by Bharat Mistry
Many of us probably don’t know it yet, but already the Internet of Things is creeping into every corner of our lives. From connected cars to on-board sensors inside aircraft, wearable fitness bands to smart cities – the possibilities are almost limitless for this new computing paradigm. Healthcare is one industry which has taken to the IoT with gusto, especially in the States where investment in new technologies tends to be ahead of the UK. Yes, networked devices can dramatically improve healthcare outcomes and patient wellbeing. But the problem is that manufacturers just aren’t putting enough thought into security and privacy at the design phase.
The result? Products are rushed to market with major security vulnerabilities, as one new piece of research has just found. Presenting at DerbyCon last weekend, two researchers claimed to have found 68,000 exposed IoT devices at just one unnamed healthcare organization.
They found these devices with a simple search of Shodan – a search engine which returns results for internet-connected machines on the public internet. They claimed that thousands of healthcare organizations were running exposed devices. Common security issues included:
- Devices not getting updates/patches – many of them still running legacy OSes like XP
- Weak default or hard-coded admin credentials which are easy to crack
- Unencrypted data transmission to/from devices – allowing hackers to snoop on private patient info
- Devices and admin computers expose details which could allow hackers to craft convincing phishing attacks or even “wreak havoc” inside hospitals
With critical devices like MRI scanners, pacemakers, drug infusion pumps and more increasingly becoming internet connected, the potential is there not only for privacy infringement but serious harm to patient safety. And it doesn’t have to come from external hackers. In Austria, two patients managed to find the hard-coded passwords for their drug infusion pumps to increase their dosage of morphine to dangerously high levels.
These exposed systems are already being targeted, a honeypot set-up to mimic medical IoT devices revealed – although fortunately it appears the hackers don’t know what they’re attacking. But this won’t last forever. As soon as it’s proven there’s money to be made from such attacks, we’re likely to see vulnerabilities exploited in earnest.
This makes it vital that the industry moves now to engineer security and privacy features into IoT kit from the very start. Given that the development lifecycle for some products can be anything from 3-5 years, it must happen now. This will require the co-operation of developers, major customers, regulators, standards bodies and governments. IoT development is accelerating at such a speed that if we don’t act now, these sensors and devices will be too deeply ingrained into our IT infrastructure to modify.
In the meantime, here are some things we can do to reduce the risks posed by IoT devices in the enterprise.
- For manufacturers, testers and developers read OWASP IoT Top Ten to understand where key vulnerabilities lie
- Scan devices for default/hard-coded passwords and change to complex credentials, or report the issue to your manufacturer
- Implement transport encryption to stop prying eyes viewing data
- Reduce number of staff with admin privileges, according to “least privilege” principle
- Conduct survey of who’s bringing wearables to work
- Conduct assessment of those wearables and only allow those which meet security requirements to connect to network