Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Thursday February 20 2020, @01:24AM   Printer-friendly
from the security++ dept.

https://arstechnica.com/information-technology/2020/02/medical-device-vulnerability-highlights-problem-of-third-party-code-in-iot-devices/

When your family opened up that brand-new computer when you were a kid, you didn't think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those events. It forces us to care because it affects multiple medical devices.

[...] medical device vendors don't always have the flexibility to upgrade their underlying platforms because of the way they license components. Since third-party components are usually licensed for a prebuilt function, the license may only allow for the device's use with a certain version of an operating system or kernel.

[...] addressing the risks means understanding and addressing the value chain for how a device evolves from concept to disposition. We need to also evolve how devices are designed and updated to match the level of support that Samsung and Apple provide. This means there needs to be dedication by manufacturers to use platforms for a longer time and a commitment to keeping the build chains current to be able to consistently deliver patches and updates to customers.

[...] Outside of the major manufacturers, many of the companies that manufacture these devices are smaller businesses, and they have to be able to afford to develop new devices and support what they have at the same time—which is often difficult even for large companies.

We need to partner with our medical device vendors to solve issues like Urgent/11 through better processes. We need to understand how the devices work, and we need to understand that it takes a lot of work to get a patch out for devices that are more complex than a standard PC. Deploying patches to these devices also carries different risks.

The S in Medical IoT stands for Security.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by JoeMerchant on Thursday February 20 2020, @03:05AM (5 children)

    by JoeMerchant (3937) on Thursday February 20 2020, @03:05AM (#960156)

    90% of the issues are default logins/passwords.

    Depends on which sandbox you are playing in, but, yeah, that's a big one. Another HUGE problem is development processes which simply don't care and are willing to "ship it" to make deadline rather than wait for secure by design architecture to trundle on through development, penetration testing, rework, retest, etc.

    As one very simple example, our latest device can be upgraded via USB (internet delivery coming soon!!!), but... to make it secure, the system has been stripped and configured to lock the USB, disallowing any unsigned software installation. This means: all the standard (familiar, easy) software install methods from USB don't work, which means that every single USB delivered upgrade has to pass through our secure packaging and signing process - which, as you might imagine, is quite a bit more labor intense than running install.bat from D:\.

    --
    My karma ran over your dogma.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 3, Interesting) by Anonymous Coward on Thursday February 20 2020, @03:58AM (1 child)

    by Anonymous Coward on Thursday February 20 2020, @03:58AM (#960191)

    You're doing it completely wrong. If you're installing signed software then the existing firmware should be the one doing it. You plug in a USB drive. The existing framework looks for a specific file on that drive and checks its signature. If the signature is good then the firmware loads it. If not then it doesn't. This doesn't require any special processing for the USB drive itself, you just stick the signed file on any USB capable storage device formatted with the correct file system format. Signing your built software should just be a flag you pass into your build system.

    If you can't get this right, your internet solution is going to be terrible. Remember, soylentnews.org doesn't always point to this website on every network. Don't make the incorrect assumption that your update site can be trusted because it has a specific name or IP address.

    • (Score: 2) by JoeMerchant on Thursday February 20 2020, @01:39PM

      by JoeMerchant (3937) on Thursday February 20 2020, @01:39PM (#960271)

      If you're installing signed software then the existing firmware should be the one doing it. You plug in a USB drive.

      You're reading it wrong, that's exactly what we do.

      --
      My karma ran over your dogma.
  • (Score: 2) by c0lo on Thursday February 20 2020, @05:07AM (2 children)

    by c0lo (156) Subscriber Badge on Thursday February 20 2020, @05:07AM (#960203) Journal

    simply don't care and are willing to "ship it" to make deadline

    That "deadline" in the context would be a good pun material if doing it wasn't even more cynical that I'm able to be now.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 2) by Runaway1956 on Thursday February 20 2020, @10:10AM (1 child)

      by Runaway1956 (2926) Subscriber Badge on Thursday February 20 2020, @10:10AM (#960241) Homepage Journal

      I am that cynical. Why do hospitals work so hard, to keep a heart beating, when all hope of "quality of life" has passed away? Because, as soon as the heart stops beating, money is no longer made, from insurance, from medicare, medicaid, or any other source. But, when the money dries up, THEN the poor soul involved is permitted to pass along with that quality of life.

      --
      "Trust the science" -- Tony Fauci and his army of psycophants
      • (Score: 4, Insightful) by JoeMerchant on Thursday February 20 2020, @01:42PM

        by JoeMerchant (3937) on Thursday February 20 2020, @01:42PM (#960273)

        I've known more than one elderly person who, more or less unable to afford their meds anymore, just quit taking them and more or less quit seeing the doctor - and went on to live another 10+ years with better quality of life than they had while they were drugged up.

        Some meds are necessary, some meds improve quality of life, same for devices and procedures. Unfortunately, I feel like - in practice, that "some" is far below 50%.

        --
        My karma ran over your dogma.