CyberWire Daily - Vulnerabilities in IoT devices. [Research Saturday]

Episode Date: May 14, 2022

Dr. May Wang, Chief Technology Officer at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
Starting point is 00:01:10 solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We actually spent many years studying IoT devices, including medical devices, and we found lots of vulnerabilities. That's Dr. May Wang. She is Chief Technology Officer for Internet of Things Security at Palo Alto Networks. The research we're discussing today is titled Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization.
Starting point is 00:01:56 And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface,
Starting point is 00:02:34 making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. And actually in our 2020 IoT Threat Report, which is a vendor-agnostic report about the landscape of IoT security, we actually discovered that among all the medical devices we're observing, about 44% of them are infusion pumps. So it takes up a large quantity of all the medical devices we're seeing in hospitals and healthcare providers, etc. So we'd like to look into how vulnerable these infusion pumps are.
Starting point is 00:03:52 And actually at our research lab, we are able to crack into these infusion pumps. And as you know, Dave, these infusion pumps are used to send medications or fluids directly to patients' bodies. And in our research lab, we're able to hack into these infusion pumps and change the medication dosage that goes directly into a patient's body. So now with the vulnerabilities of these pumps, we're not just talking about patient information, PII information leakage, et cetera. We're actually talking about life or death here. And it can affect hospital operations, can affect patient safety. Well, can you give us an idea of the spectrum of devices that we're talking about when we're talking about infusion pumps? I mean, to what degree are these modern devices? Are they connected to hospital networks? Do they go
Starting point is 00:04:52 all the way out to the internet? What exactly are we talking about here? Yeah, we're seeing an increasing number of medical devices being connected onto the network. And actually, the statistics we're seeing, years ago we only saw 20% of new medical devices connected online, but now we are seeing 40% of new medical devices connected online. And when we are talking about connected onto the network,
Starting point is 00:05:20 we're talking about these devices are connected onto the hospital's network. And in an ideal case, we would like to separate them into a separate virtual network so that the access to these medical devices is controlled. But actually, for lots of hospitals we're working with, because of many different reasons, lack of IT support, etc., the situations are not that ideal. We often see in the one VLAN virtual network, we see both medical devices and your cell phones and printers and surveillance cameras, everything jammed into one VLAN. Then it makes the security control a lot harder. And we do see these. So when we are talking about these medical devices, we're talking about infusion pumps, imaging systems,
Starting point is 00:06:16 for example, CT scanners, MRI scanners, ultrasound scanners, x-ray machines, and patient monitorings, point-of-care analyzers, nurse call stations, medical device gateways, medication dispenser, ECG machines, etc., you name it. medical devices we're seeing. And because these devices, they have different functionalities, they use different hardware, different operating systems, different applications, different protocols, and different staff members are using them. So it's actually very hard to have one security mechanism or protocols, whatever it is, to secure all these devices. So we see lots of vulnerabilities among these devices. Well, let's dig into what you all discovered when it comes to infusion pumps. Can we go through some of the vulnerabilities that you all uncovered and the degree to which they are actually pretty serious?
Starting point is 00:07:24 Yeah, we actually looked into more than 200,000 infusion pumps and we found three out of four pumps are vulnerable. And of course, the severity of the vulnerabilities is different, but still, 75% of pumps are vulnerable. They have security vulnerabilities, or from the pumps we're protecting, we see alerts coming out of these pumps. And there are many CVEs that actually disclose the vulnerabilities of these pumps. And we actually, in the report, showed more than 10 CVEs that are the majority of the vulnerabilities these pumps are having. And we categorize them into three major categories of vulnerabilities. The first one is they're leaking sensitive information. So let me first talk about how these pumps work. If you go to hospital,
Starting point is 00:08:27 you stay in hospital, you probably had infusion pumps work on you before. And usually it's one infusion pump has a base station. And this base station talks to an infusion pump server somewhere in the backstage there. And for each infusion pump, the base station, usually there are multiple pumps connected to this base station. And usually they are connected through hardware connections. And they can vary from two pumps to four pumps and can send in different medications to your body. four pumps and can send in different medications to your body. And we do see for some, and there's multiple vendors provide these kinds of infusion pumps. And for some vendors, we see they do have
Starting point is 00:09:14 secure messaging channel between the base station and the infusion pump server. But we also do see there are clear text communication channels, and that actually opens up a vulnerability. We can have a man in the middle. We can hack in. We can access the communication information between the infusion pump and the server. And there are also vulnerabilities that you can actually physically access these infusion pump devices to gain access to sensitive information. So that's the first category, leakage of sensitive information. And then the second category is using default credentials
Starting point is 00:09:57 to access these devices. Then you can, of course, get sensitive information. You can do all kinds of things, change the medication dosage, etc. Once you have access to these pumps. And we do see lots of pumps are using the manufacturer default username, password. And for people without authorities, they can have unauthorized access. Then the third categories are vulnerabilities using third-party software stacks because lots of these infusion pumps, they can use third-party operating systems.
