Securing Medical Devices Using Adaptive Testing Methodologies

Transcription

1 SESSION ID: ASD-R10 Securing Medical Devices Using Adaptive Testing Methodologies Daniel Miessler Director of Advisory Services IOActive,

2 SESSION ID: ASD-R10 Securing Medical Devices Using Adaptive Testing Methodologies Daniel Miessler Director of Advisory Services IOActive,

3 About 18 years in information security Technical testing background (net/web/mobile/iot) Director of Advisory Services at IOActive Previously a founding member and principal at HPE Fortify on Demand Work on a number of OWASP projects: IoT Security, and OWASP Game Security Framework Project Read, write, podcast, table tennis 3

4 Agenda Why we care? The problem Adaptive Testing Methodology Practical takeaways 4

5 Why do we care?

6 Recent Issues: Johnson & Johnson - J&J insulin pump (Animus OneTouch Ping) - Jay Radcliffe, diabetic and researcher - Unencrypted command traffic - Could send unauthorized insulin injections Image: REUTERS / Weigmann 6

7 Recent Issues: St. Jude - St. Jude pacemaker - Many vulnerabilities found - PR + Shorting of stock - Vulns included wireless god key - MedSec found the vulns - Muddy Waters shorted stock 7

8 Hospitals being ransomed: US Hospitals Hollywood Presbyterian Hospital Tried to get help from authorities, ended up paying $17,000 Methodist Hospital Refused to pay, had to shut down part of the hospital Many, many more 8

9 Hospitals being ransomed: NHS One NHS area had to transfer patients because they were shut down 34% of Health Trusts in the U.K. hit with ransomware within the last 18 months 60% of Scottish trusts Other countries affected as well, including Germany 9

10 Bitcoin Readiness (a depressing state) When ransomware happens the payment is usually in bitcoin Companies getting hacked often don t know anything about bitcoin The time it takes to learn about and acquire bitcoin often costs companies massive amounts of money Many are hiring law firms to acquire and hold bitcoin for them in case they get hacked I like the preparation piece, but it s still quite depressing 10

11 A Dangerous Combination - Home users - Schools - Governments - Small businesses 11

12 A Dangerous Combination - The medical space is extremely vulnerable to these issues. 12

13 The problem

14 Recent Issues - Lots of vulnerabilities found 14

15 A Disconnect Current Attack Surface Future Attack Surface Testing Maturity The attack surface for medical devices is simply larger than the maturity of standardized procedures to test those surface areas. 15

16 The Attack Surface - Hardware physical interfaces Physical networking ports Debug / admin ports WiFi / RF Data transfer and storage Cryptographic implementations HL7 implementations Hardware sensors Input parsing / validation Command / data authentication 16

17 Attack Surface vs. Testers - How many devices are there already? How many have been tested? How many devices will there be? How many testers will be required to look at them? 17

18 Problem: Tester Desensitization - Comprehensive testing methodologies are usually massive - Testers can usually only read them once or twice - They can t use them over time - You only get a couple of strikes regarding irrelevant content 18

19 The Adaptive Testing Methodology approach

20 Adaptive Testing Methodology Contextual testing based on attributes of the target or situation 20

21 Adaptive Testing Methodology Contextual testing based on attributes of the target or situation Can apply to web apps, hosts, IoT, medical devices, etc. 21

22 Adaptive Testing Methodology Contextual testing based on attributes of the target or situation Can apply to web apps, hosts, IoT, medical devices, etc. Attribute types (potential) Target attack surfaces Time available Tools available Skill level available 22

23 23

24 OWASP IoT: Medical Device Testing 24

25 25

26 Real-world Usage Third-party testing requirements Trying to avoid tester fatigue from vendors Profile a piece of hardware using Adaptive Testing See which surface areas are in play Create a customized testing methodology for that device/ecosystem Reduce the size of a testing methodology by % Every section is relevant 26

27 Lessons learned over the years Visibility is king in security You can t defend what you can t see and don t understand Medical devices have many unseen attack surfaces Because it s an ecosystem, flaws in one can lead to overall weakness With vulnerabilities, often equals 7 27

28 Takeaways Visibility is problem #1 28

29 Takeaways Monolithic testing methodologies can lead to tester fatigue 29

30 Takeaways Simple methodology is consumable, and consumable methodology gets used 30

31 Takeaways Simple methodology is consumable, and consumable methodology gets used 31

32 Takeaways Friends don t let friends ship things without understanding the attack surface 32

33 Takeaways Friends don t let friends buy things without understanding the attack surface 33

34 Takeaways Friends don t let friends install / implement things without understanding the attack surface 34

35 Takeaways Place stress on approachable simplicity for understanding attack surfaces 35

36 Takeaways Modularize and streamline your testing methodologies to avoid them being disregarded. 36

37 Takeaways Focus on breadth before depth when covering attack surfaces. 37

38 Resources OWASP Internet of Things ect I Am The Cavalry 38

39 Future work: Medical Security Scenarios Project Medical Security Scenarios Project 39

40 Future work: Medical Security Scenarios Project Medical Security Scenarios Project Attack surface Vulnerability type Skill-level required Life-threatening or not 40

41 Thanks Podcast: Unsupervised Learning danielmiessler.com/ul Reach out any time! Participate. We re always hiring at IOActive! 41