The number of cybersecurity vulnerabilities for IoT devices is on the increase especially for medical devices as they are now exposed to the world via connections to computer networks. Not only that there is also a greater number of interconnectivities between any IoT devices, humans and IT systems. This interconnectivity introduces a huge number of risks, threats and vulnerabilities to the IoT device. Therefore, it is extremely important to make sure that such devices are well protected and the right security measures are put in place.
In the past medical devices were isolated to a localized environment, this segregation allowed for these devices to be safe from outside interference such as hacking and other cyber threats. But although the recent advances in medical devices have resulted in much improved and sophisticated systems and better healthcare this also meant the integration of these devices, networking, software and operating systems, to the internet. This interconnectivity widely considered to be one of the causes of cybersecurity vulnerabilities in the health industry at large.
The evolution of such devices also meant increased threats to both patients and the healthcare organisation. Such threats can be direct and indirect and can not only have a huge impact on the organisation, but it can also have many impacts on hardware assets, software assets, information assets, physical assets and intangible assets.
The project examines vulnerabilities in wireless network, that affect IoT devices and especially medical devices and how the health care industry is plagued with these vulnerabilities which results in this industry being the victim of continuous cyberattacks more than any other. A vulnerability in this context is a weakness in the medical device, its hardware, software and network etc. The threat comes from an outside party such as a cybercriminal/hacker who is willing to exploit this vulnerability for malicious purposes such as ransomware.
The use of IoT technology in healthcare industry and even for simple wireless health monitoring is on the increase with new innovative technologies being applied to provide services. 66 Although the use of IoT in the healthcare sector has been slow it is expected to increase immensely over the next few years. 68
Recent high-profile attacks within the healthcare sector indicate that cyberattacks on medical devices and hospital networks are on the increase which therefore means an increase in the threats that these organisations face. These include threats like ransomware and extortion attacks, hacks on the device such as pacemakers or having a bug in one of the insulin pumps and even effecting things like defibrillators and other medical electronics.
The interconnectivity of medical devices with wireless technologies combined with poor hardware and software systems are a major factor resulting in cyberattacks against the health care industry. A possible motive and target for cyber criminals/hackers is to gain entry to the health care providers private networks, for example by exploiting poor wireless security and cracking the WEP and WPA/WPA2 key to gain access and to get to the data, once this is done they could take control of devices or use extortion by putting a lock/password on the access to critical data and demanding a ransom in exchange for removing the lock on the data/systems.
A new trend seen recently is exactly this ransomware attacks on health care organisations. This attack has been around for a while but only recently this has come to the attention of the mainstream media because the attackers are now specifically targeting hospitals and other healthcare facilities. The attackers get access and lock the computers/data and prevent the authorised users from accessing the information until a ransom is paid, often demanded in bitcoins. Bitcoins are demanded as due to the nature of this cryptocurrency, it is very difficult to trace the transaction back to the attackers. This is a perfect example of ransomware attack because due to critical patient data, drug history, and surgery directives, most hospitals and healthcare providers do not have any other option but to pay the ransom. 1
It is important to understand that technical vulnerabilities are just one aspect of security problems in this industry, all other aspects such as security standards, good governance, change of culture, staff awareness and training etc. need to be addressed to find a comprehensive solution. Not only that but it is also important to recognise the different threats and vulnerabilities that may exist in wireless networks and these healthcare IoT devices and look at the different ways in which they can be eliminated.
Such vulnerabilities and threats can include things such as: impersonation attack, replay attack, denial of service, computer virus and software falsification, ransomware attacks, eavesdropping and message modification, traffic analysis, insider threat, information loss, unauthorised information access, non-repudiation, consecutive authentication attempts, residual information. These are just some of the ways in which a device can be compromised through poor security and therefore it is important to have a thorough analysis of the different types of threats and vulnerabilities to protect the user and the health care organisation.
In this project a detailed analysis will be carried out covering the vulnerabilities mentioned and solutions will be suggested on how to provide maximum security.
To be able to have a secure data transfer between the patient and the medical device or between the medical device and the data collector the data in motion needs to be protected from unauthorised access and being tampered with. In this project a sample IOT device will be used to examine the wireless network vulnerabilities that are currently present using different attacks and suggested ways of how such wireless networks and devices can be made more secure.
Currently a lot of research is being carried out to find ways to protect IoT devices, as discussed later in the literature review chapter. This is due to the recent statistics and attacks that have been found that have been linked to IoT and health care organisations. According to a SANS institute report 94% of health care organisation have been the victim of a cyberattack. 2
The report also underlines the fact that health care providers were widely targeted, from this it can be deduced that the health care provider’s systems are not properly protected and often get compromised. For example, simple procedures not followed through such as changing the default password on a medical device, not securing the wireless networks etc. Over the years IoT has evolved rapidly and the uses for devices has also increased. The uses for such devices have also varied and more and more companies and organisations are adapting to the idea of using IoT to improve services, such as Microsoft’s involvement in the development of IoT in healthcare. 68
Another important aspect in the healthcare industry is the use of implantable devices. The implantable device security is an important issue because the user would not want something that is inside or on the body to be remotely controlled by someone else. A research carried out by British and Belgian scientists in December 2016 found that the new generation implantable cardiac defibrillators had flaws in the proprietary communication protocols. 3. Many of these medical devices are designed to have remote connectivity so that the medical staff can monitor, and even fine tune the operation of the device. 4
In this section I will discuss all the relevant research and practical works that have been carried out on the security of WiFi networks and medical device in IoT setting. The papers read in this section focus on more than one aspect of the different risks, vulnerabilities and security issues in protocols and systems.
2.1 Related work
In this section I will describe the overview of vulnerabilities that currently exist in medical devices and discuss known threats and security breaches that currently exist in healthcare organisations and the dangers of cyber-attacks.
Lake et al, suggested that security breaches are directly proportional to the degree of connectivity. Also mentioned that the quality of healthcare services has been improved since the introduction of internet enabled devices 5. Even though there are a number of benefits from having medical devices connected to the internet; there is a high probability that having these medical devices connected in such a way allows attackers to have access to sensitive information and infect devices with malware and so therefore putting human lives at risk. Most medical devices that are implantable for example pacemakers are primary targets for cyber-attacks not only that but deliver systems for medical use such as drug delivery are also another target. These targets form major concerns the more complex they are, the greater the risk to patient and has a serious function such as regulate body functions or are partially implanted.
