By Cesare Garlati, chief security strategist, prpl Foundation
Healthcare is an industry that is coming to rely on connected devices and smart sensors to help medical professionals provide more effective patient care. However, there have been cases where the US Food and Drug Administration (FDA) was forced to warn hospitals against using a popular internet-connected drug infusion pumps, and even hospital doors are at risk with the discovery of a bug that enabled hackers to pop secure doors. Recently, a researcher uncovered almost 1,500 vulnerabilities in automated healthcare equipment.
Attacks like this may be harmful to human lives as medicine applied in wrong dosages becomes a potentially lethal weapon and physical security becomes weakened.
With the healthcare Internet of Things (IoT) market set to be worth $117 billion by 2020, according to MarketResearch, there’s an increasing need for manufacturers to reengineer vital systems to ensure they can’t be misused. So, what is going wrong?
Proprietary software prone to reverse engineering
The first issue raised is to do with proprietary software in these devices, namely that the old concept of ‘security by obscurity’, which is no longer an effective defence. These designs are simply no longer a secret; or at least they can be reverse engineered to remove any residual ‘obscurity’.
The truth is that firmware binary code is usually published somewhere online if one knows where to look, to help users with ongoing maintenance. And if it isn’t, there is a wealth of sophisticated debugging tools around, such as the Joint Test Action Group’s tool called JTAG, which can be used to extract a copy of the software from the device itself. Or interactive code disassemblers like IDA can generate assembly language source code from machine executable code. So in combination with other tools and techniques it is becoming easier than ever to reverse engineer a binary image, work out what it does, where its vulnerabilities are and how to exploit them.
Dangers in software engineering process
Hazards of the software engineering process produce vulnerabilities in some of the most widely attacked software out there. As a consequence, users are subjected to a never-ending river of updates and patches. If the IT department does not keep up with timely patching, an entire organisation’s network and digital assets may be subject to exploitation of these vulnerabilities.
For example: Microsoft Windows – Among the most exploited software ever designed. On the one hand this is because it is hugely popular throughout the world; Adobe Flash – Flash has earned a nasty reputation for a constant arrival of new vulnerabilities. Many security experts recommend disabling or uninstalling Flash. Flash is now being shunned by major publishers, and most recently the BBC decided to drop support for Flash; Apple iOS – Even version 9, Apple’s most recent effort, contained patches for over 100 vulnerabilities. There are about 856 CVEs in iOS, almost 400 in 2015 alone!
Broken firmware updates
Because in most IoT devices there’s no boot up mechanism to establish whether the software running on the chip is signed, certified or otherwise approved by the vendor, they are open to exploit. It is a serious and fundamental flaw that firmware is rarely cryptographically signed, meaning that an attacker could in theory replace it with new software of their choosing. This is akin to hiding the key from criminals then allowing them to replace the lock.
Chip firmware in IoT devices should be updateable, but not in a way that potentially allows anyone to re-flash it with their own code.
Lateral movement plus pivoting
Lateral movement and pivoting once inside a compromised system is a tactic favoured often by sophisticated attackers within corporate systems, but it can also be taken advantage of within IoT and connected devices themselves.
The strategy is the same; to establish an initial foothold within the system and eventually gain command-and-control access to an endpoint. Attackers look to escalate privileges on non-administrative users or systems to gain access to more high value targets.
One thing is for sure, a major factor affecting all challenges is complexity. IoT systems are extremely complex with many ‘moving parts’. Yet a vulnerability that may affect one device used in a particular context might not affect equivalent devices from other manufacturers.
At this early stage of IoT development, it is important for stakeholders to be vigilant in analysing systems and subsystems for potential vulnerabilities, especially in healthcare environments where lives are most vulnerable.
prpl (pronounced ‘Purple’) is an opensource, community-driven, collaborative, non-profit foundation targeting and supporting the MIPS architecture, and open to others, with a focus on enabling next generation datacentre-to-device portable software and virtualised architectures.
