On October 21, hackers took control of connected devices to bring down major websites, such as Amazon, Twitter, Netflix, and PayPal. Experts say this is the first time such an attack has originated from the so-called Internet of Things (IoT), and it exposes the vulnerability of our digital infrastructure, according to an AAMI report. For once in recent months, however, hackers seemed to have left the health care industry unscathed.
“Health care providers really dodged the bullet on this one,” says medical device cybersecurity expert Kevin Fu, who is the director of the Archimedes Center for Medical Device Security at the Ann Arbor-based University of Michigan. Fu and other health care cybersecurity experts say health care facilities remain vulnerable to cyberattacks, adding that they must be more aggressive and proactive in establishing policies and procedures that safeguard individual devices and computer networks.
Starting around 7 a.m. ET on October 21, hackers began using infected devices, such as DVRs and surveillance system cameras, to bombard Dyn, a company whose servers route traffic on the web. Dyn has confirmed the Mirai botnet as “the primary source of malicious attack traffic,” although it “will not speculate or comment regarding the motivation or the identity of the attackers.”
The hacker who created the Mirai malware released the source code at the end of September, “effectively letting anyone build their own attack army,” cybersecurity blogger Brian Krebs explained in a post. In all, more than 60 username and password pairs are included in the botnet source code. Based on a list compiled by Krebs, none of these pairs seems to correspond to medical devices, but that doesn’t mean these devices are safe.
“The current dictionary does not appear to contain combinations found in medical devices, but with the source code published, it is possible for another attacker to deploy a variation that searches for known vulnerable medical devices,” says Ken Hoyme, distinguished scientist at Adventium Labs and co-chair of the AAMI Device Security Working Group. “It depends on whether a hacker decides that there are enough vulnerable medical devices to harvest to invest the time to augment the search dictionary with known medical device default usernames/passwords.”
Based on reports from the last few years, finding these username-passwords pairs for medical devices wouldn’t be very difficult. In June 2013, the Industrial Control Systems Cyber Emergency Response Team issued an alert after researchers Billy Rios and Terry McCorkle reported that approximately 300 medical devices made by about 40 different vendors had “hard-coded passwords that [could] be used to permit privileged access to devices.”
Axel Wirth, distinguished technical architect for Cambridge, Mass.-based Symantec Corp., said the Mirai botnet and other similar malware underscores the risks of “hardcoded passwords and similar poor security practices” for medical devices.
“I am aware of one case where an ultrasound system was actually hijacked and became part of a botnet?to distribute spam email in this case, not be part of a distributed denial-of-service attack,” says Wirth who writes a cybersecurity column for AAMI’s peer-reviewed journal BI&T. “The most likely scenario would be that medical devices or hospital networks get caught up in this as somebody is stringing together a botnet just because they share the same vulnerability, not because they are targeted as medical devices. Nevertheless, the implications could be the same.”
Fu emphasizes that this latest attack should serve as a warning. “I would consider this a shot across the bow for health care,” Fu says. He—and other experts—stress that it is vital to design medical devices with security in mind.
Visit www.aami.org for more information.