CyberWire Daily - Encore: Vulnerabilities in IoT devices.
Episode Date: December 24, 2022
Dr. May Wang, CTO of IoT Security at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization
Transcript
You're listening to the CyberWire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life private. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We actually spent many years studying IoT devices, including medical devices, and we found lots of vulnerabilities.
That's Dr. May Wang.
She is Chief Technology Officer for Internet of Things Security at Palo Alto Networks. The research we're discussing today is titled
Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise. With an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024,
these traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over
500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
And actually in our 2020 IoT Threat Report,
which is a vendor-agnostic report about the landscape of IoT security, we actually discovered that among all the medical devices we're observing,
about 44% of them are infusion pumps.
So it takes up a large quantity of all the medical devices we're seeing in hospitals and healthcare providers, etc.
So we'd like to look into how vulnerable these infusion pumps are.
And actually at our research lab, we are able to crack into these infusion pumps. And as you know, Dave, these infusion pumps are used to
send medications or fluids directly to patients' bodies. And in our research lab, we're able to
hack into these infusion pumps and change the medication dosage that goes directly into a
patient body. So now the vulnerabilities of these pumps, we're not just talking about patient
information, PII information leakage, et cetera. We're actually talking about life or death here.
And it can affect hospital operations, can affect patient safety.
Well, can you give us an idea of the spectrum of devices that we're talking about when we're
talking about infusion pumps? I mean, to what degree are these modern devices? Are they
connected to hospital networks? Do they go all the way out to the internet?
What exactly are we talking about here?
Yeah, we're seeing an increasing amount of medical devices connected onto the network.
And actually, the statistics we're seeing: years ago, we only saw 20% of new medical devices connected online.
But now we are seeing 40% of new medical devices connected online. And when we are talking about connected onto the network, we're talking about these
devices are connected onto the hospital's network. And in an ideal case, we would like to separate
them into a separate virtual network so that the access to these medical devices is controlled.
But actually, for lots of hospitals we're working with, because of many different reasons,
lack of IT support, etc., the situations are not that ideal.
We often see in one VLAN virtual network, we see both medical devices
and your cell phones and printers and surveillance cameras, everything jammed into one VLAN. Then it
makes the security control a lot harder. And we do see these. So when we are talking about these
medical devices, we're talking about infusion pumps, imaging systems, for example, CT scanners, MRI scanners, ultrasound scanners, x-ray machines, and patient monitors, point of care analyzers, nurse call stations, medical device gateways, medication dispensers, ECG machines, etc., you name it.
So there's a very wide spectrum of medical devices we're seeing.
And because these devices, they have different functionalities,
they use different hardware, different operating systems, different applications,
different protocols, and different staff members are using them.
So it's actually very hard to have one security mechanism or protocols, whatever it is, to secure all these devices.
So we see lots of vulnerabilities among these devices.
Well, let's dig into what you all discovered when it
comes to infusion pumps. I mean, can we go through some of the vulnerabilities that you all
uncovered and the degree to which they are actually pretty serious?
Yeah, we actually looked into more than 200,000 infusion pumps. And we found three out of four pumps are vulnerable. And of course the
severity of the vulnerabilities is different, but still 75 percent of pumps are vulnerable: they have
security vulnerabilities, or from the pumps we're observing, we see alerts coming out of these pumps.
And there are many CVEs that actually disclose the vulnerabilities of these pumps.
And we actually, in the report, showed more than 10 CVEs
that cover a majority of the vulnerabilities these pumps are having.
And we categorize them into three major categories of vulnerabilities.
The first one is they're leaking sensitive information. So let me first talk about how
these pumps work. If you go to hospital, you stay in hospital, you probably had infusion pumps work
on you before. And usually it's one infusion pump has a base station.
And this base station talks to an infusion pump server
somewhere in the backstage there.
And for each infusion pump, the base station,
usually there are multiple pumps connected to this base station.
And usually they are connected through hardware connections.
And they can vary from two pumps to four pumps
and can send in different medications to your body.
And we do see for some,
and there's multiple vendors provide these kind of infusion pumps.
And for some vendors, we see they do have secure
messaging channel between the base station and the infusion pump server. But we also do see
there are clear text communication channels, and that actually opens up a vulnerability.
We can have a man in the middle, we can hack in, we can access the communication information between the infusion pump and the server.
And there are also vulnerabilities that you can actually physically access these infusion pump devices to gain access to sensitive information.
So that's the first category, leakage of sensitive information. And then the second category is using default credentials to access these devices.
Then you can, of course, get sensitive information.
You can do all kinds of things, change the medication dosage, et cetera, once you have access to these pumps. And we do see lots of pumps are using the manufacturer default username and password, and people without authority can have unauthorized access.
Then the third category is vulnerabilities in third-party software stacks, because lots of these infusion pumps,
they can use third-party operating systems,
they can use third-party TCP/IP stacks,
and some of the TCP/IP stacks in use are vulnerable, etc.
So these are the main vulnerabilities we're seeing.
Now, to what degree are these vulnerabilities accessible
remotely versus someone having to actually be in contact with the device itself, in the room with
it?
Actually, most vulnerabilities we're seeing are through network connections because these
devices are connected onto the network. And because they either have
vulnerable third-party network stacks in use, or they use default username and password,
or they use clear text communication channels. So all of these actually can be accessed remotely and attackers can get access to these pumps from a remote network.
