Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday February 20 2020, @01:24AM   Printer-friendly
from the security++ dept.

https://arstechnica.com/information-technology/2020/02/medical-device-vulnerability-highlights-problem-of-third-party-code-in-iot-devices/

When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices.

[...] medical device vendors don't always have the flexibility to upgrade their underlying platforms because of the way they license components. Since third-party components are usually licensed for a prebuilt function, the license may only allow for the device's use with a certain version of an operating system or kernel.

[...] addressing the risks means understanding and addressing the value chain for how a device evolves from concept to disposition. We need to also evolve how devices are designed and updated to match the level of support that Samsung and Apple provide. This means there needs to be dedication by manufacturers to use platforms for a longer time and a commitment to keeping the build chains current to be able to consistently deliver patches and updates to customers.

[...] Outside of the major manufacturers, many of the companies that manufacture these devices are smaller businesses, and they have to be able to afford to develop new devices and support what they have at the same time—which is often difficult even for large companies.

We need to partner with our medical device vendors to solve issues like Urgent/11 through better processes. We need to understand how the devices work, and we need to understand that it takes a lot of work to get a patch out for devices that are more complex than a standard PC. Deploying patches to these devices also carries different risks.

The S in Medical IoT stands for Security.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Insightful) by Runaway1956 on Thursday February 20 2020, @01:39AM

    by Runaway1956 (2926) Subscriber Badge on Thursday February 20 2020, @01:39AM (#960118) Homepage Journal

    The S in Medical IoT stands for Security.

    You're on a roll there, martyb!!

    --
    Make an actual interesting, germane, and relevant point and you may get away with Flamebait - 'Zumi
  • (Score: 5, Insightful) by c0lo on Thursday February 20 2020, @01:42AM (3 children)

    by c0lo (156) Subscriber Badge on Thursday February 20 2020, @01:42AM (#960120) Journal

    medical device vendors don't always have the flexibility to upgrade their underlying platforms because of the way they license components. Since third-party components are usually licensed for a prebuilt function, the license may only allow for the device's use with a certain version of an operating system or kernel.

    When copyright is more important than human lives.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 4, Interesting) by JoeMerchant on Thursday February 20 2020, @02:58AM

      by JoeMerchant (3937) on Thursday February 20 2020, @02:58AM (#960152)

      Restrictively licensed specialty software components are rarely the problem. It's the mass market components (starting with Windoze, and all the lovely support libraries) that are so highly vulnerable, and they're usually begging to be upgraded faster than they can be tested. Unfortunately, when marketing gets together for their brainstorming sessions, they mostly play with their cellphones and other consumer electronic gadgets and then ask Med Device R&D: "why can't our product do this, too?" pointing at some cool thing on some cool device that has dubious value to the patient or their caregivers. Then they get all pouty and whine: "but competitor X ALREADY has cool device Y's cool feature Z on their product, and if we don't get it too, plus somethings even cooler, we'll never be able to make our targets next quarter!!!" Unfortunately, corporate leadership is mostly about handling your sales staff as lucratively as possible, and that frequently involves giving them whatever they ask for so they're happy and confident and thereby sell more bling.

      --
      My karma ran over your dogma.
    • (Score: 3, Interesting) by bzipitidoo on Thursday February 20 2020, @03:21AM

      by bzipitidoo (4388) Subscriber Badge on Thursday February 20 2020, @03:21AM (#960165) Journal

      Indeed. Hollywood evidently wishes so:

      https://www.youtube.com/watch?v=LZ6-q59bL9M [youtube.com]

      And this isn't just any genre, it's Science Fiction. Ahh, SF that has faster than light interstellar travel, instant teleportation, and a society that has moved beyond money (except in poker games), but intellectual property law hasn't advanced or even changed an iota from the 20th century.

      One state of affairs where no one has gone before, or ever will go!

    • (Score: 2) by RS3 on Thursday February 20 2020, @04:16PM

      by RS3 (6367) on Thursday February 20 2020, @04:16PM (#960327)

      When copyright is more important than human lives.

