Channel: Justin Shafer

Dentrix G6.6.. is it secure?

Dentrix G6.6 is pretty dang secure since I set out to secure Dentrix through the "squeaky wheel" method. They have database usernames called ADMIN and DTXUSER that have passwords based on a database passphrase that the dentist creates, much like Dentrix G6.2, except these are the only 2 usernames in the database. The database passphrase itself is stored in a file on each workstation, making the passphrase unavailable to an attacker trying to gain access over the internet.

The only issue is the Dentrix Developer Program. Let's say you're Lighthouse 360 and you enrolled in the Dentrix Developer Program to gain database access...

You give Dentrix some $$ and Dentrix gives you an API and some executables. One of these is called DTXCreateUser, and it does what you might think: it creates a database username and password for your application to read and write to the Dentrix database, which is Faircom ACE 10.3.

Lighthouse has no control or say over this username and password. This password is the same for ALL installations that Lighthouse installs for ALL their customers. Let's say I as a dentist decide to leave Lighthouse 360, guess what? That database username and password is still in the database.

Let's say a hacker who is familiar with dentistry finds a database server exposed to the internet. He could in theory have a list of usernames and passwords from different vendors enrolled in the Dentrix Developer Program, and could try to authenticate off that list. It isn't actually that hard to find a server exposed, since Dentrix uses unique ports for its database service.
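The two conditions described above, a leftover integration account and a database listener reachable from outside the office, are what an office-side audit should catch. The following is an added example, not code from this post or from Henry Schein; it assumes the office can export its database user list and its listening sockets, and the account names, port and LAN range in the sample data are constructed placeholders.

```python
"""Audit helper (added example): flag integration accounts that outlive their
vendor, and database listeners bound beyond the office LAN."""
import ipaddress

# The two built-in accounts the post says a G6.6 database legitimately holds.
BUILTIN_ACCOUNTS = {"ADMIN", "DTXUSER"}


def orphaned_integration_accounts(db_accounts, active_vendor_accounts):
    """Return database accounts that are neither built-in nor owned by a vendor
    the office still contracts with. These are the DTXCreateUser accounts that
    stay behind after an integration is cancelled."""
    known = {a.upper() for a in BUILTIN_ACCOUNTS | set(active_vendor_accounts)}
    return sorted(a for a in db_accounts if a.upper() not in known)


def exposed_listeners(listeners, lan_networks):
    """listeners: iterable of (bind_address, port) for the database service.
    Flag binds on the wildcard address or on any address outside the LAN
    ranges; those are reachable from the internet if the edge firewall allows it."""
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    flagged = []
    for addr, port in listeners:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue  # local-only bind, never exposed
        if ip.is_unspecified or not any(ip in n for n in nets):
            flagged.append((addr, port))
    return flagged


def audit(db_accounts, active_vendor_accounts, listeners, lan_networks):
    """Combine both checks into one report dict for the office's IT contact."""
    return {
        "orphaned_accounts": orphaned_integration_accounts(db_accounts, active_vendor_accounts),
        "exposed_listeners": exposed_listeners(listeners, lan_networks),
    }


# Constructed sample input: account names, port 9999 and the LAN range are
# placeholders, not values from Dentrix or from the post.
SAMPLE_ACCOUNTS = ["ADMIN", "DTXUSER", "LIGHTHOUSE360", "OLDRECALLAPP"]
ACTIVE_VENDORS = ["LIGHTHOUSE360"]          # integrations still under contract
SAMPLE_LISTENERS = [("0.0.0.0", 9999), ("192.168.1.10", 9999)]
LAN = ["192.168.1.0/24"]

if __name__ == "__main__":
    print(audit(SAMPLE_ACCOUNTS, ACTIVE_VENDORS, SAMPLE_LISTENERS, LAN))
```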

I did find a server at a Dentrix G4 office that was exposed to the internet this weekend from searching the Shodan search engine. But what can you do about it? You could alert HHS or the FBI, but it is doubtful either agency will do anything about it. It's possible the shares themselves are password protected... I have contacted both agencies in the past about servers exposed to the internet, and have never heard anything about it. I am currently not allowed to contact the FBI, but I guess I could try HHS. I have never understood why the government does not do more to protect citizens.


Searching for Dexis 10 databases on Shodan yields 18 databases:

18 databases could be a lot of patients... Feel free to email someone in the government about it. I emailed OCR\HHS and I am waiting for a response. I posed a question: Why can't the government get a court order to find out whose office each database belongs to, and then contact that dental office to stop the databases being exposed to the internet? I will update this blog post if they respond.

Anyways, I am sure the developers at Henry Schein Practice Solutions can think of something better than what is currently being used, so we shall wait and see. I reported this to US-CERT (VU#524021) and they asked me to work with Dentrix, but I explained to them about the FTC and how we have a poor working relationship, and technically I haven't heard anything from Henry Schein Practice Solutions since emailing them... so... why not make a blog post about it? Plus my emails to the Schein mail server never arrive to who I intend to send them to. I tried emailing someone in tech support last month over a problem with printing treatment plans and had to use the dental office's email address because my Gmail address didn't go through. Someone at Schein put a filter on my email address a couple of years ago, since the FTC thing happened. Plus they aren't allowed to talk to me... I have a friend who works at Dentrix, so I talked to him about it.

Other people in the dental industry have their own problems, but I decided long ago to make Dentrix my project, and I ALWAYS see my projects to the finish.

I also have a beef with OCR\HHS for not investigating data breaches that I reported to them, but we will save that for another post! These were FTP servers. 1 is being investigated.
