Dec 20, 2013

Hacking Medical Systems

Image a world where computers are everywhere, ubiquitious. Everything (like in thing) is connected and able to communicate. A world where your car can talk to you fridge to tell it that you will be home in 10 minutes and it can start to unfreeze your pizza already. Wait! Isn't that our world of today?

Although we are not quite there yet, trends are pointing in this direction. The Internet of Things is becoming more real day by day. So is the increased use of technology in medical contexts. We get used to the idea of smart grids and computer viruses attacking nuclear facilities but we are still shocked when it comes to hacks that target the life of individual, everyday people rather than in a business or governmental context. What happens if hackers would target your cardiac stimulator? Or your insulin pump? Imagine a hacker modifies your medical records while you are in hospital and you get treated with medicine you are allergic to. Sounds like science-fiction? I don't think so.


The state of medical IT-Security

US hacker Jerome Radcliffe is researching on the topic of human SCADA systems and security in medical devices. He managed to manipulate an insulin pump which communicates unencrypted over proprietary wireless protocolls.

A group of researchers around Kevin Fu has proven that pacemakers and implantable cardiac defibrilators have major security issues. Not only were they able to intercept traffic being sent between the gadgets and a doctor and to manipulate the data transmitted, they were also able to directly access the pacemakers and defibrilators. By doing so they could change the behavior of the implants or even make them stop. Yep, make a pacemaker stop helping to make your heart beat. No fun, right?

But this is only a fraction of medical security's scary story. Looking inside hospitals reveals a lot more. An increasing number of medical diagnosis tools gets connected to networks and can be remotely controlled. A wrong piece of information in a critical moment like an operation can make the difference between life and death.

The core of the problem: Money! (ugh, right ...)

So how can it be that such a vital part of our infrastructure - medical treatment - has severe issues when it comes to IT-Security? For one, a lot of medical systems run on proprietary hard- or software that is difficult to debug and to update. Although medical systems are subject to strict quality-assurance procedures, IT-Security is still perceived as a "nice-to-have" feature rather than a "must-have". Other requirements like functionality have simply higher priority. Clients are convinced by impressive features, not by hygiene factors like security (the perception and value-add of IT-Security is a topic in itself which I won't expand on in this article). 

Acquiring new equippment is a matter of cost and budget and a lot of medical centers and hospitals simply can't afford to upgrade to new, more secure systems. This urges hospitals sometimes to buy cheaper systems from Asian producers. Does this ring a bell? Hasn't there been the discussion about APT1 and the speculations about the Chinese trying to attack Western infrastructure? And meanwhile we keep importing their proprietary systems into our medical treatment centers? I'm not saying that I believe in the Chinese threat very much, but if you do so then this could be something you should be worried about.

Medical hacks in the past

Hacking medical facilities does not seem to be very popular or everyone who is doing it is very stealthy about it. I hope for the former but there have been medical hacks in the past. Fortunately the authorities take the risk being imposed by hacking into medical systems very seriously as it can be seen in the case of Jesse William McGraw. McGraw aka "Ghost Exodus" hacked a hospital network to install a botnet which he wanted to use to DDoS a rival hacker group's website. In 2011 he got sentenced to 110 months in federal US prison.

TL;DR: Medical systems often operate on proprietary, outdated hard- and software. This leads to insecure systems hence imposes a danger to people's health and safety.

No comments:

Post a Comment