Journey of a 1000 Miles: Raising the Bar for Medical Device Security

A journey of a thousand miles begins with a single step.
Lao-tzu (604 BC - 531 BC)

Last week, the FDA and DHS released advisories referencing work we reported to DHS back in April. 300 backdoor passwords in a variety of medical devices, all wrapped up in a nice spreadsheet listing vendor, product, and backdoor password. Honestly, we could have reported 1000 different backdoor passwords, we could have even gone all the way to 10,000. We stopped at 300 because we felt 300 was sufficient to get our point across (and our wives told us to stop messing with these devices and to spend more time with our kids). The point is, this is an issue that affects all classes of medical devices and every medical vendor.

Medical devices are designed to support human life. When you look at a medical device, do you think of how a security issue could affect it? Do you think about how all of these medical devices are connected? Who do you think has access to that device? Do you think about who has had access to that device in the past? These are the types of questions that we think about when we see a medical device. These are the kinds of questions that a doctor and patient should never have to be concerned about.

Software security is not a new problem and the software security issues in the medical world are not special or new. Pioneers like Kevin Fu and Barnaby Jack have previously demonstrated numerous weaknesses in medical devices. Despite our efforts, researchers alone cannot shoulder the responsibility for driving medical device security. We could release security bugs in medical devices every day for the next 5 years, but such moves would be too tactical. A more strategic approach is needed, one that requires both technical and political expertise to push forward a new set of standards and requirements for medical device security.

One of the most fundamental security controls for hardware devices is firmware signing. Firmware is essentially the "brain" of the medical device. Firmware attacks allow for an attacker to reprogram a device, giving them complete control over it. For example, if the firmware for an X-Ray machine has been tampered, it could administer unusually high doses of radiation while at the same time reporting normal settings to the practitioner. Once a firmware has been compromised, it is nearly impossible for a practitioner to detect that the device has been compromised. There is no "anti-virus" software that can tell you whether a device firmware has been infected. In most cases, determining whether device firmware has been modified will require disassembly of the medical device. Many of the backdoor passwords we've discovered allow for the tampering of firmware. This is why we need firmware signing requirements for all medical devices. If done correctly, firmware signing provides assurance that the firmware has not been modified by an attacker. Even if someone were to discover a backdoor password for the device, they would not be able to use that password to infect the firmware.

"Firmware signing" sounds complicated. The good news is this problem has already been solved in numerous industries. Every iPhone requires signed firmware. Every iPad requires signed firmware. Every Xbox, PlayStation 3, and even the $199 Nintendo Wii requires signed firmware, signed system software, and even signed games. Do not let the medical device vendors convince you that such requirements are too expensive or too complicated to implement. This requirement could be implemented at minimal costs for new devices, will be completely transparent to the practitioner/patient, and is easily verifiable by regulatory bodies like the FDA.

We are by no means stating that requiring signed firmware will solve all medical device security issues. Even with signed firmware, vendors will still have to implement robust security mechanisms for authentication, authorization, and accountability. However, given the current state of medical device security, we believe firmware signing for all medical devices created in 2014 and beyond is a necessary first step.