Category Archives: Security

Security related issues.

Hacking: Medical Devices

Hospital buildingYou have control over your own body, right? Well, scary scenarios in the healthcare industry are increasing in awareness. In the past, with the growth of technology, hacking was just for computers, but now it is expanding to other devices including medical ones. This is not technically “cyber crime”, but can easily turn into it when it falls into the wrong hands so I’m going to cover it anyways.

Internet of Things (IoT): “refers to scenarios where network connectivity and computing capability extends to objects, sensors and everyday items not normally considered computers, allowing these devices to generate, exchange and consume data with minimal human intervention. There is, however, no single, universal definition” (Internet Society, 2015).

The IoT is an important aspect in the healthcare industry (recently the term Internet of Healthcare Things IoHT was coined by medical field personnel). Examples include; heart rate monitors, pacemakers, medicine drips, MRI, etc. all that connect to the Internet and record information. As most of us know, objects that are connected to the Internet or have computer-type technology can be hacked. One example of this was two men in Austria hacked their morphine pump while admitted to the hospital to boost the dosage (Sarvestani, 2014). This resulted in one going into respiratory arrest and both men becoming addicted to morphine (Sarvestani, 2014). They were able to achieve this by retrieving the machine’s control codes online, this information typically can be found in the device manuals that are online for user reference.Hospira LifeCare PCA pump

A more streamlined, dangerous version of the morphine pump hack is what is known as MEDJACK. MEDJACK is a “medical device hijack” (Carman, 2015). How is this done? Don’t these hospitals have firewalls and preventative measures for stuff like this? Yes and no. While the network itself and it’s computers are protected with firewall and other security the devices themselves are not secured. According to Ashley Carman at SC Magazine “attackers maneuver though healthcare systems’ main networks by initially exploiting outdated and unpatched medical devices, such as an X-ray scanner or blood gas analyzer. They build backdoors into the systems through these internet-connected devices” (2015).

Another way that this is done is through a tool known as Shodan that is “used to scan open ports on the internet is often used by security researchers to uncover critical exposed infrastructure that should be better protected” (Murdock, 2016). According to a Kaspersky researcher in Jason Murdock’s article “[Shodan] can find out about the hardware and software connected [to the internet] and if you know, for example, what feedback an MRI or laser or cardiology device gives when you connect to its port, you can go to Shodan and find hundreds of these devices and if you know a vulnerability you can hack all of them” (2016).

istan medical mannequinUnfortunately, it gets worse. Pacemakers, including ones that are fully installed, are now on the list of hackable equipment. Students at University of South Alabama hacked into iStan, a simulated human being device (Storm, 2015). IStan has “internal robotics that mimic human cardiovascular, respiratory and neurological systems. When iStan bleeds, his blood pressure, heart rate and other clinical signs change automatically.” iStan, which is used by USA’s College of Nursing, breaths, bleeds from two locations, cries, secretes bodily fluids, speaks, groans, wheezes, gags, gasps, coughs and mumbles” (Storm, 2015) allowing it to fully respond as a human being. These students hacked into the iStan and were able to launch a brute force attack and denial of service (DoS) attacks which interfered with the devices ability to function, which in turn “killed” iStan (Storm, 2015). Another source discussing pacemaker hacking is Tarun Wadhwa on Forbes. Wadhwa discussed how pacemakers are vulnerable:

“Implanted devices have been around for decades, but only in the last few years have these devices become virtually accessible.  While they allow for doctors to collect valuable data, many of these devices were distributed without any type of encryption or defensive mechanisms in place.  Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates.  One of the greatest constraints to adding additional security features is the very limited amount of battery power available” (2012)

Thankfully though, there has been no recorded incident of intended harm to another individual (and a very small amount of incidents of harm to oneself) through medical device hacking. The basics? If you can, do some research into the devices being used in your hospital room to see what vulnerabilities are available on the web (through how-to’s, videos, device manuals, etc.) and if at all possible, stay healthy to avoid the hospital- I wish this for everyone!

