US hospitals to treat medical device malware with AC power probes Two large US hospitals will in the next few months begin using a system that can detect malware infections on medical equipment by monitoring AC power consumption. The unnamed hospitals will be the first in a list to test the add-on monitoring platform dubbed WattsUpDoc to check for potentially life-threatening malware running …
That probably depends on the details of how the power in, charging circuit & battery are functionally integrated. If the battery & charge circuit of switched to the side when the power is on, and the battery is switched to (as is done with UPS) then this side channel may still work.
But your comment does point to the fact that this side channel attack only works on modern PC's and equipment because of the use of under filtered switching power supplies.
If you used an "old fashion" power supply that used a transformer, full or half wave bridge, and (optional) analog voltage regulator, you have to follow that bridge with a large (several hundred microfarad to several thousand microfarad) capacitor to put the 3db point for line ripple suppression well below the mains frequency (50 or 60 Hz).
That 3db point "works both ways". Most of the signatures these guys show have most of their info out to 300Hz, and above the mains frequency. And old fashion power supply, with it's 3db point at say, a few Hz, would leave them with basically no noise to analyze. The down side is that old fashion power supplies are bulkier, more costly & less efficient than switching power supplies, which is why they have been replaced in the last couple of decades.
But if you wanted your equipment to block this side channel, just design using a properly designed old fashion transformer based power supply with whopping capacitors.
This post has been deleted by its author
I am not convinced this system would work without throwing up numerous false positives and isn't anything more than playing on paranoia and fear. After all, as they say themselves; "We are thinking about those machines that are really hard to patch, really hard to upgrade, and really hard to get inside". And really hard to get malware on to, and with little to be gained from doing so.
It seems to be following the paranoid thinking prevalent these days that if it could happen we have to accept it will happen and need to protect against that possibility. A lovely gravy train for those riding it.
We need to get back to recognising and understanding the difference between threat and risk.
This post has been deleted by its author
ie like not letting any OS that is not within your control access the internet.
Why do these things need internet access anyway? Certainly not for web browsing.
Even if they need it to phone home surely its going to be cheaper to limit their access to the manufacturer via firewall rules?
Whats the sense in springing out cash for lots of these Whatsupdocs when you can fix things easier in software?
I refer the honourable gentlebeing to the sentence in the article which reads:
"They say the need to secure embedded systems without modifying code is critical for sectors such as healthcare which cannot due to risk or regulation easily patch zombie machinery."
Presumably, fixing it in software /and then re-using the device/ isn't easy if each change requires the thing to be re-certified (in a regulatory system which probably isn't set up for it).
You wouldn't believe the amount of regulatory BS you have to go through to do the most trivial modifications to a medical device. I think its OTT myself -- there are things that are potentially hazardous but most changes are benign - but the regulatory authorities don't discriminate.
As for what they're doing, its a variation on a theme by Tempest, the practice of securing devices used in classified environments against electromagnetic or other emissions that can be used to determine what they're being used for. (Yes, this stuff is real.....weird, but real.....) The only thing is that we're typically looking for malware to do something rather than send out information; a lot of medical devices don't have the capability to do anything interesting or malicious with the data they're working with and this system looks like its primarily going to be useful for collecting anomalies with those devices.
Having helped design and manufacture diagnostic imaging systems ie., computer controlled, ultrasound imaging, digital x-ray and differential transmission spectroscopy ie., breast cancer detection using light, I cannot see anyway this detection system will work. First would be the large isolation transformers required to meet the UL 544 leakage current requirements. Next would be the line filter required to meet the FCC Part 15 requirements. After that, there are usually a combination of several linear power supplies for the digital systems and some switching power supplies for any motors ie., disk drives, ultrasonic transducer drives, auto-focusing for lenses.
All of these systems ie., imaging devices, have their outputs connected by either Ethernet or USB or both to servers. Attempting to monitor the AC line to detect malware IMHO seems like a waste of time. Even the laptop type of control and monitoring for some Ultrasound and EKG systems, still have to meet the leakage current requirements ie., 10 microamps, for directly connected to the patient systems. The transformers and filters required in the main AC line would defeat the purpose of such monitoring.as described.
“We are thinking about those machines that are really hard to patch, really hard to upgrade, and really hard to get inside."
If they are so hard to get inside, how come they're running malware?!?! The problem is that they're too easy to get inside...
Like others on this forum I think it's ridiculous that such devices are connected to an Internet facing network in the first place. No doubt somewhere in the small print for these devices there's words suggesting the lack of wisdom in doing so.
Regulators
And actually, where are the regulators in all this? If a device like this is merely one component of a medical network, then why does the regulatory obligation seemingly stop at the Ethernet port? Shouldn't the entire network have to be developed to the same standards as the devices? After all the whole point of the Ethernet port is to provide functionality beyond the device, and presumably that functionality is seen as important otherwise no one would bother wiring it up. And if it is important then the network design and maintenance is as important as the device's design and maintenance.
Sounds like ineffective and misplaced regulatory oversight, and it's allowed a bad situation to develop that is going to be very expensive and difficult to rectify.
"You may well be right. What would you prefer instead?"
