Vulnerabilities in IoT devices.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
May Wang: We actually spent many years studying IoT devices, including medical devices, and we found lots of vulnerabilities.
Dave Bittner: That's Dr. May Wang. She is chief technology officer for internet of things security at Palo Alto Networks. The research we're discussing today is titled "Know Your Infusion Pump Vulnerabilities and Secure Your Health Care Organization."
May Wang: And actually, in our 2020 IoT threat report, which is a vendor-agnostic report about the landscape of IoT security, we actually discovered, among all the medical devices we're observing, about 44% of them are infusion pumps. So it takes up a large quantity of all the medical devices we're seeing in hospitals and health care providers, et cetera. So we'd like to look into how vulnerable these infusion pumps are.
May Wang: And actually, at our research lab, we are able to crack into these infusion pumps. And as you know, Dave, these infusion pumps are used to send medications or fluids directly to patients' bodies. And in our research lab, we're able to hack into these infusion pumps and change the medication dosage that goes directly into a patient's body. So now the vulnerabilities of these pumps - we're not just talking about patient information, PII information leakage, et cetera, we're actually talking about life or death here. And it can affect hospitals' operations, can affect patient safety.
Dave Bittner: Well, can you give us an idea of the spectrum of devices that we're talking about when we're talking about infusion pumps? I mean, to what degree - are these modern devices? Are they connected to hospital networks? Do they go all the way out to the internet? What exactly are we talking about here?
May Wang: Yeah. We're seeing an increasing number of medical devices that are connected onto the network. And actually, the statistics we're seeing - years ago, we only saw 20% of new medical devices connected online. But now we are seeing 40% of new medical devices connected online. And when we are talking about connected onto the network, we're talking about these devices being connected onto the hospital's network. And in an ideal case, we would like to separate them into a separate VLAN, a separate virtual network, so that the access to these medical devices is controlled. But actually, for lots of hospitals we're working with, because of many different reasons - lack of IT support, et cetera - the situations are not that ideal. We often see in one VLAN, virtual network, we see both medical devices and your cellphones and printers and surveillance cameras - everything jammed into one VLAN. Then it makes the security control a lot harder.
May Wang: And we do see these - so when we are talking about these medical devices, we're talking about infusion pumps, imaging systems - for example, CT scanners, MRI scanners, ultrasound scanners, X-ray machines, and patient monitoring, point-of-care analyzers, nurse call stations, medical device gateways, medication dispensers, ECG machines, et cetera, you name it. So there's a very wide spectrum of medical devices we're seeing. And because these devices have different functionalities, they use different hardware, different operating systems, different applications, different protocols, and different staff members are using them. So it's actually very hard to have one security mechanism or protocol, whatever it is, to secure all these devices. So we see lots of vulnerabilities among these devices.
Dave Bittner: Well, let's dig into what you all discovered when it comes to infusion pumps. I mean, can we go through some of the vulnerabilities that you all uncovered and the degree to which they are actually pretty serious?
May Wang: Yeah. We actually looked into more than 200,000 infusion pumps, and we found 3 out of 4 pumps are vulnerable. And, of course, the severity of vulnerability is different, but the - still, 75% of pumps are vulnerable. They have security vulnerabilities, or from our - the pumps we're protecting, we see alerts coming out of these pumps. And there are many CVEs that actually disclose the vulnerabilities of these pumps, and we actually, in the report, showed more than 10 CVEs that cover the majority of the vulnerabilities these pumps are having, and we categorized them into three major categories of vulnerabilities.
May Wang: The first one is they're leaking sensitive information. Some of the - so let me first talk about how these pumps work. If you go to a hospital, you stay in the hospital, you probably had infusion pumps work on you before. And usually, it's one infusion pump. It has a base station, and this base station talks to an infusion pump server somewhere in the backstage there. And for each infusion pump, there - the base station - usually, there are multiple pumps connected to this base station, and usually they are connected through hardware connections. And these - they can vary from two pumps to four pumps and can send in different medications to your body.
May Wang: And we do see - for some - and there's - multiple vendors provide these kinds of infusion pumps. And for some vendors, we see they do have a secure messaging channel between the base station and the infusion pump server, but we also do see there are cleartext communication channels, and that actually opens up vulnerability. We can have man in the middle, we can hack in, we can access the communication information between the infusion pump and a server. And there are also vulnerabilities that you can actually physically access these infusion pump devices to gain access to sensitive information. So that's the first category - leakage of sensitive information.
May Wang: And then the second category is using default credentials to access these devices. Then you can, of course, get sensitive information, you can do all kinds of things - change the medication dosage, et cetera, once you have access to these pumps. And we do see lots of pumps are using the manufacturer default username and password. And people without authority can have unauthorized access.
May Wang: Then the third category is vulnerabilities in third-party software stacks, because lots of these infusion pumps - they can use third-party operating systems, they can use third-party TCP/IP stacks, and some of the TCP/IP stacks are vulnerable, etc. So these are the main vulnerabilities we're seeing.
Dave Bittner: Now, to what degree are these vulnerabilities accessible remotely versus, you know, someone having to actually be in contact with the device itself - in the room with it?
May Wang: Actually, most vulnerabilities we're seeing are through network connections because these devices are connected to the network and because they either have vulnerable third-party network stacks, or they use a default username and password, or they use cleartext communication channels. So all of these actually can be accessed remotely, and attackers can get access to these pumps from a remote network. They don't have to be in the same room with these pumps.
