discovering and disclosing vulnerabilities in medical … · 2020. 5. 1. · bluetooth...

Post on 25-Aug-2020

Page 1: DISCOVERING AND DISCLOSING VULNERABILITIES IN MEDICAL … · 2020. 5. 1. · Bluetooth vulnerabilities found in Android since BlueBorne. Series1. Series2. Series3. What is it and

DISCOVERING AND DISCLOSING VULNERABILITIES IN MEDICAL DEVICES

Curtis Simpson, CISO

Dor Zusman, Security Researcher

Agenda

The vulnerability researcher mind set

Disclosure study cases: URGENT/11, CDPwn

What is vulnerability disclosure? Why do we even do it?

The threat landscape

Takeaways & Questions

Medical & Clinical Devices

Patient Safety: Medical Device Behavior

Disruption: Ransomware

Data Breach: Personal Health Info

Inventory: Locating Medical Devices

Utilization: Maximizing Efficiency

Exposure: “The other side of the house.”

The New (Insecure) Endpoint

• Designed to Connect

• No Security or Agents

• Hard to Update

• Multiple Manufacturers

• Billions of Devices

• Vulnerable

The Traditional Endpoint Security Challenge

[Figure: device categories labelled “Traditional Enterprise”, “Unmanaged & IoT” and “BYOD (PC & Mobile)”. Devices shown: Switches, Printers, VOIP, Point of Sale, Medical Devices, Manufacturing, Web, PCs and Servers, Access Points, Bluetooth, Security Cameras, Smart TVs, Smart HVAC, Smart Lighting, Smartphones, Laptops, Tablets. Callout: 25+ Billion Connected Devices.]

90% of Devices Will Be “Un-agentable”

Source: Armis research and various market analysts

IoT Devices: Unmanaged & Unsecured

84% of security professionals believe IoT devices are more vulnerable than computers.

67% of enterprises have experienced an IoT security incident.

74% of security professionals say their security is inadequate for IoT devices.

Source: “State of Enterprise IoT Security in North America: Unmanaged and Unsecured,” a commissioned study conducted by Forrester Consulting on behalf of Armis, July 2019

©2019 Armis Inc. All Rights Reserved.

Unmanaged and IoT Devices are Targets

Just last month!

“The attacks have prompted stark warnings to hospitals from the Department of Homeland Security and from Interpol, which warned of a “significant increase” in cyberattacks targeting hospitals around the globe.”

The Cybersecurity 202: Hospitals face a surge of cyberattacks during the novel coronavirus pandemic

Openness benefits defenders more than it benefits attackers

Attackers target the weakest link in the chain

Good defense requires a detailed knowledge of offense

Challenging industry norms leads to improved security

Potential threats/anomalies discovered in the wild

Research un-manageable devices (Medical/OT/IoT, etc.)

Research attacks that will directly impact our clients

Disclose and mitigate the issue correctly in a timely manner

If we could find it - a bad actor will/has too

Why did we do Urgent/11 or CDPwn?

[Chart: Bluetooth vulnerabilities found in Android since BlueBorne]

What is it and why should I care?

Been around for 32 years, runs on over 2 Billion devices

Only 13 CVEs listed on MITRE

Real-time Operating System owned by WindRiver

VxWorks is everywhere

Healthcare

Auto

Manufacturing

Aerospace

Infrastructure/Network

Defense

Security

High Tech

VxWorks is used by everybody

11 Critical Zero Day Vulnerabilities in VxWorks’ TCP/IP Stack – IPnet

6 Remote Code Execution (RCEs)

5 Information Leaks, Denial of Service, Logical Flaws

Affects VxWorks versions for the last 13 years (v6.5 and up)

Affects hundreds of millions of devices

URGENT/11 Timeline

03/13/19: First contact with WindRiver PSIRT

03/24/19: Armis started tracking IPnet-based devices

04/03/19: WindRiver contact is leaving WindRiver

04/09/19: Managed to get a response from the PSIRT

04/11/19: Armis grants WindRiver an extension on the 90-day period

04/18/19: WindRiver receives PoCs

05/10/19: Armis receives patches for approval

05/19/19: Armis approves the patches

06/04/19: WindRiver & Armis send an advisory to affected clients

07/01/19: Armis suspects more OSes might be affected and contacts ICS-CERT/CISA (DHS)

07/29/19: Public disclosure & whitepaper

Original 90-day responsible disclosure period

Total: 138 days

URGENT/11 Timeline

07/01/19: Armis suspects more OSes might be affected and contacts ICS-CERT/CISA (DHS)

Started tracking down other affected vendors

Government agencies don’t talk to each other (just like on TV)

Contacted by the FDA

Potential vendors that are affected might still be out there...

