The Hacker Mind Podcast: Hacking Healthcare
After breaches like SolarWinds, companies pledge to improve their digital hygiene. What if they don’t? And what parallels might infosec learn from COVID-19?
In this episode, Mike Ahmadi draws on his years of experience in infosec, his years hacking medical devices. Mike notes how some basic rules of physical hygiene that can slow the spread of COVID-19 can also map into the digital world.
Listen to EP 12: Hacking Healthcare
Vamosi: True story. Back in the early two thousands, I remember a friend telling me that she and her husband where getting an ultrasound. There it was on this black and white monitor, the first grainy images of their baby. Then nothing. The machine crashed, and the lab tech had to reboot. I suppose such things happen, but what I remember was her telling her surprise when the system booted up and the Windows 95 splash screen came up … wait, what? Here we were in the 21st century, and the lab was using an operating system that was no longer supported by Microsoft.
Unfortunately, in the world of medical devices, such stories aren’t uncommon.
For example, in March of 2016, two researchers, Mike Ahmadi and Billy Rios independently reported an astounding fourteen hundred vulnerabilities to CareFusion's Pyxis SupplyStation, an automated, networked, supply cabinet used to store and dispense supplies.
Here’s Mike Ahmadi to explain.
Ahmadi: Billy provided me the images from various pieces of medical device software and in them we found literally over 1000 known vulnerabilities. I remember speaking to DHS about this. And they said that they really had no idea how to deal with and classify, you know, a package with over, 1000 pieces of or 1000 vulnerabilities. It was a sort of like a new horizon for them.
Vamosi: This research resulted in the US Computer Emergency Response Team or US CERT issuing one of the first ICS Advisories for a medical device. CareFusion’s parent company Becton Dickinson responded, saying that all 14 hundred and 18 of the identified vulnerabilities were within third-party software applications including Windows XP and Symantec pcAnywhere, and others. There are’s a lot to unpack here.
First, this is a supply chain issue. Using older software within your own software always carries risk. Microsoft, for example, stopped patching Windows XP for security vulnerabilities in 2014.
Second, these are all known vulnerabilities, meaning they’ve been identified and assigned a Common vulnerabilities Enumeration number or CVEs. A vendor should already be scanning for known vulnerabilities.
Third, It’s one thing to talk about network servers having exploitable vulnerabilities -- and Mike is an expert on ICS and automotive software as well -- but it’s quite another when the software involves life critical services. I mean, what happens if, in the middle of a global pandemic, someone decides to go after medical devices or even hospitals themselves? Are we prepared for a digital pandemic as well?
Welcome to the Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about people who hack for a living. I’m Robert Vamosi and this episode about best practices in information security, and how critical life services, in particular, remain at risk today -- in the middle of a global pandemic.
If you’ve been in the infosec world as long as I have, you have probably encountered Mike Amadhi. He’s well known. He’s well respected. Especially in the world of security standards. Mike is a legend.
I’m really not kidding about the ubiquity of Mike in infosec. I remember starting a new job, and for my first day, the company flew me to Auburn Hills, Michigan to meet with representatives of several automotive companies. This was a few months after the Jeep Cherokee hack and that event had the entire industry’s attention. You name it, all the major automotive manufacturers in the world were represented in the room, but arriving the night before, blurry eyed from travel, I stumbled into this Marriot down the street from Fiat Chrysler headquarters and there’s Mike Amadhi standing at the registration desk.
So it’s not surprising that this recording coincided with another major security event. A network monitoring company for the federal government and other large companies, Solar Winds, had been breached.
Ahmadi: Solar Winds is a company that makes you know, networking, monitoring tools for. And then the tools are used by government entities and accruals are used by big industries and it's one of the more popular and robust packages out there. Remember using early versions of it. When I was working for a retail company I thought it was fantastic. And what's really interesting about solar IDs is it. It runs in a very highly trusted at a very high highly trusted level within an organization. So, it has access really unfettered access to everything on the network. Because it's network monitoring tools. So you don't want to block it from getting to something because obviously you need it to have free access to everything. So, you know, a or a group of enterprising hackers thought huh. If I could figure out a way to get some mauler into that package I could get access to everything on the network. And sure enough, that's what happened.
