I asked our (now famous) intern Jessica to share a sampling of some of the "crazier" things she's seen during her time at Virta. Read on for a selection of her findings while poking around on some medical devices.
"As an intern here at Virta, I spend a lot of my time trying to test the security of medical devices. Medical devices pose a unique challenge due to the embedded systems they host. While this reduces the attack surface available, it also opens up other avenues of exploitation, particularly through the unpatched holes in the system, or legacy protocols. Below are some of the more interesting finds I've encountered through my experience so far.
Telnet
Telnet is a text-based system that allows administrators to connect to machines through the network (or the Internet) — a legacy protocol allowing a machine to be remote controlled. In its early days, it was successful because it didn't require a lot of resources to run, making it ideal for resource-constrained computers. But as computers have advanced, the flaws in Telnet are glaring.
As many security professionals know, Telnet is now a blue team's nightmare and a red team's dream. One of the biggest downsides of Telnet is that the entire session between the endpoints is usually in clear text. This means anyone who cares to listen over the wire can see exactly what is happening, from commands sent to credentials used to log in. There is also little to no authentication to prove the integrity of the packets sent, allowing man-in-the-middle attacks. Telnet has been almost entirely replaced with a much more secure protocol, SSH.
Needless to say, I was shocked to find that every device I have tested so far has some instance of Telnet running on it, the most horrifying of which required no password to log in, which also gave a root shell upon connection. With these privileges, I was able to access the entire operating system at my leisure.
File Transfer Protocol (FTP)
FTP ranks somewhere close to Telnet on my personal top five list of insecure protocols. FTP is another legacy protocol designed to tax a system's resources as little as possible when transferring files between computers. One of the ways it keeps its overhead low is by sending all transmissions through clear text. This means any data, whether critical or not, is easily read through the network. Once again, you see a lack of checks for integrity in the packets as well, allowing man-in-the-middle attacks.
I have frequently found FTP on medical devices, usually as a method of transferring critical patient safety information, such as drug libraries, to medical devices that dispense drugs. These drug libraries generally contain information like the minimum and maximum recommended doses for different medications, and were implemented to help curb user error when entering in medication information for the patients. Now, if an attacker were to get in the middle of this transaction, or find a way to replicate it, they could alter the drug libraries to unsafe dose limits, which introduces a serious potential for harm.
Old/Multiple Operating Systems
The last crazy item I will mention in this post is how many old operating systems I've found. I had heard that medical devices weren't being patched, but working on some of these systems really validated it for me.
There have been instances of operating systems dating back to the early 2000s. With the leaps and bounds technology has made from then to now, there are so many unpatched bugs that have been found in the equivalent standard desktop operating systems. Sometimes even multiple parts of various operating systems can be found in a single medical device. With so many different operating systems, it would be hard to keep track of what is and isn't vulnerable in each.
While this post points to many of the shortcomings in medical device security, I do want to highlight that we haven't seen many instances of cyber-physical attacks in the wild, though people are becoming increasingly aware of the looming threat. This gap gives the medical device community a unique opportunity to stay ahead of nefarious black hat hackers. Through collaboration with the information security community, manufacturers can produce high-quality devices that allow us all to get healthy faster, and with less worry."
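To make the "anyone who cares to listen over the wire" point concrete from a monitoring perspective, here is an added example (not code from Virta or from the post above) of the kind of passive check a network defender can run over captured Telnet and FTP sessions: it strips Telnet option negotiation, follows the server's login and password prompts, and flags where cleartext credentials cross the wire, redacting the password itself from the alert text. The session data, device name and credentials are constructed for the example, and the segment-list layout (direction plus bytes) is an assumption standing in for whatever a capture tool would produce.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Telnet protocol constants (RFC 854)
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254

# A session is modelled as an ordered list of (direction, payload) segments,
# where direction is "srv" (server -> client) or "cli" (client -> server).
Segment = Tuple[str, bytes]


@dataclass
class Finding:
    protocol: str   # "telnet" or "ftp"
    field: str      # "username" or "password"
    value: str      # the cleartext value seen on the wire
    segment: int    # index of the segment it appeared in


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC option-negotiation sequences, leaving only the user-visible bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # escaped 0xff literal
            out.append(IAC)
            i += 2
        elif cmd == SB:                 # sub-negotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):  # three-byte option commands
            i += 3
        else:                           # two-byte commands (NOP, AYT, ...)
            i += 2
    return bytes(out)


def extract_ftp_credentials(segments: List[Segment]) -> List[Finding]:
    """FTP sends USER and PASS as plain command lines from the client."""
    findings = []
    for idx, (src, data) in enumerate(segments):
        if src != "cli":
            continue
        for line in data.decode("latin-1").split("\r\n"):
            m = re.match(r"(?i)^(USER|PASS)\s+(.*)$", line)
            if m:
                field = "username" if m.group(1).upper() == "USER" else "password"
                findings.append(Finding("ftp", field, m.group(2), idx))
    return findings


def extract_telnet_credentials(segments: List[Segment]) -> List[Finding]:
    """Telnet has no login command; watch the server's prompt and take the next client line."""
    findings = []
    expecting: Optional[str] = None
    for idx, (src, data) in enumerate(segments):
        text = strip_telnet_negotiation(data).decode("latin-1")
        if src == "srv":
            low = text.lower()
            if "password:" in low:
                expecting = "password"
            elif "login:" in low or "username:" in low:
                expecting = "username"
        elif expecting is not None:
            value = text.split("\r\n")[0].rstrip("\r")
            findings.append(Finding("telnet", expecting, value, idx))
            expecting = None
    return findings


def analyze_session(dst_port: int, segments: List[Segment]) -> List[Finding]:
    """Dispatch on the well-known port (21 = FTP, 23 = Telnet); other ports are not inspected."""
    if dst_port == 21:
        return extract_ftp_credentials(segments)
    if dst_port == 23:
        return extract_telnet_credentials(segments)
    return []


def alert_lines(findings: List[Finding]) -> List[str]:
    """Human-readable alerts; the password value is never written out, only its length."""
    lines = []
    for f in findings:
        if f.field == "password":
            lines.append(f"{f.protocol}: cleartext password ({len(f.value)} chars) in segment {f.segment}")
        else:
            lines.append(f"{f.protocol}: cleartext username '{f.value}' in segment {f.segment}")
    return lines


# Constructed sample sessions (not captures from any real device).
FTP_SESSION: List[Segment] = [
    ("srv", b"220 pump-01 FTP server ready\r\n"),
    ("cli", b"USER pumpadmin\r\n"),
    ("srv", b"331 Password required\r\n"),
    ("cli", b"PASS s3cret\r\n"),
    ("srv", b"230 Login successful\r\n"),
    ("cli", b"STOR druglib.xml\r\n"),
]

TELNET_SESSION: List[Segment] = [
    ("srv", b"\xff\xfb\x01\xff\xfb\x03login: "),       # server: WILL ECHO, WILL SGA, then prompt
    ("cli", b"\xff\xfd\x01\xff\xfd\x03root\r\n"),       # client: DO ECHO, DO SGA, then username
    ("srv", b"Password: "),
    ("cli", b"toor\r\n"),
    ("srv", b"# "),
]

if __name__ == "__main__":
    for port, session in ((21, FTP_SESSION), (23, TELNET_SESSION)):
        for line in alert_lines(analyze_session(port, session)):
            print(line)
```

The same logic applied to SSH traffic on port 22 yields nothing, which is the point: the fix for both findings is not better monitoring but replacing the protocol, and monitoring like this mainly serves to inventory which devices still expose the legacy services.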
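The drug-library concern above is fundamentally an integrity problem: a file moved over FTP carries nothing that lets the receiving pump tell an authentic library from an altered one. As an added example, not part of the post and not any vendor's actual update format, the following shows the minimal defensive control a device could apply regardless of transport: the library is serialised canonically, tagged with an HMAC under a key the pump holds, and the pump refuses to load anything whose tag does not verify. The library contents, key and file layout are all constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample drug library (illustrative values, not clinical guidance).
DRUG_LIBRARY = {
    "version": 42,
    "entries": [
        {"drug": "morphine", "unit": "mg/h", "min": 0.5, "max": 10.0},
        {"drug": "heparin", "unit": "units/h", "min": 200, "max": 2500},
    ],
}


def canonical_bytes(library: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so equal content always tags identically."""
    return json.dumps(library, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_library(library: dict, key: bytes) -> bytes:
    """Produce the on-the-wire blob: canonical body, newline, hex HMAC-SHA256 tag, newline."""
    body = canonical_bytes(library)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"\n" + tag + b"\n"


def verify_library(blob: bytes, key: bytes) -> Optional[dict]:
    """Return the parsed library only if the tag verifies; None means 'refuse to load'."""
    try:
        body, tag, trailer = blob.rsplit(b"\n", 2)
    except ValueError:
        return None                                  # malformed: not even two newlines
    if trailer != b"":
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return None
    return json.loads(body)


def simulate_tampered_blob(blob: bytes, drug: str, new_max: float) -> bytes:
    """Test helper: edit one dose limit in transit without knowing the key (tag left as-is)."""
    body, tag, _ = blob.rsplit(b"\n", 2)
    library = json.loads(body)
    for entry in library["entries"]:
        if entry["drug"] == drug:
            entry["max"] = new_max
    return canonical_bytes(library) + b"\n" + tag + b"\n"


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    blob = sign_library(DRUG_LIBRARY, key)
    print("authentic blob loads:", verify_library(blob, key) is not None)
    bad = simulate_tampered_blob(blob, "morphine", 999.0)
    print("tampered blob loads:", verify_library(bad, key) is not None)
```

A shared HMAC key is the simplest form of this check; a production design would more likely use a public-key signature so that only the manufacturer's signing key can produce a valid library while every pump holds only the verification key, but the load-time decision on the device is the same: no valid tag, no load.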