Connected medical devices spark debate at RSA Conference session
An RSA Conference session on a new attack on connected medical devices led to a spirited debate on vulnerability disclosure and manufacturer responsibility.
SAN FRANCISCO -- An RSA Conference session featuring new research on the MEDJACK attack sparked a spirited debate on connected medical devices and their security vulnerabilities.
Cybersecurity vendor TrapX Security, based in San Mateo, Calif., presented a preview of forthcoming research on a new version of the MEDJACK cyberattack on connected medical devices, dubbed MEDJACK.3. TrapX researchers discovered the original MEDJACK attack in 2015 and followed up with additional research into a new incarnation of the attack, MEDJACK.2, last year.
"What we found was attackers had started to focus on medical equipment, and they started to look for ways to penetrate the infrastructure [through medical device hijacking]," said Anthony James, vice president of marketing at TrapX.
On Thursday, TrapX previewed research into the latest version of MEDJACK, which James said further compounds the risks around connected medical devices. The company described how MEDJACK.3 had modified its approach to search for connected medical devices, such as MRI and CT scanners, deployed on older, out-of-date operating systems, such as Windows XP and Windows Server 2008. Meanwhile, the attack code was designed to be ignored by more modern operating systems.
The MEDJACK.3 malware was also found to use more sophisticated evasion and obfuscation techniques, including anti-sandbox functionality. TrapX showed one example where MEDJACK malware had infected an X-ray viewing system and used the device as a command-and-control platform to move laterally through the targeted healthcare organization.
"We've got this hardware and this equipment that's doing its function that the healthcare environment decided they needed, and they're treating patients," James said. "But there is no magic bullet to figure out how to secure this software that's underlying the main function on this hardware that's highly specialized. So, it's a big challenge."
Moshe Ben-Simon, co-founder and vice president of services at TrapX Labs, said because so many connected medical devices feature legacy software and run on outdated operating systems, they are easy targets for MEDJACK.3.
"If somebody discovers their medical devices are controlled by malware, even if the malware is causing people to die, you're in big trouble," Ben-Simon said. "What happened with MEDJACK is, and it's unfortunate to say, it's in 95% of hospitals we see."
Ben-Simon said the attack affects "everything" that's connected to the internet in a hospital, from simple oxygen machines to more complex oncology systems. During the question-and-answer portion of the session, however, audience member Michael McNeil, senior director of product security at Philips Healthcare, took issue with the presentation.
"I would suggest that TrapX gets aligned on, at least in the United States, the latest guidelines and regulations that are in place," McNeil said, adding that the U.S. Food and Drug Administration has issued security guidance on connected medical devices and disclosing vulnerabilities.
McNeil also questioned whether TrapX directly notified any of the affected device manufacturers prior to RSA Conference.
"The answer is yes," Ben-Simon said. "And not all of them answered."
McNeil said no one had contacted his office about the MEDJACK.3 attack or vulnerabilities in Philips' medical devices. He also argued that hospitals and healthcare organizations push the lifecycle of many of these devices far past the recommendations.
"So, when you say the manufacturer is responsible for trying to make sure the devices are secure, if they go to a customer and state, 'Please remove it,'" McNeil said, "we can't pull our devices [from customers]."
Ben-Simon disagreed and argued that manufacturers still have a responsibility to inform healthcare organizations about the risks of using connected medical devices that were designed for Windows XP and give those customers a path to more modern, secure alternatives.
McNeil said TrapX is assuming those conversations with customers aren't already taking place. "It's a bad assumption if you haven't done the research," he said.
Ben-Simon responded by saying TrapX has done the research, and customers are still using outdated operating systems and vulnerable medical devices, so the manufacturers' approach to the problem isn't working.