Vamosi: If someone gets inside a network monitoring service that has visibility across the entire network, they inherit the access of the service, they can see what’s what, remotely.
Ahmadi: Now what's very interesting is that it is a supply chain problem. Clearly a supply chain problem. The company creating the software is going to be as cautious as they can be to create a safe and secure software package, and let's just say for example that SolarWinds did indeed create that. However, if somewhere along the supply chain, a bad actor has access to the package and can inject their malware into the system, then some huge problems can can occur.
Vamosi: This is bad. Supply chain compromises have been talked about for a few years now. In 2011, researcher Ang Cui showed how updates to common laser printers were not signed or otherwise authenticated, meaning that you might think you’re doing the right thing by applying an update when in reality you might be unintentionally installing malware. Something similar happened with SolarWinds updates for its Orion system.
Ahmadi: I think that really illustrates a couple of things that are happening and we've been predicting for a while. One is that the attacks are getting a lot more sophisticated. This isn't really script kiddie work these are people that are really thinking things through. And in an environment today, and you know everybody always says, you know everybody does everything, either for. well ... there's three reasons why people hack: one is for just notoriety, that's what script kiddies do. Another is to cause damage and harm, cyber war if you will. And, of course the military in particular is always concerned with that and, you know, good friends of mine like Billy rails for example who most people you're probably have heard of, spend a lot of their time in classified environments, trying to figure out how to fix those issues for the government. And then the third one, and the one is actually probably seeing the most growth and the one that's been predicted for a long time, is figure out ways to make money.
Vamosi: Actually SolarWinds is a good opening for what we’re going to talk about: our preparedness for a digital pandemic.
Continuous Testing at the Speed of Development.
Find out how ForAllSecure can bring advanced fuzz testing into your development pipelines.
Ahmadi: Now, what's very interesting about today, in the age of the biological pandemic that has occurred because of COVID-19, is we are now seeing more conductivity. remote connectivity than we have ever seen before in our lives. Everybody is connecting to somewhere for work, communications, whatever you want to call it remotely now. And of course they've had to deal with issues that have arisen through that. And what's even more interesting right now, is the fact that there's a lot of issues that are at play right now that makes attacks particularly egregious. One is that there's a huge amount of connectivity going on right now.. Number two is that you don't really have people that are physically present in many cases. They have to basically all connect remotely. And so you they have to sort of count on the fact that they're going to be able to actually connect to what they need to.
Vamosi: What we’re talking about is that the attack surface today is much larger than it was in March 2020 simply because nearly everything has been shifted online -- from schools, to businesses, even our government. And that’s what makes the disclosure of the SolarWinds attack so scary.
Ahmadi: If I were to attack, one thing I would probably do, going into the hacker mind for a minute, is I would try to figure out, not only how to attack the system. But how do I actually attack the systems that the organization is going to use to monitor those systems for attacks. Because the likelihood that they're going to physically go there is a slimmer than it has ever been before. It's a lot more complicated today.
Vamosi: And it’s important to remember that attacks come in different flavors and varieties, with different goals in mind.
Ahmadi: There is also an enormous opportunity now for things like ransomware because now this is the only way, network connectivity is the only way for ecommerce sites and general businesses. Period. So, you don't really have time and especially if you look at companies like Amazon right now, for example. They're doing an enormous amount of business. I mean, everybody is shopping for Christmas presents on Amazon. Right now, because, you know, at least in California, there's really no shopping malls, I can go to. There's very few places I can go to and physically shop. So, of course, it's causing an enormous amount of stress on many systems. Many are network systems that the Postal Service and the logistics systems that are used to track packages, all of us at this point I can guarantee you have run into some problem with that in the last month or so. So, site going down. Right now has the most negative impact on an organization, that it has ever had. Period.
Vamosi: Think about that. Back in February 2000, a Canadian kid known publicly as MafiaBoy criminally hacked AMAZON, Yahoo, eBay and other sites including ZDNet where I worked. He managed to take down these sites with a syn flood denial-of-service attack, meaning no one could access the sites while they were under attack. He was ultimately sentenced to 8 months in prison. Those were different times. At the time, taking down Amazon was bold and it was certainly newsy. It didn’t, however, have the significance as taking AMAZON offline would have today.