Emma et al looked at finding vulnerabilities in medical devices 6. To do this they used Shodan (a tool to identify internet enabled devices) to be able to gather a large collection of IP addresses which will then be used in Nessus (a vulnerability scanner) to be able to see if there are any vulnerabilities in the devices. After the research was carried out it was found that 1,604/16,078 (9.97%) of devices with vulnerabilities 6. Also, the total number of vulnerabilities found in 1,604 devices was 3,964 this is a quite a large number of vulnerabilities that needs to be addressed 6. The most common vulnerability found was Dopbear SSH server. This is where the attackers can execute malicious code on the database and obtain and make available sensitive information that is held in the database. Not only that there were several other vulnerabilities found that are a very high risk as they included things like being able to use the command line to alter dosage of medication prescribed to patients and using x-ray machines and blood pressure monitors to be able to access information held on the patient by bypassing authentication on the system. These are major security issues that need to be addressed to be able to have a more secure environment in the healthcare.
Changwhan et al discussed the vulnerabilities and threats to be able to find out whether home healthcare services are reliable and improve security by proposing a protection profile for home healthcare medical devices based on common criteria 7. They did this by analysing the vulnerabilities and possible threats to help improve the reliability of home healthcare service and provide an appropriate security objective. In addition, proposed several requirements that need to be met for security purposes. The security requirements are divided into security functional and assurance.
Mauro et al proposed a novel authentication and key agreement scheme for implantable medical devices 8. This is to overcome the security and privacy issues that are available in implantable healthcare devices, this includes things like data leakage and malfunctioning of devices that have been compromised by unauthorised users. This is done by introducing the three-factor remote user authentication scheme, where the user in control of the node of the implantable medical device i.e. the patient and the remote user e.g. doctor can authenticate each other. Their system suggests that the proposed scheme is also secure against man-in-the middle attack and replay attack. The scheme uses the Dolev-Yao threat model 9 and use the pairwise key establishment between the controller node and its medical device in order to make sure that communication is secure between the two. Their scheme seems promising however the computation and communication costs still need to be improved.
Rasmussen et al 10. Proposed a proximity-based access control scheme for medical devices. This means the devices that are near are given access to resources. There are no considerations to replay attacks or man-in-the middle attacks, which makes it a not so secure scheme that requires more work to be done to improve security and only works when the person needing to program is within the proximity range.
Ellouze et al 11. Presented a scheme that suggests the ability to secure medical devices. They use a wireless and identification and sensing platform in the scheme. Furthermore, they used biometric keys to improve and secure authentication when devices are communicating with each other. This means the communication between the programmer and the wireless internet service provider that the medical device is using. However, such scheme is vulnerable to replay attack which suggests further work is to be carried out to improve the security of the scheme.
Jang et al 12. Proposed a hybrid security scheme that uses two heterogeneous cryptosystems: symmetric and asymmetric. They use this system to aid the levels of security that are different to meet the needs required by applications for example medical and non-medical in the wireless body area networks. The protocol has two stages and in the first stage the authentication process between the bio-sensor node (BSN) and the data server (certificate authority. Then in the second stage the local authentication is carried out and this is between bio-sensor node and the base station. Their protocol seems to target one specific issue and not take into considerations things such as providing anonymity and other functionality features including thigs like dynamic controller node addition and IMD addition.
During the research process it was clear to see that all of the research currently being carried out involves securing the medical devices on their own and the WIFI network in which they are being connected to which imposes the highest threat is not being considered. This due to the assumption that WIFI networks will be secure to use regardless and this is something that needs to be taken into consideration.
Qi Jing et al 53. Discuss the security problems that come with the IoT devices, they discuss the different layers that the IoT contains. They divided IoT into three layers including perception layer, transportation layer and application layer. The paper analyses the security issues of each layer and the security issues of IoT overall and provided solutions. For the perception layer there are two important technologies which required analysis, and these are WSNs and RFID. The security issues identified for RFID technologies were: uniform coding, conflict collision, RFID privacy protection and trust management. Whereas for WSNs they were: cryptographic algorithms, key management, secure routing protocols and trust management of nodes. Due to the issue of IoT handling heterogeneous data from different sources, the analysis of cross-layer heterogeneous issues in terms of security was also included. The second layer analysed was the transportation layer which includes local area network, access network and core network.
In the access network the security concerns for Wi-Fi were the encountering of phishing sites where the accounts and passwords of the users are compromised. They also suggested that the security risks in Wi-Fi come in two forms one is the network trap and the other is network attack. The suggested solution to both security issues were access control and encryption. Finally discussed the application layer security issues which consisted of security threats, service interruption and attack issues. Qi Jing et al concluded that IoT systems are more prone to security as there are fewer network defence mechanisms and so therefore it is important to come up with a lightweight solution that will deal with each layer separately and by looking at the solutions for the internet for big data and use them on IoT systems.
Another analysis carried out by Cole et al 54 on the security of an IoT system used to identify the location of patients and medical staff in healthcare facilities. The findings show that there is a need to physically secure edge nodes and it is very important to secure data before it is transmitted. During the analysis a denial of service attack was carried out and also other attacks to exploit the weakness of the system. It was highlighted that security should always be taken into consideration when developing such systems as they are vulnerable to many attacks. Finally, security risks must always be examined at the beginning of the system development this is to ensure that critical systems are adequately protected against majority of the attacks.
Mathy et al 55 came up with a key reinstallation attack that takes advantage of implementation flaws in cryptographic protocols to reinstall an already-in-use key. During the reinstallation process the associated parameters for that key are rearrange back to starting point and this includes the transmit packet number and the receive packet number replay counters. As known Wi-Fi networks use the 4-way handshake for a new session key to be produced. This has been a very secure method for Wi-Fi networks and no attacks were carried out for many years. However, Mathy et al show that this 4-way handshake is indeed vulnerable to their attack. And they did this by manipulating and replaying the messages being exchanged during the handshake. They also found that all the Wi-Fi networks are vulnerable to some aspect of the attack and this depends on the data-confidentiality protocol being used. Nonetheless, the attack does enable the attacker to decrypt frames and capture TCP connections and the impact of this is the ability of injecting data into unencrypted HTTP connections.
To conclude it is clear to see that there are many areas in IoT security which requires a lot of research to be carried out and especially the network security as this is how the devices are connected to the internet and also how the data is being transmitted.
