It's Way Too Easy To Hack the Hospital (bloomberg.com)
schwit1 sends along a lengthy piece from Bloomberg about the chaos currently surrounding medical device security: The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.
Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers. For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
"Every day, it was like every device on the menu got crushed," Rios says. "It was all bad. Really, really bad." The teams didn't have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn't be changed, and so on.
Sooner or later, hospitals would be hacked, and patients would be hurt. He'd gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve. "Someone is going to take it to the next level. They always do," says Rios. "The second someone tries to do this, they'll be able to do it. The only barrier is the goodwill of a stranger."
All the big hacks have been around money: stealing CC cards to buy stuff or wiring money right out of a bank account. What do I get out of hacking medical devices except a free and painful medical experience along with being forced to eat hospital food?
That's because the vendors are concerned the updates could break the device. Which is a valid concern, as there have been many OS updates that have broken stuff over the years. Pretty much every OS has had this issue at one time or another, not just Windows.
I'm wondering how feasible it is to have separate devices handle the security.
It should be more feasible than having every device be secure? Any programmer from any supplier in the entire hospital can now break the security, and everything is down the drain...
seeing how cheap small computers are now, how hard would it be to put a small secure module before each machine securing everything? I think that would be a far more feasible approach in getting a hospital secure!
Imagine a broad attack where people in hospitals start dying from the equipment. Add in attacks on other infrastructure and you'll have 9/11 times a thousand.
I've worked in a few hospital systems. While I'm not an IT guy, I'm an engineer and I often serve as a de facto IT guy for companies. The quality of IT staff in the hospitals I've worked with was for the most part deplorable. They tend to be understaffed, underfunded and underpaid, and not supported well by management. It should surprise no one that they don't tend to get the best and brightest. While there are some good people, the system sets them up to fail. Quite frankly, hospitals are among the least secure and least well administered companies I've seen when it comes to IT. Their business is extremely complex and very few of the people working in it are IT focused, particularly those in positions of power. Worse, a lot of the equipment uses special versions of software that either is not or (usually for regulatory reasons) cannot be updated.
What security people constantly miss is that our society is kind of founded on the goodwill of the stranger. That's also why there's little physical security at hospitals. Sure there are mentally sick people out there but it takes somebody especially incredibly sick and twisted to turn off somebody's pacemaker just for the hell of it.
I'm all for security, and there are some evil people out there, but really there are reasons why hospitals are often the least secured places anywhere you go
Which is your naive way of saying you don't think there are bad people in the world, and that you don't believe people do malicious things just for the hell of it. I have no such faith in humanity. In fact, I take it as a certainty it will happen.
So, let's ratchet this up a little.
Say, for instance, that the president of country A is known to have a heart problem. Now, say that country B has been the sworn enemy of country A ever since that crushing loss at the Quidditch World Cup in the 1800s.
Now, say that the president of country A is going in for heart surgery in a few months.
Do you really think a determined nation state might not decide that this is a great way to do an assassination? Before you say "of course not, that's silly", I remind you that Stuxnet existed to target and ruin very specific things, which means nation states already do this.
Now, take this to the level of really scary ... imagine bored script kiddies can access and muck with medical devices at will just for the lulz.
Because, really, I don't see any reason why these scenarios can't, won't, or haven't already happened.
And while it's been a fairly open secret that medical devices have terrible security for years, now it's been fairly well confirmed publicly that medical devices have utterly terrible security. Which means I think the likelihood of this has moved from "plausible" to "start planning for it".
This should be a wakeup call. It's bad enough every piece of consumer electronics and the entire IoT apparently have crap security, if any at all. But having pretty much every medical device be almost without any form of security is scary.
Lost at C:>. Found at C.
It continually amazes me how much so many people don't care about security, or design it in as an afterthought. I've worked on the Linux client for a MMORPG, and their entire security model was built around "TCP will protect us". No actual attempt to verify that packets coming from a client or the server were actually from who they said they were. No attempt to make sure that any fields within them were valid. And no care to actually fix the problem out of fear of "breaking things". I once had to write a zero-day exploit for a particularly egregious bug (based on popen injection) that would allow any ordinary player with a non-hacked client to execute arbitrary other code on other players' machines, before they'd let me implement the very simple fix.
For many people, security is "that thing that doesn't matter unless someone is actively abusing it, and then only fix the particular thing that's being actively abused".
Even protocols which practically summon abuse down on them are often designed without any sort of security in mind. I was reading a while back about MainlineDHT, the distributed hash table networking system that enables trackerless torrents in bittorrent. You know, if there's anything out there that you'd expect parties with resources to want to hack (to monitor for copyright abusers, to disrupt the network, to return compromised information, etc) it'd be something like that, they'd be naive to think otherwise. But the protocol is so pathetically weak it practically screams, "Please, Sybil attack us, it'll only take 10 minutes for you to implement the attack!" You can turn a standard MainlineDHT implementation into a Sybil-attacking information simply by changing it to respond to all requests by claiming that you are the host that the client was requesting instead of directing them toward the requested client. The program doesn't even have to remember all the lies it told to other clients, they're trusted instantly and completely, and in fact, the clients that they lied to forward the lies to others. A program that wants to pretend to be a million nodes incurs no additional performance, hardware, or networking requirements over a normal client with just one identity, beyond the data flood that they're trying to receive or manipulate.
Sybils can be hard to entirely prevent, particularly if you want to support clients behind NAT and you don't want to involve any external "trusted" identity-verifying system. But for crying out loud you don't have to make it so easy for them, on a target that you just know people are going to want to attack.
Hello from Sputnik 2. I am receiving you.
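The comment above describes a routing table that trusts every "I am node X" claim the moment it arrives. The following is an added example, not the commenter's code and not MainlineDHT's own implementation: a constructed in-memory simulation of three admission policies for a DHT routing table (accept anything; admit a contact only after a fresh challenge token is echoed from the claimed address; the same plus a cap on node IDs per IP). The addresses, node IDs and the `LyingNode`/`HonestNode` classes are all made up for the simulation.

```python
"""Constructed simulation: three admission policies for a DHT routing table
and how each behaves when a single host claims to be many nodes."""
import secrets
from collections import Counter

SYBIL_ADDR = "203.0.113.5:6881"  # constructed: the one address the liar really controls


class Network:
    """In-memory stand-in for UDP: a ping is answered by whoever is bound to that address."""

    def __init__(self):
        self.hosts = {}

    def register(self, addr, host):
        self.hosts[addr] = host

    def ping(self, addr, claimed_id, token):
        host = self.hosts.get(addr)
        return None if host is None else host.on_ping(claimed_id, token)


class HonestNode:
    def __init__(self, node_id, addr):
        self.node_id, self.addr = node_id, addr

    def on_ping(self, claimed_id, token):
        # Echoes the challenge only when asked about its own id.
        return token if claimed_id == self.node_id else None


class LyingNode:
    """Echoes every challenge, whatever id the caller thinks it is talking to."""

    def on_ping(self, claimed_id, token):
        return token


class RoutingTable:
    def __init__(self, net, verify_ping=False, max_ids_per_ip=None):
        self.net = net
        self.verify_ping = verify_ping
        self.max_ids_per_ip = max_ids_per_ip
        self.contacts = {}          # node_id -> addr
        self.ids_per_ip = Counter()

    def add_contact(self, node_id, addr):
        """Return True if the contact was admitted to the table."""
        ip = addr.rsplit(":", 1)[0]
        if self.max_ids_per_ip is not None and self.ids_per_ip[ip] >= self.max_ids_per_ip:
            return False            # one IP may not occupy unbounded slots
        if self.verify_ping:
            token = secrets.token_hex(8)     # fresh challenge per contact
            if self.net.ping(addr, node_id, token) != token:
                return False        # nobody at that address vouched for this id
        self.contacts[node_id] = addr
        self.ids_per_ip[ip] += 1
        return True

    def ingest_reply(self, contacts):
        """Process a find_node-style reply; return how many contacts were admitted."""
        return sum(1 for nid, addr in contacts if self.add_contact(nid, addr))


def build_network():
    net = Network()
    honest = [HonestNode(f"node-{i}", f"192.0.2.{i}:6881") for i in range(1, 4)]
    for n in honest:
        net.register(n.addr, n)
    net.register(SYBIL_ADDR, LyingNode())
    return net, [(n.node_id, n.addr) for n in honest]


def simulate(verify_ping=False, max_ids_per_ip=None, claimed=1000):
    """Feed one table three replies and report how many contacts of each kind it admitted."""
    net, honest_contacts = build_network()
    table = RoutingTable(net, verify_ping, max_ids_per_ip)
    # Reply 1: genuine contacts. Reply 2: ids at addresses nobody holds.
    # Reply 3: ids that all point back at the one address the liar does hold.
    forged = [(f"fake-{i}", f"10.0.{i // 256}.{i % 256}:6881") for i in range(claimed)]
    same_host = [(f"clone-{i}", SYBIL_ADDR) for i in range(claimed)]
    return {
        "honest": table.ingest_reply(honest_contacts),
        "forged_addr": table.ingest_reply(forged),
        "same_host": table.ingest_reply(same_host),
    }


if __name__ == "__main__":
    for label, kw in [("accept anything", {}),
                      ("challenge ping", {"verify_ping": True}),
                      ("ping + per-IP cap", {"verify_ping": True, "max_ids_per_ip": 2})]:
        print(f"{label:18} {simulate(**kw)}")
```

The naive table admits all 2000 fabricated contacts; the challenge ping rejects the 1000 whose addresses nobody answers at but still admits the 1000 that resolve to the liar's own host, because a ping only proves that someone at that address answered. The per-IP cap is what limits that second case; binding node IDs to the IP address (as BitTorrent's BEP 42 DHT security extension does) is the further step that makes the cap enforceable without trusting the claimed ID at all.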
No, some vendors say their system can't be walled off and that they need remote access to it / it must be able to send data to their systems. Have you read the list of ports that their docs say must be open to them?
I worked in hospital IT for over a decade. Your speculation is entirely wrong.
Good idea. Nobody does that.
It's not just medical devices. Anything reasonably proprietary has historically had the security by obscurity defense and that hasn't changed. Why do you think manufacturers of SCADA gear, connected sensors, etc. beg customers to put them on their own disconnected network? I've done a lot of work in this sector and see lots of this all the time --
- Currently shipping devices running old versions of Windows, Linux, etc. with no way to patch them
- Simple passwords that can't easily be changed
- Obviously hacked-on network connectivity, where the connection is running vulnerable firmware unmodified from the firmware provided in a test kit by its manufacturer (complete with default passwords)
Manufacturers of these devices have historically not cared. Look at magnetic stripe credit cards -- the system was designed in an era where a magstripe encoder was a magical tool that cost thousands of 1970s dollars. That was the only thing that kept the technology safe. Other devices rely on the fact that no one knows their proprietary firmware (or so they think.) Avionics systems were designed in an era where the Internet didn't exist for the public. My experience has been that vendors do not fix security problems even when presented with them. Medical devices might be a different story if the FDA gets serious about it.
I think that if Microsoft, Amazon, Google, etc. get their way and force everyone into the cloud, it'll take a few major hacks into things like these for people to change their security mindset.
And this is where the anti-regulation assholes drop in and start whining about the free market and the burdens of regulation, etc etc etc.
Hint: For-profit companies don't do things out of the goodness of their hearts. Until it starts to cost them money (fines for violating the regs) they do not give a single fuck. If people start dying, they'll just do a cost/benefit analysis based on how much they'd have to settle for with the dead person's family when they inevitably sue them vs. the cost of following the rules.
Never underestimate the power of stupid people in large groups.
It's worse than that. Even the machines in doctors' offices are vulnerable, because they are only supposed to install HIPAA approved software, and so, e.g., they run the (presumably) most recently approved version of MSWindows. Connected to the internet.
Basically there's no awareness of even a potential threat.
OTOH, they don't browse random web sites. They may not have Flash installed. (I didn't ask to check just what they had installed, it was just blatantly MSWindows...I don't even know which version.) So they probably avoid attack by lurkers.
I suppose the first estimate of vulnerability would be "How many doctors' offices were running botnet software?", but I don't know how frequent it is. A simple Google search shows that it happens.
I think we've pushed this "anyone can grow up to be president" thing too far.
Yes, let's take, for example, the morphine pump. The CADD Prizm is the most widely used morphine pump, at least in the US. It has no network capacity, requires a proprietary cable, and must be physically accessed to make changes. Data is retrieved bi-monthly when used in the home or more frequently in a clinical setting. Anyone who has access has far simpler (and less traceable) ways to cause harm to the patient.
I don't actually know of any other brands certified for use in the US. There may be others but they're expensive to get certified and don't just randomly get connected to networks. They're also set to read only unless specifically connected to an authenticated device - often an older computer, with serial ports, and that's probably not even connected to a network at all.
Here, have a link:
http://www.smiths-medical.com/...
"So long and thanks for all the fish."