Ahmadi: So that's one thing now looking at things in terms of a worst case scenario. A few years ago we all remember WannaCry happening in Europe right where there was vulnerabilities that that allowed people to actually essentially take down hospital networks and it caused serious problems.
Vamosi: In May of 2017, the WannaCry ransomware attacked more than 99 countries world wide, but in the United Kingdom in particularly, WannaCry attacked the Windows 7 machines at the National Health Services, and this caused hospitals to go back to pen and paper, to reschedule elective surgeries and relocate those patients who needed additional care. From the BBC, former Home Secretary Amber Rudd.
Rudd: We're working very hard to make sure that we help the NHS put their systems back in order. And so far we've had reassurance from them that no patient data has been compromised. The National Cybersecurity Center is working with them to end the disruption to contain it. And to make sure that we learn lessons from it.
Vamosi: We’ve seen this before, where just after a major digital event, we pledge to learn from it and go forward. The question is, have we? And if so, what, in particular, have we learned? The point is, now would be a particularly dangerous time to find out that we didn’t learn anything, and that once again we’ve fallen short.
Ahmadi: Imagine today, horrible horror upon the horror, our worst case scenario. Hospitals are are hitting maximum capacity because of COVID now. And they rely on their network systems for everything. And in fact, it's a much bigger problem than it ever has been. Because they physically don't have enough people to even monitor and manage the network systems that are working in those hospitals.
Vamosi: One thing that’s always blown me away is that hospitals are not like typical corporate networks. They segmented, but more importantly, they are a series of fiefdoms. There’s the labs network, which is wholly separate from the surgical theater which is wholly separate from the hospital rooms which is wholly separate from the commissary which is wholly separate from the gift shop. Yeah, maybe the gift shop should not be on the same local network as the surgical theater. But this creates inevitable headaches for the IT departments.
Ahmadi: Okay, let alone if they go down, and they have to physically go everywhere to monitor everybody. So again, what I've been saying to people for years. And you know, I hear it's like what kind of doom and gloom talk but it was the same thing that happened when we talked about the biological pandemic right. Like, we know it's doom and gloom talk, but that doesn't mean it can't happen.
Vamosi: Mike has made a career for himself by walking into a business, like that automotive meeting in Auburn Hills, and then scaring the crap out of executives who have no idea. In security if you are doing your job well, then you can avoid major cataclysmic failures.
Ahmadi: So, I keep saying that the digital pandemic. The big one, if you will, hasn't really hit yet. But the opportunity now is probably at its peak and knock on wood, pray to God, however you want to look at it. Let's hope we can get through this. But I think the big question we have to ask ourselves, in light of the fact that we are now scrambling to deal with the biological pandemic is how prepared, are we for the worst case scenario. So, we probably thought we were well prepared for a biological pandemic.
Vamosi: Here’s a good example. Epidemiologists have warned humanity that every one hundred years society endures a major pandemic of some kind. It could be some sort of biological trigger, or it could be some sort of collective memory failure in human beings. As much as we did prepare, we apparently didn’t prepare enough for COVID-19.
Ahmadi: As it turns out, we weren't really as prepared as we thought we were. Globally, I know people have tried to, you know, shoot daggers at people for various political reasons but the truth is, on a global level all throughout the world, we just weren't ready for the magnitude of this. However, we did learn were a couple of very interesting things. One is using some basic rules of hygiene that have been around for probably on to a few 100 years will do quite a bit to slow down the spread of the pandemic.
Vamosi: He’s right. From a 1953 health class film, here are some basic tips to avoid spreading the measles.
Narrator: Many diseases are spread by personal contact with someone who has that disease, or by touching a thermometer or other object to which the germs may have spread. And so when you have the measles, or some other disease which is spread in this way, your mother provides a place for you to dispose of your paper handkerchiefs so that no one else will touch them. She will wash your dishes and your towels and bedding to separately from those used by the well members of the family. She will sterilize the things you have used kill the germs with boiling water, or at a septic solutions, until such things are no longer dangerous for others to use.