Starting point is 00:10:38 They can use third-party TCP/IP stacks, and some of the TCP/IP stacks are vulnerable, etc. So these are the main vulnerabilities we're seeing. Now, to what degree are these vulnerabilities accessible remotely versus someone having to actually be in contact with the device itself, in the room with it? Actually, most vulnerabilities we're seeing are through network connections because these devices are connected onto the network. And because they either have the vulnerable third-party network stacks used or they use default username and password or they use clear text communication channels. So all of these actually can be accessed remotely,
Starting point is 00:11:34 and attackers can get access to these pumps from a remote network. They don't have to be in the same room with these pumps. Now, in your experience, the organizations that you all are working with, is there an awareness that they have these issues? How are they approaching these sorts of IoT vulnerabilities with their medical devices? Yeah, that's a very good question, Dave. We do see that hospitals are investing more heavily into security mechanisms to protect these medical devices. But there are lots of challenges to protect these medical devices. Just to give you one example.
Starting point is 00:12:25 These medical devices compared to our traditional IT devices, Dave, you probably change your cell phone every other year and change your laptop every two, three years, et cetera. But these medical devices are actually in the field for many years. For example, a typical lifespan of an infusion pump is eight to 10 years. So even if the medical device vendors can come out with the perfectly secured medical devices, it's almost impossible for them to see what kind of security vulnerabilities, what kind of security risk can come out in 8 to 10 years. So now we're dealing with lots of legacy devices. How do we protect these legacy devices from new malwares, ransomware attacks, etc.? And also for these infusion pumps, they're actually very mobile.
Starting point is 00:13:15 Today it's in floor six and tomorrow it can be in floor eight. And how do you keep track of these mobile devices? And they can join different VLANs and they can join different virtual network on daily basis. And some of these devices even transfer from hospital to hospital. So how do you keep track of these devices and how do you secure these devices are actually very challenging topic for almost all hospitals. And needless to mention, all hospitals are seeing increasing amount of cyber attacks on daily basis. Are you aware of any instances where infusion pumps specifically have been hit by some outsider,
Starting point is 00:14:04 any shutdown or DDoS or ransomware or anything like that? We know there have been multiple attacks specifically targeted at IoT devices. For example, the very well-known WannaCry, NotPetya, Mirai attacks, etc. And you know, Dave, in hospitals, nobody wants to talk about the attacks. Nobody wants to tell anybody, okay, my hospital's infusion pumps have been compromised. The CT
Starting point is 00:14:37 scanner have been compromised. But because we are working with all these hospitals, we actually see lots of attacks and increasing amount of attacks. So what are your recommendations then? If I'm someone who works in the medical field and I'm charged with protecting these devices, I'm on the cybersecurity team, how do I go about this? What do you recommend? What do you recommend? I think there are some basic steps people can do, sort of like in the hospital, the basic cybersecurity hygienes we can do. Of course, in an ideal case, you want to keep all your medical devices up to date with the upgrades and the patches. But that's another issue for these medical devices because these devices are in real operations.
Starting point is 00:15:32 And once they are working, nobody wants to touch them. And there are also patches that we have seen and experienced that work very well in the test labs before they roll out to the real world. But once they are patched into devices in a hospital setting, they sometimes can break these devices. And also needless to mention the FDA regulation, and so lots of hospitals are very afraid to touch any medical devices because they have to go through the HIPAA compliance, et cetera. So there are lots of legacy devices out there and there are lots of challenges to really keep these devices with up-to-date software and security protections. So that's kind of the reality we have to live with. And our recommendation is, first of all, you need to have the visibility.
Starting point is 00:16:29 You need to know how many infusion pumps you have, how many medical devices you have at any given time and what they are, what they're doing, what their status is. And that's actually the very first thing almost every customer, every potential customer we talk to, they need lots of help to help them figure out what kind of devices are connected onto their network at any given moment. So that's the first thing, visibility. And after you know what devices you have connected onto your network, you need to keep continuous monitoring about the security status of these devices. You need to have a holistic risk assessment because a device that was secure yesterday doesn't mean it's still secure today. So we need to have a real-time monitoring system to know if any device is out
Starting point is 00:17:28 of norm, is showing any abnormal behaviors. And the third one is to apply risk reduction policies to have the right VLAN set in place, which having the right identification of devices is the foundation for set up the right VLAN so that you can decide which device gets into what VLAN. And based on the device identification, you can set up the right policies. For example, if an x-ray machine is using a Windows system and my laptop is also using Windows system. And obviously, these two devices should have very different policies in terms of security. And then the fourth one is to prevent threats. Now we're all talking about zero-day protection, etc. So we need to have the security mechanisms in place to prevent these threats from happening.
Starting point is 00:18:31 I'm just imagining, you know, someone like you having a little minor mishap at your house and ending up at the ER. And, you know, before you let them treat you, you make them prove that all their devices are up to date and fully patched. You know, Dave, believe it or not, we're seeing lots of unbelievable things on these medical devices. And there are some new trends that's pretty scary. I just give you one quick example. Years ago, we didn't see any crypto mining on any of the medical devices. But now we see at least 5% of all the vulnerabilities came from crypto mining.
Starting point is 00:19:05 Can you imagine the MRI machine scanning your body is also running crypto mining at the same time? Yeah, the last thing you want is a laggy medical device because somebody's mining Bitcoin or Ethereum on it. It's a shame that there's no honor among thieves, that these sorts of things are out of bounds. But I suppose that's the world we're in now. Yep. And especially with the latest change in the world, we're definitely seeing increasing amount of attacks to hospitals as well. Yeah. Our thanks to Dr. Mei Wang from Palo Alto Networks for joining us. The research is titled Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization.
Starting point is 00:20:00 We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:20:23 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Thanks for listening. We'll see you back here next week.
