High level overview of current security issues in medical device security, what is being hacked by security researchers, who are the major security players, hacking predictions, FUD vs. Reality.
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
1. Medical Device Security: State of The Art
Shawn Merdinger, Network Security Analyst
University of Florida & Shands Hospital, Academic Health Center
NoConName, Barcelona, 16 September 2011

2. Thoughts so far...
- I'm very excited to speak at NoConName again
- Did VoIP phone security talk in 2006
- A big thank you to Nico
- Cons take a lot of work and organization
  - Done out of PASSION and not for $$$$
  - Important work that builds global connections, research opportunities and friendships

3. Obligatory Speaker Slide
- Doing security for 10 years
  - Started at Cisco, did internal product hacking
  - Also worked at TippingPoint, and a few other places...
  - Did some private consulting
- Now: work and school in an academic health center
  - University of Florida: hospital, medical school, dentistry, pharmacy, nursing, etc.
  - Network operations, some research on medical devices
  - Getting 2nd master's degree in Public Health
- Conference talks and travel when I can

4. Talk Overview
- What are medical devices
- How bad are the risks
- Who is doing research
- How you can get involved
- Trends and predictions
- Resources

5. Talk Goals
You will have...
- A better idea of medical device security risks
  - Real world versus FUD and media hype
- Learned about current research
  - Players, trends
- Gained insight for your own research, career
  - Ideas / targets for vuln research, conference talks
- Learned useful medical device security resources
  - Industry knowledge, keep up to date, follow changes

6. What is a Medical Device?
- Some are obvious
  - Implants, infusion pump, radiation
- Many grey areas
  - EMR (electronic medical record)
  - Software
  - Apps (iPad, etc.)

7. SCADA for the Human Body
- Parallels with SCADA security challenges
  - Specialized devices
  - Built on top of COTS (e.g. Windows, SQL, Java, etc.)
  - Long operational timelines
  - No downtime, critical operations
  - Not designed to be patched
  - Vendor maintained "Black Box"
- "Lost decade"
  - Missed the opportunity to secure (Digital Bond blog post)
14. Security Risks to Medical Devices
- Software quality
  - Many software recalls already!
- Vendors not ensuring product security
  - Always an afterthought: "bolt security on, not bake it in"
- Complexity
  - Hard enough just to make devices "work"; now we must "secure" it?
- Integration into IT infrastructure = more attack surface
- Interference in wireless frequencies among devices

15. Security Risks
- Now part of integrated information systems
  - Electronic Medical Record, data collectors
- Lack of FDA and FCC regulation and oversight
  - Increasing, especially for medical apps: FDA proposal, July 2011
- Who owns (pays for) the problem (and the fix)?
  - Vendor, integrator, consultant, doctor, patient

16. It will get worse before it gets better
- But how do we really know how bad?
  - Formal incident reporting is complex and tedious
  - Lots of anecdotal reports
- Is it a software flaw? A bug? An attack?
  - Identification of actual hacking is a huge challenge
  - Few formal processes today
- Expect lots and lots of facepalms

17. It will get worse before it gets better
- Cyber: STUXNET-like attack targeting medical devices
  - Nation-state / terrorism / secondary attack
- Competitors hacking each other's devices
- Evil blackhats, hacktivists, disgruntled employees
- Possible, but doubtful. FUD alert!!!

18. So how bad is the risk? It depends...
- 1st biggest risk today is poor software design
  - Errors, crashes, bad user interfaces
- 2nd biggest risk is "collateral damage"
  - COTS software pwned by viruses, trojans, bots
  - Complexity of environment
- 3rd biggest risk is disgruntled, evil or stupid employees
- Other risks
  - Competitors, industrial sabotage
  - Terrorism, nation-state, "Cyber"
  - Growing "hacker" and security researcher interest
    - Sexy topic, esoteric new gear, very personal, hot area

19. Real world threat: Power Outage
- San Diego blackout (Arizona + Mexico)
- 1 person made a mistake 300 km away
  - Sub-station in Yuma, AZ

20. Real world threat: Imposter
- Florida hospital
- Obtained legitimate I.D. -- pwned. How?
- Wanted more access; activity raised questions
  - Weird statements, strange background
  - Impersonated a cop
- Difficult situation
  - Underage, juvenile; background check
- Wannabe Frank Abagnale?

21. Real world threat: Evil Employee
- Ghostexodus...
- Security guard
- "Hacked" hospital HVAC
- Posted on forums, YouTubed his "hack"
- Pwned by Wesley McGrew

22. Poor Software: Therac-25
- First major failed medical device (1980s)
- Radiation treatment -- linear accelerator
- Software bug: race condition
- Resulted in too much radiation (125 x normal dose)
24. Secure from What?
- How do you define "secure"?
- Proving a negative = impossible
- How do you prove "secure"?
  - Cannot prove that a device is secure
  - Can only prove resistance to tested attacks

25. MedDev Security is Hot!
- Pacemakers in 2008
- BlackHat and DEFCON
- Public exposure
- US Congress involved
- meh.

26. MedDev Security is Not New
- "Best Practices" documents
  - Several working groups, consortiums
  - Good info, but no power or stick to drive change
  - "Work together with vendors... blah, blah"
  - HIMSS medical device security workgroup in 2004
  - University HealthSystem Consortium medical device security effort in 2005
- Formal FDA statements
  - FDA guidance for COTS software published in 2005
  - Addresses patching for vulnerabilities

31. Academic Researchers
- Dr. Kevin Fu, University of Massachusetts: heart pacemaker (2008)
- Dr. Tadayoshi Kohno, University of Washington: heart pacemaker (2008)
- Dr. Mark Gasson, University of Reading: infected RFID tag in hand
- Dr. Nathanael Paul, Oak Ridge National Lab: insulin pump (2010)
- Steve Hanna, UC Berkeley: automated external defibrillators
- Bobak Mortazavi, UC Los Angeles: pulse oximeter
33. Security Research Predictions
What will we see in the next 2 years?
- More of what security researchers can get...
  - Personal medical devices (hacking their own)
  - Low-end medical equipment (eBay)
  - Pharmacy dispenser cabinets (device aftermarket)
  - Home medical equipment (grandmother's box)
  - Other medical equipment (defibrillator)

34. Hacker Access to Medical Devices
- Access to MedDev documentation
  - Hackers love documentation
  - MedDev vendors have tight document control
  - Very difficult to find and download
  - Restricted information, non-disclosure agreements
- Access to devices
  - Difficult to acquire in many cases
  - US federal law restricts sale of some devices
  - US aftermarket is a very grey area

35. eBay & Medical Devices
- Medical pharmacy cabinets, patient monitoring, diagnostic systems, data storage, COW (Computer on Wheels), etc.
- eBay search results: "medical ethernet"

36. Security Research Predictions
- Apps, Apps, Apps
  - 17,000 medical apps
- Many types
  - Personal health monitoring
  - Specialty (PACS, DICOM, Electronic Medical Record)
  - Connected to medical devices (diabetic insulin pumps)
- Month of Medical App Bugs?
  - Need this for med apps -> DerbyCon (30 Sept 2011)

37. Trends to Watch
- Expect big industry and gov't fight
  - What is a medical device? Who has regulatory control?
  - Lobby money, politics, etc.
- Who owns the problem? Who is legally liable?
  - US Supreme Court "Medtronic ruling" impact?
  - Limits vendor liability if FDA-approved device
- Lots and lots more FUD
  - Fear, Uncertainty, Doubt
  - Media sensationalism

38. Trends to Watch: Stifled Security Research
- Researchers are reluctant to name vendors. Why?
  - Fear of getting sued by companies
  - Research scares powerful people
  - Media coverage adds to fear
  - Academics want research funding
- Jerome Radcliffe: public fight with Medtronic
  - Stay tuned to this...
- "Cone of Silence"

39. Careers and Job Outlook
- Expect growth and demand for security pros
  - Will accelerate in next 1-3 years
- Industry is building a new ecosystem
  - Vendors, device manufacturers, consultants, hospital IT
- Hot security areas
  - Healthcare IT security: hospitals, vendors, consulting
  - Medical mobile apps security analysis
  - Expect a certification process from FDA
- Big security firms (McAfee, Symantec, etc.)
- Boutique firms (Fishnet)

40. Want to hack? Target Mobile Medical Apps.
- Why?
  - Cheap, accessible platform
  - Ties into other medical devices = broad attack surface
  - Research, attack tools and docs available
- Security evaluation of multiple apps
  - Development set-up for iPhone / Android
  - Look at marketplace, target popular apps
- When hacking, look for
  - Personal information disclosure
  - Read, write, modify, destroy data
  - Crash + execute + exploit
- Send your bugs to CERT/CC, FDA and FCC
- Write whitepapers, talk at security conferences
41. Resources
- USENIX HealthSec Conference
  http://www.usenix.org/event/healthsec11
  http://www.usenix.org/event/healthsec10
- Draft Guidance - Mobile Medical Applications (July 2011)
  http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
- IEC 80001-1: Application of Risk Management for IT-Networks Incorporating Medical Devices
  http://www.iso.org/iso/catalogue_detail.htm?csnumber=44863
- Getting Started with IEC 80001: Essential Information for Healthcare Providers Managing Medical IT-Networks
  http://www.aami.org/publications/Books/80001-GS.html
- HITSP - Healthcare Information Technology Standards Panel
  http://www.hitsp.org

42. Resources
- Medical Device Security Center
  www.secure-medicine.org
- Medical Device Isolation Architecture Guide, Department of Veterans Affairs
  http://www.himss.org/Content/files/VA_VLAN_Guide_040430.pdf
- FDA: Cybersecurity for Medical Devices is a Shared Responsibility
  http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm189111.htm
- FDA medical device related databases
  http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Databases/default.htm

43. Resources
- HIMSS Manufacturer Disclosure Statement for Medical Device Security - MDS2 (2004)
- MDISS - Medical Device Innovation, Safety and Security Consortium
  www.mdiss.org
- North Carolina Healthcare Information & Communications Alliance, Vendor Security Matrix (2003)
- Killed by Code: Software Transparency in Implantable Medical Devices
  http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html
- Therac-25
  http://www.bowdoin.edu/~allen/courses/cs260/readings/therac.pdf
  http://sunnyday.mit.edu/papers/therac.pdf
  http://www.ircrisk.com/blognet/?tag=/cancer

44. Thanks!
- MedSec group on LinkedIn -- please join
- Twitter: @shawnmer
- shawnmer@ufl.edu
- shawnmer@gmail.com
Editor's notes (speaker notes, per slide)
Points: I'm very excited to speak at NoConName again. Did a VoIP phone security talk in 2006. A big thank you to Nico. Cons take a lot of work and organization, done out of PASSION and not for $$$$. Important work that builds global connections, research opportunities and friendships.
Doing security for 10 years. Started at Cisco, did internal product hacking. Also worked at TippingPoint, and a few other places... Did some private consulting. Now: work and school in an academic health center, University of Florida: hospital, medical school, dentistry, pharmacy, nursing, etc. Network operations, some research on medical devices. Getting 2nd master's degree in Public Health. Conference talks and travel when I can.
What are medical devices. How bad are the risks. Who is doing research -- academic, hackers, companies. How you can get involved -- ideas for your own hacking fun. Trends and predictions. Resources.
After this talk, you will hopefully have... a better idea of medical device security risks: real world versus FUD (fear, uncertainty, doubt) and media hype. Learned about current research: players, trends. Gained insight for your own research, career: ideas / targets for vuln research, conference talks. Learned useful medical device security resources: industry knowledge, keep up to date, follow changes.
Points: Some devices are classified as medical devices, some are not. There is a lot of "grey area" -- for example, an iPad is not a medical device by itself, but if an iPad is used to view a medical image like the picture on the right, does it then become a medical device? It is unclear from a government and regulation position RIGHT NOW... but that will likely change.
Points: Medical devices are in many ways like SCADA systems. Specialized. Built on top of COTS -- commercial off-the-shelf systems. Long operational timelines. No downtime, critical operations. Not designed to be patched. Vendor maintained "black box". The "Lost Decade" is a reference to a blog post by Dale Peterson at Digital Bond. The main point is that we have let vendors "off the hook" as far as holding them responsible and pushing for more secure SCADA software. We are at more risk than ever, and we really had a chance to make a difference but we blew it...
Points: Notice all of the computers and medical equipment. Most of that is running on Windows, or maybe an embedded Linux. In the near future we will see more devices. We will also see more remote access -- specialist doctors will operate from hundreds of kilometers away.
Points: Medical networks are very complicated. There are many different devices, operating systems, protocols (including wireless). The core network is the same old stuff we are used to -- switches, routers, etc. Pay attention to the BAN -- Body Area Network -- this is going to be a growth area and new personal health devices will now be connecting to the network. Perhaps someday nano sensors in the bloodstream -- each with an IPv6 address!
And you thought he didn’t have any “heart” (looking for a Spanish word that fits “heart” in this context)It is true, Dick Cheney has no heartbeat. The pump makes a “whhhiirrrr” noise!
This is a scary picture. Marketing guys like this one a lot.But it is a good example of how most people see this technology and how it fits.
Some examples of medical devices that are for personal use.
Grandma's got a new computer! And it hooks up to her blood pressure machine! This is an Intel product and is in clinical trials and testing. Will provide video conferencing, connection to medical devices like blood pressure and glucose monitors, etc. Will provide medication reminders, alerts, appointment reminders. I predict this will be the first big solution for home medical use. We *might* see this at Defcon 20 ;-)
Software quality is not great in medical devices and there have been many software recalls already. Vendors are not ensuring product security and it is the "same old story" of security being an afterthought and having to later "bolt security on, not bake it in" from the beginning. Medical devices are complex and it is hard enough just to make devices "work" -- now we must "secure" it? The integration into IT infrastructure means a wider attack surface. More devices can lead to interference in wireless frequencies among devices.
Points: Now part of integrated information systems. Lack of FDA and FCC regulation and oversight; this is changing. Who owns the problem? Who pays for the fix? What are the costs and for whom? Vendor, integrator, consultant, doctor, patient?
Points: It will get worse before it gets better. Today, there are problems with how we measure and track vulnerabilities in medical devices. We rely on medical people to report bugs. Lots of informal reports and stories of bugs, exploits. We are at the early stages of medical device forensics, being able to recognize an attack or a bug. Expect lots of "facepalms" because it is frustrating and we will see a lot of stupid bugs and attacks happen that should have no chance. It is like 1995 as far as security and medical devices. We have not even seen the "ping of death" yet!
Points: A real nightmare possibility is a Stuxnet attack targeting medical equipment -- like a radiation machine. Who would do this? Terrorists. Competitors trying to hurt each other in the market. Evil hackers, hacktivists, disgruntled employees. This is what the media likes to sensationalize. It is "sexy" and scares people. Reality is this is possible, but not very likely to happen SOON. But we will see this in the next 2-5 years.
Points: So what are the biggest risks to medical devices today? Bad software. The Windows box that a medical device runs on gets pwned with a virus/worm. Evil or stupid employee -- for example, checking a webmail account with the browser of a medical device PC... yes, it happens all the time! Other risks are what I talked about in the slide before.
Points: What will hurt you? Things like power outages caused by one guy 300 kilometers away. And of course the back-up generators failed at two hospitals. Had to move people from the Intensive Care Unit (the most severely ill people) to other hospitals -- transport, movement, stress.
A 17-year-old student in Florida obtained legitimate I.D. He was discovered because he wanted more access to hospital areas and this raised questions -- he also made some weird statements (undercover police officer on a secret case). These are difficult situations with people this young. Hard to do a background check. Maybe he thought he was Frank Abagnale from the movie "Catch Me If You Can"?
Points: The security guard infected hospital computers with his own special botnet. He also hacked the hospital HVAC (heating and AC). Bragged online about a "Fire Sale" -- the same line as from Die Hard 4 and the cyberattack where "everything must go." This got a lot of attention. Tracked down and busted online by Wesley McGrew. Now in Texas prison for 9 years. And there is no air conditioning in Texas prisons.
Points: This was the first major medical device failure caused by a software bug. Killed several people. Injured many others. Root cause was a race condition programming error that could give 125 times the normal dose.
Points: A McAfee software update (the April 2010 DAT 5958 release, which falsely flagged svchost.exe on Windows XP) put many PCs into a non-bootable state. Each PC had to be physically worked on to recover. This affected many hospitals. Great example of how complexity is the enemy of security. This is supposed to protect you and instead hurts you!
Points: Kind of a philosophical slide. What does it mean to be secure? How can you prove something is secure? You cannot do this! If someone tells you "it is secure", the first question you should ask is "secure from what?" In computer security, you can only prove that it resists the attacks you tested.
Points:Because of academic research and recent hacker conference presentations, medical device security is now HOT.I’m not overly impressed. MEH.
Points: Medical device security may be HOT now, but it has been around for years, at least since 2003. Lots of meetings, best practices documents, "we have to work together". In 2005, FDA provided info on how and when to add patches. The problem with patching medical devices is that if there are changes to the function, it has to go through FDA re-certification, which is expensive, complex and takes time.
Points: This should be the scariest slide. Why? Because this says there is no one really regulating software. FDA does not regulate software as such. It regulates medical devices. We are back to the question of "what is a medical device?"
Points: But FDA does do some good things, like having reporting databases such as MAUDE (Manufacturer and User Facility Device Experience). This provides tracking of issues, and there are several security-related categories to search.
Points: This is an example free-text search for "buffer overflow" and the resulting 10 records.
Points:Will talk about who the “players” are in the field these days.
Points:All of these people have university web pages, papers, etc. online.
Medical device presentations from 2011 Black Hat and DEF CON 19: Jerome Radcliffe hacked his own insulin pump. Tim Elrod and Stephan Morris -- Fishnet Security guys, working on DICOM fuzzing tools. See the Fishnet website for more information.
Points: What will we see in the next 2 years? More of what security researchers can get... Personal medical devices (hacking their own). Low-end medical equipment (eBay). Pharmacy dispenser cabinets (device aftermarket). Home medical equipment (grandmother's box). Other medical equipment (defibrillator).
Points: Hackers love documentation. It allows them to learn all about the software. Medical device companies typically have VERY tight document control. You will not typically be able to easily find technical manuals, admin guides, etc. Access to devices can be hard. US law restricts the sale of some types of devices -- you have to be a legitimate medical provider, doctor, etc. There is a very grey aftermarket. If you look hard enough for a device, you can probably find it. Exceptions would be implantable devices... those are very hard to get.
Points: Here are some examples of what I found on US eBay doing a search for "medical ethernet". If I wanted to start targeting devices, I would buy them off eBay and start doing network attacks. If it has a network interface, it's a target for full port scans, Nessus, fingerprinting, etc. Look for any listening services and go after them. You will probably see telnet, etc. Pro tip: passively sniff the network interface using a hub when you first boot up the device. Does it "phone home" over the network?
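An added worked example for the "passive sniff at first boot" step above; it is not from the talk. It assumes the device was given 192.0.2.50 on an isolated lab segment 192.0.2.0/24 and that the capture is "tcpdump -n" text taken from a hub or SPAN port; the capture lines are constructed for the example, not traffic from any real device. The script answers the two questions the note raises before any active scan: what the device tries to reach on its own (DNS lookups, outbound TCP SYNs and UDP, with the off-segment subset as the "phone home" list) and which TCP ports it answers on. Do the passive pass first and only then run port scans or Nessus, and only against your own eBay device on that isolated segment: active scanners are known to crash fragile embedded network stacks, so never point them at a clinical network.

```python
import ipaddress
import re

# Assumptions for this example (not facts about any particular device):
# the device got 192.0.2.50 on the isolated lab segment 192.0.2.0/24.
DEVICE_IP = "192.0.2.50"
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# One "tcpdump -n" line: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
DNS_QUERY_RE = re.compile(r"\b(?:A|AAAA)\? (?P<name>[\w.-]+)\.")
SYN_RE = re.compile(r"Flags \[S\]")        # bare SYN: a new connection attempt by the sender
SYN_ACK_RE = re.compile(r"Flags \[S\.\]")  # SYN-ACK: the sender is listening on its port

# Constructed capture of a device's first seconds on the wire (not a real device's traffic).
SAMPLE_CAPTURE = """\
10:01:02.123456 IP 192.0.2.50.49152 > 192.0.2.1.53: 12345+ A? update.vendor-example.test. (44)
10:01:02.130000 IP 192.0.2.1.53 > 192.0.2.50.49152: 12345 1/0/0 A 198.51.100.20 (60)
10:01:02.140000 IP 192.0.2.50.49153 > 198.51.100.20.443: Flags [S], seq 1000, win 65535, length 0
10:01:02.150000 IP 198.51.100.20.443 > 192.0.2.50.49153: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:01:02.160000 IP 192.0.2.50.49153 > 198.51.100.20.443: Flags [.], ack 1, win 65535, length 0
10:01:03.000000 IP 192.0.2.50.49154 > 192.0.2.10.8000: UDP, length 48
10:01:05.000000 IP 192.0.2.7.40000 > 192.0.2.50.23: Flags [S], seq 3000, win 65535, length 0
10:01:05.100000 IP 192.0.2.50.23 > 192.0.2.7.40000: Flags [S.], seq 4000, ack 3001, win 65535, length 0
"""


def parse_packet(line):
    """Split one tcpdump line into its fields, or None if it is not an IP packet line."""
    m = PKT_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_boot_capture(lines, device_ip=DEVICE_IP, local_net=LOCAL_NET):
    """Summarise what a freshly booted device does on the network.

    dns:       names the device resolved
    outbound:  (proto, dst, port) connections the device opened itself
    external:  the subset of outbound that leaves the lab segment -- the "phone home" list
    listening: TCP ports on which the device answered a SYN with a SYN-ACK
    """
    report = {"dns": [], "outbound": [], "external": [], "listening": []}

    def add(key, item):
        if item not in report[key]:
            report[key].append(item)

    for line in lines:
        pkt = parse_packet(line)
        if pkt is None or pkt["src"] != device_ip:
            continue  # only packets the device itself sent matter here
        rest, dst, dport = pkt["rest"], pkt["dst"], int(pkt["dport"])
        if dport == 53:
            q = DNS_QUERY_RE.search(rest)
            if q:
                add("dns", q.group("name"))
        elif SYN_RE.search(rest):
            add("outbound", ("tcp", dst, dport))
        elif rest.startswith("UDP"):
            add("outbound", ("udp", dst, dport))
        elif SYN_ACK_RE.search(rest):
            add("listening", int(pkt["sport"]))

    report["external"] = [c for c in report["outbound"]
                          if ipaddress.ip_address(c[1]) not in local_net]
    return report


if __name__ == "__main__":
    for key, items in analyze_boot_capture(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{key}: {items}")
```

Feed it a real capture with `tcpdump -n -l -i <hub interface>` piped in, or saved to a file first. Anything in the "external" list is a vendor or update endpoint worth a closer look (what is sent, whether it is authenticated), and the "listening" list is the starting point for the service enumeration the note describes.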
Points: There are many medical apps available for Apple and Android. Some are just for entering data, like tracking blood pressure with manual data entry. Other apps are viewers for special images like x-rays. I think we need a Month of Medical App Bugs to raise awareness. Even better would be a quarter of bugs -- that is 90 days, with a bug in a different app for each day. Look at what is happening to SCADA: DerbyCon is a new hacker conference, with a "100 SCADA bugs in 100 days" presentation.
Points: Trends to watch. We are going to see industry and government conflict over medical devices. What is a medical device? Who has the power to regulate? Expect politics and lobby money to influence. The medical device industry spends lots of money to lobby politicians. The biggest question of all: who is legally liable? Who can get sued if something bad happens? The US Supreme Court ruled (Riegel v. Medtronic, 2008) that if the device has FDA premarket approval, then there is "limited liability" -- state-law claims against the maker are largely preempted, so the company's exposure is far lower than if the damage was caused by negligence. We can expect more Fear, Uncertainty, Doubt and media sensationalism -- making the story seem a bigger threat than it really is in the real world.
Points: Notice that in almost all of the research the companies and specific products are not named. If there was full disclosure, a lot more information and the company names would be made public. I believe this is because many researchers are afraid of getting sued by companies. Also, university academic researchers want funding money, so they do not want to make companies and industry angry. It is different with some researchers. Jerome Radcliffe at first did not name the company in his Black Hat presentation because he was working with them. However, the company, Medtronic, and he have different opinions on fixes and other issues, and now, to put more pressure on Medtronic, Jerome has made more information public. This is a situation to watch.
Points: Healthcare security is a hot area. Demand will grow for security professionals in the next few years. Why? Because of new technology (like Electronic Medical Records) and new risks. You have choices where to go: vendors / device makers, be a consultant, work in hospital IT. Watch the big security players and medical IT -- they are really trying to get into the market! Some cool boutique firms like Fishnet as well.
Points: If you want to do some hacking, why not do a security evaluation of medical apps? Remember there are so many, around 17,000. I recommend finding bugs in multiple apps, and publishing a "month of medical app bugs". Build a test environment on your PC -- use the Apple and Android developer kits. What to look for in app bugs? Personal information hidden in the app. Try to read, write, modify/change, or destroy data in the app. Crash and get executable code, l33t. Be a whitehat hacker and send your bugs to CERT/CC, FDA and FCC. Write a whitepaper, publish your tools, talk at security conferences.
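An added example for the "personal information hidden in the app" and "read, write, modify data" checks above; it is not from the talk and does not describe any real app. It audits an app's data directory as pulled from a test device or simulator: every file (SQLite databases dumped row by row, everything else read as text) is searched for cleartext personal data, and file modes are checked for world-readable storage, which on a rooted or jailbroken device means any other process can read the data. The sandbox layout, file names and the personal-data patterns (SSN, date of birth, an "MRN:" medical record number) are constructed assumptions for the example, not a complete PHI taxonomy.

```python
import os
import re
import sqlite3
import stat
import tempfile

# Illustrative patterns for personal data an app should never store in the clear.
# These are assumptions for the example, not a complete PHI taxonomy.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:=]\s*\d{6,}\b", re.IGNORECASE),
}
SQLITE_MAGIC = b"SQLite format 3\x00"


def text_from_file(path):
    """Return the readable text of a file; SQLite databases are dumped row by row."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head == SQLITE_MAGIC:
        con = sqlite3.connect(path)
        try:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            cells = []
            for t in tables:
                for row in con.execute(f'SELECT * FROM "{t}"'):
                    cells.extend(str(c) for c in row)
            return "\n".join(cells)
        finally:
            con.close()
    with open(path, "rb") as f:
        return f.read().decode("utf-8", errors="replace")


def audit_app_storage(root):
    """Walk an app's data directory; report cleartext personal data and weak file modes."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            text = text_from_file(path)
            hits = sorted(k for k, rx in PHI_PATTERNS.items() if rx.search(text))
            world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            if hits or world_readable:
                findings.append({"file": rel, "phi": hits, "world_readable": world_readable})
    return sorted(findings, key=lambda f: f["file"])


def build_sample_app_dir(root):
    """Constructed sandbox contents for the example (not data from any real app)."""
    docs = os.path.join(root, "Documents")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(docs)
    os.makedirs(prefs)
    db = os.path.join(docs, "glucose.sqlite")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE patient (name TEXT, ssn TEXT, dob TEXT)")
    con.execute("INSERT INTO patient VALUES ('Jane Doe', '123-45-6789', '1960-02-14')")
    con.commit()
    con.close()
    os.chmod(db, 0o666)  # readable and writable by any process on the device
    plist = os.path.join(prefs, "com.example.glucose.plist")
    with open(plist, "w") as f:
        f.write("<plist><dict><key>mrn</key><string>MRN: 00123456</string></dict></plist>\n")
    os.chmod(plist, 0o600)
    readings = os.path.join(docs, "readings.csv")  # epoch timestamps, no personal data
    with open(readings, "w") as f:
        f.write("1314864000,5.4\n1314878400,7.1\n")
    os.chmod(readings, 0o600)
    return root


def run_sample_audit():
    """Build the constructed sandbox in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_app_storage(build_sample_app_dir(tmp))


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Point `audit_app_storage` at a directory copied off the device (iOS app container or Android /data/data/<package>). A hit in a world-readable SQLite file is the exact combination the slide lists: personal information disclosure plus the ability for another process to read, modify or destroy the data. Expect false positives from the loose date pattern; treat the output as a worklist to confirm by hand, not as a finding by itself.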
Points: Some helpful resources. USENIX HealthSec has papers and some video of talks. Very good resource. Only been going for 2 years, so you know this is a new topic.
Points: Medical Device Security Center -- mostly academics here, but some good papers. The Isolation Guide is how the US Department of Veterans Affairs handles medical device security -- they have 50,000 devices and have created 3,500 separate VLANs. This is a good start, but there is a lot of overhead with managing changes, both in the network and in new device features.
Points: The HIMSS MDS2 (Manufacturer Disclosure Statement for Medical Device Security) is a very useful questionnaire to give to medical device vendors -- it asks them about security in the product in a technical fashion. The 2004 version is old and needs updating, but it is a start. MDISS is the Medical Device Innovation, Safety and Security Consortium. North Carolina has a better technical questionnaire document to give to vendors. Use this with the MDS2 and you have a good set of questions. "Killed by Code" is a paper advocating open source code in medical devices. Lots of lawyers in this organization and it is one to watch as more vulnerabilities come to public attention and the lawyers get involved more. Therac-25 -- some documents on the first really bad medical device failure that killed people.
Points: I started MedSec on LinkedIn about 2 years ago. The group now has over 200 people. Many of the academic people I mentioned are in the group, and also people from big companies, medical device vendors, consultants, etc. Please send a request to join the group and I will add you. A lot of the information comes from me posting news, papers, talks, research, etc. It is also a good way to contact other researchers and companies. You can email me at shawnmer@ufl.edu or shawnmer@gmail.com