Vamosi: It seems like since we knew in the 1950s how to contain the measles but as the threat abated, we collectively stopped practicing good hygiene. We let our guard down.
Ahmadi: Wash your hands. You know, try not to touch your face before you wash your hands, cover your mouth when you cough wear a mask. If you're ill, don't go to work if you're sick. How many of us have actually dealt with the fact that we and others have gone to work when they're sick, you know, no one full well they shouldn't do it. And in many cases, employers would expect you to go to work even if you were sick certainly in, even in places like retail. And using those basic rules, we realized that we can actually go a long way towards preventing the spread of the, of the pathogen. And the reality of it is, if we had applied at least some of those basic rules of hygiene and I'm saying maybe at a minimum, don't go to work when you're sick. Don't go out where you're sick, wear a mask if you're sick, wash your hands. You know, we may have been able to actually prevent this level of spread that we're seeing right now. Don't pack people together on a plane. Give them a little space in between each other right, keep a safe distance from other people don't crowd in too many places. And a lot of this obviously runs contrary to capitalism where it's about volume and getting as many people in one place at once. Well that's all changed.
Vamosi: The observed links between biological and digital worlds is not new. In the early 2000s, researcher Jose Nazario, who was trained in medicine, made important contributions to the early days of computer virus research. The biological parallels --at least in modeling the behavior of viruses and worms attacking computer systems -- have since been instructive, if only to better understand what’s happening in our devices.
Ahmadi: Oh, there's another basic rule of hygiene right now that we're learning about COVID, get tested. If you suspect you've been a problem, or you know what, in some cases, high risk organizations just mandate that people get tested. So fast forward to the idea of a digital pandemic and what can we do? What's some basic hygiene that we can apply to networks. Well, you know, for one thing. Get tested. See if there's anything out there that shouldn't be there and clean up any messes within your organization. Put some shields up.
Vamosi: This is a great idea. Shields can be firewalls from the outside world, but I’d also like to add that too many organizations still do not adequately segment their network-- do not isolate critical data internally. They calso be segmentation of the network, not allowing the gift shop system to interact with the surgical theater. Think of this like putting plexiglass between the cashier and you at the local grocery store. Really, this is hygiene stuff that can map to the network world quite easily.
Ahmadi: Do this as proactively as you possibly can. Because when something big hits you, you're gonna want to be able to do something about it. Now, our government .... one of the things that I've been saying for years is that our government has fallen far short of what I believe they need to be in terms of fixing issues. And, as it turns out, they are now in a situation where they're having to scramble to deal with this.
Vamosi: So let’s take stock of some of the stuff we’re doing now to keep ourselves physically healthy, and start to apply it to our computer systems.
Ahmadi: So, again, not to speak so much doom and gloom but what are some of the things that we think that we can do to actually help prevent the worst case scenario in the event of a digital pandemic. And I believe that there's a lot we can do. Test your systems. Look for those bugs. And if you find them. You got to fix them. Um, we cannot allow the disease to continue on in the organization.
Vamosi: At Black Hat USA 2011, hacker Jay Radcliffe demonstrated before a live audience how he could hack his own personal insulin pump. The consequences were that someone in the room with him could wirelessly either increase or decrease his dosages, both of which could have life consequences. An attacker could also disable the device, which result in death. Presenting this, Radcliffe was careful not to disclose a particular vendor. This was less to mitigate legal action than to claim that other insulin pumps were susceptible to the same attack.
Ahmadi: We were brought in to a medical device company to look at a medical device that had been famously hacked and a Black Hat event. And this was the first time that our organization ever actually been given a device that was a medical device. Most of our business prior to that was dealing with industrial control systems. So I remember when they brought in this device, and they started attacking it. I remember talking to the founder of the company and I said, what you find? He goes, Holy crap, Mike, the emperor has no clothes. What do you mean? He's like, there is nothing protecting anything on this device. nothing. It's just basically wide open. anybody that has any idea of how the protocol works and that's not that difficult to figure out, can just do whatever they want. Right. We had to actually move the device into a Faraday cage
Vamosi: A Faraday cage is a device which blocks outside radio frequency signals. It’s commonly used for testing mobile phone and other devices which depend on radio frequencies. The idea is that signals inside can’t escape and signals from outside can’t get in.
