What Ails Our Healthcare Systems?

Transcription:

SESSION ID: FLE-F04
What Ails Our Healthcare Systems?
Minatee Mishra, Sr. Group Leader, Product Security, Philips HealthTech (@minatee_mishra)
Jiggyasu Sharma, Technical Specialist, Product Security, Philips HealthTech (@jiggyasu_sharma)

Digital revolution in Healthcare. (Image courtesy: futureforall.org)

The new medical devices ecosystem. Chart: North America IoT in Healthcare Market (USD billion). (Courtesy: www.grandviewresearch.com)

Hacker's favorite target. (Image courtesy: www.cyberwarzone.com)

Reasons for topping the charts

Healthcare Hacks. (Images courtesy: www.feedmaza.com, media.graytvinc.com, ilookbothways.com)

Case Studies. Case Study 1: Hacking IoT. Goal: get sensitive information.

Case Study 1: Hacking into medical device hardware
Architecture: Medical Device, Mobile Application, Back End Server

IoT possible entry points:
- Reconnaissance
- Communication channel
- Communication protocols (CUSTOM)
- Application interfaces
- Hardware interfaces

Attack surfaces (for IoT hardware):
- Hardware interfaces: JTAG pins (identified), MCU (identified)
- Firmware: possibly unencrypted file system
- EEPROM (identified): information (patient data, server ID and device ID); credentials (hardcoded credentials and keys)
(Board photo labelled: JTAG pins, EEPROM, MCU)

Attack scenario:
1. Tapping through ports (JTAG).
2. Getting a shell / connecting to the port through JTAG.
3. Reading the firmware/assembly: failed, due to read-out protection.
4. Dumping the file system: failed, due to read-out protection.
5. Exporting information from the file system: failed, due to read-out protection.
6. Updating the firmware/file system: failed, due to read-out protection.
7. Reading the EEPROM chip through programmers: success.

Attack impact. Significant findings: sensitive information leaked (patient information); hardcoded keys found on the device.

Demo

Mitigations: encrypt sensitive information; never hardcode credentials/keys.

Case Studies. Case Study 2: Rogue Bluetooth. Goal: manipulate data from the device.

Rogue Bluetooth device
Architecture: IoT Device, Mobile Application, Back End Server

Attack surfaces (for Bluetooth): pairing mechanism; MitM attack; exposed services.

Attack scenario:
1. Discover the Bluetooth device to attack.
2. Tap into the GATT interface of the device.
3. Connect to the device and read its characteristics.
4. Modify the characteristic values.

Attack impact: DoS the Bluetooth device; sniff information through characteristics; connect to, control and command the Bluetooth device.

Demo

Mitigations: secure configuration.

Case Studies. Case Study 3: Mobile app and backend server hacking. Goal: backend server takeover.

Case Study 3: Compromising the server through the mobile app
Architecture: Medical Device, Mobile Application, Back End Server

Attack surfaces (for mobile application and backend server):
- Mobile application: insecure data storage; broken cryptography; hardcoded secrets (credentials/keys/IPs) ...
- Server: ports and services; weak authentication; injection attacks; vulnerable services ...

Attack scenario:
1. Reverse engineering the mobile application.
2. Find the server-related information.
3. Find the services used to communicate with the server.
4. Exploit the vulnerable services on the server.
5. Server takeover. Game over!!

Attack impact: server taken over by the attacker. Possibilities are plenty: a family of devices can be compromised over the internet; risk to the whole network; backdoors can be installed; malware/ransomware can be planted; access to the whole database of sensitive information ...

Demo

Mitigations: encrypt sensitive information; never hardcode credentials/keys; patch systems.

What should device manufacturers do?

What should device manufacturers do? Development
The 3 deadly sins:
1. Default or hardcoded credentials/keys.
2. No or improper patch strategy.
3. No encryption at rest and in transit.
The virtue: no system can be perfect, BUT remember to make the update strategy fool-proof. During updates, ensure secure update is supported: digitally sign the upgrade package.
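The "virtue" on this slide, as an added example in Go (not Philips code, not from the talk): the manufacturer signs the upgrade package with Ed25519, and the device, which holds only the vendor public key, refuses a package whose signature does not verify or whose version is not newer than the one installed. The package layout (version field, image, detached signature) and the sample image bytes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed layout assumed for this example: version, image, Ed25519 signature over both.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedBody is the exact byte string that is signed and verified; covering the version stops a genuine old image from being re-labelled as newer.
func signedBody(version uint32, image []byte) []byte {
	body := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(body, version)
	return append(body, image...)
}

// BuildPackage is the manufacturer side; the private key never leaves the build system.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	sig := ed25519.Sign(priv, signedBody(version, image))
	return UpdatePackage{Version: version, Image: image, Signature: sig}
}

// VerifyUpdate is the device side: only the vendor public key is on the device; a bad signature or a non-newer version is refused before anything is flashed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, signedBody(pkg.Version, pkg.Image), pkg.Signature) {
		return errors.New("signature check failed: package rejected")
	}
	if pkg.Version <= installed {
		return fmt.Errorf("rollback refused: v%d is not newer than installed v%d", pkg.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := BuildPackage(priv, 2, []byte("constructed firmware image v2"))
	tampered := good // same header and signature, altered image bytes
	tampered.Image = []byte("constructed firmware image v2, modified")
	fmt.Println(VerifyUpdate(pub, 1, good))     // <nil>: genuine and newer
	fmt.Println(VerifyUpdate(pub, 1, tampered)) // signature check failed
	fmt.Println(VerifyUpdate(pub, 2, good))     // rollback refused
}
```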

What should device manufacturers do? Process
Security governance and management: risk management framework; training and awareness; vendor management; secure development; incident management; post-market surveillance; responsible disclosure.

Takeaways:
- The healthcare ecosystem is getting connected and pervasive.
- Healthcare is a top target of hackers.
- Secure the ecosystem: secure the entire chain from the IoT device to the backend server.
- Remember the 3 deadly sins and a virtue.
- Security governance and management.

Food for thought? "Hacking in Progress". (Image courtesy: www.maximintegrated.com)

Special thanks. Android apps: Kartik Lalan, Philips. Bluetooth device: P.N. Aravinda, Philips. Security Center of Excellence, Philips HealthTech.

Questions. THANK YOU