Dave Bittner: Now, in your experience, the organizations that you all are working with - is there an awareness that they have these issues? I mean, how are they approaching these sorts of IoT vulnerabilities with their medical devices?
May Wang: Yeah, that's a very good question, Dave. We do see that hospitals are investing more heavily in security mechanisms to protect these medical devices, but there are lots of challenges to protect these medical devices. Just to give you one example - these medical devices, compared to our traditional IT devices - Dave, you probably change your cell phone every other year and change your laptop every two or three years, et cetera. But these medical devices are actually in the field for many years. For example, a typical lifespan of an infusion pump is 8 to 10 years. So even if the medical device vendors can come out with perfectly secured medical devices, it's almost impossible for them to see what kind of security vulnerabilities - what kind of security risk can come out in 8 to 10 years.
May Wang: So now we're dealing with lots of legacy devices. How do we protect these legacy devices from new malware, ransomware attacks, et cetera? And also, these infusion pumps are actually very mobile. They, you know - today it's on floor six, and tomorrow it can be on floor eight...
Dave Bittner: Right.
May Wang: ...And how do you keep track of these mobile devices? And they can join different VLANs. They can join a different virtual network on a daily basis, and some of these devices even transfer from hospital to hospital. So how do you keep track of these devices and how do you secure these devices are actually very challenging topics for almost all hospitals. And, needless to mention, all hospitals are seeing an increasing amount of cyberattacks on a daily basis.
Dave Bittner: Are you aware of any instances where infusion pumps specifically have been hit by some outsider in any - you know, shut down or DDoSed or ransomwared or anything like that?
May Wang: We know there have been multiple attacks specifically targeted at IoT devices - for example, the very well-known WannaCry, NotPetya, Mirai attacks, et cetera. And, you know, Dave, in the hospitals, nobody wants to talk about the attacks. Nobody wants to tell anybody, OK, my hospital's infusion pumps have been compromised, and my - the CT scanner has been compromised. But because we are working with all these hospitals, we actually see lots of attacks, an increasing amount of attacks.
Dave Bittner: So what are your recommendations then? If I'm someone who works in the medical field and I'm charged with protecting these devices - I'm on the cybersecurity team - how do I go about this? What do you recommend?
May Wang: I think there are some basic steps people can do sort of, like, in the hospital, the basic cybersecurity hygiene we can do. The very - of course, in the ideal case, you want to keep all your medical devices up-to-date with the upgrades and the patches. But that's another issue for these medical devices because these devices are in real operations. And once they are working, nobody wants to touch them. And there are also patches that we have seen and experienced that work very well in the test labs, before they roll out to the real world, but once they're patched into devices in a hospital setting, they sometimes can break these devices. And also, needless to mention, the FDA regulation - and so lots of hospitals are very afraid to touch any medical devices, since they have to go through the HIPAA compliance, et cetera. So there are lots of legacy devices out there, and there are lots of challenges to really keep these devices with up-to-date software and security protections. So that's kind of the reality we have to live with.
May Wang: And our recommendation is, first of all, you need to have the visibility. You need to know how many infusion pumps you have, how many medical devices you have at any given time and what they are, what they're doing, what their status is. And that's actually the very first thing. Almost every customer - every potential customer we talk to, they need lots of help to help them figure out what kind of devices are connected onto their network at any given moment. So that's the first thing - visibility.
May Wang: And after you know what devices you have connected onto your network, you need to keep continuous monitoring about the security status of these devices. You need to have a holistic risk assessment because a device that was secure yesterday doesn't mean it's still secure today. So we need to have a real-time monitoring system to know if any device is out of norm, is showing any abnormal behaviors.
May Wang: And the third one is to apply risk reduction policies, to have the right VLAN set in place, which - having the right identification of devices is the foundation for setting up the right VLAN so that you can decide which device gets into what VLAN. And based on the device identification, you can set up the right policies. For example, if an X-ray machine is using a Windows system and my laptop is also using a Windows system - obviously, these two devices should have very different policies in terms of security.
May Wang: And then the fourth one is to prevent threats. Now, we're all talking about zero-day protection, et cetera, so we need to have the security mechanisms in place to prevent these threats from happening.
Dave Bittner: I'm just imagining, you know, someone like you having a little minor mishap at your house and ending up at the E.R. And, you know, before you let them treat you, you make them prove that all of their devices are up-to-date and fully patched.
May Wang: (Laughter) You know, Dave, believe it or not, we're seeing lots of unbelievable things on these medical devices, and there are...
Dave Bittner: Yeah.
May Wang: ...Some new trends that are pretty scary. I'll just give you one quick example. Years ago, we didn't...
Dave Bittner: Yeah.
May Wang: ...See any crypto mining on any of the medical devices, but now we see at least 5% of all the vulnerabilities came from crypto mining. Can you imagine the MRI machine that is scanning your body is also running crypto mining at the same time?
Dave Bittner: Yeah. The last thing you want is a laggy medical device because somebody's, you know, mining Bitcoin or Ethereum on it. It's a shame that there's no honor among thieves, that, you know, that they - that these sorts of things are out of bounds. But I suppose that's the world we're in now.
May Wang: Yup. It's - we - and especially with the latest change in the world, we're definitely seeing an increasing amount of attacks on hospitals...
Dave Bittner: Yeah.
May Wang: ...As well. Yeah.
Dave Bittner: Our thanks to Dr. May Wang from Palo Alto Networks for joining us. The research is titled "Know Your Infusion Pump Vulnerabilities and Secure Your Health Care Organization." We'll have a link in the show notes.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.