Ransomware Is Coming to Medical Devices
The only question is when—and what we are going to do about it.
Chest pains send you into convulsions, then stop abruptly. Is something wrong with your pacemaker? As you pant for breath, a message pops up on your phone. "Want to keep living? Pay us a ransom now, or you die."
This is not cyberpunk dystopia, but a probable near future, according to a report released last week by Forrester Research. The number one cybersecurity prediction for 2016: "We'll see ransomware for a medical device or wearable."
Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. To date ransomware has hit Windows users hardest, although Android and MacOS users are now facing similar extortion.
"That's a bold specific prediction," Joshua Corman, founder of I Am the Cavalry, a global grassroots organization focused on issues where computer security intersects public safety and human life, told Motherboard in a telephone call. "I hope it doesn't happen as they say it will, because that would shatter our confidence in these lifesaving medical devices."
The technical hurdles to create such ransomware are not high. "It's definitely feasible from a technical standpoint," medical device security researcher Billy Rios wrote in an email. "Given the urgency associated with these devices, I could see it as something that could happen next year. All that would be required from an attacker standpoint is small modifications to the malware to make it work."
Medical device ransomware would be a modern form of highway robbery with lives at stake. "People who say 'oh but no one would ever do that' fail to understand that on the internet, every sociopath is your next door neighbor," Corman said. "I am increasingly uncomfortable relying on the kindness of strangers everywhere on the planet."
"Assuming that no one would do this is naive," he added, "and assuming that organizations are capable of stopping it is unmerited trust."
The cybersecurity of most medical devices is poor. A 2013 DHS advisory, based on research by Rios and colleague Terry McCorkle, warned that 300 medical devices made by 40 different manufacturers use hard-coded passwords—passwords that are set at the factory and cannot be changed by end users—easily discoverable by downloading the manual from the manufacturer.
This is year zero for the health care industry and cyberattacks
In June, the FDA warned health care providers to stop using a drug pump due to a rudimentary cybersecurity flaw. And in September, researchers reported that honeypots pretending to be medical devices attracted more than 50,000 successful logins and nearly 300 malware payloads.
"While we've been doing this for 15-25 years in cyber, this is year zero or one for them [the healthcare industry]," Corman said. "We can't give them 15-25 years to catch up, although it's not reasonable to get there overnight… We're trying to approach this with teamwork and ambassador skill, not a pointing finger, but a helping hand."
Ransomware today is big business. The FBI in June of this year reported almost a thousand complaints related to the ransomware CryptoWall in the 14 months prior, "with victims reporting losses totaling over $18 million." That's just in the US. The Cyber Threat Alliance estimates that CryptoWall alone has resulted in "over US $325 million in damages worldwide."
Intel's McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the "nightmare of ransomware" to continue and "spread to new frontiers" in 2016.
"With PCs people have valuable information that they want back, but with IoT people have personal devices that can sometimes be very expensive and very valuable," Sandra Proske, F-Secure's Head of Global Communications & Brand, wrote in an email. "If someone takes over your 1,500€ connected fridge, you're definitely motivated to get it back up and running. Or if someone takes over your car and you're rushing to the office, of course you will pay."
But it's not profit-driven crime that concerns Corman most. "I like to remind people that there are as many motivations to hacking as there are in the human condition," he said. "I'm far less concerned about financial gain hacking than all the other motivations in the human condition."
Corman emphasized that we must not allow the extraordinary novelty and power of this threat to paralyze us into inaction. Concrete solutions to this problem exist, and it's time to start building them.
"All systems fail," he said. "It's how we respond to that failure that matters."
I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars, and it plans to publish a similar report using medical device-specific language soon.
The framework urges manufacturers to make device safety an integral part of the design process, not bolted on after the fact, as is currently often the case.
Manufacturers should also publish a coordinated disclosure policy inviting the assistance of third-party security researchers acting in good faith, I Am The Cavalry argues. It also says that medical devices should have "black boxes," like airplanes, to allow investigators to forensically examine the events leading up to a device failure.
Further, medical devices should receive security updates in a timely fashion, like an iPhone. Finally, I Am The Cavalry recommends that, just as hacking a car stereo should not give an attacker access to the brakes, medical devices should segment critical systems from non-critical systems, up to and including air gapping (disconnecting from the internet) the most sensitive devices.
"Eventually this will get figured out," Corman said, "but the question is, how quickly?"
Networked medical devices save lives. Despite the hacking risk, Corman remains positive about the future. "The trade-offs are there, but it's an informed trade-off… Do you really want someone who needs that pacemaker to be afraid to trust it? Because that too will lead to loss of life."
Information security on the internet is a well-understood field, he pointed out. Attack is cheap and defense is difficult, and all of the threats we've seen over the past decades are on the brink of leaping into the real world: the Internet of Things.
"One could argue that most of the breaches you could name"—the OPM breach, Ashley Madison dump, the Sony hack—"didn't really do any harm," Corman said. "We've had an era of low-consequence failure, and that era is now over. The consequences now are life and limb and flesh and blood, and I'm not sure we're ready for that."