      When money is involved, money is always top priority.

      That said, checking into software (API?) licensing should be a top priority when choosing OSes and software for a product.

  • (Score: 1, Informative) by Anonymous Coward on Thursday February 20 2020, @01:45AM (8 children)

    by Anonymous Coward on Thursday February 20 2020, @01:45AM (#960121)

    If your medical device is approved with NiftyJavaToy v1.12, you aren't allowed to update NiftyJavaToy to v1.13 without putting the device through another 6 month certification process.

    • (Score: 4, Insightful) by Anonymous Coward on Thursday February 20 2020, @01:49AM (6 children)

      by Anonymous Coward on Thursday February 20 2020, @01:49AM (#960125)

      But if you relax the FDA's power, the meat packers are going to start mixing rat carcasses into the hamburger again.

      • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @02:14AM (4 children)

        by Anonymous Coward on Thursday February 20 2020, @02:14AM (#960138)

        Cows fart Evil Methane, rats don't. Rats are Green Technology!

        • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @02:48AM

          by Anonymous Coward on Thursday February 20 2020, @02:48AM (#960149)

          Simpson's did it!

        • (Score: 2) by c0lo on Thursday February 20 2020, @05:01AM

          by c0lo (156) Subscriber Badge on Thursday February 20 2020, @05:01AM (#960202) Journal

          The good news: we found the markedroid among us guys.
          The bad news: he's AC.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0
        • (Score: 2) by DeathMonkey on Thursday February 20 2020, @06:39PM (1 child)

          by DeathMonkey (1380) on Thursday February 20 2020, @06:39PM (#960395) Journal

          Cows don't fart.

      • (Score: 2) by krishnoid on Thursday February 20 2020, @07:54PM

        by krishnoid (1156) on Thursday February 20 2020, @07:54PM (#960420)

        Hey, you can't fight the future [youtube.com]. Just make sure you use the right seasonings.

    • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @10:45PM

      by Anonymous Coward on Thursday February 20 2020, @10:45PM (#960470)

      Having been around several of these systems.

      Blaming the FDA is about the last thing to start with. Usually lowest bidder quality here...

      "stop asking questions about that server or else...". Unsecured, middle of the room, no password, access to ALL of the devices, only one guy knows how it works. Sure no problem! But at least they moved it to an unlocked office after I pointed it out.

  • (Score: 3, Insightful) by Snotnose on Thursday February 20 2020, @01:52AM (7 children)

    by Snotnose (1623) on Thursday February 20 2020, @01:52AM (#960129)

    90% of the issues are default logins/passwords. We're not talking about 1337 skript kiddies running Kali Linux whilst visiting dad on his deathbed hoping for a bug in the Bluetooth implementation. No, we're talking about, I dunno what to call them, skript daddies? Whatever, these guys run scans all day long testing default logins hoping for a hit.

    See also: your typical IoT device.

    --
    The 3 symptoms of laziness: 1) think of something tomorrow 2)
    • (Score: 2) by JoeMerchant on Thursday February 20 2020, @03:05AM (5 children)

      by JoeMerchant (3937) on Thursday February 20 2020, @03:05AM (#960156)

      90% of the issues are default logins/passwords.

      Depends on which sandbox you are playing in, but, yeah, that's a big one. Another HUGE problem is development processes which simply don't care and are willing to "ship it" to make deadline rather than wait for secure by design architecture to trundle on through development, penetration testing, rework, retest, etc.

      As one very simple example, our latest device can be upgraded via USB (internet delivery coming soon!!!), but... to make it secure, the system has been stripped and configured to lock the USB, disallowing any unsigned software installation. This means: all the standard (familiar, easy) software install methods from USB don't work, which means that every single USB delivered upgrade has to pass through our secure packaging and signing process - which, as you might imagine, is quite a bit more labor intense than running install.bat from D:\.