(THIS POST IS NOT INTENDED TO INDUCE FEAR, ANGER, OR ANY OTHER EMOTION TOWARDS MEDICAL PERSONNEL, STAFF, HOSPITALS, IT STAFF, EQUIPMENT DEVELOPMENT, OR OTHER GROUP OF INDIVIDUALS HANDLING, PRODUCING, USING, UPDATING, OR INVOLVED IN MEDICAL DEVICES)

[Editors note: Maybe it SHOULD though… induce fear that is. -The Code Curmudgeon]

References:

Carman, A. (2014, June 4). ‘MEDJACK’ tactic allows cyber criminals to enter healthcare networks undetected. SC Magazine. Retrieved from http://www.scmagazine.com/trapx-profiles-medjack-threat/article/418811/

Internet Society. (2015, October). The Internet of Things: An overview. InternetSociety.org. Retrieved from https://www.internetsociety.org/sites/default/files/ISOC-IoT-Overview-20151014_0.pdf

Murdock, J. (2016, February 15). How a security researcher easily hacked a hospital and its medical devices. International Business Times. Retrieved from http://www.ibtimes.co.uk/ho w-security-researcher-easily-hacked-hospital-its-medical-devices-1544002

Sarvestani, A. (2014, August 15). Hospital patient hacks his own morphine pump. MassDevice.com On Call. Retrieved from http://www.massdevice.com/hospital-patient-hacks-his-own-morphine-pump-massdevicecom-call/

Storm, D. (2015, September 8). Researchers hack a pacemaker, kill a man(nequin). Computer World. Retrieved from http://www.computerworld.com/article/2981527/cybercri me-hacking/researchers-hack-a-pacemaker-kill-a-man-nequin.html

Wadhwa, T. (2012, December 6). Yes, you can hack a pacemaker (and other medical devices too). Forbes. Retrieved from http://www.forbes.com/sites/singularity/2012/12/06/yes-you-can-hack-a-pacemaker-and-other-medical-devices-too/#5ab6b78313e0

Get Your Free WiFi From Elvis

man dressed like Elvis in front of Welcome to Las Vegas sign
Want some free WiFi?
Ah, the lure of free open WiFi! Who can resist? Avoid flakey signal from your smartphone, get faster access and avoid data usage caps. But there is no such thing as a free lunch. When Elvis offers you free WiFi it’s best to think twice, because when someone offers free WiFi it comes with a cost, usually your privacy and security.

It might be a coffee shop who expects you to buy coffee, or a hotel who wants you to stay there instead of down the street. Or maybe the hotel has decided they can additionally sell advertising to you while you’re using the “free” WiFi to make a little extra money. Like the Elvis impersonator you should know what you’re really getting into. If think you’re getting your picture taken with the real Elvis, then perhaps you deserve what you get, especially in cases where the provider is taking the role of the huckster and offering something for “free” (as in puppy) when the hidden cost is your privacy.

With open or free WiFi the risks are always there in the form of unknown others on the network. I have found as I travel that hotel WiFi for example is a constant source of machine probes and attacks. Luckily my computer is well configured and I see the attempts. In spite of that I take the paranoid view and have avoided and free WiFi for over a year, until last week that is.

I was at the IQPC sponsored ISO 26262 Functional Safety conference in Berlin speaking on automotive cybersecurity. The WiFi performance in Berlin was no worse than others both at the hotel I was staying at and the conference hotel. By which I mean that it’s aggressively mediocre at about 1.5 Mbps. This would be reasonable performance for a 2G cellular network, but seems slow for WiFi. Now the reason I’m using it is that the cellular speed I get when roaming around the world is even slower – about 128kbps. So here I am making poor security decisions based on slow network performance. There’s a lesson to be learned there and perhaps a whole article about how we make poor security decisions.

And this is where this hotel stands out different than others, at least hotels in the USA. The attacks didn’t immediately start as I’ve seen at others, for example the Hilton in Long Beach, CA. (Yes, I’m purposely shaming their insecure public WiFi) But after working for a few minutes several of my web connections started failing when they refreshed. There were complaints about needing to re-login to Outlook, Google and other apps that require authentication.

Hotel MITM 1 of 3 So I started poking by clicking the little lock icon in the URL and as it turns out they were failing because the certificate for https was suspicious.

Hotel MITM 2 of 3As you do in these situations, I took a look at the certificate by pressing the “show certificate” button. In this case the certificate was supposed to be for Office 365,MITM safe office.com but instead it was signed by… wait for it… the hotel!!! Essentially they were doing a man-in-the-middle (MITM) attack. This means they were pretending to be Microsoft by self-signing a root certificate and saying “Microsoft is who we say it is”.

Hotel MITM 3 of 3

Probably this was for some silly injection of advertising or some other annoying but not necessarily evil purpose. Remember Lenovo doing this on their computers recently? In that case it was widely published and got a cute media name “Superfish“.

