Cybersecurity firm Forescout Research Labs has unearthed a new set of 33 major vulnerabilities in Internet of Things (IoT), operational technology (OT) and IT devices, which could allow hackers to access and manipulate them. These cybersecurity threats are particularly pertinent to the healthcare system, as the devices affected include the room temperature and ventilation units used on Covid-19 wards to initiate the evacuation of patients, as well as the temperature monitors used in storage spaces for vaccines.
Details about these vulnerabilities have been published as part of AMNESIA:33, the first study to be completed under Forescout’s Project Memoria initiative. Project Memoria aims to be the largest ever study on the security of TCP/IP stacks, a set of communication protocols used by the internet to transmit information. The goal is to develop a more sophisticated understanding of common bugs and threats, and how to mitigate them.
Seven open-source TCP/IP stacks used by major device vendors were analysed as part of AMNESIA:33, with the 33 vulnerabilities found across four of them. Four of these vulnerabilities are critical ones, meaning they have the potential for remote code execution on certain devices.
Forescout estimates that more than 150 vendors and millions of devices are exposed to the vulnerabilities unearthed in AMNESIA:33.
“We strongly believe this is only the tip of the iceberg,” says Forescout senior vice president of research Elisa Costante.
What is a TCP/IP stack?
The TCP/IP stacks affected by these threats can be found in operating systems for embedded devices, systems-on-a-chip, networking equipment, OT devices and a myriad of enterprise and consumer IoT devices.
TCP/IP stacks are critical components of all IP-connected devices as they enable basic network communications. For the same reason, attacks on these protocols are especially dangerous: the code in these components processes every incoming network packet that reaches a device, so a hacker can reach it without any help from the device’s applications. This means that devices that just sit in a network and aren’t running a specific application can still be exploited, by virtue of being part of that network.
Costante says: “The threats that are critical are the ones that allow an attacker to get full control over a device. Either this device, because of its configuration or because of the way it’s working, is open to the internet, or the attacker first gets access to the network via another weaker device or a networking router that is accessible via the internet, and then jumps into the most critical device.”
Many of the vulnerabilities reported within AMNESIA:33 arise from bad software development, and relate mostly to memory corruption. They can cause denial of service, information leaks and remote code execution.
What does this mean for healthcare cybersecurity?
As Covid-19 vaccines begin to be rolled out across the UK, the TCP/IP vulnerabilities have the potential to spoil stored doses and put many more lives at risk. This could have a devastating impact on the country as it attempts to recover from the impact of the pandemic.
“We discovered that one of the types of devices that is vulnerable is temperature monitoring for vaccines,” says Costante. “Last week IBM Security discovered a phishing campaign targeting the distribution of the Covid-19 vaccine. If you connect that phishing information to the fact that certain devices are vulnerable you can put together a more advanced, persistent threat, that doesn’t only extract relevant information but can also automatically carry out some attacks by messing with the temperature.”
The Pfizer vaccine currently being rolled out needs to be kept extremely cold in storage, at -70°C. At this temperature, it can be stored in a ‘freezer farm’ for up to six months. Once shipped to a vaccination centre, it can be stored for up to five days in a fridge at 2°C to 8°C. If this temperature is meddled with by a hostile actor, spoiling the vaccine samples, the consequences could be deadly.
Costante says: “We have evidence that nation-states have ways of [carrying out] cyber wars and so forth. If a country has a nation that, for political reasons, it benefits it to not get out of the pandemic, that could have a big impact.”
Due to the complexity involved with identifying and patching vulnerable devices, Forescout advises that the best way organisations at risk can help prepare themselves against TCP/IP attacks is by adopting network monitoring systems that provide granular device visibility. This way, they can monitor network communications and isolate vulnerable devices or network segments as they’re detected.