What started out as a standard Red Team test designed to check the security capabilities of several Australian hospitals, led to a chain of events that eventually uncovered serious security flaws in remote-capable insulin pumps that, if abused could have had disastrous consequences.
The hospitals, all of which are part of a connected healthcare system, had contracted with Trustwave to conduct the Red Team tests against several of their facilities.
The Red Team exercises themselves turned up several significant security findings that had to be immediately addressed, but perhaps more importantly, the results led the healthcare organization to expand its contract with Trustwave to include an assessment of a medical Internet of Things (IoT) device that was shortly to be deployed to their patients.
Red Team 1 – Hospital Security 0
The Red Team exercise was quite broad in scope, encompassing several hospitals. The basic results included several issues around poor network segmentation, poor security controls, quite a few physical access issues, and problems identifying and responding to social engineering attacks.
The end result of our testing stunned the hospital administrators, and rightly so since we exhibited that patient healthcare data would have been compromised if these had been real-world attacks and the lack of detective controls ensured that our Red Team escaped without notice, nor was there any real ability or tools in place for the hospital’s unit to catch an attacker.
What this wake-up call did, in addition to pointing out some very serious security flaws, was to open the organization's eyes to other areas that might be problematic, and that led to a hardware-level penetration test of one of their medical devices.
Pumping Up the Volume of Threats
The device in question was an insulin smart pump that patients can take home and connect to their home network, allowing them to receive proper care and supervision even if they don't live near a medical facility.
The pump is connected to the patient's home router, enabling it to transmit the details of the insulin treatment to medical personnel, allowing them to track the treatment and make changes, say if the dosage needs to be adjusted, etc.
Our team attempted a number of different attacks. We tried to intercept and manipulate data being transmitted over the wireless network, interfere with the dosage volume and frequency, interrupt the device's general processes, seeing if we could leverage access to the insulin pump to gain access into the patient's home environment, and if we could take that a step further and obtain entry into the hospital IT environment.
The answer was yes.
Failing on the Basics
In the end, we found several issues and weaknesses. Many were problems that are consistent with those found in other IoT devices, such as unnecessary services enabled, which increase a device's attack surface.
The client was pretty startled at our findings. This level of surprise was likely due to organizations incorrectly assuming a level of security comes baked into these types of devices, particularly when dealing with medical-grade devices and the serious nature of their use.
But the reality is that is very rarely the case.
Some of what we found included poor network-level controls around segmentation and segregation, which means if there is a vulnerability in the device or in the network, then essentially everything within that network segment is potentially at risk.
Next, the wireless network configuration was poor, making it vulnerable to many well-known attacks. Additionally, the inbuilt access point didn't prevent client isolation, creating situations where other devices on the network would be able to directly interact with the insulin pump.
As a comparison, most standard home Wi-Fi routers have this feature disabled by default in order to reduce the attack surface of devices within the wifi network.
Finally, we saw other common IoT issues like weak passwords or admin credentials still in use. For example, the passcode was a basic four-digit number, and we will let you guess what it was.
Figuring out the passcode was within the grasp of even a the most rudimentary threat actor, which would have given access to the pump's maintenance mode, allowing them to then modify any setting.
All of these items were discovered in one device, some in a matter of minutes
Mitigation and Risk Awareness
In the case of the remote insulin pump, mitigation can be difficult. The pumps are not directly under the hospital's control but are in the patient's hands. In most cases, the manufacturer preconfigured the device and deployed it by the hospital.
The hospital can take the time to harden the device pre-deployment, thus fixing issues that are not secure out of the box. However, the organization must be willing to invest the time and effort to do so.
Perhaps more importantly, what our investigation gave the hospital was risk awareness. The testing ensured that the staff understood the level of risk accepted when deploying these devices to patients.
In reality, this is not dissimilar to any pharmaceutical guidance given to a patient when given a new medicine. The patient is informed of the benefits and any risks associated with treatment and provides an informed consent. In a similar manner, there is a responsibility on the medical facility to let the patient know there is a risk that goes along with the device.
Other basic steps a hospital, or really any organization that handles IoT devices, should perform is reset the admin passcodes, ensure the security that is included with the device is used to its maximum, keep up with software patches, and try to procure equipment from reputable manufacturers that prioritize security.
In the end, the security problems we found in the insulin pump were not as technically severe as what the Red Team had identified. Still, the fact the pumps are literally directly connected to patients made the consequences of their flaws potentially much more dangerous.
The consequences of giving someone a miscalculated insulin dose, particularly for someone that is in a remote area, are pretty catastrophic.
The good news is none of the issues with this brand and model of pump are being exploited and the manufacturer agreed to implement our recommended fixes. But that is not the case with all medical equipment. There are multiple devices that threat actors are actively attacking, but more importantly, any Internet-facing piece of equipment is exposed to danger.