2. Project Objectives
As mentioned earlier the aim of the project is to carry out risk analysis on IoT wireless technologies specifically medical devices and examine the vulnerabilities in IOT devices and suggest ways in which security can be improved.
To meet the aims of the project, extensive research and carrying out few implementations to measure the efficiency of the current methods that are being used to secure data will be carried out. This will be done using hardware and software to collect and analyse the methods that have already been proposed and look at which one of them is the most efficient and one that can be improved. If such is found and there is a way of improving such a protocol, then further research is carried out to improve the protocol and propose a new solution where possible. (Copied from my own previously submitted work).
The following objectives would need to be followed to meet the aim of the project.
• To examine IOT medical devices in the health industry
• To examine Wireless Network Standards, Security and Vulnerabilities
• Construction of an IOT device using Raspberry PI, to simulate the functioning of a medical device.
• Penetration testing of Wireless Network where the IOT device resides using Aircrack-ng Suite.
A list Hardware and Software used during the project;
3. Project Research
The methodology used is as follows;
• A qualitative methodology to research and to examine, Wireless Networking, its vulnerabilities and Security.
• A testing methodology to be used to carry out penetration testing on the hardware (IoT LED device), as well as the local AP behind which it resides.
• A conclusion will be drawn as to the effectiveness of methodology and the suggestions made to protect the Wireless Networks and LED device from threats.
• Following the above methodologies applied the following deliverables are expected to be achieved.
o A review of IoT created medical devices in the health industry
o A review of wireless networks, vulnerabilities and security
o The creation of IoT based LED device
o Penetration testing of the IoT based LED device
To be able to successfully complete this project, it is important to follow a process and to decide on a protocol which, will form the methodology that will be pursued in this project.
The methodology chosen will be the iterative and incremental model and uses prototyping to build a sample system that will test the protocols. This is because when using such system feedback can be gathered and analysed which then feeds into the research purpose of the project and possibly lead to creating and implementing a new protocol.
Iterative and incremental means that small steps will be taken every time there is development. This is due to the project currently having time limitations and resources. Data collected throughout the analysis process using past research papers and models will be used to conduct a new protocol and discuss how efficient the current methods are.
As mentioned earlier each stage of the project will be carried out iteratively so that at each stage an improvement is made to the previous one and further analysis is carried out.
As the project is going to be research based mainly, the outcome will become clearer as further research is carried out. It expected to see some research already been carried out in this field and this will be an opportunity to develop such research further and enhance current protocols.
The research focus is performing practical penetration testing and not coming up with a new protocol.
4. Wireless Networks & IoT/Medical Devices
In this chapter I’m going to discuss wireless networks in general and how the same standards and issues apply to medical devices.
Wireless Networking Standard IEEE 802.11
802.11 is the main standard in wireless networking. It was mainly developed to satisfy the wireless networking needs at home and small office. It was initially limited to 2Mbps of data transfer rate and therefore need for new standards emerged. Since than many extensions have been developed, the table below displays how that development has occurred over the years.
Max Data Rate
Advanced Antenna Technologies
MIMO, up to 4 spatial streams
40, 80, 160
MIMO, MU-MIMO, up to 8 spatial streams
Security in Wireless Networking:
The main problem with wireless networking has always been everybody can hear everything going through the air. A packet capture device such as a wireless adaptor can tune in and listen to the packets going through the wireless network. So, if on a WIFI network the data is not encrypted, people can use sniffing, penetration tools/programs to see the data going through the network. 52 Therefore it is important not to just protect the WIFI network from unauthorised users gaining access but also the data that is being transmitted and this is highly important with the development of IoT.
Authentication and encryption are the two aspects that Wi-Fi security that are looked at. As one controls who can access the network and the other controls who can read the data respectively. They are also given the names “security and privacy” and implemented in the MAC layer 52 which means that the only security available here is between the client and AP.
The following image depicts the most common threats to wireless networking, there are many and securing wireless networks is quite challenging. The most common threat is obviously the unauthorized access through capturing of data packets from the air.
Image – Threats to Wireless Networks
WEP stands for Wired Equivalent Privacy, WEP was the very first encryption type used on the 802.11 wireless networks. Different levels of encryption were available on WEP i.e. a 64-bit key and 128-bit key. But in 2001 cryptographic vulnerabilities were identified in WEP. The main problem was that the first bytes of the output keystream were non-random which resulted in people being able to break the WEP keys. Therefore, WEP was determined to be insecure and a new way of encrypting traffic was needed so WPA was created. 17
WPA a successor to WEP, stands for WIFI protected access. WPA used a method cyphering the information called RC4 was used along with an integrity protocol called TKIP (Temporal Key Integrity Protocol). WPA implementation was simpler as it could be used on the same hardware where previously WEP was being used. Every packet was given a unique encryption key. But WPA was a workaround to the problems of WEP and a long-term solution was needed. 17
WPA2 was introduced in 2004, it was the final standard for this encryption type, RC4 cypher was replaced with a cypher AES (Advanced Encryption Standard). The TKIP was replaced with CCMP which much more secure protocol was to ensure that the data within the packet was genuine and confirmed where it came from. 17
Medical devices – wired and wireless connections
The following connections are used by most medical devices to transmit data wirelessly.
• Devices connect to some form of electronic medical record (EMR)
• Devices connect to image and other data storages (PACS)
• Remote access of data and images (Physicians, Clinic staff etc.)
• Remote service to the devices (Updates by manufacturer, repair etc.)
• Remote management of devices (clinical updates)
• Remote control of devices (configuration settings, therapy level etc.)
• Communications between medical devices (diagnostic device communicating with monitoring or drug control devices) 18
What is a Medical Device?
