White Paper: Outdated Vendor Firmware as a Driver for Adopting Zero Trust Security in Healthcare
This blog series focuses on the three main drivers in healthcare for adopting a Zero Trust security architecture. In the last installment, we focused on ransomware. This blog will focus on outdated firmware, and the next will focus on unmanaged services.
Outdated Vendor Firmware & Associated Threats
Devices running outdated vendor firmware may represent an even bigger threat to connected medical and IoT devices than outdated operating systems (OS). Firmware is often built into proprietary, embedded OS and is extremely vulnerable for various reasons:
- Software code in firmware is typically not written with security in mind and has not gone through any security review
- Authentication is extremely weak or doesn't exist at all; in many cases, credentials are hardcoded and can't be changed
- Data transfer in firmware is often based on unsecured, unencrypted, and difficult-to-monitor proprietary communications protocols
- Firmware updates are hardly ever issued by vendors, often because vendors aren't aware their devices include specific firmware
- Sparse security research on firmware means vulnerabilities are not understood; because of this, discovering vulnerabilities often takes much longer than in consumer OS
Firmware Vulnerabilities: Real-Life Use Cases
Various families of vulnerabilities affecting firmware in millions of connected healthcare IoT devices around the world were discovered over the last three years: URGENT/11, Ripple20, and NAME:WRECK, to name a few.
For example, Cynerio research discovered that about 96% of infusion pumps in healthcare facilities across our deployments are vulnerable to URGENT/11 or Ripple20. In this blog, we'll focus on these two vulnerabilities, how they affect medical and IoT devices, and how the risks can be mitigated with a Zero Trust security architecture.
Ripple20 & Healthcare IoT Devices
Ripple20 is a series of 19 critical vulnerabilities in the Treck TCP/IP stack, a software library built into various medical and IoT devices and embedded in third-party components of operating systems. Treck is a low-level component, and in many cases, administrators may not be aware it is used on the device. Recently, four more Ripple20 vulnerabilities were discovered and added to the initial group.
Ripple20 Treck Flaws
Ripple20 vulnerabilities are embedded in the Treck TCP/IP internet protocol suite library. The library is built into the source code of myriad medical and nonmedical devices. The flaws in Treck enable remote code execution, enabling attackers to compromise targeted medical and IoT devices.
Treck Vulnerability Severity & Consequences
Ripple20 vulnerabilities in medical and IoT devices can result in:
- The exposure and theft of electronic protected health information (ePHI)
- Denial of Service (DoS) attacks and the shutdown of entire clinical networks
- Compromised device functionality that interferes with medical treatment
Ripple20 is especially concerning because it affects critical care equipment, which means that attackers can physically harm patients, for example by administering excessive dosages of medication. Ripple20 vulnerabilities affect devices including:
- Baxter, Sigma series and B. Braun infusion pumps
- CareStream Radiology devices
- Schneider APC/UPS devices
- Digi capsule connectivity engines
- HP and Ricoh printers
URGENT/11 & Healthcare IoT Devices
URGENT/11 is another family of TCP/IP stack vulnerabilities and was discovered in October 2019. The vulnerabilities were found in IPnet, a network communications component that is no longer supported by the original developer. Nevertheless, IPnet continues to be built into software applications, equipment, and systems used by a plethora of healthcare IoT and industrial devices.
URGENT/11 Severity & Consequences
Devices affected by URGENT/11 are at risk of enabling attackers to:
- Take remote control of medical and IoT devices, disrupting clinical workflow
- Tamper with medical devices' functionality
- Use a device to initiate denial of service (DoS) attacks
- Exfiltrate sensitive data (ePHI) from the infected device or connected systems
Affected Operating Systems
The IPnet component affected by URGENT/11 is built into many operating systems used by medical and IoT devices, but not all version include the vulnerable IPnet component:
- Wind River VxWorks
- ENEA Operating System Embedded (OSE)
- Green Hills INTEGRITY
- Microsoft ThreadX
- IP Infusion ZebOS
URGENT/11 was discovered in medical devices manufactured by GE Healthcare, Philips, Schneider Electric, Siemens and others, in the following categories:
- Patient monitors
- MRI machines
- VoIP phones
Cynerio research discovered that nearly 33% of infusion pumps across our deployments, including the prominent Alaris model, are vulnerable to URGENT/11.
Why Zero Trust Is the Solution to Outdated Firmware
Firmware is often outdated, unpatchable, and unsecure, making devices containing them extremely susceptible to vulnerabilities like Ripple20 and URGENT/11.
Successful exploits of these vulnerabilities can allow attackers to embed malware on devices. Meanwhile, IT and security teams have limited ability to detect and remediate infections. Devices often don't support antivirus or other security controls, and can't be scanned with traditional security tools.
Only a Zero Trust architecture can ensure that:
- Malware can't communicate with command and control (C2), preventing remote control of devices
- Infections can't spread laterally across the network
- Attackers can't perform DoS using vulnerable devices
- Attackers can't exfiltrate data from vulnerable devices using malware
Learn more about firmware vulnerabilities and how to mitigate the threat with a clinically-intelligent and operationally-safe Zero Trust architecture.