For Superfish the purpose was to put ads into your browser. Lenovo pre-installed it on a bunch of their computers, presumably for some additional revenue. The problem is that once you break down the certificate trust chain with this kind of attack, you leave the user at great risk. Someone can steal their credentials and really spy on any supposedly secure communication they have. This is to say nothing of having extra ads put onto your computer.

For the record, self-signing root certificates is only acceptable in a development or testing situation. Putting untrusted certificates in the wild is dangerous since no one can rely on them. Worse yet is pretending to be a certificate authority and jumping in the middle of a transaction or communication that the users think is secure. Not only is this unethical, but it really should be illegal.

Lesson learned again… Don’t use free WiFi and always pay attention to your URL lock icon.

Cybersecurity SQL Injection Irony

letters on cork board spelling ironyIt’s been a funny week for the SQL Injection Hall-of-Shame. As those who follow the Hall-of-shame know, there’s a pretty steady trickle of new incidents published regarding SQLi. It’s usually a few every month, not as many as are currently going into my new IoT Hall-of-Shame but still very regular.

So I was surprised that this week we have two new entries and they’re both cybersecurity companies. It’s partially funny, partially sad and partially scary.

First up is Staminus. They’re a DDoS protection company and seem to have a very good product. I spend more time on the SwSec and AppSec side of things but the kind of work they do is also important. However when you’re a security company, it’s just funny to people when you get hacked.

In this case Staminus was not only vulnerable to sql injection, but they were also doing other bad cybersecurity practices. In particular they seem to be storing customer credit card data unencrypted. One tenet of security is that you can never stop all attacks. You have to prepare for the inevitable day when someone breaches your system. That’s why it’s important that we have strong encryption, complaints from the FBI notwithstanding.

Following the attack the hackers actually left a funny message. The published a document called Tips when running a security company and detailed all the weaknesses they discovered due to bad security practices. In their defense, security expert Brian Krebs noted that anti-DDoS companies are regular targets for attackers.

Also in the news this week was well-known computer security company Symantec. They have a large share of the enterprise computer security market with their Symantec Endpoint Protection (SEP) product. SEP allows companies to manage the security software for all of their computers from a central management console (SEPM) and this was the tool that has the vulnerabilities.

As it turns out there are two vulnerabilities in SEPM, one is cross-site request forgery and one is SQL injection. While Symantec has called this a routine advisory, it was serious enough for US-CERT to issue an update advisory telling people to patch their SEPM software. US-CERT (United States Computer Emergency Readiness Team) is the government body in the US that keeps track of cybersecurity issues.

Yes, cybersecurity issues can and do happen to everyone. But we can all get at least a bit of a laugh when companies who’s only job is security are the targets. This is especially true when the issues involved are simple and preventable like SQL injection.

Internet Scam Scam

piggy bank cyber crimeI got a very funny email at work today. I try to keep up on my junk e-mail folder in Outlook so that I won’t accidentally miss something important. Today there was one with the subject “Urgent Information” that was listed as “From: Internet Scam Investigation” so of course I was intrigued.

For those who aren’t really familiar with internet security best practices, NEVER EVER EVER open an email from an unknown sender, especially with a name like Internet Scam Investigation because there is no legitimate organization that does such things.

Another good indicator of malmail (malware-email) is the generic “Urgent Information” subject. Again, people I know that actually have urgent information for me don’t do that. The combination of bad subject and bad sender should put your finger on the delete button so fast that your mouse gets hot. The only warning flag that was missing was an unexpected attachment – delete those too. Don’t worry about what’s in them, it’s nothing good. When in doubt, throw it out – or in other words delete it. For more on those look at my earlier post on personal computer security.

So of course I opened the email and read it. Now take note, this is a very foolish thing to do if you don’t know what you’re doing. Do what I say, not what I do in this case. I opened it as as cybersecurity professional in a controlled environment where it couldn’t hurt me. Don’t try this at home!

In short, the email warns that there are a lot of scams out there that are promising you money and you should be aware of them. If you really want to know if any are legit, these are the Nigerians that will tell you the truth.

For your amusement only, the full email is below. And after that some links to computer security software, for those who haven’t caught up with the 21st century yet.

Security Alert

Be on the alert for personal security. NO ONE SENDS YOU MONEY IN EMAIL. And at the very least make sure you’re running some kind of security software on your computer, like those below. If you have questions are suggestions please let me know.

Resources