CIO

Medical, consumer device makers are trying, at least, to improve IoT security: consultant

Hardly a fair fight as hack day pits Australian security specialists against vendors’ IoT security efforts

Manufacturers of medical devices and other Internet of Things (IoT) tools are increasingly seeking help to review and secure their source code, according to an Australian security consultancy that will soon hold a formal ‘hack day’ in which its researchers will each try to compromise a different IoT device.

“A lot of people are rushing these devices to market with little regard to implementing any security as part of them,” Jason Edelstein, chief technology officer with Sense of Security, told CSO Australia. “There seems to be demand for consumers to connect almost any device to the Internet, even where it doesn’t make any sense. Hackers are using these as easy targets.”

Risks from consumer devices are one thing but poorly designed medical devices – which are coming under fire as they are increasingly connected into what some call the Internet of Medical Things (IoMT) – can “cause loss of confidential patient information and even put lives at risk,” warned Hugo Hutchinson, Wavelink’s national business development manager for Fortinet, in a statement.

“Hospitals and other healthcare facilities are a major threat vector at the moment, and are ripe targets for ransomware, DDoS attacks, and IoMT breaches.”

Cisco’s recently released Midyear Cybersecurity Report joined the chorus of voices warning about the growing risk of healthcare compromise from IoT devices, noting that 37 percent of surveyed healthcare organisations saw targeted attacks as high-security risks to their organisations.

“Targeted cyber attacks have also become more worrisome than breaches involving lost or stolen hardware,” the report’s authors warned, “demanding a more precise approach to detecting and mitigating threats.”

That precision is hard to obtain given that 40 percent of healthcare organisations said they encounter thousands of security alerts per day, according to Cisco figures, with only half of those investigated. This shortfall is likely being exacerbated by deficient funding, with recent findings suggesting that Australian decision-makers were lagging global benchmarks for increasing IT-security budgets.

High reliance on potentially-compromised IoMT devices will push healthcare organisations to boost their investment in remediation. Industry groups are also throwing their hats into the ring: earlier this year, for example, the Open Web Application Security Project (OWASP) released a series of best practices for securing medical devices, broadening earlier guidance from the US Food and Drug Administration.

Yet even with such guidelines in place, many organisations are finding it hard to break their developers of bad security habits that have resulted in chronically insecure software, on IoT devices and elsewhere. A recent Veracode report found that 61 percent of all internally developed applications failed basic compliance tests when measured against the OWASP Top 10 list. Even more concerning: commercially developed software was even less secure, failing compliance checks 75 percent of the time.

The use of hard-coded passwords has been a particular problem; last month it forced Philips into action after it was revealed that hard-coded credentials in its DoseWise Portal could allow attackers to access patient records. Fully 35 percent of the applications Veracode tested contained hard-coded passwords, which developers often add to ensure smooth operation during testing and then forget to disable or remove.

Hard-coded passwords have also been blamed for vulnerabilities in RaySharp DVRs, Foscam C1 cameras, and other devices that have proved susceptible to exploitation in massive distributed denial of service (DDoS) and other attacks.
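The two paragraphs above describe the pattern behind the Philips, RaySharp and Foscam findings: a credential typed into source during testing that ships in the product. The following is an added example, not code from the article or from any of the vendors named, showing the simplest check a reviewer can run over a code base for that pattern, beside the fail-closed way of loading the same credential at runtime. Both code samples scanned are constructed for illustration; the variable names, the `Welcome123!` value and the `svc_dose` account are hypothetical and do not come from any real product.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample of the test-time credential the article describes
# being left behind (hypothetical names and values, not from any vendor).
VULNERABLE_SOURCE = '''
DB_HOST = "10.0.0.12"
DB_USER = "svc_dose"
DB_PASSWORD = "Welcome123!"   # TODO remove before release
api_key = 'AKIAEXAMPLEKEY000000'
'''

# The same configuration with secrets supplied by the deployment
# environment instead of baked into the code (also constructed).
HARDENED_SOURCE = '''
import os
DB_HOST = "10.0.0.12"
DB_USER = "svc_dose"
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = os.environ.get("API_KEY")
'''

# Identifier fragments that usually name a secret. This is a heuristic:
# it will flag "tokenizer = '...'" too, so findings need a human look.
_SECRET_NAMES = r"(?:pass(?:word|wd)?|secret|api[_-]?key|token|credential)"

# An assignment of a quoted, non-empty literal to a secret-looking name.
_LITERAL_ASSIGNMENT = re.compile(
    rf"(?P<name>\w*{_SECRET_NAMES}\w*)\s*[:=]\s*"
    r"(?P<quote>['\"])(?P<value>[^'\"]+)(?P=quote)",
    re.IGNORECASE,
)


def find_hardcoded_secrets(source: str) -> List[Dict[str, object]]:
    """Return one finding per line that assigns a string literal to a
    secret-looking name. Values read from the environment, a vault client
    or a config object are not literals and are not reported."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = _LITERAL_ASSIGNMENT.search(line)
        if match is None:
            continue
        value = match.group("value")
        if value.strip() == "":
            continue  # an empty literal is a placeholder, not a credential
        findings.append(
            {"line": lineno, "name": match.group("name"), "value": value}
        )
    return findings


def load_credential(name: str, env: Optional[Dict[str, str]] = None) -> str:
    """Fail closed: a missing credential aborts startup rather than
    falling back to a built-in default that every unit would share."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"credential {name} not provided; refusing to start")
    return value


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(VULNERABLE_SOURCE):
        print(f"line {finding['line']}: {finding['name']} = {finding['value']!r}")
    print("hardened sample findings:", find_hardcoded_secrets(HARDENED_SOURCE))
```

Run against the vulnerable sample the scanner reports `DB_PASSWORD` and `api_key`; against the hardened sample it reports nothing, because the right-hand side is a call rather than a literal. The loader's refusal to start without the credential is the point: a device that boots with an empty or default password is exactly the mass-deployed target the article's later paragraphs warn about.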

“Many of these organisations are producing products that are designed for mass deployments,” says Sense of Security’s Edelstein, whose firm has had “a number of assignments” specifically designed to improve IoMT security.

“There’s a lot more risk to these things than when they were traditionally disconnected,” he warned. “Any insecurities in those mass-market products could turn those things into zombie networks like the Mirai botnet. The manufacturers we have dealt with are taking note of that, and are trying to build security into the design of the new products they are bringing to market.”

The growing number of engagements with device makers is at least an encouraging sign that the device community is starting to take IoT security seriously. Yet as well-equipped security specialists continue to probe devices for weaknesses, a prolific pastime that has driven many a session at hacking conferences, Edelstein is confident that the firm's October hack day will be yet another reminder of how far the industry still has to go.

“We’re going to have the researchers each choose one IoT device and do some research to hack it,” he said. “This will allow us to provide feedback to vendors and put advisories into the market. By workshopping our findings with device manufacturers, we’re helping them make good design decisions.”