Connecting the network
These devices have their own connections to a home network, patient systems and emergency services networks, acting as a bridge between what should be separate networks, Filkins says.
Alarmingly, medical establishments are woefully unprepared for BYOD, let alone the interconnectedness of multiple new medical devices coming online, she says. More than 80 percent of health care organizations allow personal devices in their enterprises, but less than 50 percent of them have any type of security policy around their use, according to a recent Ponemon survey. Extrapolate this to the larger issue of managing devices implanted into humans, says Filkins, and the makings of a nightmare scenario emerge. “Imagine something like murder by remote-controlled pacemaker,” she says.
Hacks on implanted medical devices have already been demonstrated (also at Black Hat 2011) when security researcher Jay Radcliffe sent commands to wirelessly disable his own insulin pump, gaining the equivalent of ‘root’ control of the device. Barnaby Jack, who last year wowed the Black Hat crowd with a talk about ATM vulnerabilities, at this year's gathering also demonstrated how to hack into an insulin pump.
“Beyond their personal security, human chip implants pose new challenges philosophically and ethically,” says Will Irace, vice president of threat research at Fidelis Security Systems. “And I don't have reason to be confident that manufacturers design securely, let alone understand the new attack surfaces they're introducing.”
Vendors need to design in better security, say experts, but sometimes laws work against such safeguards. For example, Filkins cites the Food and Drug Administration's projected move to implement the unique device identification (UDI) standard in 2013, under which all implantable devices would carry particular identifiers that would likely include the device's serial number and a MAC or IP address. The rule is intended to protect users by creating a stronger, more reliable means of reaching and updating connected medical devices.
However, these unique addresses will also make the devices identifiable, and therefore targetable, on the basis of specific system vulnerabilities, Filkins says. Other critical devices, such as controllers, are also easy to identify and therefore to target, says Matthew Luallen, who is on the adjunct faculty at DePaul University in Chicago and runs the school's hands-on cyber security and control systems course. Such was the case with Stuxnet, which targeted specific Siemens control systems used in Iranian nuclear facilities.
Luallen, who also teaches courses through his own company, CYBATI, has been working with his students to inventory a large and growing number of control systems coming online with vulnerabilities – from amusement park rides to a Japanese bullet train. “Because these devices are connected, it's easy to find the specific control systems you're looking for,” says Luallen. “In our class, we create Metasploit code [modules for the Metasploit Framework, an exploitation tool written in Ruby with which security researchers investigate potential vulnerabilities] that can attack these systems in numerous ways.”
The attack surface associated with connecting control systems is messy and scary, he says, and attacks are repeatable and demonstrable by students who have little experience.
The makers of these newly connecting systems need to give more thought to protecting their systems, consumers and channels, says Luallen, among others. In particular, they should be encrypting their command-and-control channels. Many don't, he says. Encryption may not always be right for these machine communications, however. For example, think about what happens when a human implant fails and the patient is nowhere near the administering system, says Filkins.
“Say your artificial heart fails and emergency responders can't resuscitate you to get the password to unlock the encryption on your heart,” she says. Even if they could, they might have an incompatible system. Along with encryption, access controls and authentication will need to operate in an environment with multiple types of traffic. Specifically, these systems must determine what types of devices are sending traffic on the network and how to handle their entry based on what they do or do not know about those devices and users, says Mamoon Yunus, chief executive officer of Newton, Mass.-based web services provider Crosscheck Networks.
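The insulin pump attacks above worked because the device executed whatever command arrived on the radio, and Filkins' artificial-heart scenario is the objection to simply bolting encryption onto that channel. The following is an added example, not code from the article or from any pump or implant vendor, showing what the practical middle ground looks like: commands are authenticated (HMAC-SHA256 over key id, counter and command) and replay-protected, and a separate emergency key, held by responder systems rather than the clinic, is accepted but only for commands that put the device into a safe default. The keys, the `clinic`/`emergency` key ids, the `bolus` and `safe_mode` commands and the message framing are all constructed for illustration.

```python
import hmac
import hashlib

# Constructed keys for illustration only. A real implant would hold per-device keys
# provisioned at manufacture or implant time, not shared constants.
CLINIC_KEY = b"clinic-programmer-key-constructed"
EMERGENCY_KEY = b"emergency-responder-key-constructed"

# Assumed policy: the emergency key may only issue commands that move the device
# toward a safe default, so a responder never needs the clinic's credentials.
KEYS = {
    "clinic": (CLINIC_KEY, None),                 # None: any command
    "emergency": (EMERGENCY_KEY, {"safe_mode"}),
}


def legacy_handle(device_log, message):
    """The weak design: whatever arrives on the radio is executed, unauthenticated."""
    cmd, _, arg = message.partition(" ")
    device_log.append(("unauthenticated", cmd, arg))
    return "executed"


def mac(key, key_id, counter, command):
    """HMAC over key id, counter and command so none of them can be altered in transit."""
    payload = f"{key_id}|{counter}|{command}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_command(key_id, counter, command):
    """What the clinic programmer (or a responder system) sends over the radio."""
    return f"{key_id}|{counter}|{command}|{mac(KEYS[key_id][0], key_id, counter, command)}"


class Implant:
    """The hardened receiver: authenticates, rejects replays, enforces per-key command sets."""

    def __init__(self):
        self.last_counter = {key_id: 0 for key_id in KEYS}  # highest counter accepted per key
        self.log = []

    def handle(self, message):
        try:
            key_id, counter_text, command, tag = message.split("|")
            counter = int(counter_text)
        except ValueError:
            return "rejected: malformed"
        if key_id not in KEYS:
            return "rejected: unknown key"
        key, allowed = KEYS[key_id]
        if not hmac.compare_digest(mac(key, key_id, counter, command), tag):
            return "rejected: bad mac"
        if counter <= self.last_counter[key_id]:
            return "rejected: replay"
        if allowed is not None and command.split(" ")[0] not in allowed:
            return "rejected: not permitted for this key"
        self.last_counter[key_id] = counter
        self.log.append((key_id, command))
        return "executed"


def run_traffic():
    """Constructed radio traffic: legitimate, replayed, forged, emergency and raw messages."""
    implant = Implant()
    clinic_msg = build_command("clinic", 1, "bolus 10")
    return [
        implant.handle(clinic_msg),                                  # clinic programmer
        implant.handle(clinic_msg),                                  # replay of a captured frame
        implant.handle("clinic|2|bolus 99|" + "0" * 64),             # attacker without the key
        implant.handle(build_command("emergency", 1, "safe_mode")),  # responder break-glass
        implant.handle(build_command("emergency", 2, "bolus 10")),   # responder overreach
        implant.handle("bolus 99"),                                  # legacy-style raw command
    ]


if __name__ == "__main__":
    print(legacy_handle([], "bolus 99"))
    for outcome in run_traffic():
        print(outcome)
```

The point of the second key is that the failure mode Filkins describes is an authorization question, not a confidentiality one: the responder's system needs the right to stop the device, not the patient's password or the ability to read the clinic's traffic. The MAC covers the counter, so a captured frame cannot be replayed, and it covers the key id, so a frame authenticated under the emergency key cannot be relabelled as a clinic command.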
“We believe access and information exchange between exotic endpoints will best be controlled through a gateway that sits behind the network firewall,” he says. This will serve as a proxy for identifying the device requesting access, signing and authenticating tokens and supporting information exchange. Other technologies, such as network access control (NAC) and guest networking, are coming of age to support access from disparate employee-owned devices, adds Infonetics' Wilson. These sit on the network and scan a device requesting access to determine what the device is, its location, its security state and more. The NAC system then uses this information to decide what action to take, such as routing unknown devices to a separate guest network.
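Putting Yunus' gateway and Wilson's NAC together, the decision a network makes about an arriving device is a small policy over three inputs: can the device prove an enrolled identity, is it where that identity is allowed to be, and what does its security state look like. The block below is an added example written for this article, not Crosscheck Networks' or Infonetics' product logic, and it assumes a gateway that signs an enrollment token with an HMAC key only it holds, an enrollment inventory keyed by device identity (a UDI or serial would do), and four network segments named `clinical`, `corporate`, `quarantine` and `guest`. The device ids, zones, posture fields and signing key are constructed.

```python
import hmac
import hashlib

# Constructed gateway signing key; in practice held only by the gateway that enrolls devices.
GATEWAY_KEY = b"gateway-enrollment-key-constructed"

# Constructed enrollment inventory: device identity -> class and permitted zones.
# Medical devices are pinned to clinical zones; managed laptops may roam (zones None).
ENROLLED = {
    "PUMP-0001": {"class": "medical", "zones": {"ward", "icu"}},
    "LAPTOP-0042": {"class": "managed", "zones": None},
}


def issue_token(device_id):
    """Token the gateway hands a device at enrollment: the id plus an HMAC over it."""
    tag = hmac.new(GATEWAY_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def verify_token(token):
    """Return the device id if the token was signed by the gateway and is enrolled, else None."""
    device_id, sep, tag = token.rpartition(".")
    if not sep or device_id not in ENROLLED:
        return None
    expected = hmac.new(GATEWAY_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return device_id if hmac.compare_digest(expected, tag) else None


def decide(request):
    """NAC-style decision over a request {'token', 'zone', 'posture'}; returns (segment, reason)."""
    device_id = verify_token(request.get("token", ""))
    if device_id is None:
        # Unknown or unverifiable: the guest network, never the internal segments.
        return ("guest", "unknown or unverifiable device")
    entry = ENROLLED[device_id]
    if entry["zones"] is not None and request["zone"] not in entry["zones"]:
        # A valid identity in the wrong place is treated as suspect, not trusted.
        return ("quarantine", f"{device_id} seen outside its permitted zones")
    if entry["class"] == "medical":
        # Assumption: embedded devices carry no posture agent, so they get their own segment.
        return ("clinical", f"{device_id} enrolled medical device")
    posture = request.get("posture") or {}
    if not posture.get("patched") or not posture.get("av_current"):
        return ("quarantine", f"{device_id} failed posture check")
    return ("corporate", f"{device_id} managed and healthy")


def run_requests():
    """Constructed access requests as the gateway/NAC would see them; returns the segments chosen."""
    healthy = {"patched": True, "av_current": True}
    stale = {"patched": False, "av_current": True}
    requests = [
        {"token": issue_token("PUMP-0001"), "zone": "icu", "posture": None},
        {"token": issue_token("PUMP-0001"), "zone": "parking", "posture": None},
        {"token": issue_token("LAPTOP-0042"), "zone": "office", "posture": healthy},
        {"token": issue_token("LAPTOP-0042"), "zone": "office", "posture": stale},
        {"token": "LAPTOP-0042." + "0" * 64, "zone": "office", "posture": healthy},  # forged token
        {"token": "", "zone": "lobby", "posture": None},                              # personal phone
    ]
    return [decide(r)[0] for r in requests]


if __name__ == "__main__":
    for segment in run_requests():
        print(segment)
```

Two details matter more than the rule table itself. The token proves enrollment only because the gateway's key never leaves the gateway, which is why Yunus puts that function on a proxy behind the firewall rather than on the endpoints. And the default for anything the network cannot verify is the guest segment, so a new implant or a personal phone that has never been enrolled gets connectivity without ever touching the clinical or corporate segments.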