LAS VEGAS — McAfee’s Lead Scientist and Senior Principal Engineer Christiaan Beek was in the hospital with his expectant wife when he inadvertently learned about a troubling IoT cybersecurity vulnerability. When the ultrasound technician measured the size of their youngest child, Beek glanced at the screen and saw the message “saving data to image” flash across it. “You would expect the data to be written to a file,” Beek said in an interview at Black Hat USA. “That’s what sparked my interest.”
Beek then dove into medical imaging security and found significant vulnerabilities involving poorly implemented open-source PACS software. One example was the use of Apache Tomcat version 7.0.13, an outdated web server with dozens of known vulnerabilities. “We found so many vulnerabilities. It was unbelievable,” Beek said. “I was shocked by it.”
In their research, the McAfee team found a string of clinics whose medical images were directly connected to the internet. Beek shuddered to think that a cybercriminal could have seen an image of his youngest child before the baby was born. “Especially as a researcher, a discovery like that freaks me out,” he said.
Beek’s central goal in researching connected medical devices, vehicles, airplanes and industrial control systems is not to scare, but to start a dialogue with the industry. “It can be great to live in this interconnected world, but it’s easy to increase our attack surface — in our homes, cities as well as our nations — without knowing it,” he said.
Addressing the IoT cybersecurity problem as an industry requires a holistic strategy and a long-term view. “You know how we go and get a flu vaccine each year? Wouldn’t it be great if we had a super-vaccine that will protect us for life against the flu?” Beek asked. “Translated into the world of malware, would it be possible to develop the equivalent of a vaccine for certain threats?”
In a keynote at Black Hat, Parisa Tabriz, Project Zero Manager and Director of Engineering at Google, shared similar conclusions. Many cybersecurity defense strategies have a narrow focus or fail to learn from the past. “It’s incredibly frustrating when I see a report of a security vulnerability that I know was previously fixed or is some trivial variant of a bug we know about,” she said. “As things get more and more connected, we have to stop playing [cybersecurity] Whac-a-Mole.”
Part of the reason for this seemingly eternal recurrence in cybersecurity lies with many manufacturers’ failure to follow basic cybersecurity lessons. “With all due respect, it is easy to ship an IoT device without default passwords or leaving telnet enabled,” Beek said.
Returning to the medical field, vendors have long prioritized ensuring that critical medical devices are rugged and capable of working without interruption. “If the battery on a medical device runs out, it can be exchanged very quickly,” Beek said. “But using encryption on the disk of a machine holding medical data,” for instance, is likely not a high priority. “Sometimes the attitude of [medical device companies] is: ‘Cybersecurity is too difficult. It’s too much of a hassle to fix.’”
As the world hurtles toward a future with tens of billions of IoT devices, where, as Tabriz said, “computer security is becoming security of the world,” it becomes vital to approach computer security and IoT cybersecurity as a community endeavor with high standards. “We have to identify and tackle the root cause of the problems we uncover and not just be satisfied with isolated fixes,” Tabriz said. “We have to build a coalition of champions and supporters outside of security, so that [our long-term cybersecurity] efforts are successful.”