      --
      My karma ran over your dogma.
      • (Score: 3, Interesting) by Anonymous Coward on Thursday February 20 2020, @03:58AM (1 child)

        by Anonymous Coward on Thursday February 20 2020, @03:58AM (#960191)

        You're doing it completely wrong. If you're installing signed software then the existing firmware should be the one doing it. You plug in a USB drive. The existing framework looks for a specific file on that drive and checks its signature. If the signature is good then the firmware loads it. If not then it doesn't. This doesn't require any special processing for the USB drive itself, you just stick the signed file on any USB capable storage device formatted with the correct file system format. Signing your built software should just be a flag you pass into your build system.

        If you can't get this right, your internet solution is going to be terrible. Remember, soylentnews.org doesn't always point to this website on every network. Don't make the incorrect assumption that your update site can be trusted because it has a specific name or IP address.

        • (Score: 2) by JoeMerchant on Thursday February 20 2020, @01:39PM

          by JoeMerchant (3937) on Thursday February 20 2020, @01:39PM (#960271)

          If you're installing signed software then the existing firmware should be the one doing it. You plug in a USB drive.

          You're reading it wrong, that's exactly what we do.

          --
          My karma ran over your dogma.
      • (Score: 2) by c0lo on Thursday February 20 2020, @05:07AM (2 children)

        by c0lo (156) Subscriber Badge on Thursday February 20 2020, @05:07AM (#960203) Journal

        simply don't care and are willing to "ship it" to make deadline

        That "deadline" in the context would be a good pun material if doing it wasn't even more cynical that I'm able to be now.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
        • (Score: 2) by Runaway1956 on Thursday February 20 2020, @10:10AM (1 child)

          by Runaway1956 (2926) Subscriber Badge on Thursday February 20 2020, @10:10AM (#960241) Homepage Journal

          I am that cynical. Why do hospitals work so hard, to keep a heart beating, when all hope of "quality of life" has passed away? Because, as soon as the heart stops beating, money is no longer made, from insurance, from medicare, medicaid, or any other source. But, when the money dries up, THEN the poor soul involved is permitted to pass along with that quality of life.

          --
          Make an actual interesting, germane, and relevant point and you may get away with Flamebait - 'Zumi
          • (Score: 4, Insightful) by JoeMerchant on Thursday February 20 2020, @01:42PM

            by JoeMerchant (3937) on Thursday February 20 2020, @01:42PM (#960273)

            I've known more than one elderly person who, more or less unable to afford their meds anymore, just quit taking them and more or less quit seeing the doctor - and went on to live another 10+ years with better quality of life than they had while they were drugged up.

            Some meds are necessary, some meds improve quality of life, same for devices and procedures. Unfortunately, I feel like - in practice, that "some" is far below 50%.

            --
            My karma ran over your dogma.
    • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @09:31AM

      by Anonymous Coward on Thursday February 27 2020, @09:31AM (#963384)

      Change those default logins and passwords and then the next problem becomes shared logins and passwords ;).

      Think of all the docs, nurses etc who might want to use dozens or more stuff that might not have a centralized user account system.

      Anyway if you really want to kill someone in a hospital or make their condition even worse, it isn't that difficult.

      So while changing the default passwords might improve security (so attackers have to look under the keyboard or similar) I'm not yet convinced that it will actually improve security that much in practice given that it's not too difficult for people to walk in and out of lots of hospitals without getting stopped. For bonus points change to/fro "surgeon with surgical mask" mode at suitable points.

      The ransomware stuff can be a pain so yeah do stuff about that, and make & test backups regularly.

  • (Score: 2, Informative) by The Mighty Buzzard on Thursday February 20 2020, @03:29AM (4 children)

    Because it costs money and takes effort. Oh and because you're cheap, lazy fuckers.

    --
    My rights don't end where your fear begins.
    • (Score: 2) by c0lo on Thursday February 20 2020, @05:28AM (1 child)

      by c0lo (156) Subscriber Badge on Thursday February 20 2020, @05:28AM (#960206) Journal

      Oh and because you're cheap, lazy fuckers...