According to WHO (World Health Organization) a medical device is;
Any device, appliance, implant, software, material or apparatus that is used alone or in combination intended by the manufacturer of such a product for human beings for one or more of the specific medical purpose(s) of:
• Diagnosis, prevention, monitoring, treatment of diseases
• Investigation, replacement, modification support of anatomy or of a physiological process
• Supporting of sustaining and improving life
• Control of conception
• Disinfection of medical and other devices
• Providing information by means of in vitro examination of specimens derived from the human body. 19
Medical Device Examples:
Here are some examples of commonly used medical devices and their function in hospitals, clinics and other healthcare organisations;
• Physiologic monitors (Devices that monitor patients and inform the observers of the patient’s condition) 56
• Defibrillators (A device used to control heart fibrillation by applying a small current to the heart or wall next to it) 57
• Infusion pumps (A device that delivers fluids to the body in a controlled way such as nutrients, drugs, antibiotics, hormones, insulin) 58
• Anaesthesia units (A device that administers a mixture of medicine/gases in a controlled way to the patient) 59
• Ventilators (These devices provide a patient with oxygen)
• Extracorporeal Assist (These devices help provide oxygen/gas to the patient in a controlled way to assist the lung and heart function) 60
• Vital sign monitors (These monitors help the healthcare provider in providing patients pulse, BP, temperature, respiration etc. information) 61
• CT & MRI scanners (These devices provide X-Rays and through Magnetic fields provide pictures of organs, bones etc.)
• Foetal monitors (These devices provide information on the rate and rhythm of the foetal heart) 62
• Laboratory analysers (This workstation provides measurement to different chemicals and other characteristics in a biological samples)
• Diagnostic ultrasound (This device uses a high-frequency sound wave to provide clear images of various areas of the patient’s body) 63
• Patient beds (Some of these are quite advanced and may carry monitoring equipment)
• Electrocardiographs (This is a sample test carried out using various heart monitoring devices) 18
Medical Device Stakeholders:
The main stakeholders in the creation and use of medical devices and some of the problems they face in tackling the security related issues of IOT based medical devices and IT equipment;
Manufacturers often lack the knowledge of how the medical device is used by the end user due to this limited contact they find it difficult to cover every aspect of the device’s security. The main priority of most manufacturers is always geared towards making money therefore often cut corners to avoid expensive security solutions that could help healthcare providers in securing their assets.
Many manufacturers are under the illusion that the security of medical devices is not an issue as these devices are less prone to attacks, they couldn’t be any wrong as the recent increase in the number of cyberattacks on healthcare organisations has proved. And due to this the manufacturer have started to look at device security in a more serious way. 22
The software developers are responsible for designing systems and providing code that makes the device work, they are also responsible for providing updates and patches that make the device safer from latest ongoing threats. The main problem lies in the fact that the developers move on to other products and have limited knowledge of ongoing advanced security threats especially to products that were designed earlier and that are no longer supported by the developers. 22
The Governments are often seen as the compliant authority by the clients and the healthcare organisations. The Government is also expected to be more aware of any ongoing security threats that could impact various sectors.
The healthcare sector and more importantly the security of medical/IOT devices is often overlooked by the Government due to lack of knowledge by the Government of this sector. 22
In the UK a manufacturer who wants to manufacture and supply medical devices must follow the following regulations;
• the Medical Devices Regulations 2002 (SI 2002 No 618, as amended)
• the General Product Safety Regulations 2005 (SI 2005 No 1803) 20
In UK clear guidelines exist by the Medicines and Healthcare products regulatory agency which advise on how to outline a systemic approach in the acquisition, deployment, maintenance, repair and disposal of medical devices. 21
In the US the FDA is responsible for the security of medical devices and have reported about security issues in the healthcare sector as well as highlighted issues about other WIFI equipment such as games consoles interfering with medical devices. 22
The main users of medical devices;
Hospitals are the main users of IoT medical devices worldwide. The question is who is responsible for the security aspects of a medical device in a hospital, and what about the security of the devices that have been implanted in patients. There are so many issues to consider from the safety of hospital-based devices and equipment to the threat to implantable devices.
hospitals often have little knowledge of cybersecurity threats to their systems and medical devices, especially if the device is implanted in a patient and is no longer based at the hospital. Most hospitals do not have many security specialists who investigate these threats, and counter them in a proactive manner. 22
The clients and users of the implantable devices are the main stakeholders and often have most knowledge of how the device works and whether it is functioning correctly. Some may even be capable of researching if there are any security threats to the device in question. But should the client or user be responsible for carrying out an update that could put their lives at risk? Should this be allowed at all? Should a security threat be reported even though the device is currently working correctly?
There are so many questions and all these need to be addressed in a comprehensive security policy that should be strictly implemented by hospitals as well as all healthcare organisations. 22
Medical Data Under Threat:
Healthcare industry’s data specifically related to medical devices, which is under threat includes but is not limited to;
• Images from X?ray, CT, MRI, Ultrasound
• Waveforms from ECG, BP, EEG
• Demographic information
• Vital signs (e.g., heart rate, BP, pulse ox, respiratory, temp)
• Alarm parameters
• Drug type & dosage
• Control and configuration settings (e.g., infusion rates, therapy
• Timers, anaesthesia & radiation delivery settings)
• Laboratory (e.g., chemistry) results
• Sounds from blood flow, respiration
• Patient personal information 18
5. IoT/Medical Device Vulnerabilities
A look at what are the main threats that are affecting IoT/medical devices and healthcare organisations in general, this is not an exhaustive list of threats to this sector but covers most common threats and vulnerabilities;
Lack of Effective Policy & Security:
Although most governments require hospitals and major healthcare organisation such as NHS to have a comprehensive policy to ensure management of medical devices and a specific system in place to ensure that all risks associated with the acquisition, deployment, monitoring, use, storage, repairs and disposal of such equipment. Not all healthcare organisations especially small ones may not have a system in place that includes the security aspect of such devices. The tremendous increase in the number of cyberattacks on the healthcare organisations around the world points to a lack of security policy and awareness. 21
Legacy Operating Systems & Software:
This is a common phenomenon in the health industry at large. Walk into any hospital, clinic even a GPs office and one would notice a whole plethora of equipment including very old medical equipment, PCs, and network devices. Often due to lack of investment in IT in the medical sector old Windows operating systems connected to medical devices and equipment is till is use and either never upgraded or even protected through regular patches and updates.
Often operating systems are running that are no longer even supported by the OS manufacture such as Windows 98, Windows XP, Windows 2000 still in use. For instance, it was reported by Virta Laboratories, Inc. that medical devices were often shipped with older operating system, various medical devices were shipped in 2012 with completely outdated Windows XP operating system. 23.
This provides a hole in the security and makes the system open to hackers, crackers and other malicious parties, especially if the device is also connected to WIFI.