They don't have to be in the same room with these pumps.
Now, in your experience, the organizations that you all are working with, is there an awareness that they have these issues? How are they approaching these sorts of IoT vulnerabilities with their medical devices?
Yeah, that's a very good question, Dave.
We do see that hospitals are investing more heavily into security mechanisms to protect
these medical devices, but there are lots of challenges to protect these medical devices. Just to give you
one example. These medical devices compared to our traditional IT devices, Dave, you probably
change your cell phone every other year and change your laptop every two, three years, etc.
But these medical devices are actually in the field for many years. For example, a typical lifespan of an infusion pump is 8 to 10 years.
So even if the medical device vendors can come out with the perfectly secured medical devices,
it's almost impossible for them to see what kind of security vulnerabilities,
what kind of security risk can come out in 8 to 10 years.
So now we're dealing with lots of legacy devices.
How do we protect these legacy devices
from new malwares, ransomware attacks, etc.?
And also for these infusion pumps,
they're actually very mobile.
Today it's in floor six and tomorrow it can be in floor eight.
And how do you keep track of these mobile devices?
And they can join different VLANs and they can join different virtual networks on a daily basis.
And some of these devices even transfer from hospital to hospital.
So how you keep track of these devices and how you secure these devices are actually
very challenging topics for almost all hospitals. And needless to mention, all hospitals are seeing
an increasing amount of cyber attacks on a daily basis.
Are you aware of any instances where infusion pumps specifically have been hit by some outsider?
Any shutdown or DDoS or ransomware or anything like that?
We know there have been multiple attacks specifically targeted at IoT devices.
For example, the very well-known WannaCry, NotPetya, Mirai attacks, etc.
And you know, Dave, in hospitals, nobody wants to talk about the attacks.
Nobody wants to tell anybody, okay, my hospital's infusion pumps have been compromised, the CT scanner
have been compromised.
But because we are working with all these hospitals, we actually see lots of attacks
and increasing amount of attacks.
So what are your recommendations then?
If I'm someone who works in the medical field and I'm charged with protecting these devices, I'm on the cybersecurity team, how do I go about this?
What do you recommend?
I think there are some basic steps people can do, sort of like in the hospital, the basic cybersecurity hygiene we can do. Of course, in an ideal case, you want to keep all your
medical devices up to date with the upgrades and the patches. But that's another issue for
these medical devices because these devices are in real operations. And once they are working,
nobody wants to touch them. And there are also patches that we have seen and experienced
that they work very well in the test labs before they roll out to the real world. But once they're
patched into devices in a hospital setting, they sometimes can break these devices. And also, needless to mention, the FDA
regulation, and so lots of hospitals are very afraid to touch any medical devices, since they have
to go through the HIPAA compliance, et cetera. So there are lots of legacy devices out there
and there are lots of challenges to really keep these devices with up-to-date software and security protections.
So that's kind of the reality we have to live with.
And our recommendation is, first of all, you need to have the visibility.
You need to know how many infusion pumps you have, how many medical devices you have at any given time and what they are, what they're doing, what their status is.
And that's actually the very first thing almost every customer, every potential customer we talk to, they need lots of help to help them figure out what kind of devices are connected onto their network at any given moment.
So that's the first thing, visibility.
And after you know what devices you have connected onto your network, you need to keep continuous monitoring about the security status of these devices. You need to have a holistic risk assessment
because a device that was secure yesterday
doesn't mean it's still secure today.
So we need to have a real-time monitoring system
to know if any device is out of norm,
is showing any abnormal behaviors.
And the third one is to apply risk reduction policies
to have the right VLANs set in place,
and having the right identification of devices
is the foundation for setting up the right VLANs
so that you can decide which device gets into what VLAN.
And based on the device identification,
you can set up the right policies.
For example, if an x-ray machine is using a Windows system
and my laptop is also using a Windows system,
obviously these two devices should have
very different policies in terms of security.
And then the fourth one is to prevent threats.
Now we're all talking about zero-day protection, etc.
So we need to have the security mechanisms in place to prevent these threats from happening.
I'm just imagining someone like you having a little minor mishap at your house and ending up at the ER. And before you let them treat you, you make them prove that all their devices are up to date and fully patched.
You know, Dave, believe it or not, we're seeing lots of unbelievable things on these medical devices. And there are some new
trends that are pretty scary. I'll just give you one quick example.
Years ago, we didn't see any crypto mining on any of the medical devices.
But now we see at least 5% of all the vulnerabilities came from crypto mining.
Can you imagine the MRI machine scanning your body is also running crypto mining at the same time?
Yeah, the last thing you want is a laggy medical device because
somebody's mining Bitcoin
or Ethereum on it. It's a
shame that there's no
honor among thieves,
that these sorts of
things are out of bounds, but I suppose that's
the world we're in now.
Yep, and especially
with the latest change
in the world, we're definitely seeing an increasing amount of attacks on hospitals as well.
Yeah.
Our thanks to Dr. May Wang from Palo Alto Networks for joining us.
The research is titled Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand,
Liz Ervin, Elliot Peltzman, Trey Hester,
Brandon Karpf, Eliana White, Puru Prakash,
Justin Sebi, Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Vilecki,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard,
Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.