Told you so. But pacemakers maybe not the worst of it
Published 2017-06-02 (securitycurve.com, post 266; categories: security; tags: biomed, fda)

<p>In the continuing saga of why the lack of security in biomed will eventually start killing people, we have, as of yesterday, the results of <a href="https://drive.google.com/file/d/0B_GspGER4QQTYkJfaVlBeGVCSW8/view">a security analysis</a> of a pacemaker in which they <a href="http://www.healthcareitnews.com/news/pacemaker-device-security-audit-finds-8600-flaws-some-potentially-deadly">found apparently 8600 flaws</a> — of which some are potentially deadly. It's an interesting report. I urge you to read it.</p>

<p>Now, WhiteScope is of course in the business of doing firmware research and assessments — so it's arguably good for them from a marketing standpoint if the results are panic-inducing — but if you read it for yourself, I think you'll conclude it's fair and unbiased. Yes, there are some specific points that are debatable — for example, they call out lack of encryption in the home monitoring device as an issue, which is absolutely fair. But that's nuanced, because architecturally it'd be hard to enable that (for telemetry at least) without also having the implantable device do it too, which in turn makes it complicated from a power (and therefore battery utilization) standpoint.</p>

<p>TLDR? Pacemakers could be attacked, and ultimately kill somebody under the right circumstances. Read the report.</p>

<p>I've been saying this for years. I'm not going to say I told you so (because I'm too mature for that), so instead I'll let Sheldon Cooper do it for me:<br />
<a href="https://www.youtube.com/embed/GHBB3WWhxr4">(video)</a></p>

<p>Here's the scary part though. Biomed's a big space. Everybody wants to do research on <strong>implantable</strong> biomed – because: it's super scary, it's really hard to get right (mostly because of power considerations, which makes one wonder why you don't see the zero-power defenses proposed in section V of the <a href="https://spqr.eecs.umich.edu/papers/icd-study.pdf">You-Dub paper</a> more often), and it makes for a compelling "story." Anyway, whatever, implantable's sexy. But there are more accessible biomed systems that are just as potentially life threatening that nobody seems to care about: radiosurgery, pharma systems, even some imaging systems.</p>

<p>If you don't believe me that potential errors here are every bit as life threatening as an issue with an implantable device, allow me to call your attention to the <a href="https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf">FDA guidance on the topic</a> which, according to the <a href="https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf">fact sheet</a>, should be the document that outlines the premarket "nonbinding recommendations" for security. It actually says that, by the way: the header of every page after 2 is "Contains Nonbinding Recommendations" – sort of like a warning label, lest anybody feel the burning need to look to FDA for specific guidance here. Anyway, they recommend – in sort of a lackadaisical, languid, and of course "non-binding" sort of way – that IP-connected medical devices adhere to certain practices: authenticating users, refraining from hardcoded passwords, heck, having passwords at all, etc. The point being (before I get too fired up about that) that it's really up to the manufacturer <del>if</del> how it will enforce a security model for the device… usually on a COTS OS… usually IP-connected… usually on the same network where employee and patient traffic lives…</p>

<p>So by all means, let's work on implantable. But let's also (for the love of all that's holy) work on the rest of it too.</p>