Securing Medical Devices Using Adaptive Testing Methodologies


SESSION ID: ASD-R10

#RSAC

Daniel Miessler

Securing Medical Devices Using Adaptive Testing Methodologies

Director of Advisory Services, IOActive, Inc.

@danielmiessler



About

3

18 years in information security

Technical testing background (net/web/mobile/IoT)

Director of Advisory Services at IOActive

Previously a founding member and principal at HPE Fortify on Demand

Work on a number of OWASP projects: IoT Security, and OWASP Game Security Framework Project

Read, write, podcast, table tennis


Agenda

4

Why do we care?

The problem

Adaptive Testing Methodology

Practical takeaways


Why do we care?


6

Recent Issues: Johnson & Johnson

- J&J insulin pump (Animas OneTouch Ping)
- Jay Radcliffe, diabetic and researcher
- Unencrypted command traffic
- Could send unauthorized insulin injections

Image: REUTERS / Weigmann


7

Recent Issues: St. Jude

- St. Jude pacemaker
- Many vulnerabilities found
- PR + shorting of stock
- Vulns included a wireless "god key"
- MedSec found the vulns
- Muddy Waters shorted the stock


8

Hospitals being ransomed: US Hospitals

Hollywood Presbyterian Hospital

Tried to get help from authorities, ended up paying $17,000

Methodist Hospital

Refused to pay, had to shut down part of the hospital

Many, many more


9

Hospitals being ransomed: NHS

One NHS area had to transfer patients because they were shut down

34% of Health Trusts in the U.K. hit with ransomware within the last 18 months

60% of Scottish trusts

Other countries affected as well, including Germany


10

Bitcoin Readiness (a depressing state)

When ransomware happens the payment is usually in bitcoin

Companies getting hacked often don’t know anything about bitcoin

The time it takes to learn about and acquire bitcoin often costs companies massive amounts of money

Many are hiring law firms to acquire and hold bitcoin for them in case they get hacked

I like the preparation piece, but it’s still quite depressing


11

A Dangerous Combination

- Home users
- Schools
- Governments
- Small businesses


12

A Dangerous Combination

- The medical space is extremely vulnerable to these issues.


The problem


Recent Issues

14

- Lots of vulnerabilities found


A Disconnect

15

The attack surface for medical devices is simply larger than the maturity of standardized procedures to test those surface areas.

[Chart, vertical axis 0 to 125: Current Attack Surface vs. Future Attack Surface vs. Testing Maturity]


The Attack Surface

16

- Hardware physical interfaces
- Physical networking ports
- Debug / admin ports
- WiFi / RF
- Data transfer and storage
- Cryptographic implementations
- HL7 implementations
- Hardware sensors
- Input parsing / validation
- Command / data authentication


Attack Surface vs. Testers

17

- How many devices are there already?
- How many have been tested?
- How many devices will there be?
- How many testers will be required to look at them?


Problem: Tester Desensitization

18

- Comprehensive testing methodologies are usually massive
- Testers can usually only read them once or twice
- They can't use them over time
- You only get a couple of strikes regarding irrelevant content


The Adaptive Testing Methodology approach


Adaptive Testing Methodology

22

Contextual testing based on attributes of the target or situation

Can apply to web apps, hosts, IoT, medical devices, etc.

Attribute types (potential)

Target attack surfaces

Time available

Tools available

Skill level available


24

OWASP IoT: Medical Device Testing


Real-world Usage

26

Third-party testing requirements

Trying to avoid tester fatigue from vendors

Profile a piece of hardware using Adaptive Testing

See which surface areas are in play

Create a customized testing methodology for that device/ecosystem

Reduce the size of a testing methodology by 50-300%

Every section is relevant
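The slides describe the approach (profile the target's attributes, see which surface areas are in play, emit a customized methodology) without showing the mechanics. The following is an added example, not code from the talk, IOActive or OWASP: it encodes a small master methodology as data, filters it by a constructed device profile (surfaces present, time, tools, skill level, the attribute types listed earlier), and applies "breadth before depth" by covering each surface once before spending remaining time on deeper checks. All check IDs, hour estimates and the sample pump profile are constructed for illustration.

```python
from dataclasses import dataclass

# Master methodology: constructed sample entries, one per attack surface named
# in the talk (plus a second command_auth check to show the depth pass).
MASTER_METHODOLOGY = [
    {"id": "HW-01", "surface": "hardware_physical", "skill": 1, "tools": set(), "hours": 1,
     "check": "Enumerate exposed connectors and test ports"},
    {"id": "HW-02", "surface": "debug_admin", "skill": 2, "tools": {"logic_analyzer"}, "hours": 4,
     "check": "Verify debug headers are disabled or require authentication"},
    {"id": "NET-01", "surface": "physical_network", "skill": 1, "tools": {"nmap"}, "hours": 2,
     "check": "Compare listening services against the documented service list"},
    {"id": "RF-01", "surface": "wifi_rf", "skill": 3, "tools": {"sdr"}, "hours": 8,
     "check": "Confirm wireless commands are authenticated and encrypted"},
    {"id": "CRY-01", "surface": "crypto", "skill": 2, "tools": set(), "hours": 3,
     "check": "Review key storage and cipher selection against current guidance"},
    {"id": "HL7-01", "surface": "hl7", "skill": 2, "tools": {"hl7_fuzzer"}, "hours": 6,
     "check": "Exercise HL7 parsing with malformed segments"},
    {"id": "AUTH-01", "surface": "command_auth", "skill": 1, "tools": set(), "hours": 2,
     "check": "Verify every state-changing command requires authentication"},
    {"id": "AUTH-02", "surface": "command_auth", "skill": 2, "tools": set(), "hours": 3,
     "check": "Verify commands cannot be replayed"},
    {"id": "INP-01", "surface": "input_parsing", "skill": 2, "tools": set(), "hours": 4,
     "check": "Test input validation on every external data path"},
]


@dataclass
class DeviceProfile:
    """Attributes of the target and the engagement (the talk's attribute types)."""
    name: str
    surfaces: set          # surface areas found to be in play
    hours_available: float
    tools_available: set
    skill_level: int       # 1 = junior ... 3 = senior


def eligible_checks(profile, master):
    """Drop checks whose surface, skill or tooling does not match the profile."""
    kept, skipped = [], {}
    for check in master:
        if check["surface"] not in profile.surfaces:
            skipped[check["id"]] = "surface not in play"
        elif check["skill"] > profile.skill_level:
            skipped[check["id"]] = "requires higher skill level"
        elif not check["tools"] <= profile.tools_available:
            skipped[check["id"]] = "required tool not available"
        else:
            kept.append(check)
    return kept, skipped


def fit_to_budget(checks, hours_available):
    """Breadth before depth: cheapest check per surface first, then the rest."""
    by_surface = {}
    for check in checks:
        by_surface.setdefault(check["surface"], []).append(check)
    breadth, depth = [], []
    for group in by_surface.values():
        group.sort(key=lambda c: c["hours"])
        breadth.append(group[0])
        depth.extend(group[1:])
    ordered = sorted(breadth, key=lambda c: c["hours"]) + sorted(depth, key=lambda c: c["hours"])
    fitted, used, dropped = [], 0.0, {}
    for check in ordered:
        if used + check["hours"] <= hours_available:
            fitted.append(check)
            used += check["hours"]
        else:
            dropped[check["id"]] = "over time budget"
    return fitted, dropped


def build_methodology(profile, master=MASTER_METHODOLOGY):
    """Return (tailored checklist, {skipped id: reason}) for the profile."""
    kept, skipped = eligible_checks(profile, master)
    fitted, dropped = fit_to_budget(kept, profile.hours_available)
    skipped.update(dropped)
    return fitted, skipped


def reduction_percent(fitted, master=MASTER_METHODOLOGY):
    """How much smaller the tailored list is than the master methodology."""
    return round(100 * (1 - len(fitted) / len(master)))


# Constructed profile: a pump with RF, no exposed debug port, a 12-hour window,
# an SDR on hand, and a mid-level tester.
SAMPLE_PROFILE = DeviceProfile(
    name="constructed infusion pump",
    surfaces={"hardware_physical", "wifi_rf", "crypto", "command_auth", "input_parsing"},
    hours_available=12,
    tools_available={"sdr"},
    skill_level=2,
)

if __name__ == "__main__":
    fitted, skipped = build_methodology(SAMPLE_PROFILE)
    print(f"Tailored methodology for {SAMPLE_PROFILE.name}:")
    for c in fitted:
        print(f"  [{c['id']}] {c['surface']}: {c['check']} ({c['hours']}h)")
    for check_id, reason in skipped.items():
        print(f"  skipped {check_id}: {reason}")
    print(f"Master methodology reduced by {reduction_percent(fitted)}%")
```

Every emitted section is relevant to the device by construction, which is the point the slide makes about tester fatigue; the skipped dictionary doubles as the record of why a surface was not covered (no tooling, no senior tester, no time), which is the gap a follow-up engagement should close rather than something to leave silent.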


Lessons learned over the years

27

Visibility is king in security

You can’t defend what you can’t see and don’t understand

Medical devices have many unseen attack surfaces

Because it’s an ecosystem, flaws in one can lead to overall weakness

With vulnerabilities, 1 + 1 + 1 often equals 7


Takeaways

28

Visibility is problem #1


29

Monolithic testing methodologies can lead to tester fatigue

Takeaways


30

Simple methodology is consumable, and consumable methodology gets used

Takeaways


32

Friends don’t let friends ship things without understanding the attack surface

Takeaways


33

Friends don’t let friends buy things without understanding the attack surface

Takeaways


34

Friends don’t let friends install / implement things without understanding the attack surface

Takeaways


35

Place stress on approachable simplicity for understanding attack surfaces

Takeaways


36

Modularize and streamline your testing methodologies to avoid them being disregarded.

Takeaways


37

Focus on breadth before depth when covering attack surfaces.

Takeaways


Resources

38

OWASP Internet of Things: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

I Am The Cavalry: https://www.iamthecavalry.org


Future work: Medical Security Scenarios Project

40

Medical Security Scenarios Project

Attack surface

Vulnerability type

Skill-level required

Life-threatening or not


Thanks

41

Email: [email protected]@danielmiessler.com

Twitter: @danielmiessler

Podcast: Unsupervised Learning, danielmiessler.com/ul

Reach out any time! Participate.

We’re always hiring at IOActive!