Navigating the FDA Recommendations on Medical Device Security - and how they will shape the future of all IoT
Jake Williams, Rendition InfoSec, rsec.us, @MalwareJake

Upload: centralohioissa

Post on 15-Apr-2017


Navigating the FDA Recommendations on Medical Device Security - and how they will shape the future of all IoT
Jake Williams
Rendition InfoSec
rsec.us
@MalwareJake

# whoami

• Passionate about security
• More than a decade of InfoSec experience
• Some things about me:
  – Forensic Analyst
  – Incident Responder
  – Vulnerability Researcher
  – SANS Instructor/Course Author
  – Conference Addict

(C) 2016 Rendition InfoSec - Jake Williams

Agenda

• I don’t build/use/implement medical devices – does this even matter to me? (YES)
• What are the FDA’s Recommendations?
• How do these apply to IoT devices?
• Whoa – I never thought about that
• Actions you can take
• Recommended recommendations

Does this matter to me?

• Yes
• Jaa
• Yen
• Yama
• Baleh
• Yes
• Ioe
• Si

Even if I don’t care AT ALL about medical devices?

• Yes, Yes, Yes!

Medical device security: who has the conn?

• “FDA recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices.”
• Why do patients have responsibility here?
  – Not really happy with this implication
• Have you tried to get a copy of your medical device firmware?

The FDA’s Recommendations

• Modeled on NIST CyberSecurity Framework (CSF)
• NIST CSF Categories

NIST CSF - Identify

Identify Protect Detect Respond Recover

• Lightest section
• This really deals with risk assessments
  – Concerned that categories look a little fuzzy?

NIST CSF – Identify (2)

• Who gets to define the Severity Impact to Health in this risk assessment?
  – The vendor, seriously?!

NIST CSF - Protect

• Scary to think about your vendor determining the impact (and controls)

Can I buy a vowel?

• How many devices do you know that support multi-factor authentication?
  – Come on man…

NIST CSF – Protect (2)

• I’m sorry, we’re just “avoiding” hardcoded passwords in medical devices?
• Only authenticated users can perform firmware updates – mediocrity++

NIST CSF – Protect (3)

• Code signature verification and … ?
  – I’m all for this being a requirement but this is just a non-binding recommendation
• When would encryption not be appropriate?

NIST CSF – Detect, Respond, Recover

• These three are so unimportant that they are grouped together
  – Apparently the FDA knows better than NIST (?)
• Protecting devices is important
• But detecting intrusions is AT LEAST as important as securing the devices

NIST CSF – Detect, Respond, Recover (2)

• #1 enables detection of compromises
  – But how?
• #4 enables device forensics – hope this is implemented quickly!
• #2 – many end users can’t spell cybersecurity compromise

NIST CSF – Detect, Respond, Recover (3)

• #2 – many end users can’t spell “cybersecurity compromise”
• #3 – how precisely will vendors protect functionality even after compromise?
  – You don’t quite understand how this works…

NIST CSF – Detect, Respond, Recover (4)

NIST CSF – Detect, Respond, Recover (5)

• To be fair, Microsoft has tried valiantly to protect functionality even after a compromise (preventing rootkits)
  – And failed miserably
  – Because attackers are REALLY smart
• I’m pretty sure this can be the last of your device security concerns

How does FDA apply to generic IoT?

• The FTC is already involved in consumer device security

How does FDA apply to generic IoT? (2)

• The FTC has some IoT security recommendations of their own
  – But FDA has some of the shiniest devices to protect – you and me
• Once the FDA implements a standard for medical devices, FTC is likely to adopt
  – If you build, sell, or implement IoT devices you have to care about medical device standards

Whoa – I never thought of that…

• Consider that the FDA recommendations are currently non-binding
  – You – as a security professional – can help determine the future shape of these
• Again, even if you don’t do medical devices, this will still impact you!

IoT Horror Show

• Wifi your coffee, because, well what could go wrong…

IoT Horror Show (2)

• Control your slow cooker – from your phone

IoT Horror Show (3)

• Solving problems you never knew you had

IoT Horror Show (4)

• I’m giving these away to people I REALLY don’t like this year

IoT Horror Show (5)

• Preheat to… “burn the house down”

IoT Horror Show (6)

• Keep extending your dryer cycle until (??)

IoT Horror Show (7)

• Anyone see Mythbusters and their water heater experiments?
• Change water temp?

IoT Horror Show (8)

• You too can control your gas fireplace remotely from your phone

IoT Horror Show (8)

• I’d like to request my defibrillator NEVER be connected to 802.11

Actions you can take

• Talk to your legislators about medical and IoT device security
  – FDA and FTC have regulatory authority
• But they have to work within legislative frameworks provided by Congress
• Let them know you care
  – Because almost nobody does…
• Do this while FDA recommendations are still in DRAFT form!

Actions you can take (2)

• Medical device and IoT security today is a complete clown show

Actions you can take (3)

• Without your help, the clown show will continue
• Don’t just highlight problems
  – Offer solutions!
• What solutions can you offer to device manufacturers and integrators?
  – I’m so glad you asked!

Recommended… um… recommendations

• Wifi – sure you need it, but do you EVER need open WiFi?
  – Only for testing and then critical functionality should be disabled
• What about WEP?
  – Never.
  – Not even an option.
  – But what if… I SAID NO! Nein, Nein, Nein!

Recommended… um… recommendations (2)

• Firmware updates must be digitally signed
• No hardcoded passwords
  – We must do more than just “avoid” them
• Remove HTTP entirely
  – Only HTTPS support
• Same thing for telnet vs. SSH
• Device certificates must not be static
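The “firmware updates must be digitally signed” recommendation above, together with the earlier Protect slides (“only authenticated users can perform firmware updates” and “code signature verification”), is the one point in this deck that turns directly into code. The following is an added example written for this page; it is not code from the talk, from Rendition InfoSec, or from any device vendor. It assumes a constructed image layout (a 4-byte magic, a version, a payload length, the payload, then an Ed25519 signature over everything before it) and assumes the vendor’s public key is already baked into the device. It uses only the Go standard library. The device-side check verifies the signature before it trusts any header field, including the version number, and then refuses to install a validly signed image that is not newer than the running one, so that a known-bad old release cannot be pushed back onto the device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any real vendor's format):
//
//	magic "FWV1" (4) | version uint32 BE (4) | payload length uint32 BE (4) | payload | Ed25519 signature (64)
//
// The signature covers everything before it, so the version field is protected too.
const (
	headerLen = 12
	sigLen    = ed25519.SignatureSize
)

var magic = []byte("FWV1")

var (
	ErrTruncated    = errors.New("firmware: image truncated or length field inconsistent")
	ErrBadMagic     = errors.New("firmware: unrecognised image header")
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrRollback     = errors.New("firmware: version not newer than the installed one")
)

// BuildImage is the vendor's release-pipeline step. The private key lives
// there (ideally in an HSM) and is never present on the device.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 0, headerLen+len(payload)+sigLen)
	img = append(img, magic...)
	img = appendUint32(img, version)
	img = appendUint32(img, uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

func appendUint32(b []byte, v uint32) []byte {
	var buf [4]byte
	binary.BigEndian.PutUint32(buf[:], v)
	return append(b, buf[:]...)
}

// VerifyImage is the device-side gate that runs before anything is written to
// flash. pub is the vendor public key assumed to be baked into the device and
// installed is the version currently running. It returns the new version and
// payload only if the signature is valid and the version is strictly newer.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+sigLen {
		return 0, nil, ErrTruncated
	}
	if !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(img[4:8])
	payloadLen := int(binary.BigEndian.Uint32(img[8:12]))
	if payloadLen < 0 || len(img) != headerLen+payloadLen+sigLen {
		return 0, nil, ErrTruncated
	}
	signed := img[:headerLen+payloadLen]
	sig := img[headerLen+payloadLen:]
	// Verify before believing any header field, the version included: an
	// unsigned header must never be able to steer the device's decision.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSignature
	}
	// Anti-rollback: a genuinely signed but older image (carrying an old,
	// now-known bug) is rejected as well.
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, signed[headerLen:], nil
}

func main() {
	// Vendor key pair generated here only for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))

	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine v2 over v1:", v, err)

	_, _, err = VerifyImage(pub, 2, img)
	fmt.Println("genuine v2 over v2 (rollback):", err)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered payload:", err)
}
```

The design point relative to the Protect slide is that the signature binds the image to the vendor’s signing key, so whether the person uploading it held an admin password is irrelevant to whether it gets flashed; authenticating the uploader is a sensible second gate, not a replacement for this check. Keeping the version inside the signed region is what makes the rollback rule meaningful.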

Recommended… um… recommendations (3)

• No, it doesn’t need unauthenticated USB
  – Or unauthenticated serial, or…
• And if you put a silly custom port on your device that allows unauthenticated physical access…

Obligatory Questions Slide

• Thanks for your attention
• Open the floor to questions
• Hit me up at:
  – @malwarejake
  – [email protected]
  – rsec.us