IBM has discovered a cybersecurity vulnerability that could potentially allow hackers to remotely take control of insulin pumps and alter medication dosages to patients, as well as "manipulate" readings from medical device monitors "to cover up concerning vital signs or create false panic."
X-Force Red, IBM's hacking team, last week publicly reported for the first time a problem with modules from French aerospace company Thales used in millions of internet-connected devices in the auto, energy, and healthcare industries. Using a flaw in the module, or mini circuit board that enables mobile communication, criminals could cause an insulin pump to overdose a patient. Neither IBM nor Thales has disclosed which manufacturers' pumps are vulnerable.
IBM said it first identified the vulnerability in September 2019 and both companies worked on a patch that has been available to device manufacturers since February. Still, IBM warned that the patching process is considerably slower for highly regulated industries like medtech.
The disclosure follows another major announcement earlier this year regarding cybersecurity loopholes potentially impacting millions of IoT devices across a range of industries. In June, Israeli research laboratory JSOF discovered multiple vulnerabilities, dubbed Ripple20, enabling hackers to potentially change the "behavior" of infusion pumps remotely, according to an example given by the lab.
At the time, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory that listed medtechs Baxter and B. Braun as being "affected" by the Ripple20 vulnerabilities.
An IBM spokesperson said it isn't aware of "any exploits" of the vulnerability at this time and "cannot speak to specific devices using the impacted module" but did confirm that Thales' portfolio of Internet of Things modules is used across various industries. MedTech Dive reached out to Thales but did not receive a response.
Last week, in response to the separate IoT device flaw publicly reported by IBM, CISA's Health Sector Cybersecurity Coordination Center put out an analyst note but could not say what specific medical devices or companies have been impacted by the Thales modules.
"While this vulnerability potentially affects millions of IoT devices, it is unknown exactly how many devices are impacted in the [healthcare and public health] sector. Despite this, it is likely that internet-connected medical devices have a Thales module for network communication given its widespread use," the warning said. The note cited a June CISA advisory regarding Baxter Sigma Spectrum Infusion Pumps and noted that such medical devices are "already vulnerable to similar attack."
MedTech Dive reached out to Baxter to find out if its pumps are potentially impacted by the Thales module vulnerability but did not hear back from the company.
In addition to pumps, patient health monitors that provide remote monitoring as well as continuous glucose monitors are also potentially impacted, according to Mike Rushanan, director of medical security at consultancy Harbor Labs. "This presents a potential patient safety issue as an attacker may spoof a valid medical device and, thereby, falsify all data," Rushanan said.
However, Chris Gates, principal security architect at medical device engineering firm Velentium, said he views the Thales modules as a "much lower level of concern" than Ripple20, which has several vulnerabilities that allow for remote code execution.
"This Thales attack requires physical access to the module via USB or via an over the air update," Gates said. "It is also highly dependent upon what the manufacturer of the device is storing in this memory, if anything."
Nonetheless, IBM warned last week that Thales’ Cinterion EHS8 M2M module and others within the same product line store and run Java code often containing confidential information like passwords, encryption keys and certificates. Adam Laurie, associate partner and hardware hacking expert for IBM’s X-Force Red, said that using the data stolen from the modules, cybercriminals could potentially control a device or gain access to the central control network to launch attacks.
Ripple20 and the Thales modules are the latest examples of third-party components widely used in medical devices that are potentially making patients vulnerable to cybersecurity threats. To address the problem, the Department of Commerce’s National Telecommunications and Information Administration in 2018 launched a multi-stakeholder initiative to improve component transparency across several industries, including medtech, by standardizing the process for sharing the data so users can better understand what exactly is running on their networks.
Allan Friedman, NTIA’s director of cybersecurity initiatives, said a software bill of materials (SBOM), an electronically readable format meant to provide an inventory of third-party components in devices, would help in situations like Ripple20 and the Thales module vulnerabilities.
"Once a vulnerability is discovered, the lack of an SBOM makes it hard for defenders to know if they are affected. Moreover, mitigating vulnerabilities like this, and determining who isn't affected, is particularly difficult when neither security researchers nor key partners have visibility into who is using the affected component across the ecosystem," Friedman said in an emailed statement.
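To make Friedman's point concrete, here is an added example (not from the article, IBM, Thales or NTIA) of how a defender holding a per-device SBOM could check a fleet against an advisory for a vulnerable third-party component and separate "affected", "not affected" and "unknown" devices. The SBOM layout is a simplified CycloneDX-style structure, and the device names, versions, the advisory identifier and the "fixed" version are constructed placeholders, not real product or advisory data.

```python
"""Triage a device fleet against a component advisory using SBOM data.

Added example, not code from the article or any vendor. The SBOM shape is a
simplified CycloneDX-style dict; every device, version and advisory value
below is a constructed placeholder.
"""
from typing import Dict, List, Optional, Tuple

# Constructed advisory record. The identifier is a placeholder, not a real
# CVE; the "fixed_version" is an assumed value for illustration only.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",
    "supplier": "Thales",
    "component": "Cinterion EHS8",
    "fixed_version": "2.0",
}

# Constructed fleet inventory: one simplified SBOM per device, or None when
# no SBOM was ever supplied for that device (the situation Friedman describes).
FLEET_SBOMS: Dict[str, Optional[dict]] = {
    "infusion-pump-A": {"components": [
        {"supplier": "Thales", "name": "Cinterion EHS8", "version": "1.4"},
        {"supplier": "ExampleCo", "name": "rtos-kernel", "version": "3.1"},
    ]},
    "glucose-monitor-B": {"components": [
        {"supplier": "Thales", "name": "Cinterion EHS8", "version": "2.0"},
    ]},
    "patient-monitor-C": {"components": [
        {"supplier": "OtherVendor", "name": "lte-modem", "version": "7.2"},
    ]},
    "legacy-pump-D": None,  # no SBOM on file: cannot be cleared either way
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def component_is_vulnerable(component: dict, advisory: dict) -> bool:
    """True when the component matches the advisory and predates the fix."""
    if component["supplier"] != advisory["supplier"]:
        return False
    if component["name"] != advisory["component"]:
        return False
    return parse_version(component["version"]) < parse_version(advisory["fixed_version"])


def triage_fleet(sboms: Dict[str, Optional[dict]], advisory: dict) -> Dict[str, List[str]]:
    """Bucket every device as affected, not_affected, or unknown (no SBOM)."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for device, sbom in sorted(sboms.items()):
        if sbom is None:
            # Without an inventory the device can be neither confirmed nor
            # cleared, so it stays on the follow-up list.
            result["unknown"].append(device)
        elif any(component_is_vulnerable(c, advisory) for c in sbom["components"]):
            result["affected"].append(device)
        else:
            result["not_affected"].append(device)
    return result


if __name__ == "__main__":
    for bucket, devices in triage_fleet(FLEET_SBOMS, ADVISORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

The "unknown" bucket is the practical payoff of the SBOM: with an inventory on file, a device can be cleared as not affected rather than left on the follow-up list indefinitely.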