Ahmadi: And, essentially, we start attacking it at a bus level without the wireless connectivity because we discovered that if we actually attacked it at the wireless level nothing is authenticated. We could kill people in the next office over if they had one of these devices. And I said, Are you serious? He said yeah. I said, that's really bad. The good news is that the company saw the light and was open to it. Of course many medical device companies have now actively addressed many of these issues. Not as many and to as much of a level as we believe they should, but but it has happened.
Vamosi: Mike has an example where a large hospital system managed to put pressure on the medical device manufacturers themselves.
Ahmadi: Another one that was interesting is being called into a hospital network to test some devices with a team of people. I remember Billy Rios was there. And we were testing a bunch of devices, I believe it was about 50 different devices. And, essentially, everything failed. Initially the organization was going to use this as an opportunity to point out what companies were doing a better job than others but as it turned out, nobody was doing anything even close to a good job.
Vamosi: Woa. Let’s think about that a moment. Out of 50 medical devices tested at this hospital, nobody was doing a good job with security? Ouch.
Ahmadi: I remember initially the lawyers said, you can't go work forward with this report because it's potentially going to bring some liability to us as an organization, because everything we're using in our hospital network is vulnerable to attack and we're knowingly using it. The hospital, of course, at that point, really took this seriously and they still do to this very day. And they really put an enormous amount of pressure on the medical device manufacturers they were working with, as well as the FDA. And I remember one of the things that they said to the FDA. Was that you're just not doing enough, and they got very angry when the FDA would reply with ‘well it's just complicated.”
Vamosi: I remember there was a time when it was ambiguous to the healthcare organization whether performing something basic as updating your Windows OS with the latest patches would invalidate the FDA certification of that device. Seriously, any changes made to the software, including the background OS was, at one time, considered an overall change to the functionality of that device and therefore would require recertification. Which often took months. Seriously. These were the dark ages of digital security. So it took researchers like Mike and healthcare organizations to push back.
Ahmadi: I remember they would reply no it's not complicated with you're making it complicated, we're trusting you to do, to deal with this. And you're not doing as much as you can possibly be doing.
Vamosi: So in this case a hospital pushed back. Mike and I have had this discussion many times before -- do we need more standards, or do you think organizations will step up on their own.
Ahmadi: You know standards are always good. As long as there is a legal mandate to implement the standard. It's a standard that is not accompanied by a legal mandate that is just a bunch of really good words on a piece of paper. We've had hygiene standards for years but it wasn't until somebody came down and said, Thou shalt do this right, that it happened. It's very interesting that in light of the biological pandemic many organizations have stepped up on their own. They've said you know we don't, we're not going to wait for a law to require everybody to wear a mask. If I go to any grocery store now it says you are required to wear a mask in our, in our order in the grocery store. A lot of people get annoyed by it, you know, but the fact is at the grocery store saying is like we just don't want to take any chances. We don't want to be the Typhoid Mary right environment for the typhoid Mary, if you will. So, we are pretty good sometimes in a reactive manner. But we're not always as good as we are. And people will say, Well, if something happens. People will change, I say, hmm. It really depends on how big, what happens is.
Vamosi: SolarWinds, NotPetya, WannaCry, The Target Data breach. We’ve had big events. But, to Amber Rudd’s point, what have we learned? How big of an event do we need before we start changing our digital hygiene to reflect what going on. Again, maybe infosec can learn from the biological pandemic.
Ahmadi: So, we've all known that people will get sick if they cough. And we've all known that people get sick when people go to work and we've been dealing with it for years. And in fact, many people have died or caught the flu and died because of that. It wasn't until it was a really really really really big deal and overwhelmed our entire systems that everybody started taking it seriously. And look, we all now do things on a hydronic level that we have just never normally done before. Everybody knows the germaphobe and the person that constantly washes their hands. They've even grown up with. But the reality of it is everybody I know carries around sanitizer now. Anything I touch when I'm out I pull out my sanitizer. I sanitize my hands, I put on a mask when I go somewhere, you know, I'm very conscious of the fact where my hands are touching my face. And I've never really, really been before. I physically keep away from people. And it's become a norm. I don't really feel like I'm just being like, you know, inconvenienced by these new hygienic behaviors because just doing this little bit is going to help me out.
