing Flash exploit and access patient records that way.

In their statement, Henry Schein said that they’ve updated to Faircom 10.3 in order to address some security concerns, and they’ve altered the password generation algorithm. However, despite these updates, Shafer was still able to determine the database GUID, admin password and DTXUSER password in Dentrix G6 using a wireless connection from a client’s parking lot.

So while the company has updated various security controls in the years since, the vulnerability reported in 2013 still exists and can be exploited.

Salted Hash will continue to follow this story and report on any additional developments. Should CERT respond to questions, this story will be updated.

EDIT: Earlier instances of US-CERT in this article were altered on 20 MAY 2015 to CERT. Partially funded by the DHS (which fully funds US-CERT), the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CERT) is the organization that issues VU notes and handles disclosure.