By Gunter Ollmann @gollmann
The US Food and Drug Agency (FDA) released an important safety communication targeted at medical device manufacturers, hospitals, medical device user facilities, health care IT and procurements staff, along with biomedical engineers in which they warn of risk of failure due to cyberattack - such as through malware or unauthorized access to configuration settings in medical devices and hospital networks.
Have you ever been to view a much anticipated movie based upon an exciting book you happened to have read when you were younger, only to be sorely disappointed by what the director finally pulled together on the big screen? Well that’s how I feel when I read this newest alert from the FDA. Actually it's not even called an alert… it's a "Safety Communication"… it's analogous to Peter Jackson deciding that his own interpretation of JRR Tolkien's 'The Hobbit' wasn't really worthy of the title so to forestall criticism he named the movie 'Some Dwarves and a Hobbit do Stuff'.
This particular alert (and I'm calling it an alert because I can't lower myself to call it a safety communication any longer) is a long time coming. Almost a decade ago me and my teams at the time raised the red flag over the woeful security of hospital networks, then back in 2005 my then research teams raised new red flags related to the encroachment of unsecured WiFi in to medical equipment, for the last couple of years IOActive's research team have been raising new red flags over the absence of security within implantable medical devices, and then on June 13th 2013 the FDA releases a much watered down alert where the primary recommendations and actions section simply states "[m]any medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches". It's as if the hobbit has been interpreted as a midget with hairy feet.
Yes I joke a little, but I am very disappointed with the status of this alert covering an important topic.
The vulnerabilities being uncovered on a daily basis within hospital networks, medical equipment and implantable devices by professional security teams and researchers are generally more serious than what outsiders give credit. Much of the public cybersecurity discussion as it relates to the medical field to date has been about people hacking hospital data systems for patient records and, most recently, the threat of targeted slayings of people who happen to have vulnerable implanted insulin pumps and heart defibrillators. While both are certainly possible, they're what I would associate with fringe events.
I believe that the biggest and most likely threats lie in non-malicious actors - the tinkerers, the cyber-crooks, and the "in the wrong place at the wrong time" events. These medical systems are so brittle that even the slightest knock or tire-kicking can cause them to fail. I'll give you some examples:
- Wireless heart and drug monitoring stations within emergency wards that have open WiFi connections; where anyone with an iPhone searching for an Internet connection can make an unauthenticated connection and have their web browser bring up the admin portal of the station.
- Remote surgeon support and web camera interfaces used for emergency operations brought down by everyday botnet malware because someone happened to surf the web one day and hit the wrong site.
- Internet auditing and scanning services run internationally and encountering medical devices connected directly to the Internet through routable IP addresses - being used as drop-boxes for file sharing groups (oblivious to the fact that it's a medical device under their control).
- Common WiFi and Bluetooth auditing tools (available for android smartphones and tablets) identifying medical devices during simple "war driving" exercises and leaving the discovered devices in a hung state.
- Medial staff's iPads without authentication or GeoIP-locking of hospital applications that "go missing" or are borrowed by kids and have applications (and games) installed from vendor markets that conflict with the use of the authorized applications.
- NFC from smartphone's and payment systems that can record, playback and interfere with the communications of implanted medical devices.
These are really just the day-to-day noise of an Internet connected life - but one that much of the medical industry is currently ill prepared to defend against. Against an experienced attacker or someone determined to cause harm - well, it's as one sided as a lone hobbit versus the combined armies of Middle Earth.
I will give the alert some credit though, that did clarify a rather important point that may have been a stumbling block for many device vendors in the past:
"The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity."
IOActive's experience when dealing with a multitude of vulnerable medical device manufacturers had often been disheartening in the past. A handful of manufacturers have made great strides in securing their devices and controlling software recently - and there has been a change in the hearts and minds over the last 6 months (pun intended) as more publicity has been drawn to the topic. The medical clients we've been working most closely with over recent months have made huge leaps in making their latest devices more secure, and their next generation of devices will be setting the standard for the industry for years to come.
In the meantime though, there's a tremendous amount of work to be done. The FDA's alert is significant. It is a formal recognition of the poor state of security within the industry - providing some preliminary guidance. It's just not quite a call to arms I'd have liked to see after so many years - but I guess they don't want to raise too much fear, nor the ire of vendors that could face long and costly FDA re‑evaluations of their technologies. Gandalf would be disappointed.
(BTW I actually liked Peter Jackson's rendition of The Hobbit).