Time to Stop the Bleeding on Medical Device Security

There has been much discussion recently around the insecurity of medical devices, yet attackers are still determining how to best leverage these devices once compromised. What does this mean for device manufacturers and the medical facilities that use them?

The amount of attention being paid to the security of IoT devices continues to increase, and rightly so. The security of most of these devices is pretty terrible at the moment, and while interest from researchers will help improve that situation, it’s a long-term project. These things don’t change overnight.

If you need evidence, have a look at the state of affairs with medical devices. For years now, security researchers such as Billy Rios and many others have been warning about how poor - and in some cases non-existent - the defensive measures are on most medical devices. Things such as medicine dosing machines, insulin pumps, and all manner of other devices that sit in hospital rooms and medical offices around the world and are vital to the care of patients are now exposed to the Internet. And to attackers.

Like the Internet itself, these devices were not built with security in mind. They were built to do specific jobs and to be resilient, but they were not designed to be resistant to attack. Because the idea of someone wanting to compromise a drug pump wasn’t something that the designers and engineers were thinking about. But that’s what attackers are doing, and they’re having an easy time of it.

A pair of security researchers wanted to find out how attackers are looking for vulnerable devices online, what kind they’re looking for, and what they do when they locate them. So they put together a honeypot network of 10 intentionally vulnerable devices of different kinds. The devices were running Windows XP, still the operating system of choice for many of these machines, and they mimicked the Web interfaces and other details of the devices. And then they set them loose on the Internet to fend for themselves.

The attacks came quickly and they were just as successful as you’d think. Attackers hit the honeypot devices with a variety of different techniques, and the researchers said they saw more than 55,000 separate logins to the devices over the Web and via SSH and 24 exploits used successfully against the machines. They discovered hundreds of separate malware samples on the devices, all of which aren’t unexpected.

But the odd thing is that once the attackers were on the devices, they didn’t actually do anything malicious. A lot of the malware that researcher Scott Erven and his partner discovered on the compromised devices was designed for other purposes, like stealing financial data. That’s not much use on an infusion pump, but in a real-world situation some of those devices would be connected to the internal network of the facility, giving attackers a nice foothold for further movement.

The attackers may not know what they have their hands on when they hit one of these devices right now, but don’t expect that to last. Like defenders, attackers constantly change and adapt their tactics and learn new techniques, and this won’t be any different. Erven said making a few changes now could have a major effect in defeating many attacks.

“We have to stop bringing this stuff into our environments. We don’t always know the perfect solution going forward, but we clearly know what’s failed in the past,” Erven said.

Dennis Fisher


Gartner 2017 Magic Quadrant for Enterprise Data Loss Prevention (DLP)

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.