Hot Topics in Information Security ABA-ISC November 18, 2014

Page 1: ABA ISC Hot Topics - nov 18 2014

Hot Topics in Information Security
ABA-ISC
November 18, 2014

Page 2

Topics:
● Medical Device Security
● iHack
● Net Neutrality
● IOT (Internet of Things)

Page 3

Medical Device Security

● Despite many proof of concept attacks, there are no known incidents of harm resulting from deliberate attacks on a medical device.
● BUT ... there are many known cases of software faults causing harm, even death, absent external attack.

Page 4

The Therac-25, aka The Death Ray.

Late 80s. See www.ccnr.org/fatal_dose.html

"Inside the treatment room Cox was hit with a powerful shock. He knew from previous treatments this was not supposed to happen. He tried to get up. Not seeing or hearing him because of the broken communications between the rooms, the technician pushed the "p" key, meaning "proceed." Cox was hit again. The treatment finally stopped when Cox stumbled to the door of the room and beat it with his fists."

● Cause was a variable rolling over from 255 to 000 (rather than 256), opening a window during which a safety protocol might be bypassed.
● People died.
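The rollover mechanism on this slide, as a simplified model added here (not the Therac-25's actual code, which was PDP-11 assembly), following the published account of the defect: a one-byte "check required" variable is incremented on every pass through the treatment setup loop, and the collimator safety check runs only while that byte is non-zero, so on every 256th pass it wraps from 255 to 0 and the check is silently skipped even when the hardware is in an unsafe position. The collimator state, the pass loop and all function names are constructed for the example; the two hardened variants (a flag that is set rather than counted, and a saturating counter) are the fixes an engineer would reach for, not what the vendor did.

```python
"""Simplified model of the Therac-25 rollover defect (added example; not the
machine's real code). A one-byte 'check required' variable is incremented on
every pass through the setup loop, and the collimator check runs only while it
is non-zero, so every 256th pass the byte wraps to 0 and the check is skipped."""

BYTE_MASK = 0xFF  # models an 8-bit variable: 255 + 1 wraps to 0, not 256


def buggy_increment(flag):
    """The defect: an 8-bit counter used as a 'check required' flag."""
    return (flag + 1) & BYTE_MASK


def saturating_increment(flag):
    """Hardened alternative: the counter sticks at 255 instead of wrapping."""
    return min(flag + 1, BYTE_MASK)


def set_flag(flag):
    """Hardened alternative: a boolean 'check required' flag that is set, never counted."""
    return 1


def run_setup_loop(passes, collimator_ok, update_flag):
    """Simulate `passes` iterations of the treatment setup loop.

    `collimator_ok` is a constructed hardware state (False = unsafe position).
    `update_flag` is how the 'check required' variable is updated each pass.
    Returns the pass numbers on which the beam was enabled although the
    collimator was NOT in position, i.e. the passes on which the check was skipped.
    """
    flag = 0
    unsafe_beam_enabled = []
    for n in range(1, passes + 1):
        flag = update_flag(flag)
        if flag != 0:
            # The check runs: an unsafe collimator blocks the beam on this pass.
            if not collimator_ok:
                continue
        elif not collimator_ok:
            # flag == 0: the check is skipped and the beam is enabled blind.
            unsafe_beam_enabled.append(n)
    return unsafe_beam_enabled


if __name__ == "__main__":
    print("buggy:     ", run_setup_loop(600, False, buggy_increment))       # [256, 512]
    print("saturating:", run_setup_loop(600, False, saturating_increment))  # []
    print("boolean:   ", run_setup_loop(600, False, set_flag))              # []
```

The lesson for reviewers of safety-critical code is that a counter should never double as a boolean: any fixed-width counter eventually wraps, and a wrap that lands on the "no check needed" value turns a rare timing condition into a guaranteed periodic bypass.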

Page 5

New FDA Guidelines (Oct 2 2014)

“Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

Page 6

General Principles

● Manufacturers should develop a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.
  o Onus is on manufacturers to develop controls.
  o Specific recommendations (i.e. code signing) are ALL nonbinding.
  o FDA recognition that patients have a role in security. Akin to telling those with pacemakers not to stand beside microwaves.

Page 7: ABA ISC Hot Topics - nov 18 2014

● Cybersecurity should not limit core

functionalityo "Controls should not unreasonably hinder access to

a device intended to be used during an emergency

situation."

o DRM?

● Documentation standards remain focused on

case-by-case inspections

o "Should" provide a specific list of all cybersecurity

risks considered, along with controls.

o Traceability matrix linking threats to controls.

o "Summary describing a plan for providing software

updates"

Page 8

A Glimmer of Progress!

"The FDA typically will not need to review or approve medical device software changes made solely to strengthen cybersecurity"

Page 9

Conclusion: FDA is Treading Water

● Everything remains nonbinding, to be judged on a case-by-case basis
  o Software documentation requirements remain as they were in 1999
  o See "Off-The-Shelf Software Use in Medical Devices" http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM073779.pdf
● FDA has essentially adopted the basic NIST processes.
  o Identify, Protect, Detect, Respond and Recover.

Page 10

The 2014 Celeb iPhone/iCloud hack (aka The Fappening)

● Initial public release of images began on August 31st.
● Prior to this public release, most images had been trading privately for some time.
● Four distinct batches spaced over a month.

Page 11

Sharing methods were advanced, persistent and immediate

● Initial public leaks were of individual images via 4chan and image hosting services
● Torrents of collections quickly appeared.
● Mirrors were made to cyberlockers (i.e. rapidgator)
● A few BTsync shares became the go-to source for new public releases
  o Caused a dramatic growth in the use of this technology
  o Pushed filesharing forwards much as Metallica did with Napster.

Page 12

Limitations of standard takedown procedures

● Standard DMCA takedowns were/are insufficient.
  o Copyrights vest in the taker of a photograph, not the subject.
  o Not registered copyrights → no threat of attorney fees.
  o Not published, never to be published → no threat of financial loss.
● Many notices were improper.
  o Example: Google initially rejected upwards of 50% of takedown notices for links to images https://torrentfreak.com/google-refuses-remove-links-kate-uptons-fappening-images-140912/
  o Most came from "Reputation Management" firms.

Page 13

Many Images Contained Metadata

● GPS location/time etc.
  o Allowed for "creepy" maps to be generated tracking celeb movement.
  o Extra creepy when tied to Google street view
● All images with metadata were taken with iPhones.

Page 14

How Were the Images Gathered?

Options:
● Deliberate release?
● Negligent / Accidental Release?
● Hack of iPhones?
● Hack of iCloud Accounts?
● Not a hack.

Page 15

iBrute (Hack of iCloud)

● https://github.com/hackappcom/ibrute
  o "It uses Find My iPhone service API, where bruteforce protection was not implemented. Password list was generated from top 500 RockYou leaked passwords, which satisfy appleID password policy. Before you start, make sure it's not illegal in your country."
● Certainly a part, but not the complete answer
  o Questions as to timing
● Gave Apple an easy out
  o Blame put on users with easy-to-guess passwords
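The control the quoted README says was missing, written here as an added example from the defender's side (this is not iBrute's code and not Apple's): a per-account failure counter with a lockout window for an authentication endpoint, plus a detector that flags, in a constructed sample of auth-log lines, a source trying many passwords across several accounts, which is what a wordlist run against a user list looks like in logs. The log format, the addresses, the account names and the thresholds are all constructed for the example.

```python
"""Added example: brute-force protection and detection for a login endpoint.
Not iBrute's code and not any vendor's; the log format, addresses and
account names below are constructed for the example."""
import re
from collections import defaultdict

# Constructed sample of an authentication endpoint's log (not real data).
SAMPLE_LOG = """\
2014-09-01T03:14:01Z auth src=198.51.100.7 user=alice@example.invalid result=FAIL
2014-09-01T03:14:02Z auth src=198.51.100.7 user=alice@example.invalid result=FAIL
2014-09-01T03:14:02Z auth src=198.51.100.7 user=bob@example.invalid result=FAIL
2014-09-01T03:14:03Z auth src=198.51.100.7 user=bob@example.invalid result=FAIL
2014-09-01T03:14:03Z auth src=198.51.100.7 user=carol@example.invalid result=FAIL
2014-09-01T03:14:04Z auth src=198.51.100.7 user=carol@example.invalid result=OK
2014-09-01T03:20:00Z auth src=203.0.113.9 user=dave@example.invalid result=FAIL
2014-09-01T03:20:30Z auth src=203.0.113.9 user=dave@example.invalid result=OK
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Parse log lines into dicts with keys ts, src, user, result; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce_sources(events, min_failures=4, min_accounts=2):
    """Return sources with at least `min_failures` failed logins spread over at
    least `min_accounts` distinct accounts: a wordlist being tried against a
    user list rather than one person mistyping a password."""
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]] += 1
            accounts[e["src"]].add(e["user"])
    return sorted(
        src for src in failures
        if failures[src] >= min_failures and len(accounts[src]) >= min_accounts
    )


class LoginThrottle:
    """Per-account failure counter with a lockout window.

    `now` is passed in as seconds so the logic is deterministic and testable.
    While an account is locked, even a correct password is refused, so the
    lockout itself does not reveal whether a later guess was right."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, user, now, password_ok):
        """Record one login attempt; return 'ok', 'fail' or 'locked'."""
        if self._locked_until.get(user, 0) > now:
            return "locked"
        if password_ok:
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return "fail"


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    print("flagged sources:", find_bruteforce_sources(events))  # ['198.51.100.7']
    t = LoginThrottle(max_failures=3, lockout_seconds=60)
    print([t.attempt("alice", s, False) for s in (0, 1, 2)])     # ['fail', 'fail', 'fail']
    print(t.attempt("alice", 3, True))                           # 'locked'
    print(t.attempt("alice", 63, True))                          # 'ok'
```

Account lockout on its own lets anyone who knows a username lock its owner out, so in practice it is paired with per-source throttling; the detector above covers that per-source view, and both controls have to apply to every login path, including auxiliary APIs, or the unprotected one becomes the path that gets used.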

Page 16

Non-Hacking Suspects

● Deliberate leak for publicity.
  o Possible if only one or two, but very unlikely given the number.
  o Several have made statements under oath that this was not the case.
● Negligent leak / images sent to con artist.
● Leak by Apple employee.
  o Apple retains some access to all iCloud material
  o None from iOS 8 / iPhone 6

Page 17

Possible LOVEINT?

● Leak from within US intelligence community
  o NSA admits multiple incidents of "LOVEINT"
  o Snowden described the gathering of such images as a "fringe benefit" http://www.washingtontimes.com/news/2014/jul/18/edward-snowden-says-nsa-treats-nude-file-photos-fr/
● Selected celebs point to western, white, male attackers.
  o Predominantly US film/TV personalities
  o No Russian/Japanese targets
  o Matt Smith (although through girlfriend’s phone)
● Images were taken without detection

Page 18

Implications for Non-Celebs

● Watch out for BYOD
● Everything touching an iPhone or other cloud-connected device should never be considered deleted.
● Passwords still matter.
  o iBrute used a very short and known password list
  o Any password not on the list might have survived the week
● Cloud providers cannot be trusted to react quickly, or ever. Do your own encryption!

Page 19

Net Neutrality

● Rooted in Powell-era (Bush-era) FCC decisions
● Rate preferences posing distinctions between:
  o Cable-company-owned ISPs
  o ISPs owned by telephone companies
    Common Carriers, nearly all Baby Bells

Page 20

Net Neutrality
Rulemaking

● The typical FCC rulemaking proceeding gets a few hundred comments
● The Net Neutrality proceeding already has 4M filings, with several thousand significant, substantive filings

Page 21

Net Neutrality
Why is there no answer?

● Telecommunications Act of 1996
  o Assigned jurisdiction of the services now known as the Internet to Title I
● The debate has more energy because Congress has abdicated its policymaking role in this area
● Huge finances of Baby Bells (including Verizon) and cable companies give them a louder voice than all the other interests

Page 22

Net Neutrality
Conclusion

● This debate isn’t two-sided; it’s much more complex
● Leaving the decision to the FCC ignores the voices of less-well-represented parties
● The ABA could advocate for lesser voices, instead of just repeating corporate counsel talking points
● This is the watershed digital moment for this era

Page 23

Internet of Things at NIST

● Directed by Obama administration to establish standards for security of industrial control systems (SCADA) and other emerging technologies
● Began August 2014
● Close connection to Cyber Framework Working Party established pursuant to February 2013 Executive Order

Page 24

Internet of Things
Process

● Managed as a pseudo-voluntary process at NIST
  o Working groups on architecture, taxonomy, cyber security
  o Dramatic implications based on billions of port connections across Critical Infrastructure
● Objective is draft standards documentation circulated early in 2015
  o Eventual voluntary use in Critical Infrastructure sectors

Page 25

Internet of Things
Process Failures

● No connections to other, truly voluntary, standards processes at OMG, Open Group, and other standards bodies
  o Serious defect in process; could lead to incompatible standards and/or NIST-process irrelevance
● NIST-typical confirmation of a pre-ordained draft
  o No tolerance for debate not on track for confirmation of original Report outlines created in August plenary meetings

Page 26

Acknowledgements:

Created by the Information Security Committee of the American Bar Association

Richard Abbott, Chairperson
Martha Chemas, Chairperson
Michael Aisenberg, Vice Chair
Brendon O’Connor, Vice Chair

Science and Technology Law Section
Security, Privacy & Information Law

Fair Use Encouraged