If these devices running such unsupported operating systems and connected to WIFI provide an easy target to malicious parties specifically in an open public environment like a hospital or a clinic. Anyone with a laptop could sit in a waiting area and pretending to be a patient and freely carry out attacks. 24
Lack of Software Updates & Patching:
This is a problem in most industries including IT let alone the Health Industry which is way behind all other in terms of updating and patching software and operating systems. The main problem with health industry is the lack of support from manufacturers as often applying a patch or an update ends up crashing the device.
The present medical devices are often manufactured by various international companies and it is not always easy to find an update or patch the system without very specific support by these providers. For instance, if a hospital in the UK is using a device made in by a third party in China than it would be very difficult for that individual hospital to get help and support to make the device more secure. As due to advancement in IoT the number of small manufacturers has increased 24.
General Lack of Security in Medical Devices:
Medical devices often lack sophisticated security features which are present in other devices like Routers, Switches, laptops etc. Due to basic functions of these devices it is not always easy to implement higher security as that may affect the clinical nature of the product. For instance, introducing security features in a medical device could make it not able to communicate with other medical equipment. 24
Network, Web and Software Security:
Exploiting network vulnerabilities is a common but very important threat. This creates further vulnerabilities over the internet. This includes vulnerabilities in Web Servers, Databases and other third-party software.
• Web Servers: if the devices are connected to the internet through a web server, if the security of the web server is compromised than the malicious parties will be able to hack into these devices and access any medical devices connected through this server.
• Databases: Many IoT medical devices are often linked to databases, as they are often transmitting data that is stored. Databases are vulnerable to SQL (structured query language) injection attacks, these are common and once they occur the confidentiality, integrity and availability of data is seriously compromised.
• Software: This applies to any software that is being used by the healthcare provider, if the software has security vulnerabilities, it puts the entire infrastructure under threat as the attackers could exploit known vulnerabilities of these software to hack into the system. 24.
Attacks through a compromised device:
If a single device is compromised it is much easier for hackers, and cyber criminals to attack other interconnected devices within the health institution. For instance, if a hacker can get into the healthcare providers internal network due to a compromised wireless network or device than this will provide an open access to attack any device connected to the network within that organisation.
Lack of Education & Awareness:
This is another common problem within other industries including the IT sector. But even more so in the health industry where majority of staff are not inclined towards information technology let alone cybersecurity issues. Many issues are prevalent here such as;
• Lack of secure disposal of devices often containing sensitive data
• Not changing the default password of a newly deployed device
• Sharing passwords in paper form in a very insecure public environment
• Lack of or non-existent security education and training to staff.
• Allowing shoulder surfing to occur, where people can see or read the users screen. 24.
Attacks of this nature are on the up, where the hackers/cybercriminals find a way to hack into the healthcare provider’s system and once they are in and have access to the records, put an encryption on the data unless a ransom is paid by the healthcare provider. Technically it works where Crypto ransomware software encrypts the provider’s data and locker ransomware prohibits the genuine user from accessing their own data.
According to Sophos 54% of organisations have been hit by ransomware over the past year. 25.
According to this report by HealthITSecurity, ransomware attacks against healthcare organisations jumped significantly in the third quarter of 2017. 26
The most common cause is through email-related security threats.
Social Engineering & Phishing:
Accidental or intentional leak of information by staff on social networks poses a security theat. Also, deceptive emails and clicking on links associated with these malicious emails remains the biggest cause of malware and ransomware attacks in healthcare organisations.
This threat is prevalent in the health industry as well as any other industry. Insider threat intentional or unintentional could cause a massive security problem. If a single hacker or an organised criminal gang can access the data could put a lock on the information for ransom.
Poor Disposal Policy:
This is a common problem in most industries. The disposal of old equipment such as PCs, Hard drives, network devices, medical devices often lacks a specific proper and secure company disposal policy. Often companies dispose of or donate the equipment without properly wiping the data on these devices. This provides an opportunity to any malicious parties to get hold of this equipment and using forensic techniques try to extract sensitive data from these devices.
Limited Power of Security Devices:
Medical devices, specifically implantable devices lack power and are often dependent on battery life. In case of sophisticated encryption software, it is more than likely that the batteries would deplete quicker than without such security measures and this would likely create problems in some devices.
Theft of Equipment:
People could just walk away with a medical device or other sensitive equipment containing data as a typical hospital contains thousands of medical devices and it is a public place. Lack of security in this respect could cause a major security hazard.
Denial of Service Attacks:
A dedicated denial of service attack by an organised criminal gang or even a simple de-auth attack using aircrack-ng suite by an individual is enough to cause disruption to a WIFI network. This type of attack could take down vital systems and render a healthcare organisation completely vulnerable.
Physical and Accidental Damage:
Physical malicious destruction of medical devices or other equipment at the hospital could also pose a major threat due to it being a public access area. Security in hospitals has always been poor, often doors are left unlocked and anyone could just walk in and grab a piece of equipment or device and walk out unnoticed.
What needs protection:
• Personnel, Hardware, Software, Networks, Devices, Printers, Scanners etc
• Fire, Natural disasters, Floods, Vandalism, Theft, Burglary and Terrorism 27
More threats here: 28
Through Aircrack-ng and other software available on the net, any malicious person could use these to scan and attack any wireless network. Krack and other threats to Wi-Fi networks continue to exploit vulnerabilities.
6. WIFI Controlled IoT/LED Device (Medical Device)
7. Wireless Network Penetration Testing
The purpose of this chapter was to carry out penetration testing on the IoT LED device as well as the wireless network. The aim was to disrupt the IoT device despite various security measures available to protect it at the AP level as well as security offered through the Raspberry Pi OS. I wanted to knock the device off the wireless network as well as wanted to test denial of service attack.
After research and advice, I decided to use the following methods to achieve the above objectives;
• Aircrack-ng Suite
• Krack Attack
• DoS Attack
• New WPA2 Attack
8.2 DoS attack
The purpose of denial of service attack is to deny legitimate users’ access to a network, website, emails etc. either by rendering the website completely unavailable by crashing it or making it work very slowly. This is done by attacking the target resource this can either be webserver or network; by sending many requests at one time. As a result, the server slows down and cannot respond back to the requests being made, therefore crashing the server or slowing it down. 36
This is a very dangerous attack as it cuts off the users from using the internet and so leading huge loss of money and business. This is especially worrying in the healthcare sector since if medical devices connected to the network lose connection at any point during usage can result in data loss, putting patient’s life at risk and delaying access to important files that the doctors might require access to and many other risks factor the list is endless.
