Medical Devices Exposed by Hidden Malware ‘ELFDICOM’ in Scans

A Quiet Threat in a Trusted System

Hospitals and clinics everywhere use a special kind of image file to store medical scans like MRIs and X-rays. These files are called DICOM files. They’ve been around for over two decades and are trusted in the healthcare world to safely carry and share patient images.

But recently, researchers uncovered a dangerous weakness in how DICOM files are built. At the very start of a DICOM file is a section called the “Preamble.” It’s a small space, just 128 bytes long, that doesn’t follow any strict rules. This was meant to make DICOM files more flexible for different systems. However, this flexible space can be used in a very harmful way.

Hackers can hide small programs inside this part of the file. A computer may see the file and think it’s just a normal medical image, but if the file is opened in a certain way, it might actually run a harmful program instead. This creates a hidden danger in something that seems completely safe.

One File, Two Faces

This trick works because a file can be valid as more than one type at the same time. A DICOM file can also be made to act like a Linux program. Such files are called polyglot files: specially made files that behave differently depending on how you open them. One system might treat the file as an image, another might treat it as a program.

In this case, the researchers took a normal DICOM file and added a special kind of Linux program inside it. These programs are called ELF files. ELF stands for Executable and Linkable Format, the standard file format for executable programs on Linux.

They found a way to pack the ELF program inside the DICOM file using the flexible parts of the file that are usually used for storing image information. When opened with a medical image viewer, the file looks completely fine. But when run like a program, it can open up a way for hackers to take control of the computer or steal sensitive data.

Even more alarming, this file doesn’t need the internet to cause damage. Once the file is on the system, the harmful program is already inside it. Many hospitals share medical images through USB drives, CDs, or secure networks. That means the bad file can travel from one system to another, spreading the danger without being noticed.

How Simple Tools Can Become Powerful Weapons

The method used to create this attack isn’t very complicated. The researchers started by writing a small Linux program. They then used regular tools to turn this into a working ELF file. After that, they inserted the program into the DICOM file using a custom script. Once the file was ready, they gave it permission to be run on a Linux system.

When someone runs this file, it acts like a normal Linux program and performs whatever task it was designed for. That might be something as serious as opening a secret access point or sending data to another computer.

Because the harmful code is hidden inside a file that also works as a medical image, antivirus software or security systems may not notice anything unusual. Even if the file is opened in a viewer to check what’s inside, it will still display the expected scan or image. This makes it very hard to spot the problem.

There’s also no easy fix. The problem lies in how DICOM files are structured. Changing that structure could break systems already used in hospitals and clinics. Some protective steps are possible, like checking the beginning part of each file to make sure nothing harmful is hiding there. But many hospitals don’t have the tools or awareness to do this on their own.
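The check on the beginning of each file mentioned above can be sketched as follows. This is an added example, not code from the researchers or the original article; it assumes the standard DICOM Part 10 layout (a 128-byte preamble followed by the `DICM` marker), goes beyond the ELF case by also flagging two other executable signatures, and uses illustrative function names.

```python
import sys

PREAMBLE_LEN = 128      # DICOM Part 10 files start with a 128-byte preamble
DICM_MAGIC = b"DICM"    # ...followed by this 4-byte marker at offset 128

# Signatures of executable formats; the ELF entry is the case the article
# describes, the others are added here as a generalization.
EXEC_MAGICS = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
    b"#!": "script",
}


def inspect_preamble(data: bytes) -> str:
    """Classify the first 132 bytes of a file that claims to be DICOM.

    Returns "not-dicom", "executable:<format>", "nonzero-preamble" or "clean".
    """
    header = data[:PREAMBLE_LEN + len(DICM_MAGIC)]
    if len(header) < PREAMBLE_LEN + 4 or header[PREAMBLE_LEN:] != DICM_MAGIC:
        return "not-dicom"          # no Part 10 header at all
    preamble = header[:PREAMBLE_LEN]
    for magic, name in EXEC_MAGICS.items():
        if preamble.startswith(magic):
            return "executable:" + name
    if any(preamble):
        # Not a known executable, but an unused preamble should be all zeros,
        # so anything else deserves a manual look.
        return "nonzero-preamble"
    return "clean"


def scan_file(path: str) -> str:
    """Read only the header of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return inspect_preamble(fh.read(PREAMBLE_LEN + len(DICM_MAGIC)))


def make_sample(preamble_start: bytes = b"") -> bytes:
    """Constructed test input: padded preamble + DICM + dummy bytes."""
    return preamble_start.ljust(PREAMBLE_LEN, b"\x00") + DICM_MAGIC + b"\x00" * 16


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Files that legitimately use the preamble for another purpose will be reported as `nonzero-preamble`, so that result is a prompt for review rather than proof of tampering.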

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.