Security of Medical Devices Needs Care

Medical devices, such as pacemakers, insulin pumps and defibrillators, could become lethal in the hands of a hacker tampering with them remotely. A new study that shows medical devices—and patients—are vulnerable to cyber attacks is a wake-up call for manufacturers, according to a Silicon Valley software company that sponsored the study.

Device manufacturers must change their culture and look at security as an equal to patient safety, says Chris Clark, principal security engineer of strategic initiatives for Mountain View, Calif.-based Synopsys.

The company’s study, which surveyed about 550 employees of device manufacturers and healthcare delivery organizations (HDOs), found that nearly 70% of manufacturers and nearly 60% of HDOs believe an attack on a device built or in use by them is likely to occur during the next 12 months.

The most surprising finding, Clark says, is that about 40% of manufacturers and 45% of HDOs—despite being aware of the risks—take no steps to prevent medical-device attacks.

There are, however, some positive takeaways, he says. The study, conducted by the IT research organization Ponemon Institute, showed that “a significant percentage” of HDOs are concerned about the risk of insecure medical devices, and many are taking measures to test them for vulnerabilities. That’s a good sign, Clark says, because most study respondents work for small organizations “with limited resources and expertise in this area.”

Security painfully lacking

About 60% of respondents work for organizations with fewer than 1,000 employees; 10% said they had no budget for device security, and 40% said their annual budget was less than $500,000.

The study found that 59% of respondents employed by HDOs rated the importance of medical device security as very high relative to all other data and IT security measures deployed. Yet, only 37% of those who work for manufacturers consider such security of very high importance.

This tells us the manufacturers still operate under the premise that security is an HDO issue, and medical device security will be a lower priority for the foreseeable future, Clark says. “This statistic alone should be of great concern and a critical lesson for HDOs who are truly interested in protecting their infrastructure.”

A cyber attack on a medical device can manifest in various ways. An attacker could take control of a device to administer inappropriate or harmful treatment to a patient, Clark says. The attacker could dispense the wrong dosage of medication via an infusion pump, manipulate the electrical output of a pacemaker, crash or render a device inoperable, access the data stored or transmitted by a device or use it to pivot to other systems or devices within the same network.

Hospitals risk erosion of patient confidence

Each of these scenarios has a physical impact on a device or group of devices, but the real danger is a loss of confidence in the ability of HDOs to deliver quality care and protect patient information, Clark says. “A breach could be catastrophic for a hospital system.”

The Synopsys study found that 80% of respondents who work for medical device manufacturers or HDOs say medical devices are very difficult to secure. The top reasons cited for device vulnerability include accidental coding errors, lack of knowledge/training about secure coding practices and pressure on development teams to meet product deadlines.

Security an afterthought

Securing medical devices also is difficult, Clark says, because security is not a primary consideration early in the design process. “This, along with the need for flexible communications that are often unencrypted or have no security characteristics, creates a wide range of challenges.”

Respondents in the Synopsys study were surveyed before the WannaCry ransomware attack in May. The worldwide cyber attack targeted computers running the Microsoft Windows operating system and, within a day, reportedly infected more than 230,000 computers and medical devices in more than 150 countries.

Healthcare organizations are “some of the most commonly targeted cyber attack victims, second to only the banking and financial industry,” Clark says. “If you couple that trend with the results of this survey showing how little is being done to protect medical devices, it’s not unreasonable to expect things to get worse before they get better.”

Most stakeholders, though, are “genuinely concerned” about the impact of insecure medical devices—“both in terms of patient safety and risk to their organizations,” Clark says. “What remains to be seen is whether the industry steps up to voluntarily address these challenges or the U.S. Food and Drug Administration takes a more aggressive stance.”

This article originally appeared on ThirdCertainty. It was written by Gary Stoller.

WannaCry Portends a Surge in Attacks

The landmark WannaCry ransomware attack, I believe, may have been a proof of concept experiment that inadvertently spun out of control after it got released prematurely.

But now that it’s out there, WannaCry signifies two developments of profound consequence to company decision-makers monitoring the cybersecurity threat landscape:

  • It revives the self-propagating internet worm as a preferred way to rapidly spread new exploits, machine to machine, with no user action required.
  • It lights up the cyber underground like a Las Vegas strip billboard, heralding a very viable style of attack. WannaCry already has begun to spur hackers to revisit self-spreading worms, an old-school, highly invasive type of attack.

The unfolding “kill switch” subplot supports my analysis.

First, a recap: WannaCry is an exploit that spreads on its own, seeking out Windows laptops, desktops and servers that lack a certain security patch issued in March by Microsoft.

WannaCry first appeared on the internet on a Friday morning and swiftly swept across the globe, reminiscent of the I Love You and Code Red worms of yore. It infected 200,000 Windows machines in 150-plus countries. Hardest-hit were institutions of the U.K.’s National Health Service, as well as Spanish and Russian utility companies.

You may recall that self-spreading Windows worms were all in vogue a decade ago. The most infamous probably was Conficker. I wrote extensively about Conficker for USA Today. But for all the attention Conficker drew, it never delivered any overtly malicious payload. It simply spread.

WannaCry, by contrast, is spreading with a purpose. It carries with it instructions to encrypt each infected machine’s hard drive. Then it requests a $300 ransom, payable in bitcoin, to decrypt the drive.

So why do I think WannaCry was released prematurely? Because $300 is low for a ransom demand, especially for a ransomware attack aimed at the business sector and designed to scale globally. It makes more sense that $300 was a placeholder amount.

“This looked like a shotgun approach to compromise as many systems as quickly as possible before anti-virus definitions could catch up,” says Andrew Spangler, principal malware analyst at Nuix, an intelligence, analytics and cybersecurity solutions company. “It’s possible the attackers were not even aware of how effective this propagation method would be.”

Kill switch discovered

On Friday night, a researcher going by the handle “Malware Tech” reported that he had reverse-engineered WannaCry and discovered a “kill switch” sitting at a domain name that the author had not yet actually registered.

A kill switch also is somewhat unusual for ransomware. It could have been included as a tool to give the attacker the ability to release the ransomware in small doses, shutting it down to make tweaks. But WannaCry’s creator neglected to follow through and register his kill switch’s domain name.

That made it possible for Malware Tech to come along, discover the unregistered domain name, register it and thus take control of the kill switch. He then was able to shut down the original version of WannaCry—by hitting the kill switch.

Yet to no one’s surprise, within a matter of hours, slightly tweaked variants of the original version began circulating. “Updated WannaCry variations have since been released,” says Ray Pompon, principal threat researcher at F5 Networks, an application services and security company. “The danger is still real.”

Good guys, bad guys engage in cyber duel

To be specific, new variants with a slightly modified kill-switch domain are spreading. A very small change connects the malware’s kill switch to a slightly different domain and creates a viable variant, says Chris Doman, threat engineer at AlienVault. “This allows WannaCry to continue propagating again,” Doman says.

Fortunately, other good-guy researchers have taken it upon themselves to hustle to register the kill switch domains of any new variant that turns up and follow Malware Tech’s example to kill the variant when possible.

“The cat-and-mouse (chase) will likely continue until someone makes a larger change to the malware, removing the kill-switch functionality completely,” Doman says. “At that point, it will be harder to stop new variants.”
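The kill-switch mechanism described above, a worm that looks up a domain and stops when the lookup succeeds, also hands defenders a signal: any host that queried a sinkholed kill-switch domain ran the worm and was merely stopped there. The following is an added example, not code from the article or from any company it quotes; it assumes a constructed DNS log layout, placeholder domains in place of the real sinkholed ones, and a similarity heuristic for the slightly modified variant domains Doman describes.

```python
# Added defender-side example (not from the original article or any vendor):
# triage DNS query logs for hosts that looked up a sinkholed kill-switch
# domain. Such a host already ran the worm and still needs isolation and patching.
from difflib import SequenceMatcher

# Constructed placeholder domains; substitute the sinkholed domains you track.
KILL_SWITCH_DOMAINS = {
    "killswitch-placeholder-a.example",
    "killswitch-placeholder-b.example",
}
# Assumed heuristic: a lookup that nearly matches a known kill-switch domain
# may belong to a "slightly tweaked" variant and deserves a look.
SIMILARITY_THRESHOLD = 0.9

def parse_dns_line(line):
    """Assumed log layout: '<timestamp> <client-ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) < 4 or parts[3] != "A":
        return None  # only A-record lookups matter here
    return parts[1], parts[2].rstrip(".").lower()

def classify_domain(qname):
    """Return 'exact', 'near' or None for a queried name."""
    if qname in KILL_SWITCH_DOMAINS:
        return "exact"
    for known in KILL_SWITCH_DOMAINS:
        if SequenceMatcher(None, qname, known).ratio() >= SIMILARITY_THRESHOLD:
            return "near"
    return None

def triage(log_lines):
    """Return (host, domain, match) tuples for queries that hit the watchlist."""
    findings = []
    for line in log_lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue
        host, qname = parsed
        kind = classify_domain(qname)
        if kind:
            findings.append((host, qname, kind))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2017-05-12T09:01:03Z 192.0.2.10 killswitch-placeholder-a.example A",
    "2017-05-12T09:01:05Z 192.0.2.11 updates.example A",
    "2017-05-12T09:02:17Z 192.0.2.12 killswitch-placeholder-c.example A",
    "2017-05-12T09:02:20Z 192.0.2.10 mail.example MX",
]
```

Hosts flagged "exact" were stopped by the registered kill switch; "near" hits are candidates for a variant whose domain has not yet been sinkholed and should be checked by hand.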

Security patching more vital than ever

The kill switch subplot aside, one might ask why it took this long—nearly a decade after Conficker—for cyber criminals to incorporate a Windows worm into an attack designed for monetary gain.

Part of the reason is that Microsoft has put forth a tremendous effort to stay on top of newly discovered Windows vulnerabilities. Under its bug bounty program, it pays researchers handsomely to discover and report fresh Windows vulnerabilities. And it pours vast resources into issuing security patches in a timely manner.

With respect to the specific Windows bug leveraged by WannaCry, Microsoft issued a patch in March. Still, the digital world we live in is both amazing—and amazingly complex. That means implementing security patches across an organization of any size can be an onerous process.

The result is that vulnerability management, and security patching, lags well behind in the vast majority of organizations. This is true for patches issued by Microsoft, Oracle, Java, Adobe and any other widely used business system you care to name.

“Numerous organizations have fallen victim to these attacks because they failed to apply the patches in a timely manner or were using legacy systems that could not be patched,” says Andreas Kuehlmann, senior vice president and general manager of the Software Integrity Group at Synopsys.

Unintended help from government

An X-factor also came into play. It turns out that the National Security Agency knew all about this particular Windows bug and, in fact, possessed a tool to take advantage of it. Nothing wrong with that. Our intelligence agencies need to have the capability to match or exceed the cyber capabilities of China, Russia or North Korea.

The X-factor that made a difference was this: Hackers stole that information from the NSA and published it online—delivering it on a silver platter to the creator of WannaCry.

“Now that weapons-grade cyber attack tools are in the wrong hands, it is clear that tools and techniques previously reserved for use by nation-states are being integrated into crimeware for profit,” says Josh Gomez, senior security researcher at Anomali. “This means we can expect to see more of these exploits and tools leveraged in future attacks, each one likely surpassing the previous in sophistication and stealth.”

Hang on to your hats, folks. Buckle your seat belts. Company networks’ defenses sorely need shoring up: This, we know all too well. And now attacks are all but certain to ratchet to an unprecedented level of intensity.

Observes Jonathan Sander, chief technology officer at STEALTHbits Technology: “This massive attack is a potent mix of phishing to attack the human, worm to spread via unpatched Microsoft systems and ransomware to get the bad guys their payday. … The reason for WannaCry’s success is our collective failure to do the basic security blocking and tackling of patches, user education and consistent backups. As long as we fail to remove vulnerabilities and watch our files, bad guys will exploit us by exploiting our systems.”