There are two different types of DoS attacks namely: Denial of Service and this type of attack is carried out by a single host. The second type is called the distributed DoS and in this attack the attack is performed by more than one PC, often hijacked or zombie machines that all aim towards the same victim. The attack floods the network with too many requests. 36.
How does DoS work
There are five main types of attacks that can fall under the category of DoS attacks. These are:
Ping of Death: As know the command “ping” is used for testing the availability of a network resource. This is done by sending small packets to the device that is on the network. The number of data packets sent is above the maximum number that TCP/IP allows which is 65536 bytes. The small packets are broken down into smaller ones and then they are sent over to the server and this is done using the TCP/IP fragmentation. When many packets are sent the server cannot handle such amount and therefore they end up slowing down, crashing and having to reboot.
Smurf: This is a network layer attack that is like ping floods where a huge number of Internet Control Message Protocol (ICMP) Echo request packets are sent that are aimed at an Internet Broadcast Address. Smurf is classified as an amplification vector that increases its destruction possibility by abusing features of broadcast networks. 37.
Buffer overflow: As known a buffer is a temporary area for storage and when more data than allocated is placed there by a system process that data overflows causing data leak to other buffers; which can in turn corrupt or overwrite the data that was originally held on them. In the attack the extra data sent holds specific instructions on placed by the hacker that could trigger a response that will cause damage to files or change data or reveal private information. 38.
Teardrop: This is where the TCP/IP fragmentation reassembly codes are targeted. It’s done by causing the fragmented packets to overlap one another on the host receipt; during the process the host tries to reconstruct them but fails. As a result, the system crashes due to the large number of payloads being sent to the targeted device. 39
SYN attack: This is when the TCP/IP stack are exploited by an attacker and it is done by sending SYN packets and supressing the SYN-ACK packet. A large amount of data is sent to the link to flood the link. Also, a lot of bandwidth doesn’t sometimes need to be generated for the attack but the resources on the device are tied up.
DoS (Denial of Service): Smurf
8.3 Krack Attack (Key Reinstallation Attack):
The KRACK attack was first exposed in May 2017 by Mathy Vanhoef and Frank Piessens, two researchers at KU Leuven (the largest university in Belgium). The authors published the research paper titled ‘Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2’ in October 2017 which caused a worldwide concern about the future of the WPA2 security. It meant that every single IoT device in the world was vulnerable to Krack Attack. 40.
Android and Linux systems were mostly susceptible to Krack attack due to the implementation of open source ‘wpa_supplement’. The method of attack was to manipulate these devices to install an all zeroes encryption key, hence rendering the WPA2 protection ineffective.
Krack attack is also referred to as (Key Reinstallation Attack). Krack attack is possibly the most severe weakness which has been discovered in the WPA2 protocol and the first vulnerability that allows the attacker to read the WPA2 encrypted traffic without awareness of the actual wireless password.
The main notion for this attack is that when a client asks to join a network, the 4-way handshake is executed to be able to gain a new encryption key. This key is installed once the 3rd message is received, and an encryption protocol is used to encrypt normal data frames. This is not always the case as sometimes messages get lost or dropped so to ensure that they are not, the access point will transmit message 3 again and this results in the client receiving more than one message 3.
The same encryption key is installed each time the client receives the message; and so, resulting in the nonce being reset and replay counter used by the encryption protocol. This allows the attackers to abuse such system by forcing these resets by gathering and replaying retransmissions of message 3 of the 4-way handshake. The encryption protocol is then attacked using the forceful reuse of nonce in that method and so packets can be replayed, decrypted and forged. Mathy suggests that “the attack works against WPA1, WPA2 and personal and enterprise networks” 65. Also any “cipher suite (WPA-TKIP,AES-CCMP and GCMP)”. 65
8.4 New attack on WPA/WPA2 using PMKID
The attack that is going to be discussed in this section is a new attack that has been released recently earlier in August 2018. The attack was discovered by accident during the process of looking for ways to attack WPA3 security standard. Any future attacks on WPA3 will be difficult to construct due to the improved method of key establishment which is called “simultaneous Authentication of Equals”.
A new security flow in WPA WPA2 PSK (pre-shared key) passwords. In this attack the capture of full EAPOL 4-way handshake is not necessary. This is because the attack is carried out on the Robust Security Network Information Element of a single EAPOL frame. The attack mainly exploits PMK caching feature of wireless standard protocol. PMK stands for pairwise master key it can be calculated using this formula PMKID = HMAC-SHA1-128(PMK, “PMK Name” | MAC_AP | MAC_STA) where HMAC-SHA1-128 is an algorithm. So, AP caches this PMKID, so it doesn’t have to perform these complex calculations in some situations like in case of roaming.
This attack also solves many problems such as no more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack). Also, no more waiting for a complete 4-way handshake between the regular user and the AP. And no more eventual retransmissions of EAPOL frames (which can lead to uncrackable results). In addition to that no more eventual invalid passwords sent by the regular user and no more lost EAPOL frames when the regular user or the AP is too far away from the attacker. Finally, no more fixing of nonce and replay counter values required (resulting in slightly higher speeds). 42
For the attack to work some tools were required to perform and execute the attack and these include: hcxdumptools, hcxtools and hashcat. These were all available on github (image 98,99,100,101,102,103,104). The HCX tools is used to extract the PMK ID from the data dumps. The hcx dump tools were used for dumping target access point communication management frames. Finally, the hash pad is used for cracking password using PMK ID. This attack does not require the user to be connected to the WIFI to be able to view the password.
Once all the tools were downloaded it was then time to select the target of the attack.
• To do this needed to have the wireless adaptor waln0 to be put in monitor mode and select the target (image105,106).
