Attackers have IoT medical technology devices in their sights: botnets capable of hacking insulin pumps and similar items are ready and waiting. Numerous security loopholes make it possible.
They are known as Mirai, Reaper or Hajime – botnets that have made IoT devices their speciality. It started in October 2016 with Mirai: huge DDOS (Distributed Denial of Service) attacks were launched from hacked consumer devices like IP cameras, recorders and DSL routers, which had a massive impact on the Internet at the time. Although Reaper and Hajime are based on Mirai, they are much more dangerous. Whereas Mirai mainly broke into IoT devices that were protected only with the common standard passwords with which they were delivered, Reaper makes use of security loopholes that have been detected and not yet patched, as described in a WIRED article. This expands the target area significantly, since it makes many more components available from all kinds of applications. According to the security specialists quoted by WIRED, several million devices have already been infected and are just waiting for the signal to attack. The experts have published a list of affected systems.
The approach adopted by Hajime is even more refined: it is no longer based on the traditional botnet structure of command-and-control servers that initiate and direct attacks. Instead, it makes use of a decentralised Peer-to-Peer network, which makes the botnet hard to recognise and much less vulnerable. It also has a modular structure, enabling its functions to be expanded. It has also mastered the art of concealment, to be able to hide processes that are running on the IoT devices. This particular botnet, however, does not appear to have been used for harmful purposes yet.
Patients can only consider themselves lucky: according to a study by the Ponemon Institute, for the most part, the medical device industry is not set up to deal with security problems. The study reports that 67 percent of suppliers assume attacks on their devices are very probable, but only 17 percent are making a serious effort to secure their components.
A particularly stark example came to light recently, after researchers identified a security loophole in pacemakers and insulin pumps. The manufacturer was advised about the bugs 18 months ago, but does not consider it necessary to supply updates.
These security problems could have fatal consequences: one of the loopholes makes it possible to install malware on systems that control the implanted pacemakers. That could even make it possible to switch off the electrical pulses from the pacemaker, which is something the affected patients probably would not survive. Security specialist Billy Rios therefore began his presentation by saying, “We’ll show you how it’s possible to take control of this device by remote and load a virus onto a pacemaker”. He observed that he could even completely switch off the patient’s pacemaker – in other words, he could kill someone. Rios is convinced that physicians would not even notice the device had been tampered with.
See this article for more details of the extent and repercussions of this problem.
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.