It's Way Too Easy To Hack the Hospital

schwit1 sends along a lengthy piece from Bloomberg about the chaos currently surrounding medical device security: The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.

Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.

"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.

Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."

Re:how does anyone make money off this?

[amalcolm]

When I'm lying on an oncology machine about to be zapped with high-power microwaves I'd prefer not to have to worry about some wanker changing the dose (up OR down) just for kicks.

This is not surprising

[naris]

Medical equipment vendors definitely need to address this.

However, that being said, anyone that hacks medical devices should be taken out and shot. This would be a good cause for reviving capital punishment in those jurisdictions that have retired it.

Re:This is not surprising

[gstoddart]

However, that being said, anyone that hacks medical devices should be taken out and shot

Which is your naive way of saying you don't think there are bad people in the world, and that you don't believe people do malicious things just for the hell of it. I have no such faith in humanity. In fact, I take it as a certainty it will happen.

So, let's ratchet this up a little.

Say, for instance, that the president of country A is known to have a heart problem. Now, say that country B has been the sworn enemy of country A ever since that crushing loss at the Quidditch World Cup in the 1800s.

Now, say that the president of country A is going in for heart surgery in a few months.

Do you really think a determined nation state might not decide that this is a great way to do an assassination? Before you say "of course not, that's silly", I remind you that Stuxnet existed to target and ruin very specific things, which means nation states already do this.

Now, take this to the level of really scary ... imagine bored script kiddies can access and muck with medical devices at will just for the lulz.

Because, really, I don't see any reason why these scenarios can't, won't, or haven't already happened.

And while it's been a fairly open secret that medical devices have terrible security for years, now it's been fairly well confirmed publicly that medical devices have utterly terrible security. Which means I think the likelihood of this has moved from "plausible" to "start planning for it".

This should be a wakeup call. It's bad enough every piece of consumer electronics and the entire IoT apparently have crap security, if any at all. But having pretty much every medical device be almost without any form of security is scary.

Re: This is not surprising

[Rei]

It continually amazes me how much so many people don't care about security, or design it in as an afterthought. I've worked on the Linux client for a MMORPG, and their entire security model was built around "TCP will protect us". No actual attempt to verify that packets coming from a client or the server were actually from who they said they were. No attempt to make sure that any fields within them were valid. And no care to actually fix the problem out of fear of "breaking things". I once had to write a zero-day exploit for a particularly egregious bug (based on popen injection) that would allow any ordinary player with a non-hacked client to execute arbitrary other code on other players machines, before they'd let me implement the very simple fix.

For many people, security is "that thing that doesn't matter unless someone is actively abusing it, and then only fix the particular thing that's being actively abused".

Even protocols which practically summon abuse down on them are often designed without any sort of security in mind. I was reading a while back about MainlineDHT, the distributed hash table networking system that enables trackerless torrents in bittorrent. You know, if there's anything out there that you'd expect parties with resources to want to hack (to monitor for copyright abusers, to disrupt the network, to return compromised information, etc) it'd be something like that, they'd be naive to think otherwise. But the protocol is so pathetically weak it practically screams, "Please, Sybil attack us, it'll only take 10 minutes for you to implement the attack!" You can turn a standard MainlineDHT implementation into a Sybil-attacking information simply by changing it to respond to all requests by claiming that you are the host that the client was requesting instead of directing them toward the requested client. The program doesn't even have to remember all the lies it told to other clients, they're trusted instantly and completely, and in fact, the clients that they lied to forward the lies to others. A program that wants to pretend to be a million nodes incurs no additional performance, hardware, or networking requirements over a normal client with just one identity, beyond the data flood that they're trying to receive or manipulate.

Sybils can be hard to entirely prevent, particularly if you want to support clients behind NAT and you don't want to involve any external "trusted" identity-verifying system. But for crying out loud you don't have to make it so easy for them, on a target that you just know people are going to want to attack.

Re:how does anyone make money off this?

[rmdingler]

all the big hacks have been around money.

You can bet money will be the impetus for industry reform in this, as well.

The operative difference is it will be to stem the outflow of it from lawsuits and increased insurance premiums.

I'll be waiting for the first hack/murder to show up on Investigative Discovery... the victim won't even need to have life insurance as incentive for the perpetrator-spouse's big payday.

not money - terror

Imagine a broad attack where people in hospitals start dieing from the equipment. Add in attacks on other infrastructure and you'll have 9/11 times a thousand.

Re:how does anyone make money off this?

[Lab+Rat+Jason]

The Ashley Madison hacks weren't about money... it was about righteous indignation. There is every reason to believe that when a high profile person with a "differing" point of view needs to go into the hospital for something, that this very thing could happen. Plus I'm sure there is some hacker out there who believes there is street cred to be had by being the first person to commit a murder *directly* through the internet.

Re:Happens in all vertical market applications

[eth1]

It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network?

Putting systems that could cause death or widespread mayhem on isolated networks is a good idea regardless of the security of the applications. It's one more layer an attacker has to bypass.

The problem is that doing so has become an excuse to NOT secure the applications.