Then in the hashcat folder insert the BSSID of the target into a file and save that file. The file will act as a filter list for selected stations later when the command for executing the attack is run. Then the hcx dump tool is used for fetching pmk ID from target network. Once that’s done the command;
hcxdumptool -o hash -i wlan0mon –filterlist=filter.txt — filtermode=2 — enable_status=2
• The above command was executed to perform the attack (image 96, 97, 107)
After some time, the results were a message was shown which stated “FOUND PMK ID” this is received when the AP receives the association request packet and it supports sending PMKID. This PMK ID is then extracted from pcapng file using the hcx cap tools using the command;
# hcxpcaptool -z hashtocrack hash
• The hcxpcaptool converts the captured data from pcapng format to a hash format that is accepted by hashcat (image 110)
After executing that command;
# cat hashcarck
was executed to validate hash. Then the hash was cracked using hashcat using the command;
# ./hashcat -m 16800 hashtocrack -a 3 -w 3 ‘?l?l?l?lre!123’ – – force
once the hash has been cracked it was viewed in hashcap file. Using the command;
# ./hashcat -m 16800 hashtocrack -a 3 -w 3 ‘?l?l?l?lre!123’ – – force –show
• The columns (PMKID,MAC AP, MAC Station, ESSID) are all hex coded (image 108)
• Once that command is executed the password is then displayed (image109)
New attack on WPA/WPA2 using PMKID
As mentioned earlier the attack is based on PMKID, caching and the attack uses one of the issues of PMKID caching and this is the WLAN password is being moved out in the air while hashed. This therefore makes it an easy target for brute-force attacks. And the discovered attack is nothing but “an offline brute-force attack against the WPA2 password”.43
While doing some research into this new attack it was found that this attack does not work on all routers and it only works on specific routers as some routers might be protected against such attack 42 on the website it is also stated that this attack will work against all “802.11i/p/q/r networks with roaming functions enabled” 42. Also, it depends upon channel noise and model. It was also found that this attack does not work when roaming is not enabled, and this needs to be checked in the router advanced settings. While performing the attack I tried attacking on the same channel and that seemed to work as well.
8. Security Solutions
A list of common threats previously discussed in Chapter V and what can be done to counter those threats.
Lack of Effective Policy & Security – Countermeasures
Guidelines from Medicine & Health products Regulatory Agency and Regulating Medicines and Medical Devices (MHRA) is the first step that any healthcare organisation needs to follow and should involve most if not all the following recommendations;
• A robust policy on acquisition, deployment, use, monitoring, security, disposal, repairs etc. of medical equipment
• A well represented team concentrating on the security of medical devices
• An up to date database of all the devices, their status and location
• A robust policy and procedure on loaned medical equipment
• Risk management policy involving all medical devices 21
The Open Web Application Security Project (OWASP) is a non-profit organisation which focuses on improving the security of software suggests the following guidance for healthcare providers and other clients for deploying medical devices;
• Purchasing controls
• Perimeter defences
• Network security controls
• Device security controls
• Interface and central station security
• Security testing
• Incident response 44
Legacy Operating Systems & Software – Countermeasures
Legacy operating systems should be upgraded to the new OS and through cooperation and support from the medical device manufacturers. A change of OS should only be authorised once confirmation has been received from the manufacturers that the device in question will work with the new OS and once thorough testing has been carried out to ensure correct functioning. Such a change should only be deployed gradually and there should always be a back out plan in case of problems and incompatibilities, so applied changes should be able to be reversed.
Lack of Software Updates & Patching – Countermeasures
A dedicated person or a team who only look after the information technology security for the health organisation is vital. This team should be responsible for ensuring that all the operating systems, software and medical devices are up to date and a comprehensive antiviral, antiworm package is in use. A software update or patch should not be implemented until tests have been carried out and it is confirmed that the device in connecting will continue to operate once the patch has been applied.
There should always be a back out plan in case of bugs in the software and possible incompatibilities with the medical devices.
General Lack of Security in Medical Devices – Countermeasures
As currently known majority of network enabled medical devices within hospitals are not secure and this is due to the issue of them being deployed without taking into consideration the security. 44, 45
Network, Web and Software Security – Countermeasures
The deployment of IoT devices with WIFI capability are on the increase within the healthcare industry, this means that some devices are accessed by the users through web servers. It is therefore vital that these Servers are secure through regular updating and patching of the system.
Databases should be separated from the web servers and ideally should be behind a firewall with private IP addresses. The data within the databases should be encrypted and importantly all data on a database must have backups. Regular updates and patches should always be applied.
Software and specifically third-party software must be monitored and updated regularly, the security team must be aware of the latest vulnerabilities and security threats to the software being used by the healthcare provider and if identified need to be addressed urgently.
Attacks through a compromised device – Countermeasures
A compromised device is a major vulnerability for any organisation. If a device is hijacked or a Wi-Fi network infiltrated, this allows easy access to all the devices within that network to the malicious party. For instance, during the penetration testing I was able to break the WPA2 key and using the key I would have been able to connect to the network and interfere with all the devices connected within that network. Here are some steps that would help the healthcare provider to improve security towards such an attack;
• Strong Wi-Fi password
Lack of Education & Awareness – Countermeasures
Improved cybersecurity awareness and training is a must in any organisation, but particularly in the healthcare industry which is vastly targeted and where majority of staff are not inclined towards embracing technology let alone security of such technologies. But it is up to the healthcare organisation to encourage the staff through various means including;
• Classroom Security training
• Security Awareness section on the website
• Simulation of attacks on devices and how to counter them
• Helpful hints through email weekly or monthly
• Encouraging staff to attend Security seminars
The above methods should be deployed to encourage staff to take the security of devices and premises seriously as be aware of all the threats to the patient’s data and medical devices by being aware of threats and vulnerabilities such as software and email vulnerabilities, ransomware and other threats to the valuable data, data and password security, viruses, spyware, adware etc.
Although arranging and providing training and increase awareness through various means may cost the healthcare provider, in the long run it will provide immense benefits such as increase staff confidence, a better culture, it will save the healthcare provider a lot of money. Refhttp://blog.integrityts.com/5-benefits-of-security-awareness-training
Social Engineering ; Phishing – Countermeasures
Social engineering simply means fooling someone into releasing information. This type of attack is mainly aimed at people through manipulation and involves extracting valuable data information to launch an attack later.
The mechanics of this type of attack involve phishing, communicating through email, social media or other communication that may put fear, urgency in the victim who may click on a malicious link, website or accidentally reveal sensitive information during a conversation.
Because this attack involves a human connection, preventing such an attack is difficult but increased awareness through training, and recognising a threat could limit these attacks. Other methods to counter such attacks also include;
• Increased awareness of spam and phishing emails asking for personal information or to click a malicious link
• Not giving personal information over the phone or email or in popup windows
• Awareness of phone phishing
• The healthcare organisation should install reliable anti-spam filters, anti-malware and anti-viral software to counter these threats
• Awareness and training on how to use social media safely 46
Limited Power of Security Devices – Countermeasures
In the problems chapter it was stated that most IoT medical devices were dependent on batteries to operate and often problems occur due to the life span of battery power. This is an issue that can only be addressed by the developers/manufacturers of such devices. The healthcare providers need to work with the developers, and governments to ensure new technologies are applied to IoT medical devices to increase significantly power as well as to make them less reliant on battery power.
