
posted by Fnord666 on Tuesday February 25 2020, @09:02AM
from the don't-add-them-to-begin-with dept.

Why fixing security vulnerabilities in medical devices, IoT is so hard:

When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices. And it serves as a demonstration of how the software component supply chain and availability of support can affect the ability of organizations to update devices to fix security bugs—especially in the embedded computing space.

URGENT/11 is a vulnerability in the Interpeak Networks TCP/IP stack (IPNet), which was licensed out to multiple vendors of embedded operating systems. IPNet also became the main networking stack in Wind River VxWorks, until Wind River acquired Interpeak in 2006 and stopped supporting IPNet. (Wind River itself was acquired by Intel in 2009 and spun off in 2018.) But the end of support didn't stop several other manufacturers from continuing to use IPNet. When critical bugs were discovered in IPNet, it set off a scare among the numerous medical device manufacturers that run it as part of their product build.

The average medical or Internet of Things (IoT) device relies on multiple free software or open source utilities. These pieces of software are maintained by any number of third parties—often by just one or two people. In the case of Network Time Protocol (ntp)—software that is in billions of devices—its code is maintained by a single person. And when the OpenSSL Heartbleed vulnerability came out in 2014, the OpenSSL project had two developers working on it. While there are many more developers working on it now, the Heartbleed crisis is emblematic of what happens when we use free software in our devices—the software gets adapted, not really patched, and not really maintained on the device, and little benefit goes back to the project.

The S in IoT stands for Security


(Score: 0) by Anonymous Coward on Tuesday February 25 2020, @04:23PM (#962417)

I'd love to know how you think the AMA does that. (Hint: they don't. Second hint: state licensing boards issue medical licenses. Third hint: the number of residency slots is what limits new physician production, and that isn't controlled by the AMA. Fourth hint: I'm not saying the AMA doesn't like to try and influence the number, just that it's not as simple as you're putting out.) But as I said, it has absolutely nothing to do with that: in the US it is Medicare and the insurance industry that is the tail which wags the dog of US healthcare, and has been for over 20 years now. You think a greater supply would lower physician reimbursements and therefore more physicians would be available to see you face to face. The reality is that lower physician reimbursements will cause all physicians to figure out how to do more with less even harder, and you'd probably never physically see the Doctor at all. It would accelerate that which you're trying to stop. This is where telemedicine is taking us. But anyway...

And it's more than devices inside of you. A while back I felt like my CPAP machine needed to be able to deliver more pressure to me. A call to my Doc, who got the data from the DME provider, and an automated pressure level reset later, and I'm sleeping better. Didn't have to unplug my machine from the wall. Didn't even get charged a consult visit, which I appreciated.

But let's play along and say the Doc is right there next to you. (I agree this is preferable; there are few things worse than telemedicine for intrinsically sucking the humanity out of medical care.) Still... how's the Doc going to connect to your device? Are you going to want them to wire a USB port to your body? Or a DB-9 to use RS-232? There are devices that do have leads coming outside the body, like LVADs do for their power supply. But any orifice (natural or surgeon-made) is an infection risk. And how much more are you willing to pay for your device such that it uses something other than off-the-shelf protocols?