Meltdown and Spectre – the newest vulnerabilities to affect the health industry

In January 2018, the cybersecurity world was hit by two Intel vulnerabilities, Meltdown and Spectre, affecting a substantial number of the world’s computer processors designed by Intel, AMD and ARM. From smartphones to PCs, supplied by any vendor and running almost any operating system, the vulnerabilities affected practically any modern computer.

Despite some patches being issued for the devices affected by these vulnerabilities, there has not been a complete solution and the vulnerabilities still represent a significant security risk to the health industry, especially with regards to the medical devices that it relies on so heavily. These medical devices are controlled by an application, meaning they can be directly compromised by Meltdown and Spectre. Unfortunately, because these vulnerabilities are part of the processor, the security protections that are usually in place are irrelevant. The vulnerabilities exist in the underlying system architecture of the medical devices, so can be exceptionally long-lived, providing attackers with sufficient time to develop direct attacks.

What are the effects?

The health industry relies on the use of so many medical devices every day, including things like MRI machines and pacemakers. It is likely for these devices to be compromised, putting patient data and safety at risk.

The vulnerabilities create the possibility for hackers to steal very sensitive patient information and personal data. This is to do with the memory of the application. For example, a hacker would be able to figure out how and when sensitive data is accessed or transmitted, then steal that specific information related to that patient from memory before it is sent over the network encrypted by SSL of the Operating System.

Equally, through vulnerabilities like Meltdown and Spectre, unauthorised people may gain access to more personal information from the backend systems. Credentials and keys required to access connected or backend systems, if exposed, would allow an attacker to further compromise systems containing more information and that of many patients.

It’s no quick fix

When it comes to mitigating the vulnerabilities on devices, it is going to take time to patch and update the large number of systems affected and, it could be that not all medical devices will ever get updated.  Although some patches have been issued, many have been recalled as they haven’t helped, in some cases they have actually made things worse. The most poignant example is that Intel recently pulled back the patches they issued for Spectre. The process is already fairly slow, and patch recalls are certainly not going to help.

Despite these patching difficulties, it is still possible to increase the security around Spectre, and application protection can provide this.

Protecting applications against Spectre involves hiding key materials, hiding data, and making the application and its control flow more difficult to instrument.  There are several techniques which facilitate this, including white box cryptography, data encryption and control flow obfuscation. With white box cryptography, the key to the data is never resident. This means for attackers to gain access to any data, they would have to pull back and reverse most of the application before figuring out how to replay the authentication, making it very difficult to make any progress towards accessing patient data.

Meanwhile, changing the control flow makes it more difficult to instrument the application and identify areas of interest, meaning identifying the registers or the memory locations in order to extract information becomes a lot harder. Encrypting the data within these registers or memory locations then adds another layer of protection as it hides the important values when not immediately needed. If an attacker does manage to exfiltrate the register or memory location, if the data is encrypted, they would have to figure out how to decrypt that piece of data which, unless they have the key, is significantly difficult to do.

What does the medical industry need to do?

With cybersecurity beginning to frequent the national news, more and more people are worrying about the security of their devices, applications, and internet. When it comes to medical devices, patients may start to feel less comfortable with those used for their treatment. Companies need to start promoting the efforts they are making to secure their medical devices, and the applications are used to control them. Whilst they do not need to flaunt their security strategy in front of attackers, patients need to be able to feel confident the medical devices being used for their treatment have been properly secured. Much of the time it is unlikely doctors or hospital staff will be able to explain the security behind the devices they are using. It comes down to the argument of clinical functionality and treatment being a higher priority than cybersecurity. Really, it is the manufacturers of the devices who are responsible for ensuring and demonstrating the security of the medical devices

Rusty Carter, VP of Product at Arxan Technologies

Leave a Reply

Your email address will not be published. Required fields are marked *