Poor Disposal Policy – Countermeasures
Any disposal policy needs to be covered under a comprehensive security policy of any healthcare provider. Clear guidance should exist as to how an IoT medical device should be disposed of. For instance, in case of a device being taken out of service. The data on the device should be wiped through a policy procedure. The data should be wiped in a way that no forensics methods applied by a third party would be able to recover anything.
In the following article by NHS, excellent guidance is provided to healthcare providers on how to dispose of devices that contain data including hard disks, optical devices in a safe manner. 47.
The guide produced by MHRA and Medicines ; Healthcare products Regulatory Agency contains excellent tips for healthcare providers regarding safe disposal of medical devices. 21
Theft of Equipment – Countermeasures
If excellent security exists to protect the infrastructure of a healthcare provider, it would make no difference if someone is able to just enter and walk out with a piece of hardware, device or other equipment.
Good physical security needs to be implemented to stop theft or devices and equipment. This should include a good quality manned monitoring system of the premises, as well as physically security at entrance and exists.
Physical and Accidental Damage – Countermeasures
A good physical security is a necessary requirement for every healthcare organisation including hospitals, clinics and surgeries. This needs to be implemented as part of a comprehensive security policy’s physical security control.
Solutions should include but not limited to:
• Physical Access control system
• Perimeter detection and alarm systems
• Monitored surveillance CCTV
• Physical barriers, preferably manned
• Good lighting system
• Patient and visitor controls 50
Aircrack-ng – countermeasures
One of the solutions implemented by hardware manufacturers is to ensure that the latest wireless cards are not compatible with Aircrack-ng and other hacking software. Although it is still possible to buy specifically designed for this purpose.
Constantly updating and patching devices.
Denial of Service Attacks – Countermeasures
There are not many solutions to mitigate a DDoS attack however one of the solutions that can be applied is the addition of measures that ensure the maximum size of the packets. This can be done by adding a checker to the reassembly process, this is so that after packet recombination the maximum packet size constraint is not exceeded. Another countermeasure is the creation of a memory buffer that has a good amount of space that can cope with the packets that exceed the optimum level set.
Also, not many years ago in 2013, Microsoft Windows had an attack on the IPV6 packets for it and it was patched. This was done through the “dropping malformed packets before they reached the targeted host computer” 51.
A network administrator can also disable the ping flood and stop the device from being able to send and receive requests using the ICMP. Therefore, this removes the process of request and Echo reply. However, this has the effect of disabling all the network activities that involve ICMP, where the device does not respond to ping requests, traceroute requests and many other network activities 51
Also dividing the area covered by the access point can help with the loads balancing on the wireless network and decrease the impact of DoS attacks.
Specialist products; 48, 49
Krack attack – countermeasures
An article published in November 2017 by Ava Piero at Fing.io suggested the following solutions to protect against the Krack attack, and I believe these are still very effective.
Update the Router:
This is a common problem where home routers are hardly updated. Users are often quick to update PCs, Laptops and other devices, whereas router updates are often overlooked. If the router has a vulnerability updating internal devices is not going to provide an effective security as anyone from outside can scan the system and exploit a vulnerability to user’s router.
Most devices are now able to download and install updates without user intervention.
Update all devices:
This is an obvious solution at any given time, but due to the sheer number of devices at risk it is highly recommended that all IoT devices are updated to ensure they are protected against Krack.
If there is a vulnerability especially Krack, then it is recommended that Ethernet is used while the device is still being patched. The krack vulnerability only effects Wi-Fi.
It is more secure to use websites which contain the ‘https’ web address. This option can now be specifically chosen in the browser window i.e. ensuring web services are SSL encryption enabled. 64
Setting up and using a virtual private network on all devices before connecting to any Wi-Fi network provides protection. The VPN creates a secure tunnel through which the information send over the Wi-Fi connection is encrypted.
Avoid Public Wi-Fi:
It is also recommended that if the user is going to work on sensitive data such as customer data, financial transactions etc, connecting to Wi-Fi in public area’s such as airports, cafes, hotels and other open access facilities should be avoided.
New attack on WPA/WPA2- countermeasures
At the moment there are no current countermeasures for this attack as it is a recent attack.
9. Critical evaluation
The main objective of the project was to have a working IoT device which would perform a function through a website designed specifically for this purpose, a device that would mimic the functioning of any medical device. These objectives were achieved.
The project also provided an excellent opportunity to research, and evaluate the functioning of such devices, their strengths and weaknesses as well as an in depth look at how these devices were affected through vulnerabilities in wireless networking. The project also addressed various vulnerabilities in Wi-Fi networks including latest attacks and how these threats could be addressed through improved security measures.
From the creation of the IoT medical device and application of various tests to exploit vulnerabilities in the local Wi-Fi network and through extensive research into Wi-Fi networks, threats and vulnerabilities and using factual deductions and critical evaluation of the project, strengthens the fact that IoT devices in general and wireless networks are vulnerable but could be better secured through the implementation of security policies and procedures in traditional computing methodologies.
Here is a list of objectives achieved:
• To examine IOT medical devices in the health industry
• To examine Wireless Network Standards, Security and Vulnerabilities
• IoT Device construction (medical device that performs a function)
• Enabling access to the IoT device globally through a website
• A password protected website creation (To control the device)
• Disruption testing of IoT device and removal from Wi-Fi network (through Aircrack aireplay-ng function)
• Crack WPA/WPA2 Wireless Network Key using brute force attack (through Aircrack-ng function)
• New WPA/WPA2 using PMKID
• Other penetration testing of Wi-Fi network
Objectives requiring further research and testing:
• A simple password protection method was used, where a hard-coded password was used, a more sophisticated method could be deployed in the future to make the password immune to easy or brute force cracking, i.e. only allowing authorised personnel access through authenticated directory services.
• I was not able to test WEP using aircrack-ng suite due to unavailability of this insecure method.
• Some of the threats such as Krack that were investigated and tested did not penetrate the WPA/WPA2 since most of the devices as well as the wireless networks had already been patched to cover for those threats. Further tests involving other devices such as cameras, and very specific medical equipment could be planned and carried out to tests against Krack