Tuesday, November 10, 2015

Hospital Held Hostage

  A number of people alerted me that a recent episode of CSI:Cyber, which aired on 11/1/15, had as its theme a cyber attack on a hospital.  The episode was entitled "hack E.R." (see what they did there??? :-) )

   The episode begins with an ominous image showing up on computer screens and all systems in a fictional hospital being under the control of an online attacker.  They threaten to kill a victim every four hours if not paid a ransom.  They then kill a victim by causing an infusion pump to deliver a fatal dose of morphine while preventing the patient's heart monitor from alarming.

   We then follow the CSI:Cyber team and the hospital staff as they try to solve the mystery and track down and stop the attacker.  I won't give a full synopsis nor a review.  You can find some of that here and here (spoiler alert - these linked articles do give away the ending).

   Let's review what was potentially real and some of the deficiencies of the episode.  First the realistic.
  • The first device attacked was an infusion pump.  There were well publicized vulnerabilities in Hospira infusion pumps earlier this year.
  • The attacker was asking for a ransom.  We have seen many "ransomware" attacks in recent years and these are on the rise.
  • The CSI team mentions that many medical devices use no, or weak, authentication methods.  This is true.
  • The actual attack started from a smart TV.  Smart TV, game systems and other consumer devices have little or no security controls and can be found connected to business computer networks.
  • Further investigation determined that the attack actually started from a custom hardware chip added to the smart TV.  This same thing happened with credit card readers in stores a couple of years ago.
  • The hospital had a "flat network" meaning that the virus code to could travel unimpeded to any device in the hospital.  This is unfortunately all too common.
  • The attacker was motivated to attack this particular hospital.  Most online attacks are financially motivated, but there are plenty politically motivated and directed attacks.  These are often called "hacktivism".
  • Having incorrect information in a medical record (electronic or paper) could be disastrous.
  • The attacker had easy physical access to the computer network.  Many companies don't do a good job of protecting walk-up access to systems, networks and data.

   Wow, that's a lot of reality.  Some of the plot was a bit of a stretch.
  • The attacker was able to control all the medical devices in the whole hospital.  That's extremely
    unlikely.  There is so much variation among these devices.  If anyone could come up with a single software program that could be used to control it all, they could sell that an be a billionaire!
  • Or even to find an exploit that would effect such a wide variety of systems is unlikely.
  • If that wasn't enough... the virus was able to jump to the portable defibrillator.  While a virus can travel when copied to standard media devices like usb thumb drives, there's more involved when trying to infect a device that has limited intelligence.
  • Also, the CSI team was able to respond and write custom protection code much faster than a normal human could
  • The ending was a big stretch... I'll comment on that at the end of this post.

   Still, there's plenty for us to think about.

   Medical devices are just one type included in the fastest growing part of the internet, dubbed the Internet of Things or IoT.  The IoT is made up of devices that typically don't have the full set of capabilities of a computer or even a smart phone.

   There are three major security problems with IoT devices:
  1. they are often devices that were not originally designed to be networked on the Internet - like many medical devices, light bulbs, cars, kitchen appliances, etc.
  2. they often have custom operating code that is not as well reviewed as computer operating systems like Window or Linux.
  3. both of these issues mean that there is often insufficient testing for relatively simple problems.
   Our homes, cars and healthcare aren't the only areas where we have concerns.  There is retail and banking with millions of point-of-sale devices and ATMs, manufacturing with robotic assembly lines and warehouses and, of course, the power grid.

   Here are some general security points for people who build, buy or use IoT devices:

Vendors:

  • Build Security In.  Security controls should be part of the design.  As we say, security needs to be baked in, not bolted on.
  • Test. Test.  Then test some more.  Assume customers will use devices in unexpected ways.
  • Document your designs and understand your code - so you can more quickly fix problems when they occur.
  • Own problems... when they occur.
Corporate Buyers:
  • Ask questions - can the vendor explain how their device works and the security controls?
  • Test.  Test.  Then test some more!
  • If it uses electricity then the security team needs to look at it.
  • Understand how these devices communicate.
  • Assume that someone will connect it to the Internet at some point.
  • Segment networks when possible.
  • Devise compensating controls.
Home Buyers:
  • Ask questions - understand what personal data these devices will collect, transmit or store, and where will they store it?
  • Are there options to turn off some features?
  • Does the company have a Privacy Policy? What will they do with the data they collect about you?
  • Unfortunately with most consumer products you often only have two choices: use the product and accept what happens with your data, or don't buy the product. (for example, most of the smart lightbulbs do not have configuration options)
   So, how did it end for the hospital on CSI:Cyber?...

Spoiler Alert!  If you don't want to know how the show ends, stop reading now... you have been warned!

   I found the solution and the end of the show very unsatisfying.  I mean the solution to the mystery and not the tying up of the character's personal emotional issues (which happened a bit too quickly but I don't watch the show nor know the characters).

   Doctors are smart people.  But the depth of action of the malware, the use of hardware chip added to a smart TV, and the modifications made along the way could not be pulled off by an amateur.  If an attack to this extent is even possible right now, the execution would be highly complex and take an expert.

   However, there are experts out there...

No comments:

Post a Comment