Uploaded by: centralohioissa
Navigating the FDA Recommendations on Medical Device Security - and how they will shape the future of all IoT
Jake Williams
Rendition InfoSec
rsec.us
@MalwareJake
# whoami
• Passionate about security
• More than a decade of InfoSec experience
• Some things about me:
– Forensic Analyst
– Incident Responder
– Vulnerability Researcher
– SANS Instructor/Course Author
– Conference Addict
(C) 2016 Rendition InfoSec - Jake Williams
Agenda
• I don’t build/use/implement medical devices – does this even matter to me? (YES)
• What are the FDA’s Recommendations?
• How do these apply to IoT devices?
• Whoa – I never thought about that
• Actions you can take
• Recommended recommendations
Does this matter to me?
• Yes
• Jaa
• Yen
• Yama
• Baleh
• Yes
• Ioe
• Si
Even if I don’t care AT ALL about medical devices?
• Yes, Yes, Yes!
Medical device security: who has the conn?
• “FDA recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices.”
• Why do patients have responsibility here?
– Not really happy with this implication
• Have you tried to get a copy of your medical device firmware?
The FDA’s Recommendations
• Modeled on NIST CyberSecurity Framework (CSF)
• NIST CSF Categories: Identify, Protect, Detect, Respond, Recover
NIST CSF - Identify
• Lightest section
• This really deals with risk assessments
– Concerned that categories look a little fuzzy?
NIST CSF – Identify (2)
• Who gets to define the Severity Impact to Health in this risk assessment?
– The vendor, seriously?!
NIST CSF - Protect
• Scary to think about your vendor determining the impact (and controls)
• How many devices do you know that support multi-factor authentication?
– Come on man…
NIST CSF – Protect (2)
• I’m sorry, we’re just “avoiding” hardcoded passwords in medical devices?
• Only authenticated users can perform firmware updates – mediocrity++
NIST CSF – Protect (3)
• Code signature verification and … ?
– I’m all for this being a requirement but this is just a non-binding recommendation
• When would encryption not be appropriate?
NIST CSF – Detect, Respond, Recover
• These three are so unimportant that they are grouped together
– Apparently the FDA knows better than NIST (?)
• Protecting devices is important
• But detecting intrusions is AT LEAST as important as securing the devices
NIST CSF – Detect, Respond, Recover (2)
• #1 enables detection of compromises
– But how?
• #4 enables device forensics – hope this is implemented quickly!
• #2 – many end users can’t spell cybersecurity compromise
NIST CSF – Detect, Respond, Recover (3)
• #2 – many end users can’t spell “cybersecurity compromise”
• #3 – how precisely will vendors protect functionality even after compromise?
– You don’t quite understand how this works…
NIST CSF – Detect, Respond, Recover (5)
• To be fair, Microsoft has tried valiantly to protect functionality even after a compromise (preventing rootkits)
– And failed miserably
– Because attackers are REALLY smart
• I’m pretty sure this can be the last of your device security concerns
How does FDA apply to generic IoT?
• The FTC is already involved in consumer device security
How does FDA apply to generic IoT? (2)
• The FTC has some IoT security recommendations of their own
– But FDA has some of the shiniest devices to protect – you and me
• Once the FDA implements a standard for medical devices, FTC is likely to adopt
– If you build, sell, or implement IoT devices you have to care about medical device standards
Whoa – I never thought of that…
• Consider that the FDA recommendations are currently non-binding
– You – as a security professional – can help determine the future shape of these
• Again, even if you don’t do medical devices, this will still impact you!
IoT Horror Show
• Wifi your coffee, because, well what could go wrong…
IoT Horror Show (2)
• Control your slow cooker – from your phone
IoT Horror Show (3)
• Solving problems you never knew you had
IoT Horror Show (4)
• I’m giving these away to people I REALLY don’t like this year
IoT Horror Show (6)
• Keep extending your dryer cycle until (??)
IoT Horror Show (7)
• Anyone see Mythbusters and their water heater experiments?
• Change water temp?
IoT Horror Show (8)
• You too can control your gas fireplace remotely from your phone
IoT Horror Show (8)
• I’d like to request my defibrillator NEVER be connected to 802.11
Actions you can take
• Talk to your legislators about medical and IoT device security
– FDA and FTC have regulatory authority
• But they have to work within legislative frameworks provided by Congress
• Let them know you care
– Because almost nobody does…
• Do this while FDA recommendations are still in DRAFT form!
Actions you can take (2)
• Medical device and IoT security today is a complete clown show
Actions you can take (3)
• Without your help, the clown show will continue
• Don’t just highlight problems
– Offer solutions!
• What solutions can you offer to device manufacturers and integrators?
– I’m so glad you asked!
Recommended… um… recommendations
• WiFi – sure you need it, but do you EVER need open WiFi?
– Only for testing, and then critical functionality should be disabled
• What about WEP?
– Never.
– Not even an option.
– But what if… I SAID NO! Nein, Nein, Nein!
Recommended… um… recommendations (2)
• Firmware updates must be digitally signed
• No hardcoded passwords
– We must do more than just “avoid” them
• Remove HTTP entirely
– Only HTTPS support
• Same thing for telnet vs. SSH
• Device certificates must not be static
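What "firmware updates must be digitally signed" looks like on the device side, as an added example that is not part of the original deck or any vendor's code: the vendor signs a small manifest (version plus SHA-256 of the image) and the device checks the signature against a public key pinned at manufacture before it looks at anything else, then refuses rollback to an older version, then checks the image digest. The manifest layout, the Ed25519 choice and the `BuildUpdate`/`VerifyUpdate` names are assumptions for this example; the slides name no algorithm or format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed manifest layout for this example: 4-byte big-endian firmware
// version followed by the SHA-256 digest of the image. The vendor signs the
// manifest rather than the raw image, so the device can check version and
// digest before it spends time or flash on the (possibly large) image bytes.
const manifestLen = 4 + sha256.Size

var (
	ErrMalformed    = errors.New("firmware: malformed update package")
	ErrBadSignature = errors.New("firmware: manifest signature does not verify under pinned key")
	ErrRollback     = errors.New("firmware: version is not newer than the installed version")
	ErrHashMismatch = errors.New("firmware: image digest does not match signed manifest")
)

// Update is the package a device receives: manifest, detached signature, image.
type Update struct {
	Manifest  []byte
	Signature []byte
	Image     []byte
}

// BuildUpdate is the vendor-side signing step (hypothetical; assumes Ed25519).
// The private key never leaves the vendor's signing environment.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sum := sha256.Sum256(image)
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	copy(m[4:], sum[:])
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m), Image: image}
}

// VerifyUpdate is the device-side gate that runs before any flash write.
// Order matters: nothing in the manifest is trusted until the signature
// verifies under the public key pinned in the device at manufacture.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, u Update) (uint32, error) {
	if len(u.Manifest) != manifestLen || len(u.Signature) != ed25519.SignatureSize {
		return 0, ErrMalformed
	}
	if !ed25519.Verify(pinned, u.Manifest, u.Signature) {
		return 0, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(u.Manifest[:4])
	if version <= installed {
		// A validly signed but older image is still rejected: a signed build
		// with a known bug must not be replayable onto a patched device.
		return 0, ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], u.Manifest[4:]) {
		return 0, ErrHashMismatch
	}
	return version, nil
}

func main() {
	// Constructed demo data: a fresh vendor key pair, a v2 image, a device at v1.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image bytes")
	u := BuildUpdate(priv, 2, image)

	v, err := VerifyUpdate(pub, 1, u)
	fmt.Println("genuine update:", v, err)

	tampered := u
	tampered.Image = append([]byte("X"), image[1:]...) // one byte changed after signing
	_, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered image:", err)

	_, err = VerifyUpdate(pub, 2, u)
	fmt.Println("replay of already-installed version:", err)
}
```

The rollback check is the part most often left out: "only authenticated users can perform firmware updates" says nothing about which image they install, and a signed older build is exactly what someone would reinstall to bring a fixed bug back. The pinned key should be per product line at most and live in write-protected storage; the same design applies to the "device certificates must not be static" point, since a key shared across every unit makes one extracted key a fleet-wide problem.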
Recommended… um… recommendations (3)
• No, it doesn’t need unauthenticated USB
– Or unauthenticated serial, or…
• And if you put a silly custom port on your device that allows unauthenticated physical access…
Obligatory Questions Slide
• Thanks for your attention
• Open the floor to questions
• Hit me up at:
– @malwarejake
– [email protected]
– rsec.us