      Ambiguity detected. Who are "cheap, lazy fuckers" - the Mighty Executives or the engineering level peons?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 2) by maxwell demon on Thursday February 20 2020, @01:15PM (1 child)

      by maxwell demon (1608) on Thursday February 20 2020, @01:15PM (#960265) Journal

      Don't medical devices already have to go through expensive certification processes? I guess adding a few basic security tests to that process would be barely noticeable in the cost of certification, unless the vendor neglected security and has to re-do the whole process again for this reason (giving the vendor a huge incentive to get it right the first time).

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by The Mighty Buzzard on Friday February 21 2020, @12:57PM

        Sounds good in theory, don't it? Unfortunately putting a slow to change, clueless, and not giving a fuck to begin with bureaucracy in charge of something that changes as quickly as computer security is much, much worse than doing nothing at all.

        --
        My rights don't end where your fear begins.
  • (Score: 2) by aristarchus on Thursday February 20 2020, @04:30AM (4 children)

    by aristarchus (2645) on Thursday February 20 2020, @04:30AM (#960197) Journal

    When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible.

    BASIC? Are you joking? The Antikythera did not run BASIC! Nor did my first computer with typing involved, that was a SPARC workstation, running Unix! What kind of amateur Homebrew Computer game-boys are you, anyway?

    --
    "Believe it or not, your opinion on this topic is really not necessary,"
    • (Score: 0) by Anonymous Coward on Thursday February 20 2020, @11:47AM (2 children)

      by Anonymous Coward on Thursday February 20 2020, @11:47AM (#960255)

      The Antikythera ran Windows v0.0000000001 beta. Unfortunately it R(ust)SOD'd.

      • (Score: 2) by maxwell demon on Thursday February 20 2020, @01:19PM (1 child)

        by maxwell demon (1608) on Thursday February 20 2020, @01:19PM (#960267) Journal

        So you are saying that it failed due to Rust? I guess they should have used good old C instead. ;-)

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @09:33AM

          by Anonymous Coward on Thursday February 27 2020, @09:33AM (#963386)
          Sea was part of the problem/solution.
    • (Score: 3, Funny) by maxwell demon on Thursday February 20 2020, @01:17PM

      by maxwell demon (1608) on Thursday February 20 2020, @01:17PM (#960266) Journal

      The Antikythera did not run BASIC!

      It surely did. It's just that the BASIC interpreter part bitrotted away. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Informative) by Rich on Thursday February 20 2020, @05:38PM

    by Rich (945) on Thursday February 20 2020, @05:38PM (#960361) Journal

    I've been working on medical devices software (and also a bit hardware) as a contractor for the better part of my life and can give you an idea of how the processes work.

    While the software development as such isn't much different from that in unregulated markets, the verification and validation that has to go into the products is massive. At the moment I'm helping a customer with an obsolescence issue that takes me about a man-year to work out - but I would estimate that on the customer's side at least 10 man-years are being sunk for a group of testers, project leads, documentation maintainers, localization and local regulation liasions, and finally service technicians supervising installations. Maintaining high standard lab sites with a good number of devices to be tested adds to that.

    If there is the slightest change, the local regulators (EU, FDA, China, Korea, ...) all want their proof of suitability done. I'm not saying "paperwork" here, because in many cases they really want to understand what's going on and suitable testing has to be successfully done and documented. One might pull an upstream fix and do a rebuild in under an hour - but after that at least five people are occupied for two months with getting that version going in the different regulated markets. And then, add about a technician's day of work for each of about, say, 2000 deployed machines.

    The machines I work on are still air-gapped, so the upgrade has to be seen after, but they are about to be internet-ized. While that may make some things easier, it adds the effort of implementing security measures onto a legacy system. The correct approach to security is of course to design it in. But that would need a new system and sink two-to-three figures of Euro/Dollar millions for the whole process, which is infeasible in many of the niches the different vendors compete for. It might not even be a market big enough to justify an investment needed for today's standards at all. (I and colleagues at my customer just recently talked about Boeing, who produced the 737 continuously on a 1960s permit, because they couldn't really afford to design something similar to today's regulations. We could very well understand how that happened, and only remind each other to be watchful to steer well clear of such situations).

(1)