Post on 25-Aug-2020
TRANSCRIPT
DISCOVERING AND DISCLOSING VULNERABILITIES IN MEDICAL DEVICES
Curtis Simpson, CISO; Dor Zusman, Security Researcher
Agenda
The vulnerability researcher mind set
Disclosure case studies: URGENT/11, CDPwn
What is vulnerability disclosure? Why do we even do it?
The threat landscape
Takeaways & Questions
Medical & Clinical Devices
Patient Safety: Medical Device Behavior
Disruption: Ransomware
Data Breach: Personal Health Info
Inventory: Locating Medical Devices
Utilization: Maximizing Efficiency
Exposure: “The other side of the house.”
The New (Insecure) Endpoint
• Designed to Connect
• No Security or Agents
• Hard to Update
• Multiple Manufacturers
• Billions of Devices
• Vulnerable
Source: Armis research and various market analysts
The Traditional Endpoint Security Challenge
[Slide graphic: 25+ billion connected devices, grouped as follows]
Traditional Enterprise: Switches, Printers, VOIP, Point of Sale, Medical Devices, Manufacturing, Web, PCs and Servers
Unmanaged & IoT: Access Points, Bluetooth, Security Cameras, Smart TVs, Smart HVAC, Smart Lighting
BYOD (PC & Mobile): Smartphones, Laptops, Tablets
90% of Devices Will Be “Un-agentable”
IoT Devices: Unmanaged & Unsecured
84% of security professionals believe IoT devices are more vulnerable than computers.
67% of enterprises have experienced an IoT security incident.
74% of security professionals say their security is inadequate for IoT devices.
Source: “State of Enterprise IoT Security in North America: Unmanaged and Unsecured,” a commissioned study conducted by Forrester Consulting on behalf of Armis, July 2019
©2019 Armis Inc. All Rights Reserved.
Unmanaged and IoT Devices are Targets
Just last month!
“The attacks have prompted stark warnings to hospitals from the Department of Homeland Security and from Interpol, which warned of a “significant increase” in cyberattacks targeting hospitals around the globe.”
The Cybersecurity 202: Hospitals face a surge of cyberattacks during the novel coronavirus pandemic
Openness benefits defenders more than it benefits attackers
Attackers target the weakest link in the chain
Good defense requires a detailed knowledge of offense
Challenging industry norms leads to improved security
Potential threats/anomalies discovered in the wild
Research un-manageable devices (Medical/OT/IoT etc.)
Research attacks that will directly impact our clients
Disclose and mitigate the issue correctly in a timely manner
If we could find it, a bad actor will too (or already has)
Why did we do Urgent/11 or CDPwn?
[Chart: Bluetooth vulnerabilities found in Android since BlueBorne, counted per period]
What is it and why should I care?
Been around for 32 years, runs on over 2 Billion devices
Only 13 CVEs listed on MITRE
Real-time Operating System owned by WindRiver
VxWorks is everywhere
Healthcare
Auto
Manufacturing
Aerospace
Infrastructure/Network
Defense
Security
High Tech
VxWorks is used by everybody
6 Remote Code Execution (RCE) vulnerabilities; 5 information leaks, denial of service and logical flaws
11 critical zero-day vulnerabilities in VxWorks’ TCP/IP stack, IPnet
Affects VxWorks versions from the last 13 years (v6.5 and up)
Affects hundreds of millions of devices
URGENT/11 Timeline
03/13/19 First contact with WindRiver PSIRT
03/24/19 Armis started tracking IPnet-based devices
04/03/19 WindRiver contact is leaving WindRiver
04/09/19 Managed to get a response from the PSIRT
04/11/19 Armis grants WindRiver an extension on the 90-day period
04/18/19 WindRiver receives POCs
05/10/19 Armis receives patches for approval
05/19/19 Armis approves the patches
06/04/19 WindRiver & Armis send an advisory to affected clients
07/01/19 Armis suspects more OSs might be affected and contacts ICS-CERT/CISA (DHS)
07/29/19 Public disclosure & whitepaper
Original 90-day responsible disclosure period; total 138 days
URGENT/11 Timeline (continued)
07/01/19 Armis suspects more OSs might be affected and contacts ICS-CERT/CISA (DHS); started tracking down other affected vendors
Government agencies don’t talk to each other (just like on TV)
Contacted by the FDA
Potentially affected vendors might still be out there..
Armis tagged Alaris PCU as vulnerable
Armis <==> Client <==>Alaris
Meanwhile at Defcon 27
The IPnet IP stack was developed by Interpeak in the early 2000s
Interpeak was acquired by WindRiver in 2007, and IPnet has been an integral part of VxWorks since
Apparently, Interpeak did sell its software before being acquired
[Diagram: the supply chain between the Operating System, the Device Vendors and YOU]
So is it solved?
Patient Monitor
If you could do anything on a device..
©2020 Armis – Confidential & Proprietary, Under Embargo until 8 AM PST Feb. 5, 2020
5 critical zero-day vulnerabilities in the Cisco Discovery Protocol (CDP)
Impacts tens of millions of devices
95% of the Fortune 500 use Cisco communication solutions
Affected product lines: Cisco IP Phone 8800 Series, Cisco IOS XR Routers, Cisco NX-OS Switches, Cisco Firepower Firewalls, Cisco NCS Systems, Cisco IP Phone 7800 Series
[Diagram: a core switch connecting VLAN 1 (XYZ network), VLAN 2 (corporate network), VLAN 3 (IoT network) and the internet]
Cisco is a security-aware company; security disclosures happen all the time.
Cisco has an experienced PSIRT (they even have a 24/7 hotline)
CDPwn Timeline
08/29/19 First contact with Cisco PSIRT
10/10/19 Armis receives patches for approval
10/16/19 Armis approves the patches
11/03/19 Armis identifies additional vulnerabilities and grants Cisco another 90-day period
11/04/19 Armis started tracking CDPwn-vulnerable devices
01/07/20 Cisco issues CVEs
02/05/20 Public disclosure & whitepaper
Original 90-day responsible disclosure period, followed by a second 90-day responsible disclosure period; total 160 days
So what did we learn from our experiences?
URGENT/11:
Working with the vendor on patches is just the tip of the iceberg
Contacting the relevant parties was hard
Extended responsible disclosure period
Making sure patches are deployed is next to impossible
Even vendors are not aware of their supply chain, so how can you be?
CDPwn:
Disclosure was a breeze
Original responsible disclosure period
Cisco patched it == it’s dead
Some patches are even pushed automatically or semi-automatically
Cisco wrote the code and is maintaining it constantly
How the pro’s do it
Back to Basics: 3 Critical Questions
What Do I Have?
• Full asset inventory
• Identify & classify
• Managed, unmanaged, IoT
Why Do I Care?
• Track behavior & traffic
• Provide threat assessment
What Action?
• Quarantine devices
• Suspicious or malicious
What We Have Found
MRI machine (and others) communicating with Command & Control in Russia.
Many WannaCry infected medical devices spreading across a flat open network.
Infusion pump compromised by malware while connected to patient.
X-Ray machines and others sending patient information and diagnosis unencrypted over the internet.
Medical crash carts being used to access Facebook, and that have accessed phishing websites.
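The three questions above (what do I have, why do I care, what action) and the findings just listed describe a loop: inventory and classify every device, compare what each class actually does on the wire with what it should do, then quarantine or alert. The following is an added example of that loop, not Armis code and not any product's logic; the inventory, the flow records, the "known bad" destination (a TEST-NET-3 address) and the port and threshold choices are all constructed for illustration. Documentation-range addresses stand in for internet destinations.

```python
# Added example (not Armis code): the "What do I have / Why do I care /
# What action" loop run over a constructed inventory and flow log.
# Device names, addresses, ports, thresholds and the "known bad" list are made up.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# What counts as "inside": RFC 1918 only. Checked explicitly rather than via
# ip_address().is_private, which also treats the documentation ranges used
# below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports a medical device has no business using toward the internet in the clear
# (assumption for the example: FTP, Telnet, HTTP, HL7 over MLLP).
CLEARTEXT_PORTS = {21, 23, 80, 2575}
# Constructed threat-intel entry; a TEST-NET-3 address, not a real C2.
KNOWN_BAD = {"203.0.113.7"}
SMB_FANOUT_THRESHOLD = 3  # distinct SMB peers before we call it lateral movement

@dataclass(frozen=True)
class Device:
    ip: str
    name: str
    kind: str       # "medical", "pc", "server", "iot"
    managed: bool   # runs an agent / is under endpoint management

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(inventory):
    """Q1, what do I have: bucket devices as managed, unmanaged, or un-agentable."""
    buckets = {"managed": [], "unmanaged": [], "unagentable": []}
    for d in inventory:
        if d.kind in ("medical", "iot"):
            buckets["unagentable"].append(d.ip)   # no agent is possible here
        elif d.managed:
            buckets["managed"].append(d.ip)
        else:
            buckets["unmanaged"].append(d.ip)
    return buckets

def assess(inventory, flows):
    """Q2, why do I care: compare each device's traffic with what its class should do.
    Returns a set of (src_ip, reason) tuples; a device may collect several reasons."""
    by_ip = {d.ip: d for d in inventory}
    findings = set()
    smb_peers = defaultdict(set)
    for f in flows:
        d = by_ip.get(f.src)
        if d is None:
            findings.add((f.src, "not-in-inventory"))   # Q1 failed for this host
            continue
        if f.dst in KNOWN_BAD:
            findings.add((f.src, "known-c2"))
        if d.kind == "medical" and is_external(f.dst):
            findings.add((f.src, "cleartext-to-internet" if f.dport in CLEARTEXT_PORTS
                                 else "medical-to-internet"))
        if d.kind == "medical" and f.dport == 445:
            smb_peers[f.src].add(f.dst)
    for src, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT_THRESHOLD:   # WannaCry-style spreading
            findings.add((src, "smb-fanout"))
    return findings

QUARANTINE_REASONS = {"known-c2", "cleartext-to-internet", "smb-fanout"}

def decide(findings):
    """Q3, what action: quarantine on high-confidence reasons, alert on the rest.
    Quarantine wins when one device has mixed reasons."""
    actions = {}
    for ip, reason in findings:
        verdict = "quarantine" if reason in QUARANTINE_REASONS else "alert"
        if actions.get(ip) != "quarantine":
            actions[ip] = verdict
    return actions

# Constructed inventory and flow log mirroring the findings on the slide.
INVENTORY = [
    Device("10.0.3.10", "mri-1", "medical", False),
    Device("10.0.3.11", "xray-2", "medical", False),
    Device("10.0.3.12", "pump-7", "medical", False),
    Device("10.0.3.20", "crashcart-3", "medical", False),
    Device("10.0.2.5", "laptop-alice", "pc", True),
]
FLOWS = [
    Flow("10.0.3.10", "203.0.113.7", 443),     # MRI beaconing to the constructed "C2"
    Flow("10.0.3.11", "198.51.100.20", 80),    # X-ray posting over plain HTTP to the internet
    Flow("10.0.3.12", "10.0.3.13", 445),       # infusion pump probing SMB peers
    Flow("10.0.3.12", "10.0.3.14", 445),
    Flow("10.0.3.12", "10.0.3.15", 445),
    Flow("10.0.3.20", "198.51.100.50", 443),   # crash cart browsing the web
    Flow("10.0.2.5", "198.51.100.50", 443),    # managed laptop doing the same: expected
    Flow("10.0.9.9", "10.0.2.5", 22),          # a source nobody inventoried
]

if __name__ == "__main__":
    for ip, verdict in sorted(decide(assess(INVENTORY, FLOWS)).items()):
        print(ip, verdict)
```

The point of the split into three functions is that each question fails independently: a host missing from the inventory is itself a finding, behaviour is judged per device class rather than per signature (the managed laptop and the crash cart make the same HTTPS connection and only one is flagged), and the action policy is a separate table that can be tightened without touching detection.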
Our MISSION: Enable enterprises to adopt new types of connected devices without fear of compromise by cyber attack.
UNAUTHORIZED NETWORK BRIDGE: Printer Allowed Anyone To Connect. A printer connected to the wired network had an open hotspot, allowing unauthenticated access to anyone.
How Armis Works
[Diagram: managed devices, BYOD devices, unmanaged and IoT devices, and off-network devices observed through the WLC, switch and virtual appliance; endpoints, infrastructure and services feed the Armis threat detection engine and the Armis device knowledgebase, which integrate with the firewall, NAC and SIEM]
Armis device knowledge base
• Crowd-sourced
• Cloud-based
• 110M+ devices tracked
• 10M unique device profiles