Vamosi: So what are the things we should all know and do, yet probably we’re not in practice.
Ahmadi: Now, let's go to the digital world. So, you know, what are some of the things we can do. Number one test. Find out where the frickin' bugs are. Now you know. Number two, put up some shields, some guards, whether it be a firewall and so on and so forth. And make sure your firewall is actually effective, just like the sanitizer people have found sanitizers that they are ineffective, or in many cases cause other problems, we'll find out which ones are actually useful. You know, that's another you know basic type of hygiene. If you're bringing something into the environment before introducing into your environment, test the damn thing to make sure it's not going to bring a bug into your environment. Just like you don't invite anyone in your house for a gathering if they haven't been tested for COVID. I have people that live here that went out of town, they're coming back, and we see them regularly. You know they're their neighbors. And, you know, we're still sticking to our small family gatherings, but we told them, I said, Look, unless you all get tested upon your return. You're not coming to our house. We are not introducing you into our network. If we think you have any bugs. So we always tell people, in many cases, bringing one device into a network can introduce a bug. So be very cautious of that. Be very cautious of who is in your network. And by the way, what is another thing that we all learn from the biological pandemic that's, that's, you know, some people question the effectiveness but I certainly can see how it works. contact tracing.
Vamosi: Oh, right. There’s this thing called Contact Tracing. It requires someone to work backward and one) identify who you may have been exposed to that had the virus, and two) provide a roadmap to contact those you’ve been in contact with since. The same is good for computer systems.
Ahmadi: You know, so not only knowing who it is, but where you have been, you know, being able to retrace the steps to determine how that happened. And the same holds true for any network. How do you retrace all that.
Vamosi: And another thing we’ve learned from COVID-19-- don’t just test once, and assume you’re okay. Periodically retest if you’ve got random devices coming and going on your network.
Ahmadi: You don't just test once you test again and you test again. And you test again. Everybody was tested. You know here recently you know a few months ago and we all passed and then recently, you know, my, my daughter got the sniffles they made her go get tested again. She's fine. thank God. Then they made, you know, the other daughter get tested and they can even go back to school until then. They're all fine schools in particular, where I live. Everybody has to wear a mask, nobody's allowed to touch and on holiday they're keeping classes small, and they're able to get together. And what's really interesting is like, in our community and I live in a small community. We only had less than 200 cases of COVID, and only four deaths in our entire county, which is not bad you know but we're only a 20,000 person county so you know from a percentage perspective it's, you know, not great. However, what's very interesting is we haven't had a community transmission occurred within the school systems. And, as I understand within the school systems nationally. It's something like less than 1.7% error, where the transmission happens. And why is that because they are really serious about their hygiene. And where are people not? Where are people getting it well it's from family gatherings, where nobody wears a mask and everybody hugs. So they're not following the basic rules of hygiene and the same holds true in the digital world. If you're really careful about how you lock down your environment, whether or not you actually force, testing, and follow all the basic rules of hygiene, the chances that your your organization is going to run into problems is actually much smaller than organizations that are kind of like freewheeling about the way they allow people to interact within their organizations, right. So, again, basic rules of hygiene that we've all been talking about.
Vamosi: I’d really like to thank Mike Amadhi for sharing his insights from a career in infosec. It’s important to note that we have made great progress in healthcare digital security since the early 2000s. Many of the gloom and doom war stories we discussed in this podcast were from the early 2000s. And I have to say in the 2020s there is much more knowledge and accountability around medical devices. So should we expect a digital pandemic that will cause us to again use some common sense with our network security? Hopefully not. But, as Benjamin Franklin said, by failing to prepare, you are preparing to fail.
For the Hacker Mind, I remain with my hand sanitizer at the ready Robert Vamosi