I think we'd all prefer and benefit from effective and well focused regulatory oversight.
Part of the problem is that the regulators seem not to have a good feel for where the system boundary should be. In the case of medical devices it's clear that they don't consider the network to be part of the system, yet as any old IT bod knows the network most certainly does matter. We spend a lot of money in IT on network firewalls, network switches, virtualised networks, etc. It is never an afterthought that we throw together after we've put in a load of servers.
Fixed Configuration
With medical devices the regulations prevent you automatically apply OS updates, etc. The regulators approve a fixed hardware design with a fixed software payload; applying updates makes it a "different" device that has not been approved.
So if the 'fixed' nature of the software is so important, how come they're quite happy for these things to be connected to networks that evidently expose them to a grave and real risk of having their software altered by hackers remote installing malware? It's almost as is they're relying on a naive opinion that "no one would ever hack a hospital"... And as I implied in my comment above, if the network provides important functionality, how come the 'fixed' configuration philosophy doesn't extend to the network too?
Inconsistent Regulation
That is inconsistent, has been demonstrated to be ineffective and the regulations need to be updated. However connecting them up to the Internet has been allowed for so long that it is the de facto rule, and all hospital IT is now structured that way. Regulation that doesn't properly and rapidly account for changes in the world isn't worth having at all.
If they want to keep their "fixed configuration" philisophy then they're going to have to apply that to the network too. This realistically means a closed network not connected to the Internet where there are no USB ports or optical drives available on any machine on the network. I can't see that going down well...
"And when you've sorted medial equipment, avionics regulation is in need of a serious reconnection with reality."
Again the situation there is that the regulators have failed to set a clear system boundary within which their rules apply. They've incorrectly set the system boundary as being the whole aircraft, and regulated within that.
However Boeing and Airbus have both implemented a single aircraft-wide network that carries or is exposed to passenger devices. The FAA/EASA let that happen seemingly without once considering the possible consequences of connecting passenger devices. Connecting them makes them part of the system. Passenger devices cannot be regulated. Thus the system now comprises an approved subsystem (the aircraft) and many unapproved subsystems (the passengers' mobiles, etc). With wildcard devices being part of the system all that regulatory oversight now counts for nothing, for it is no longer the same system that the regulators approved.
Of course they have done testing of the separation of passenger and flight control network data, and they have probably been successful in achieving adequate separation. However, no one can be totally sure of that. In contrast a single successful hack would prove that adequate separation had not been achieved.
Penny Pinching, Pound Foolish
The reasons Boeing and Airbus have for doing that is to economise in off-aircraft communications channels. The flight control avionics, the airline's own systems and the in-flight entertainment need to provide off-aircraft communications for various reasons, and sharing a single sat comm terminal makes it "cheap".
Except it's not cheap. First it creates the situation we have now where no one is quite sure whether or not anyone with a mobile can hack and down an aircraft. That's going to be expensive to put right.
Setting that aside, sharing a sat comm terminal is an incredibly short sighted thing to do. Bandwidth upgrades are clearly going to be a major requirement of airlines competing to provide a better service to paying passengers. That means hardware upgrades.
Upgrading a Shared Sat Comm?
With a shared sat comm terminal that means getting a whole new and improved unit designed, tested, approved by the regulators as still allowing the aircraft to fly safely, and installed. That's an expensive process, largely because of the approvals that have to be gained first. That process has to consider (amongst other things) whether or not it still correctly separates passenger and avionics network data. That will have to be checked differently every time they add new features. Effectively they would be redesigning the approval tests every time the design changes, adding more time and cost.
As any IT bod knows, a system that's exensive and slow to upgrade isn't going to be very profitable.
Upgrading a Separate Sat Comm?
Now imagine if the IFE were a completely separate network (with a data diode connection from the flight control avionics to get data for the moving map display), and had it's own sat comm terminal. That could be upgraded at will with minimal regulatory oversight because it is never going to be critical to safety of flight (at least not once basic EMC and airworthiness approvals are in place). Meanwhile the sat comm terminal for the flight control avionics just sits there, never upgraded because it won't ever need it.
That would be a lot cheaper and quicker to do; across the whole life of the aircraft the airlines would be able to offer a premium service that's always the best, with upgrades being easy to role out. And an added benefit is that it avoids the whole mess we have now.
Maybe they're all these medi devices and craparsed medi software are totally safe because hackers have long ago moved on to other targets and don't focus on embedded XP, and are also avoiding any unpatched OS platforms. Sure ...
Haven't seen any erstwhile commitment from GE, Siemens, Fujitsu, HP, or Philips that tout the ability to support or are claiming compatibility with any version of anti-malware, any version of white-listing, any form of data encryption. Bunch of greed wonkers still nursing the $1m investment they made back in '06, and still claiming to end users that "we can't support that, the FDA won't allow us to."
If you have this crap devices/software in your healthcare operations - well you better have the sh!t walled off in protected vlans with no internet access. Otherwise - we'll see your name in the hall of shame (see ocrportal.hhs.gov/ocr/breach/breach_report.jsf ).
Yes, making functional software that is also secure seems to be far to difficult.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
