
SoylentNews is people

posted by Fnord666 on Tuesday February 25 2020, @09:02AM
from the don't-add-them-to-begin-with dept.

Why fixing security vulnerabilities in medical devices, IoT is so hard:

When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices. And it serves as a demonstration of how the software component supply chain and availability of support can affect the ability of organizations to update devices to fix security bugs—especially in the embedded computing space.

URGENT/11 is a vulnerability in the Interpeak Networks TCP/IP stack (IPNet), which was licensed out to multiple vendors of embedded operating systems. IPNet also became the main networking stack in Wind River VxWorks, until Wind River acquired Interpeak in 2006 and stopped supporting IPNet. (Wind River itself was acquired by Intel in 2009 and spun off in 2018.) But the end of support didn't stop several other manufacturers from continuing to use IPNet. When critical bugs were discovered in IPNet, it set off a scare among the numerous medical device manufacturers that run it as part of their product build.

The average medical or Internet of Things (IoT) device relies on multiple free software or open source utilities. These pieces of software are maintained by any number of third parties—often by just one or two people. In the case of Network Time Protocol (ntp)—software that is in billions of devices—its code is maintained by a single person. And when the OpenSSL Heartbleed vulnerability came out in 2014, the OpenSSL project had two developers working on it. While there are many more developers working on it now, the Heartbleed crisis is emblematic of what happens when we use free software in our devices—the software gets adapted, not really patched, and not really maintained on the device, and little benefit goes back to the project.

The S in IoT stands for Security


  • (Score: 4, Insightful) by All Your Lawn Are Belong To Us on Tuesday February 25 2020, @11:24AM (11 children)

    by All Your Lawn Are Belong To Us (6553) on Tuesday February 25 2020, @11:24AM (#962318) Journal

    > Another is purpose - why is a pacemaker on the internet?? And what does it have to do with NTP or OpenSSL? I do not want my pacemaker running OpenSSL! ;)

    I don't blame you for not wanting your medical device to be internet-facing. The answer, paraphrasing Heinlein, is the same answer to most questions beginning with "Why?": Money. For a device that requires either periodic log monitoring or needs to be reprogrammed, using the Internet is going to be nearly inevitable simply on cost/benefit grounds. The alternative is that you pack up your device and walk it to your physician's office or DME company and let them connect up to it, or make the device cost a few hundred or thousand more to maintain some other nebulous system of connectivity. (Even then, the data from those devices are taken and aggregated with other data. Do you really expect them to use an airgapped device to do that? If so, that's quaint.)

    Even if you have the time to walk the device (or yourself) to them, your physician does not. He or she needs to look for ways to save time as well because insurance reimbursements never truly go up - the insurers are always finding ways to force the medical community to do more with less.

    It's the real driver behind all telehealth: The people paying the bills want it as cheap as possible, which means using the most expedient options that achieve the purpose. Now if your device never requires monitoring or adjustment, or whatever device it is will never have a firmware adjustment, then connectivity makes no sense. But any such device is probably of limited utility anyway.

    --
    This sig for rent.
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday February 25 2020, @03:12PM (1 child)

    by Anonymous Coward on Tuesday February 25 2020, @03:12PM (#962381)

    > Even if you have the time to walk the device (or yourself) to them, your physician does not.

    Right -- this looks like the source of the problem. Not enough doctors, possibly due to the AMA (in USA) controlling the number of new MD's minted every year. Scarcity of doctors --> doctors raise their prices.

    If my doc is going to adjust a setting on a device that is inside me, I want to be looking right at them when they do it. I do recognize that the doc may not be looking right at me...but I should be able to drag their attention away from their screen if I squawk in person!

    • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @04:23PM

      by Anonymous Coward on Tuesday February 25 2020, @04:23PM (#962417)

      I'd love to know how you think the AMA does that. (Hint: they don't.... Second hint: state licensing boards issue medical licenses. Third hint: the number of residency slots is what limits new physician production, and that isn't controlled by the AMA. Fourth hint: I'm not saying the AMA doesn't like to try and influence the number, just that it's not as simple as you're putting out.) But as I said, it has absolutely nothing to do with that: In the US it is Medicare and the Insurance Industry that is the tail which wags the dog of US healthcare, and has for over 20 years now. You think a greater supply would lower physician reimbursements and therefore more physicians would be available to see you face to face. The reality is that lower physician reimbursements will cause all physicians to figure out how to do more with less even harder, and you'd probably never physically see the Doctor at all. It would accelerate that which you're trying to stop. This is where telemedicine is taking us. But anyway...

      And it's more than devices inside of you. Awhile back I felt like my CPAP machine needed to be able to deliver more pressure to me. A call to my Doc, who got the data from the DME provider, and an automated pressure level reset later and I'm sleeping better. Didn't have to unplug my machine from the wall. Didn't even get charged a consult visit, which I appreciated.

      But let's play along and say the Doc is right there next to you. (I agree this is preferable - there are few things worse than telemedicine for intrinsically sucking the humanity out of medical care). Still... how's the Doc going to connect to your device? Are you going to want them to wire a USB port to your body? Or a DB-9 to use RS-232? There are devices that do have leads coming outside the body like LVADs do for their power supply. But any orifice (natural or surgeon-made) is an infection risk. And how much more are you willing to pay for your device such that it uses something other than off-the-shelf protocols?

  • (Score: 2) by RS3 on Tuesday February 25 2020, @04:12PM (4 children)

    by RS3 (6367) on Tuesday February 25 2020, @04:12PM (#962412)

    Money is certainly the huge factor, but time is also. For some reason most people don't seem to consider time and timelines when discussing things.

    A friend's mom recently had a pacemaker installed. In the old days pacemakers just produced pulses, but now they monitor things too. The point being- if she has a problem that she might not be aware of, the pacemaker system might signal an alert to someone somewhere. It comes with a base station that "talks" directly to cell network. I'm not sure how it communicates with the pacemaker, but for sure the pacemaker itself is not "online".

    And I seriously doubt the base station is "online", rather, probably initiates communication with some kind of address somewhere.

    An option would be to use an external wearable monitor, such as a "Holter", but they're uncomfortable and skin contact pads need to be replaced every so often. And then it has to be taken to a medical center to read out the data.

    Maybe an option could be a semi-sneakernet system where the pacemaker's monitor station would not be online. The patient (or someone) would insert a USB drive and the system would copy some data that then could be uploaded or emailed to a medical center. If changes were needed to the pacemaker's parameters, the monitoring station could be taken to a medical center and programmed manually, or maybe a parameter file could be emailed and checked against a cert, the base station would only accept it if it passes integrity checks, etc. Point being- base station would not be online, exposed to repeated attacks.

    BTW, it seems obvious that none of the gruntwork would be done by physicians; no more than the other things that are typically done by nurses and med techs.

    • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @04:50PM (3 children)

      by Anonymous Coward on Tuesday February 25 2020, @04:50PM (#962433)

      Of the different ways pacemakers can be classified one is demand versus automatic. Demand pacemakers are always sensing the heart rhythm and when it detects a lack of impulse (either atrial or ventricular) it then delivers the impulse - it senses when you're missing a beat and delivers it. This is different from the 'old school' of automatic where a shock is delivered in time according to its own frequency whether your heart was going to supply the impulse or not. And a little different from that is an ICD, which senses when your heart is going dysrhythmic and delivers a defibrillating pulse to try and reset the beat. The first and last types can very much benefit from being able to deliver telemetry. It can be very helpful to the client that a central monitoring station reads that a device has monitored 15 premature ventricular contractions in the last 5 minutes.

      Yes, there are Holter monitors. They are beginning to be considered old-school, in part because they are limited to recording the length of their onboard memory. There are also telemetry monitors, which likewise are talking to a base station that is relaying your data to a central monitoring point. Telemeters are also used extensively in hospitals... While it may still be called a "Holter" by staff, almost all in-hospital cardiac monitoring is done by telemetry where a staff member may be monitoring 12-30 patients simultaneously.

      But the last main thing... yes, many systems do indeed use the cellular network. More to the point, they use cellular data services. Which are connected to.............. oh... Hopefully they're VPNing in - they certainly should be. But TCP/IP is the delivery method of choice.

      • (Score: 2) by RS3 on Tuesday February 25 2020, @05:34PM (2 children)

        by RS3 (6367) on Tuesday February 25 2020, @05:34PM (#962450)

        I don't know if you're a doctor, but you're certainly knowledgeable. I do know all that, but not everyone does, so thanks for writing it up.

        Not sure if they're VPNing into the pacemaker monitor. I forget the brand, but I'll write it down when I visit her next. I'm hoping the base station sits quietly offline, and turns on cell data when it wants to upload, check in, etc., rather than always be on and exposed.

        BTW, the in-hospital monitor systems use software to detect cardiac rhythm anomalies, so the whole system is not limited by 1 human watching so many patients.

        My friend's mom has "heart block", so I'm guessing the pacemaker is always pulsing. But that said, I wonder how these new pacemakers know when to speed up or slow down... Maybe you know?

        • (Score: 1, Informative) by Anonymous Coward on Wednesday February 26 2020, @04:27PM (1 child)

          by Anonymous Coward on Wednesday February 26 2020, @04:27PM (#962940)

          Good point - they initiate contact and that is indeed the way it needs to be. I wonder what would happen if a full DDOS attack were launched at the IP where the data is coming from (I doubt that the devices carry static IP's, but I don't know which would be worse - having a static range to be assaulted, or a dynamic range which rotates such that the receiving end can't lock out incorrect IP ranges). I also wonder how/if the system manufacturer hardens against such a possibility. Hopefully the cell towers themselves would serve as a stronger firewall buffer as well.

          Anyway, not a doctor but I have more than layperson's knowledge. And using the cloak of AC so that nobody treats any of this as medical advice. (I'm not being paid for it anyway, but still don't want it directly attributed to me). I know there are devices (not implanted) which can be remotely accessed, though, without the end user needing to initiate it. That should change (something like a WiFi configuration button to let the device know it is OK to accept an unsolicited inbound connection in addition to all the other security). And pacemaker bases can initiate the connection on their own when they have significant data to report. Most implanted defibrillators require the end user to initiate the data upload.

          The monitoring software does indeed detect rhythm anomalies and reports them. For externally worn monitors (pads on skin) they are accurate maybe 50% of the time at best, and for the 50% of the time they are accurate maybe 10% are of actual clinical significance. (Premature ventricular contraction, for example, when the second part of the beat sequence decides to fire early. 2 in a row are not uncommon in some kind of periodic rolling sequence, and so long as it is "stably unstable" it's not to worry about. 3 or 4 in a row are of some concern. More than that and you wonder what's going wrong.) Internally fixed ones (like pacemakers) are much more accurate and do not suffer nearly as much from anomalies like breathing motion or other movement fuzzing up the picture. But the point is that it still takes a human monitoring and the point of the monitor room is that there is a human who makes the judgment whether or not to call the nurse about a given issue.

          Heart block.... you can Google a lot on it but I can speak a little bit about it.

          Forgive me if you already know this (we're a smarter than average bunch, so maybe many of us already know the first bits of cardiac circulation). But the electrical contraction wave starts at the top right of the heart ("right" from the patient's right side... the sinoatrial node), passes to nearly the center of the mass (septum between the atria and the ventricles, atrioventricular or AV node), then into the bundle and down two separate paths (Bundle of His and Left and Right bundles) to the bottom center of the apex where it wraps back around upwards and outside on the ventricles (purkinje fibers). It's better to see it, and here's a great animation even if the narration could be more interesting: https://www.youtube.com/watch?v=RYZ4daFwMa8 [youtube.com]

          So a heart block occurs below the AV node. The conduction pathway gets lost somewhere after the AV node. So the top part (atrial contraction) fires regularly and on time. But the part below (ventricles) doesn't fall in the correct rhythm. A fun thing about the heart is that it has conductivity (the depolarizing and repolarizing should occur in smooth waves giving you a regular ECG picture) but it also has automaticity - those lower parts of the heart will try and fire on their own if they don't receive a signal from above....... but it does so more slowly. This can cause a rhythm problem where the part of the heart (and it can be both top/bottom and side-side) starts firing out of rhythm to the system, which if you think about it as a two-phase pump can be a problem.

          Anyhoo, now to what you were asking.... What your friend most likely has is a ventricular demand pacemaker. It is sensing the atrial depolarization wave (first bump) and then monitoring for the ventricular wave (the big spike). It counts from when it determines the peak of the atrial wave has occurred and if it does not sense a timely ventricular spike (about 160 milliseconds from top of P wave to initiation of Q wave) it will fire. The heart is pacing itself but the pacemaker is sending the second wave (that isn't getting to the ventricle), hence it is supplied "on demand."

          This isn't your friend's condition, but if the opposite is happening and the atrial wave isn't happening on time the pulse rate will be somewhere between 20 and 59(ish) beats per minute. The midline or the ventricles will send out their waves even without input, but slower, see? (Strong athletes can get a pulse in the 50s naturally which is fine). So instead the pacemaker looks at the QRS complex (the spike) and then counts a specified interval, and if no wave happens it will stimulate the atria. The stimulation may be a few milliseconds late, but that's OK. As long as the heart had time to repolarize, the next beat will then progress naturally. The pacemaker sends the first wave (that isn't going to the atria), hence it is Atrial Demand.

          If neither the atria nor the ventricles are supplying waves with good timing then usually an automatic pacemaker is called for. This can either be just an atrial spike, or if the patient also has a block in addition to the loss of the sinoatrial conduction, it can supply both atrial and ventricular pulses (which is interesting to see on an EKG, two very rapid double spikes about 40 milliseconds apart and then one sees the rest of the wave).

          Anyway, sorry for going on about it. The cardiac system is really awesome and fun to study even if you have no interest in medicine. :)

          • (Score: 2) by RS3 on Thursday February 27 2020, @04:07PM

            by RS3 (6367) on Thursday February 27 2020, @04:07PM (#963554)

            > "Anyway, sorry for going on about it."

            Sorry? Are you kidding? This is awesome; I can not thank you enough!

            Being somewhat medically savvy, and just trying to pay attention and help where I can, over recent months I occasionally checked friend's mom's pulse at wrist. It was always quite irregular. I also have a finger clip "pulse ox" that has an LED that blinks for each detected heartbeat. It was quite erratic too.

            Not knowing what that meant, I didn't think to do anything. She did have regular doctor checkups. I assume he was checking her heart. She just had a checkup in December. Maybe "heart block" happened since then?

            I'll have to do some research on what can cause "heart block".

            Another area of curiosity- "cardioversion". I know some people who've had that done. I pretty much know what it is and what the procedure is. My question is: if there's a problem with rhythm, how can one "zap" fix the problem? I'll do some research...

            Thank you again so much.

  • (Score: 2) by Immerman on Tuesday February 25 2020, @04:29PM (2 children)

    by Immerman (3985) on Tuesday February 25 2020, @04:29PM (#962419)

    >For a device that requires either periodic log monitoring or needs to be reprogrammed, using the Internet is going to be nearly inevitable simply on cost/benefit grounds.

    Fine, but again, why is the device connected to the internet?

    Use a second, external device as an intermediary that connects to the internet, and communicates with the medical device via a simple, easily auditable wired or short-range single channel serial communication protocol with the absolute minimum of functionality necessary. Any software or setting updates must be cryptographically signed, with the signature checked immediately after the data has been transferred to the device, before the data is even looked at.

    You're talking medical devices with multi-thousand dollar price tags. Even a full-fledged Raspberry Pi based intermediary is barely going to nudge the price tag.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday February 25 2020, @05:01PM (1 child)

      by Anonymous Coward on Tuesday February 25 2020, @05:01PM (#962440)

      Why? Because using the internet as the transport via VPN is much more economical than requiring modems and land lines. It means not having to re-invent the wheel to figure out how the data gets from A to B. It might be nice to develop a separate network but not necessary to.

      OK. So the device is separated from the reporting mechanism. Most intra-body devices have to be anyway. But having any intermediary then adds the risk of all the potential compromises that the intermediary may encounter as well. While "only" having your device data compromised is a lot less destructive than allowing an attack on the actual therapeutic modality, it's still an unacceptable risk as well.

      And yes, "minimum functionality necessary," sure. But what are the minimum functions? Do they include changing parameters on the device? If not, fine, but very few medical devices are created without the need to change settings. And not requiring the person to take the device somewhere is part of the risk-benefit analysis in terms of healthcare cost as well. (Not to mention the times when it may be determined that a device firmware does contain a flaw. Being able to reflash a device without having to cut it out of the person is certainly more preferable from an infection control standpoint).

      • (Score: 3, Interesting) by Immerman on Tuesday February 25 2020, @08:33PM

        by Immerman (3985) on Tuesday February 25 2020, @08:33PM (#962534)

        I won't address the first part, since my previous post already accepted that the internet will be involved at some level.

        > But what are the minimum functions?
        Primarily, receive a file and verify that the digital signature is valid.

        Once you've done that, then you can do whatever you want with the contents of that file - Is it a settings file? Apply the settings. An update? Apply the update. (Though really, updating the software on a medical device should be done in a medical setting where correct functioning can be confirmed, and the patient can get emergency care in case of any malfunctions)

        So long as the patient doesn't have to adjust the settings themselves (as is generally the case for medical devices), you've just made sure that the *only* way to compromise the device, is to compromise the digital signature. It's not perfect, but nothing is, and it dramatically reduces the attack surface. A simple serial interface is several orders of magnitude easier to audit to ensure there are no exploitable I/O flaws than an internal TCP/IP stack, hardware drivers, etc.
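
The verify-before-parse receiver Immerman describes above (and the signed parameter file RS3 floats further up the thread), as an added example that is not code from this thread or from any device maker: the device checks framing and a signature over the still-opaque payload before it interprets a single byte of it, then range-checks the settings anyway. The frame layout, setting names, ranges and per-device key are all constructed; HMAC-SHA256 stands in for the asymmetric signature a real device would verify with a public key.

```python
"""Verify-then-parse receiver for a signed settings frame (constructed demo)."""
import hashlib
import hmac
import struct

# Assumption: a per-device key provisioned at manufacture. HMAC-SHA256 stands in for
# the asymmetric signature (e.g. Ed25519) a real device would verify with a public key.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"

MAGIC = b"MD"        # two-byte frame marker (assumed layout)
SIG_LEN = 32         # HMAC-SHA256 digest length
MAX_PAYLOAD = 256    # hard cap on what the device will ever buffer
HEADER_LEN = len(MAGIC) + 2 + SIG_LEN   # magic | length(2) | signature(32)

class FrameError(ValueError):
    """Any reason to reject a frame; the device keeps its current settings."""

def build_frame(key: bytes, payload: bytes) -> bytes:
    """Sender side (clinic or intermediary): magic | len | sig(payload) | payload."""
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return MAGIC + struct.pack(">H", len(payload)) + sig + payload

def receive_frame(key: bytes, frame: bytes) -> bytes:
    """Device side. Checks framing and signature only; the payload stays opaque
    bytes until the signature has verified."""
    if len(frame) < HEADER_LEN or frame[:len(MAGIC)] != MAGIC:
        raise FrameError("bad framing")
    (length,) = struct.unpack(">H", frame[len(MAGIC):len(MAGIC) + 2])
    if length > MAX_PAYLOAD or len(frame) != HEADER_LEN + length:
        raise FrameError("length mismatch")
    sig, payload = frame[len(MAGIC) + 2:HEADER_LEN], frame[HEADER_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        raise FrameError("signature invalid")
    return payload

# Constructed setting names and clinical ranges; a correctly signed frame that
# asks for something outside them is still refused (the signer can be wrong).
ALLOWED = {"rate_bpm": (40.0, 120.0), "output_ms": (0.0, 2.0)}

def parse_settings(payload: bytes) -> dict:
    """'name=value' lines, parsed only after receive_frame() has accepted them."""
    try:
        lines = payload.decode("ascii").splitlines()
    except UnicodeDecodeError:
        raise FrameError("payload is not ASCII") from None
    settings = {}
    for line in lines:
        name, _, value = line.partition("=")
        if name not in ALLOWED:
            raise FrameError(f"unknown setting {name!r}")
        try:
            v = float(value)
        except ValueError:
            raise FrameError(f"bad value for {name}") from None
        lo, hi = ALLOWED[name]
        if not lo <= v <= hi:
            raise FrameError(f"{name}={v} out of range")
        settings[name] = v
    return settings

def apply_update(key: bytes, frame: bytes) -> dict:
    """Full device path: authenticate first, interpret second."""
    return parse_settings(receive_frame(key, frame))

if __name__ == "__main__":
    good = build_frame(DEVICE_KEY, b"rate_bpm=70\noutput_ms=1.5")
    print("applied:", apply_update(DEVICE_KEY, good))
    flipped = bytearray(good)
    flipped[-1] ^= 0x01                       # one bit of the payload changed
    try:
        apply_update(DEVICE_KEY, bytes(flipped))
    except FrameError as err:
        print("rejected:", err)
```

Note that the length check runs before the signature check, so an oversized frame is dropped without the device ever buffering or hashing it.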

  • (Score: 0) by Anonymous Coward on Tuesday February 25 2020, @07:10PM

    by Anonymous Coward on Tuesday February 25 2020, @07:10PM (#962493)

    That's the stupidest fucking thing ever. The doctors shouldn't be the ones that are applying patches, that's a stupid waste of their time and energy. It should be either somebody else in the office or somebody that works for the manufacturer of the device. Depending upon what the device does, there can be potentially life threatening consequences if somebody gets in there and changes the programming so as to affect the operation of the device.

    Also, there's no inherent reason why the software update couldn't come to the patient via the sneakernet. Device updates for these things should be few, far between and not needed to avoid life threatening complications.