What Are the Risks of IoT in Healthcare?

essidsolutions

A new zero-day IoT vulnerability reveals the serious risks the healthcare sector is exposed to when hospitals adopt the latest IoT devices without proper AI-based network forensics. David Callisch, VP of Marketing, Nyansa, Inc. explains these risks and offers some solutions to combat them.

The rapidly growing use of IoT devices in healthcare poses serious risks to patient care and has the potential to cause major harm to people. While not unique to healthcare, hospitals have quickly embraced single-function IoT devices to improve mobility, speed up the patient care process and increase clinical productivity. Network-connected glucose meters, bedside heart monitors, EKG machines, infusion pumps and environmental monitors are now littering healthcare access networks in a move to increase mobility and flexibility and to speed up the delivery of critical care services.

But if compromised, IoT devices can be used as launchpads to infiltrate hospital networks, to control or impact hospital operations, or even be monitored to steal private patient data. This is not simply an isolated problem with a few devices. The market for environmental sensors alone is projected to top USD 2.3 billion by 2023. These network-connected sensors are used to monitor everything from temperature and humidity to air and water quality. Within hospitals, environmental sensors are used for a number of essential purposes.

From vaccines and other medications to blood and lab diagnostic samples, maintaining proper temperature conditions is key to reducing their contamination or degradation. In addition to hospital temperature monitoring, pressure and humidity are also key factors that need to be monitored and constantly maintained. Temperature monitoring of refrigerators, freezers, and warmers is vital to ensure patient safety as well as to remain compliant with medication management standards and reduce potentially costly product loss.

Environmental sensors and other new IoT devices have been developed to give biomed clinicians and healthcare facilities the essential information about maintaining and monitoring a sterile environment critical for patient health and necessary treatment. But the benefits of these devices also come with some big risks. A recent discovery of a new zero-day vulnerability illustrates this point.

The severity of IoT security

When analyzing real-time traffic running across several different hospital networks, data science engineers discovered a zero-day exposure with wireless environmental monitors behaving abnormally. So, we dug deeper. What we found was alarming, to say the least.

A zero-day vulnerability is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. Until the vulnerability is mitigated, hackers can effectively exploit it to adversely affect computer programs, data, additional computers or a network.

Here’s what they found:

ABOVE: Analytics screen capture showing suspicious behavior of IoT environmental sensors

The screen above shows the malicious hosts that the environmental sensors were contacting as well as the type of traffic, specific IP of the destination, and the reputation of the destination. In this case, the destination was a malicious DNS server in China. This was an actual zero-day exploit with just one hospital, anonymized for their protection.

After identifying some abnormal IoT device behavior being seen across several hospitals, engineers used AI-based machine learning algorithms to baseline the ‘normal’ behavior of these environmental sensors. To do this, a vendor-agnostic AI-Ops system at the network edge was used to ingest and analyze a myriad of data sources to quantify the real-time behavior of network-connected devices. Engineers also began observing small subsets of devices at multiple healthcare customer environments behaving differently from the broader group.

With a SaaS-based analytics construct, IoT traffic behavior and patterns for every device on every network can be uniquely aggregated and anonymously compared across hundreds or thousands of customer environments to surface indicators of compromise. It is effectively finding the proverbial needle in the haystack: the indicators manifest only in small subsets of devices, which makes them hard to detect.

Surprisingly, a number of environmental sensors from a specific manufacturer were being automatically redirected to illegitimate servers outside the U.S. deemed to be potentially malicious. On further inspection, the external sites were classed as ‘uncategorized’ by a reputable threat intelligence service, and so eluded the traditional security parameters that every hospital has in place.

A DNS exploit

Like most devices on a network, IoT devices use a common network process called DNS (Domain Name System) to obtain the IP address of a remote server to make a connection. But unlike traditional client devices, such as laptops or smartphones, IoT systems are often designed to connect to the specific manufacturer’s servers to check in or obtain software upgrades.

The DNS process translates a server name into an IP address to which a device can connect. The DNS servers that client devices are supposed to use for this purpose are typically mandated by the network administrator for any given company, via static configuration or a DHCP service. In this case, a number of environmental sensors were simply ignoring their configured DNS servers and were being redirected to illegitimate DNS servers.

While the DHCP service was indeed handing out the corporate DNS servers, the environmental sensors still reached out to non-sanctioned DNS servers. We quickly verified that every healthcare customer with these specific environmental monitors had a subset of these devices exhibiting this indicator of compromise.
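The check described above (DNS traffic from a device to a resolver other than the ones DHCP hands out, showing up in only a subset of one device type) can be sketched as follows. This is an added example, not the vendor's system or code from the original article; the flow-record format, device model names, and all addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the resolvers the DHCP service hands out (constructed values).
SANCTIONED_DNS = {"10.20.0.53", "10.20.1.53"}

# Constructed flow records: src_ip,device_model,dst_ip,proto,dst_port
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
10.20.8.11,env-sensor-A,10.20.0.53,udp,53
10.20.8.12,env-sensor-A,10.20.0.53,udp,53
10.20.8.13,env-sensor-A,203.0.113.77,udp,53
10.20.8.13,env-sensor-A,10.20.1.53,udp,53
10.20.8.14,env-sensor-A,10.20.1.53,tcp,53
10.20.9.21,infusion-pump-B,10.20.0.53,udp,53
10.20.9.21,infusion-pump-B,198.51.100.9,tcp,443
10.20.9.22,infusion-pump-B,10.20.1.53,udp,53
"""

def parse_flows(text):
    """Yield (src, model, dst, proto, port); skip malformed records."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue
        try:
            src = str(ipaddress.ip_address(parts[0]))  # normalise notation
            dst = str(ipaddress.ip_address(parts[2]))
            port = int(parts[4])
        except ValueError:
            continue
        yield src, parts[1], dst, parts[3].lower(), port

def find_rogue_dns(text, sanctioned=SANCTIONED_DNS):
    """Per device model: device count and devices using unsanctioned DNS."""
    seen = defaultdict(set)                        # model -> device IPs
    rogue = defaultdict(lambda: defaultdict(set))  # model -> src -> resolvers
    for src, model, dst, proto, port in parse_flows(text):
        seen[model].add(src)
        if port == 53 and proto in ("udp", "tcp") and dst not in sanctioned:
            rogue[model][src].add(dst)
    return {m: {"devices": len(seen[m]),
                "rogue": {s: sorted(r) for s, r in rogue[m].items()}}
            for m in seen}

def outlier_subsets(report):
    """Models where only part of the fleet deviates: fraction affected."""
    return {m: len(r["rogue"]) / r["devices"] for m, r in report.items()
            if 0 < len(r["rogue"]) < r["devices"]}

if __name__ == "__main__":
    report = find_rogue_dns(SAMPLE_FLOWS)
    for model, frac in outlier_subsets(report).items():
        print(model, f"{frac:.0%} of devices", report[model]["rogue"])
```

This only sees plaintext DNS on port 53; a device that resolves names over an encrypted channel to an outside resolver needs a different signal, such as destination reputation or egress allow-lists.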

In other words, the IoT devices were receiving bogus data that caused them to connect to a very suspicious service in the cloud that they were not supposed to contact. This is a major security and protocol breach. Any time an outside system can connect to an internal device, as is the potential in this case, the network can be seriously compromised in a variety of ways.

For this type of exploit, the most common threat is hijacking web traffic to deliver ransomware. Because the sensors have internal network addresses but tunnel the hijacked web traffic masked as normal behavior, the activity often goes completely unnoticed.

Even if the malware is detected, the source of the infection is often completely unknown. These advanced attacks are designed to exploit the IoT loophole created by these misunderstood and hard-to-monitor devices.

Potential breaches

Once a device within the corporate network is able to establish a connection with an unauthorized device elsewhere, a range of bad things can take place.

Sophisticated fingerprinting can be used to determine what operating system the devices are running or what software services are available on them. Worse yet, this breach potentially allows software to be placed on the IoT device to enable a variety of nefarious attacks, or allows unencrypted data from the devices to be collected. This is the worst-case scenario for healthcare organizations.

Unfortunately, to save costs, manufacturers of IoT systems make use of weak or poorly designed third-party network stacks that help IoT devices connect to and navigate computer networks. These third-party network stacks are typically installed as part of the supply chain manufacturing process.

Consequently, IoT device manufacturers, not being network experts, might not know that this software is potentially dangerous until after hundreds or thousands of devices have been installed. By that time, it might be too late.

Combating with AI-based technology

As IoT technology evolves and is rapidly deployed, these kinds of security problems will only continue to increase. The key is to understand how to deal with them as proactively as possible without impacting existing network performance or performing disruptive upgrades that impact the business. Fortunately, sophisticated AI-based technology is now reaching the market to combat these and other IoT security threats.

These new systems are designed to apply constant network traffic analysis to identify abnormalities that signal potential problems. Machine learning algorithms are used to quickly establish baselines, analyze behavior or correlate all the different dimensions of the network to determine what is normal and what isn’t. Some of these solutions also enable additional data correlation across different environments.

These platforms don’t just look at how a device or a group of devices are communicating on the network. They constantly ingest and analyze massive amounts of network and infrastructure data, correlating all the data to gain insight on device performance and security abnormalities. Now, this is something that humans just can’t do!

Moreover, through direct integration with third-party security tools such as network access control (NAC), firewalls and other systems, these systems let IT staff take immediate action, including enacting security policies that automatically segment, micro-segment or even turn off select IoT devices so they can’t do any further damage until the problem is resolved.

In the case of the problematic environmental sensors, big data network analytics and AI were combined to pinpoint exactly which IoT devices were potential threats and to identify the precise behaviors that led to the root cause.

Without such technology in place, enterprises, and healthcare organizations in particular, run the risk of such compromises going undetected and resulting in sensitive data loss, lawsuits, financial damage, or worse yet, loss of life.