If you weren't already living your life worrying that medical devices were getting hacked, I hate to tell you what we learned at Defcon.
When it comes to understanding the cybersecurity threats we face today, few people have the technical chops and deep experience that Daniel Regalado boasts. A former hacker who used to breach ATMs, Regalado now studies vulnerabilities in IoT devices. As principal security researcher at ZingBox, he helps companies defend themselves against new and quickly evolving attacks—like WannaCry and Petya.
His recent presentation at Defcon's IoT Village was a demonstration of how IV pumps can be hacked—which is just as freaky as it sounds. We chatted with him about Defcon, IoT device vulnerabilities, and how deep learning may be a game changer for cybersecurity.
Defcon: Where ethical hackers and IoT vendors collaborate
Cybersecurity geeks flock to Defcon. It's a major conference that brings the security community and vendors together each year. As Wired reports, security researchers at Defcon's Voting Village recently caused a stir after speedily and successfully hacking voting machines. Cybersecurity experts like Regalado were there, too, shining some much-needed light on how vulnerable today's IoT-connected medical devices really are and what can be done to protect them.
When asked why conferences like Defcon and Black Hat are so valuable to the IT security community, Regalado said, "Anyone who attends them will learn about the latest vulnerability found in their own industry, so if you are a bank or a hospital or any other type of company, you will always find a vulnerability specific to your own industry. It's a great environment where we can see researchers and vendors working together toward protection of multiple assets or devices in the network environment."
IV pumps are more hackable than you might think
Regalado's one mission at this year's Defcon was to show how IV or infusion pumps could be physically hacked and explain what the consequences to human health could be if that were to happen in real life. He presented two main findings: First, he and his team were able to bypass an IV pump's integrity check and change the application at runtime. As a result, Regalado says, "We could alter the display on the pump so that when it booted up, we could put up any scary ransomware-like message we wanted, like, 'Hey, this pump has been hijacked. You need to send us some bitcoins.'"
Next, he was able to write permanent changes directly to the internal chip within the device—something that's normally well protected and shouldn't be accessible to attackers. Why's this a big deal? You usually need to enter a five-digit PIN to access an IV pump's configuration settings. "We were able to modify the integrity of the OS and the application, so we overrode that PIN with any number we wanted, which means we were able to get into the configuration settings of the pump."
Revealing IoT medical device vulnerabilities
Here's where it gets really scary: Regalado and his colleagues were able to silently swap two key configuration settings on the IV pump: the volume to be infused (VTBI) and the rate per hour. If a medical professional tried to use the pump, entering what they thought were the correct values for the VTBI and the rate when preparing an insulin dose for a patient, those values would actually be reversed behind the scenes without anyone's knowledge. The impact on the patient's health could be very serious, causing grave damage.
The vulnerabilities didn't end there. Regalado was also able to access the pump's internal flash memory, and then, he tricked it into connecting to a specific Wi-Fi access point, intercepting communications between the pump and the server to which it connected. Although all these simulated hacks were executed in person, that fact shouldn't give businesses a false sense of security. "Insider threats are more common than outsider threats," Regalado says. "My strategy is to assume that there is going to be a physical attack on your device and then put security controls in place to protect any device that someone is able to physically play with."
If this is freaking you out right now, we get it. Some IoT vendors are participating in bug bounty programs, where vendors collaborate with security researchers to identify and fix vulnerabilities before hackers can exploit them—helping IT leaders improve their cybersecurity. If you're at the C-level of a hospital that uses multiple medical devices, for example, Regalado advises you to "encourage the vendors of your devices to participate in a bug bounty program, so if there is a vulnerability in their devices, they are open to working with the researchers to proactively detect and fix them."
There are other, more hands-on ways to protect your IoT devices. New IoT security solutions identify and profile IoT devices on the network, using deep learning to understand what normal network behavior looks like. They can assess whether a particular device is deviating from normal behavior and alert the customer if that happens so they can take action. Today, we're dealing with WannaCry, but before long, an entirely new type of attack we've never seen before will show up to wreak havoc. Rather than patching a single vulnerability, these IoT security solutions learn what unusual behaviors seem suspicious and flag them, so businesses can better prepare for future hacks.
Researchers like Regalado are working diligently in collaboration with IoT vendors to better protect the devices businesses and their customers rely on in the Wild West of IoT security. By pursuing collaboration and taking advantage of advancements in security technology, IT leaders can do their part to protect their IoT environments, too—and get a better night's sleep in the process.