DICOM stands for Digital Imaging and Communications in Medicine, a standard and network protocol used to transfer medical imaging files.
PACS, or Picture Archiving and Communication System, is the database that stores the files transferred over DICOM.
They use the following ports:

| PACS | DICOM |
|---|---|
| 80 | 104 |
| 8080 | 11112 |
| 8443 | - |
| 9443 | - |
The risks vary with the threat actor's motivations, but the main ones are

To find these, you can just use Shodan, FOFA or Censys with the following queries:

| SHODAN.IO | CENSYS.IO | FOFA.INFO |
|---|---|---|
| `country:COUNTRY_CODE port:104 or 11112 DICOM` | `services.extended_service_name:DICOM and services.port:104 or 11112` | `"DICOM" && protocol="dicom" && country="COUNTRY_CODE"` |
These queries look for PACS instances that accept connections from the internet. You can also swap the DICOM ports for the web ports listed above, since PACS also exposes web services to provide access without needing a viewer or toolkit.
But if you still want to use a viewer, here is a list:
| VIEWER | OS | TYPE |
|---|---|---|
| Horos | MacOS | GUI |
| DCMTK | All | CLI |
| Orthanc | Windows & Linux | CLI & GUI |
| DCM4CHE | All | CLI |
Once everything is set up accordingly, enter the target host and port and send a C-GET request at the patient level with the query `Patient-ID="*"`. This query will retrieve pretty much all medical records.
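Every C-GET like the one above is preceded by an A-ASSOCIATE-RQ PDU in which the peer names itself and the SOP classes it wants to use; that PDU is where a PACS decides whether to talk to the peer at all. The following is an added example, not code from the original post or from any of the toolkits listed: it builds a constructed A-ASSOCIATE-RQ following the DICOM PS3.8 layout, parses it back, and applies a calling-AE-title allowlist that also flags when the Patient Root C-GET/C-MOVE SOP classes are proposed. The AE titles and the allowlist are constructed sample values.

```python
import struct

RETRIEVAL_UIDS = {"1.2.840.10008.5.1.4.1.2.1.3", "1.2.840.10008.5.1.4.1.2.1.2"}  # Patient Root Q/R GET and MOVE SOP classes
APP_CONTEXT = "1.2.840.10008.3.1.1.1"      # DICOM application context name


def _item(item_type, payload):
    # PS3.8 variable item: type byte, reserved byte, 2-byte big-endian length, payload
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called, calling, abstract_syntaxes):
    """Build a minimal A-ASSOCIATE-RQ PDU (constructed test input, not a real capture)."""
    body = struct.pack(">HH", 1, 0)            # protocol version 1, reserved
    body += called.ljust(16).encode() + calling.ljust(16).encode() + bytes(32)
    body += _item(0x10, APP_CONTEXT.encode())
    for n, uid in enumerate(abstract_syntaxes):
        pc = struct.pack(">BBBB", 2 * n + 1, 0, 0, 0)   # odd presentation context ID
        pc += _item(0x30, uid.encode()) + _item(0x40, b"1.2.840.10008.1.2")  # implicit VR LE
        body += _item(0x20, pc)
    body += _item(0x50, _item(0x51, struct.pack(">I", 16384)))  # user info: max PDU length
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_rq(pdu):
    """Return called AE, calling AE and the abstract syntax UIDs the peer proposes."""
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type != 0x01 or length != len(pdu) - 6:
        raise ValueError("not a well-formed A-ASSOCIATE-RQ")
    called, calling = pdu[10:26].decode("ascii").strip(), pdu[26:42].decode("ascii").strip()
    uids, pos = [], 74                          # variable items follow the 32 reserved bytes
    while pos + 4 <= len(pdu):
        item_type, _, item_len = struct.unpack(">BBH", pdu[pos:pos + 4])
        payload = pdu[pos + 4:pos + 4 + item_len]
        if item_type == 0x20:                   # presentation context: walk its sub-items
            sub = 4                             # skip context ID and three reserved bytes
            while sub + 4 <= len(payload):
                sub_type, _, sub_len = struct.unpack(">BBH", payload[sub:sub + 4])
                if sub_type == 0x30:            # abstract syntax sub-item
                    uids.append(payload[sub + 4:sub + 4 + sub_len].decode("ascii"))
                sub += 4 + sub_len
        pos += 4 + item_len
    return {"called": called, "calling": calling, "abstract_syntaxes": uids}


def assess_association(pdu, allowed_calling_aes):
    """Allowlist check a PACS (or an IDS in front of it) can apply before accepting."""
    assoc, findings = parse_associate_rq(pdu), []
    if assoc["calling"] not in allowed_calling_aes:
        findings.append(f"calling AE {assoc['calling']!r} not allowlisted: reject")
    if RETRIEVAL_UIDS & set(assoc["abstract_syntaxes"]):
        findings.append("Patient Root C-GET/C-MOVE proposed: audit retrieval volume")
    return assoc, findings
```

AE titles are sent in the clear and are not authenticated, so this gate only stops peers that do not know a valid title; it belongs behind network segmentation or DICOM over TLS rather than on an internet-facing port.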
Web-based PACS can be harder to get into than a viewer-based one, since it may sit behind a login page, but where there's a will there's a way.
Medical systems usually run on Windows, and a web-based PACS backed by MSSQL can be vulnerable to an authentication bypass via SQL injection.
These systems can also have another flaw when the sysadmin forgets to set a password or the password is too weak, such as the following:

- admin:admin
- admin:password
- pacs:pacs
- pacs:password
- orthanc:orthanc
To prevent a threat actor from accessing medical records they are not authorized to see, and to avoid the lawsuits and reputational damage to your hospital that would follow, you can follow this short list of simple steps.