INFORMATION SECURITY NEWS
For The Week of 8/29-9/5 2017
CURRENT NEWS
465,000 St. Jude Pacemakers Recalled, Need Firmware Update
Since late last year, when a report outlining vulnerabilities in its cardiac devices was released, St. Jude Medical has been working to improve the security of its pacemakers. This firmware update is intended to fix many of the known vulnerabilities. Patients with these devices are urged to visit their healthcare providers to receive the update. The word “recall” in this sense only means that the devices need a firmware update; they do not have to be removed from patients.
See the Additional Reading section below for a writeup on the initial report, including a list of all the vulnerabilities that were uncovered.
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
Hackers exploited a bug in Instagram’s password reset feature to gain access to the email addresses and phone numbers associated with accounts. Since this included some celebrity accounts, a site called Doxagram was set up where people could pay $10 to look up the contact information of around a thousand celebrities. The site has since been taken down. The hackers claim to hold the information of six million more users.
http://www.telegraph.co.uk/technology/2017/09/04/six-million-instagram-accounts-hacked-protect/
http://gizmodo.com/instagram-done-got-hacked-1798732634
https://www.theverge.com/2017/9/1/16244304/instagram-hack-api-bug-doxagram-selena-gomez
Resumes for thousands of applicants to the US-based private security firm TigerSwan were exposed by a third-party recruiting firm. Many of the resumes included claims of top-secret clearances and detailed sensitive roles the applicants had previously held. Some of the resumes belonged to Afghan and Iraqi nationals who worked with US forces, and disclosure of their cooperation could put them at risk. The resumes were exposed when the third-party recruiter used a publicly readable Amazon S3 bucket to transfer the files to TigerSwan’s server, but did not remove the files afterwards.
600GB of data on Time Warner Cable subscribers was discovered in two unsecured Amazon S3 buckets. The records contained usernames and passwords, as well as device information such as serial numbers and MAC addresses. Billing addresses, phone numbers, and other contact information were leaked for at least a hundred thousand customers. Credentials for both internal and external systems were also leaked. A third-party company, BroadSoft, is believed to own the S3 buckets and to be where the exposure originated. The data also included CCTV footage of BroadSoft employees in India.
https://gizmodo.com/millions-of-time-warner-customer-records-exposed-in-thi-1798701579
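Both the TigerSwan and the Time Warner Cable exposures come down to an S3 bucket that anyone on the internet could read. The following script is an added example written for this page, not code from any party named above: it audits a bucket's ACL and bucket policy, in the JSON shape returned by the GetBucketAcl and GetBucketPolicy API calls, for grants to the AllUsers or AuthenticatedUsers groups and for Allow statements whose Principal is everyone. The sample ACL, policy, bucket name and canonical-user ID are constructed for the demonstration.

```python
"""Audit an S3 bucket's ACL and bucket policy for grants that expose it
to anonymous or all-AWS-account readers.

Added example written for this page, not code from any of the parties
involved in the incidents above.  The SAMPLE_* inputs are constructed to
look like the JSON returned by GetBucketAcl and GetBucketPolicy (for live
use, pass in boto3's client.get_bucket_acl() / get_bucket_policy()
output); the bucket name and canonical-user ID are made up.
"""
from __future__ import annotations

import json

# Group URIs S3 uses in ACL grants for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def acl_findings(acl: dict) -> list[str]:
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups.
    READ on a bucket ACL lets the grantee list every object key."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[grantee['URI']]}")
    return out


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    # Both {"Principal": "*"} and {"Principal": {"AWS": "*"}} mean anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_findings(policy: dict) -> list[str]:
    """Flag Allow statements whose Principal is everyone.  A Condition
    block may narrow the grant (e.g. to a VPC endpoint), so those are
    reported for review rather than as confirmed public access."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(stmt.get("Action")))
        if stmt.get("Condition"):
            out.append(f"statement {sid} allows {actions} to everyone, subject to a Condition; review it")
        else:
            out.append(f"statement {sid} allows {actions} to everyone")
    return out


def audit_bucket(acl: dict, policy_json: str | None) -> list[str]:
    """Combine ACL and policy findings; an empty list means no public grant was found."""
    findings = acl_findings(acl)
    if policy_json:
        findings += policy_findings(json.loads(policy_json))
    return findings


# Constructed sample: a transfer bucket whose ACL lets anyone list it and
# whose policy lets anyone download every object.
OWNER_ID = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-transfer-bucket/*",
    }],
})
# The same bucket with the public grant and the policy removed.
PRIVATE_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
    print("private bucket findings:", audit_bucket(PRIVATE_ACL, None))
```

Run against every bucket in an account after a transfer like the TigerSwan one, and treat any finding as a stop-ship: the owner grant alone (the PRIVATE_ACL case) is what a bucket used to move files between two companies should look like, and the files should be deleted once the transfer is confirmed.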
ADDITIONAL READING
St. Jude Cardiac Devices Vulnerabilities
In late 2016, the short-selling firm Muddy Waters released statements claiming that St. Jude Medical's cardiac devices were vulnerable to cyberattack. Muddy Waters held a short position in St. Jude, so it stood to profit if the stock price fell. In response, St. Jude sued Muddy Waters for defamation. Muddy Waters retained an independent security firm, Bishop Fox, to verify the findings. Bishop Fox's report on the state of the devices' security provides an excellent case study in why security matters and what goes wrong when it is ignored.
St. Jude's infrastructure consists of three main parts. First, there are the cardiac devices themselves (ICDs and pacemakers). Second, there are PCS Programmers, which clinicians use to configure the cardiac devices through an inductive wand held at close range (1-2 inches); they are intended for use by medical staff only. Third, there are Merlin@home units, which sit near the patient's bed, extract medical data and event history from the cardiac devices over an RF protocol, and upload it to St. Jude's servers.
A whole host of attacks was uncovered. These include:
A Merlin@home unit could be used to issue Programmer commands to pacemakers and ICDs.
A modified Merlin@home unit driven from a laptop could make an ICD deliver a T-wave shock.
A Merlin@home unit could be used to switch off all therapy on an ICD.
The Merlin@home RF range could easily be extended from 10 ft to 45 ft using commercially available antennas.
A Merlin@home unit could be used to drain an ICD battery by 3% every 24 hours.
ICD therapy could be disabled before delivering a shock to the patient, possibly resulting in cardiac arrest.
The researchers gained root access to both a Programmer and a Merlin@home unit, which made the attacks much easier to carry out.
These attacks were possible because St. Jude failed to follow some basic security practices. Among the overlooked factors were:
Weak Encryption in RF Protocol: The protocol used RSA, an industry-standard algorithm, but with only three bytes (24 bits) of key material. A 24-bit key space has just 2^24 = 16,777,216 possible values, few enough for a laptop to try every one in seconds, whereas RSA is normally used with 2048- or 4096-bit keys.
Backdoor in RF Protocol: The RF protocol cryptographically verified the three-byte value to ensure it was being issued a legitimate command. However, one three-byte value was always considered legitimate (the backdoor). This backdoor could be uncovered in a couple of ways. Because the key space was so small, the backdoor value could be brute forced fairly easily. Even had the key been longer, anyone with physical access to a Programmer could have retrieved the backdoor value directly from the device. Hard-coding a universal value like this means that once it is discovered, an attacker can issue commands to any cardiac device, not only to one whose own key has been learned, greatly expanding the scope of a potential attack.
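A toy model of the two RF authentication weaknesses just described, written for this page as an added example (it is not St. Jude firmware or code from the Bishop Fox report). It simulates a device that accepts any command carrying a 24-bit tag matching either its own key or a universal value, recovers that universal value by sweeping the key space for a tag that two different units both accept, uses it against a third device, and then shows a challenge-response design with a per-device 256-bit secret that defeats both guessing and replay. The class names, the BACKDOOR constant, the command string and the key sizes are assumptions made for the demonstration, not details of the real protocol.

```python
"""Toy model of the two RF authentication weaknesses described above:
a 24-bit authentication value and a hard-coded universal value that
every device accepts, next to a challenge-response design that has
neither problem.

Added example written for this page; it is not St. Jude firmware or
code from the Bishop Fox report.  The classes, the BACKDOOR constant,
the command byte string and the key sizes are invented to make the
arithmetic concrete and do not describe the real protocol.
"""
import hashlib
import hmac
import secrets

KEY_BITS = 24
KEYSPACE = 1 << KEY_BITS          # 2**24 = 16,777,216 candidate tags
COMMAND = b"DISABLE_THERAPY"      # hypothetical command identifier


class WeakImplant:
    """Accepts a command when the 3-byte tag equals the per-device key or
    the universal value baked into every unit (hypothetical constant)."""

    BACKDOOR = 0x3C5A7E

    def __init__(self, key=None):
        self.key = secrets.randbelow(KEYSPACE) if key is None else key
        self.therapy_enabled = True

    def accepts(self, tag: int) -> bool:
        return tag == self.key or tag == self.BACKDOOR

    def disable_therapy(self, tag: int) -> bool:
        if not self.accepts(tag):
            return False
        self.therapy_enabled = False
        return True


def find_universal_tag(dev_a: WeakImplant, dev_b: WeakImplant) -> int:
    """Sweep the 24-bit space treating both devices purely as oracles, as
    an attacker in radio range would.  Per-device keys differ, so the first
    tag both devices accept is the value shared by every unit."""
    for tag in range(KEYSPACE):
        if dev_a.accepts(tag) and dev_b.accepts(tag):
            return tag
    raise RuntimeError("no shared tag found")


def controller_tag(secret: bytes, nonce: bytes) -> bytes:
    """What a legitimate Programmer holding the device secret sends back."""
    return hmac.new(secret, nonce + COMMAND, hashlib.sha256).digest()


class HardenedImplant:
    """Per-device 256-bit secret plus challenge-response: the controller
    must return HMAC-SHA256(secret, nonce || command) over a nonce the
    implant just chose, so a tag can be neither guessed nor replayed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending_nonce = None
        self.therapy_enabled = True

    def challenge(self) -> bytes:
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def disable_therapy(self, tag: bytes) -> bool:
        if self.pending_nonce is None:      # no outstanding challenge: replay or out of order
            return False
        nonce, self.pending_nonce = self.pending_nonce, None   # nonce is single use
        if not hmac.compare_digest(controller_tag(self.secret, nonce), tag):
            return False
        self.therapy_enabled = False
        return True


def demo() -> dict:
    # Two units the attacker controls (e.g. bought second-hand), with different keys.
    shared = find_universal_tag(WeakImplant(0x000123), WeakImplant(0xABCDEF))
    victim = WeakImplant()                     # a device the attacker has never seen
    weak_disabled = victim.disable_therapy(shared)

    secret = secrets.token_bytes(32)
    implant = HardenedImplant(secret)
    implant.challenge()
    guess_works = implant.disable_therapy(bytes(32))           # blind guess
    good = controller_tag(secret, implant.challenge())
    legit_works = implant.disable_therapy(good)
    replay_works = implant.disable_therapy(good)               # same tag sent again

    return {"shared_tag": shared, "weak_disabled": weak_disabled,
            "guess_works": guess_works, "legit_works": legit_works,
            "replay_works": replay_works}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:#x}" if name == "shared_tag" else f"{name}: {value}")
```

The sweep in find_universal_tag finishes in about a second in plain CPython, which is the whole point of the 24-bit figure: it is the cost of a coffee break, not of a cryptanalysis project. The hardened variant is not a proposal for the real devices (it ignores power budgets, key provisioning and the clinical need for emergency access), but it shows the two properties the original design lacked: a secret per device, and a fresh challenge so that knowing one valid message buys nothing.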
Exposed JTAG and UART connections: Exposed JTAG and UART connections on the Merlin@home were used to reconfigure the embedded Linux system to present a root shell, giving the researchers complete administrative control of the device. Root access allowed them to reverse engineer the command protocol, find the backdoor value, and make a Merlin@home unit issue Programmer commands.
Programmer Hard Drive: The Programmer's hard drive could be removed and connected to another computer, allowing the researchers to edit its files directly, which shows that the disk contents were neither encrypted nor integrity-checked at boot. By changing firewall rules and some startup scripts, they gained root access to the Programmer.
Link to the original report: https://medsec.com/stj_expert_witness_report.pdf. The technical findings begin on page 27.