Armis tagged Alaris PCU as vulnerable

Armis <==> Client <==> Alaris

Meanwhile at Defcon 27

The IPnet IP stack was developed by Interpeak in the early 2000s

Interpeak was acquired by WindRiver in 2007, and IPnet has been an integral part of VxWorks since

Apparently, Interpeak did sell software before being acquired

Device Vendors

Operating System

YOU

So is it solved?

Patient Monitor

If you could do anything on a device...

©2020 Armis – Confidential & Proprietary, Under Embargo until 8 AM PST Feb. 5, 2020

5 critical zero-day vulnerabilities in the Cisco Discovery Protocol (CDP)

Impacts tens of millions of devices

95% of F500 uses Cisco Communication Solutions

Cisco IP Phone 8800 Series

Cisco IOS XR Routers

Cisco NX-OS Switches

Cisco Firepower Firewalls

Cisco NCS Systems

Cisco IP Phone 7800 Series

[Diagram labels: INTERNET; CORE SWITCH; XYZ NETWORK, VLAN 1; CORPORATE NETWORK, VLAN 2; IoT NETWORK, VLAN 3]

Cisco is a security-aware company; security disclosures happen all the time.

Cisco has an experienced PSIRT (they even have a 24/7 hotline)

CDPwn Timeline

08/29/19: First contact with Cisco PSIRT

10/10/19: Armis receives patches for approval

10/16/19: Armis approves the patches

11/03/19: Armis identifies additional vulnerabilities and grants Cisco another 90-day period

11/04/19: Armis started tracking CDPwn vulnerable devices

01/07/20: Cisco issues CVEs

02/05/20: Public disclosure & whitepaper

Original 90-day responsible disclosure period

Second 90-day responsible disclosure period

Total: 160 days

So what did we learn from our experiences?

Working with the vendor on patches is just the tip of the iceberg

Contacting the relevant parties was hard

Extended responsible disclosure period

Making sure patches are deployed is next to impossible

Even vendors are not aware of the supply chain, so, how can you?

Disclosure was a breeze

Original responsible disclosure period

Cisco patched it == it's dead

Some patches are even pushed automatically or semi-automatically

Cisco wrote the code and is maintaining it constantly

How the pros do it

Back to Basics: 3 Critical Questions

What Do I Have?
• Full asset inventory
• Identify & classify
• Managed, unmanaged, IoT

Why Do I Care?
• Track behavior & traffic
• Provide threat assessment

What Action?
• Quarantine devices
• Suspicious or malicious

What We Have Found

MRI machine (and others) communicating with Command & Control in Russia.

Many WannaCry infected medical devices spreading across a flat open network.

Infusion pump compromised by malware while connected to patient.

X-Ray machines and others sending patient information and diagnosis unencrypted over the internet.

Medical crash carts being used to access Facebook, have accessed phishing websites.

Our MISSION

Enable enterprises to adopt new types of connected devices without fear of compromise by cyber attack.

UNAUTHORIZED NETWORK BRIDGE

Printer Allowed Anyone To Connect

A printer connected to the wired network had an open hotspot, allowing unauthenticated access to anyone.

How Armis Works

[Diagram row labels: ENDPOINTS, INFRASTRUCTURE, SERVICES. Labels shown: Managed Devices, BYOD Devices, Unmanaged and IoT Devices, Off-Network Devices; Firewall, NAC, SIEM, WLC, Switch, Virtual App; Armis threat detection engine, Armis device knowledge base.]

Armis Device Knowledgebase

• Crowd-sourced
• Cloud-Based
• 110M+ devices tracked
• 10M unique device profiles

©2020 Armis Inc. All Rights Reserved.