Recently, incidents involving the internet of things (IoT) have had no shortage of media coverage. In fact, I would suggest that the IoT has become one of the top buzzwords in IT right now. Large, more mature organizations have started to realize the growing attack surface that IoT creates for the enterprise they manage, but organizations large and small are feeling the pressure to allow IoT on their networks even though in many cases they are not equipped to deal with it effectively. In healthcare, this is particularly troubling, as IoT attacks generally cause some form of disruption, which can affect both operations and patient safety.
Risks in Abundance
The risks that these devices bring to any network are not minimal and should be taken seriously by anyone who allows IoT devices on their enterprise network. The most prominent is best described by a standard security term: attack surface. When more network-connected devices are added, the number of systems available to attack increases, and with it the attack surface.
As enterprise LANs have grown exponentially over the past decade, we have added many laptops, desktops, servers, virtual servers, network devices, security devices and other types of devices. These devices are managed by IT, can generally be configured securely and are supported by secure administration. While they added to the growing attack surface, they were still considered manageable. The challenge now is that we are adding security-anemic network-connected devices by the hundreds or thousands, designed with only functionality in mind. This not only expands the attack surface but increases its overall insecurity.
Botnet and Beyond
We have seen in the last couple of years a growing awareness of the issues that IoT brings to the table. There are countless studies and whitepapers written on the subject and vendors with “solutions” have started popping up like mushrooms. One of the most eye-opening incidents in recent memory has been the use of these devices by attackers to create surprisingly powerful botnets that are capable of causing massive disruption in services.
A botnet is a network of malware-infected systems that are all controlled by the same person or group. These systems then work in tandem at the direction of whoever controls them. Botnets can be used for various purposes and can even be rented by the hour in darknet marketplaces. The most devastating use is for distributed denial of service (DDoS) attacks that target shared infrastructure, affecting countless victims.
A denial of service (DoS) attack occurs when an attacker makes a system unavailable to its legitimate users by any means; it is a distributed denial of service (DDoS) attack when the traffic comes from many sources at once. In the case of a massive botnet, the infected systems can all be “pointed” at a particular target or set of targets, and the entity in control can send an overwhelming volume of packets at that system, exhausting its capacity. The targeted systems overload and fail.
In the case of the Mirai botnet, the person or group that controlled a set of hundreds of thousands of compromised IoT devices (primarily IP cameras, DVRs and home routers that still had their default credentials) sent the full force of its collective traffic at the domain name servers (DNS) run by Dyn. Dyn is the DNS provider for a significant portion of the internet, and this event caused serious service issues for multiple major internet companies.
The Aftermath of Mirai
Even before the Dyn incident, the author of the Mirai botnet had released the full source code of the malware to the public. Since then hundreds of blackhat hackers and criminals around the world have modified the code to their specifications and begun taking over IoT devices. It has even turned into a real turf war, with rival factions fighting for control of the millions of devices up for grabs.
Two of the more interesting pieces of malware competing for the same devices have been Hajime and BrickerBot. The latter is designed specifically to make infected devices permanently unusable to anyone, essentially turning them into bricks. Hajime, which means “beginning” in Japanese, infects the same devices through the same weakness (default telnet credentials) but closes the hole behind itself by blocking the ports it came in through. While it is still unknown who controls this network and what their ultimate intent is, it is nonetheless interesting, particularly when you understand that Hajime is the command traditionally given to start a contest in karate, judo, aikido or kendo. Are they preparing for battle, and if so, with whom?
My IP Camera is Doing What?!?
So it’s no surprise that the IoT threat is becoming a major concern for all industries, healthcare being no exception. The Mirai botnet was built largely from CCTV cameras and DVRs, which almost all healthcare facilities own; most of these are IP-based and among the most commonly infected device types. An incident of any kind in a healthcare setting has potential compliance and patient safety ramifications. A device infected with something like the BrickerBot malware discussed above can become entirely unusable, and for medical devices this could be a serious problem both in a business sense and as a matter of patient safety, as connected biomed devices are expensive and critically important to patient care.
Fortunately, there are steps that organizations can take to protect themselves, their data, and most importantly their patients. The first is more effective and consistent asset inventories and network-connected device monitoring. IoT devices, especially in healthcare settings, are rarely owned or even tracked by IT, and you can’t protect what you don’t know exists. Second, use strict network segmentation, keeping devices far from the internet, and monitor those segments 24/7 for strange activity: an IP camera that starts probing other hosts for telnet has been recruited, whether or not the firewall allowed those connections. Finally, read the fine print and know the devices that are on your network. Keep meticulous records and set up alerts, or have someone assigned to monitor the various manufacturers’ websites for advisories, updates and other pertinent information. These steps, along with basic controls, are the best thing organizations can do to protect themselves.
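The monitoring step above is concrete enough to show in code. The script below is an added example written for this article, not a tool the author or any vendor ships. It assumes a hypothetical IoT VLAN at 10.20.0.0/16 whose devices are only ever permitted to reach management servers in 10.10.5.0/24, and it runs over a handful of constructed firewall log lines in a simplified key=value format (not real traffic). It flags the three behaviours a Mirai-style infection produces from a segmented camera network: telnet probes on TCP 23 and 2323 (the ports Mirai's scanner targets), connections to destinations outside the allowed list, and a burst of distinct destinations from one device.

```python
"""Spot Mirai-style propagation from an IoT segment in firewall logs (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example, not facts from the article or any real network.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")               # where cameras/DVRs live
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.10.5.0/24")]   # management servers only
TELNET_PORTS = {23, 2323}      # ports probed by Mirai's scanner
SCAN_THRESHOLD = 5             # distinct destinations before we call it scanning

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
2017-05-01T10:00:01 src=10.20.3.14 dst=10.10.5.2 proto=tcp dport=443 action=allow
2017-05-01T10:00:02 src=10.20.3.14 dst=10.10.5.2 proto=tcp dport=443 action=allow
2017-05-01T10:00:03 src=10.20.7.22 dst=198.51.100.9 proto=tcp dport=23 action=deny
2017-05-01T10:00:03 src=10.20.7.22 dst=198.51.100.10 proto=tcp dport=23 action=deny
2017-05-01T10:00:03 src=10.20.7.22 dst=198.51.100.11 proto=tcp dport=2323 action=deny
2017-05-01T10:00:04 src=10.20.7.22 dst=203.0.113.4 proto=tcp dport=23 action=deny
2017-05-01T10:00:04 src=10.20.7.22 dst=203.0.113.5 proto=tcp dport=23 action=deny
2017-05-01T10:00:04 src=10.20.7.22 dst=203.0.113.6 proto=tcp dport=23 action=deny
2017-05-01T10:00:05 src=10.20.9.5 dst=192.0.2.77 proto=tcp dport=80 action=allow
2017-05-01T10:00:06 src=10.10.5.2 dst=10.20.3.14 proto=tcp dport=554 action=allow
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text):
    """Return {source_ip: sorted list of findings} for connections from the IoT segment."""
    findings = defaultdict(set)
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in IOT_SEGMENT:
            continue  # only traffic initiated by IoT devices matters here
        src = str(rec["src"])
        destinations[src].add(rec["dst"])
        # Rule 1: a camera making telnet connections is the propagation signature,
        # whether the firewall allowed or denied the attempt.
        if rec["dport"] in TELNET_PORTS:
            findings[src].add("telnet-probe")
        # Rule 2: an IoT device should only ever talk to its management servers;
        # an "allow" to anything else means the segmentation policy has a gap.
        if not any(rec["dst"] in net for net in ALLOWED_DESTINATIONS):
            findings[src].add("segmentation-violation")
    # Rule 3: many distinct destinations from one device in the window means scanning.
    for src, dsts in destinations.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].add("scan")
    return {src: sorted(tags) for src, tags in findings.items()}


if __name__ == "__main__":
    for src, tags in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(tags)}")
```

Note that 10.20.9.5 is reported even though the firewall allowed its connection: a denied telnet burst is the loud case, but an IoT device quietly reaching the internet over a port the policy never intended is the gap an attacker actually uses. The constants at the top are where a real deployment would substitute its own segment, allow list and threshold.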