Russia-based security research company Gleg has announced it will sell a security subscription service covering valuable zero-day exploits for software embedded in medical systems, creating concern within the healthcare community.
Observers note that the exploits themselves may be difficult to turn into a real-world attack. The value of zero-day exploits continues to create legitimate sources of income for security researchers and analysts, but only when organizations live in the present.
Computer systems are not perfect. They are not even close to being perfect. Whether executive teams impose unrealistic timelines or the product needs to be first to market, developers are required to squeeze out what they can and keep fixing bugs after launch.
It’s like living in a house before the painting is done—it’s not totally finished and refined, but it’s financially responsible to move in while the rest is ironed out.
Sometimes, though, it is more like living in a house before the plumbing is done. That is where the major zero-days tend to be found.
Bugs are normally picked up and patched by the people who know the inner workings best. But sometimes they are missed.
Zero-day threats are vulnerabilities, and the exploits for them, that are unknown to the vendor—unknown in the sense that they are completely under the radar, and likely not yet in active use, since using them risks being flagged by the security team.
All attackers love zero-day exploits, be they black hat or white hat hacking teams, state agencies or fortunate security researchers. They are incredibly valuable to all who discover them, albeit for different reasons.
It’s an open door that isn’t being watched. In discovering a zero-day, hackers and state agencies can sit on these vulnerabilities and build malicious exploits.
Security of Medical Devices
Medical devices are notorious for low security standards, with the publication Wired going so far as to label them the next security nightmare. This is largely because the bulk of systems in a hospital, for example, are rarely updated—even at the operating system level.
When these vulnerable systems are affected, lives may be at stake—quite literally. As such, it will come as no surprise that a 2016 report identified the healthcare sector as having paid over $100,000 in Bitcoin ransomware payments to unlock systems, as opposed to writing off the machines and data. It is little wonder why they do this, but it also feeds hackers’ desire to keep spreading malicious code.
Security Company’s Business Model
Everything is moving to a “subscription” model, from the legal industry to the security industry. Knowledge is power, and selling something only once is becoming antiquated. This is capitalism after all; why not find a way to sell things over and over again?
Gleg has packaged these zero-day exploits into a “MedPack,” which comes with 25 zero-days affecting software created by MediTEX, with updates maintained over the life of the subscription.
MediTEX provides quality assurance for reproductive pharmaceuticals, as well as therapy and dosage software.
Any practice or hospital that has deeply integrated a system from this company has serious sunk costs invested in it.
It becomes a question of risk. Is it worth a mere $4,000 per year to pay a company such as Gleg to patch the MediTEX software continuously, or can we risk a possible major lawsuit?
A medical negligence action harms a wide circle of people, from the individual practitioner to the entire practice, and if the action can be mitigated, that is obviously preferable.
This is likely the thought process for any risk or legal head of a hospital or practice currently built with MediTEX software.
These are active zero-day exploits, and the details remain unknown to the vendor, let alone the public. But the reality is that these holes are open and potentially exploitable to anyone who can access the door.
It turns into an issue of disclosure obligation, which the company states it does not have. This is perhaps an important discussion that must be had publicly.
Medical vulnerabilities are fast being exposed as potentially life threatening, especially following last year’s WannaCry ransomware outbreak, which halted operations at several hospitals and caused financial damage that is difficult to quantify.
A Possible Solution
Hospitals and the healthcare industry are at the forefront of medical technology, science and microbiology at their very core. However, the industry would rather “set and forget” every computer and the associated networks that make up a hospital, or isolate systems from the internet.
This is where WannaCry ripped that measure apart by spreading laterally within a network. Hospitals and other life-sensitive utilities (water, power, etc.) simply require higher computer security budgets and more personnel as the world and the threats within it change.
Is the information technology team in a hospital going to resync an angry surgeon’s desktop, or patch Windows 7 on a computer that doesn’t face the internet? That question was answered in 2017 as WannaCry demonstrated.
What’s needed? One viable solution may be health industry bug bounties. They have become huge in technology-conscious companies and sectors, with platforms like HackerOne making it even easier for the private sector to set these programs up.
The healthcare industry now needs to take the initiative and start offering some serious bounties for safe vulnerability disclosure.
Security researchers get paid, bugs get patched. The only loser would be subscription-based companies like Gleg, which would lose future revenue as they lean on research already completed.
A problem with bug bounties in the health industry is the lack of widespread access to analyze these closed systems. Invitation bounty programs may rectify this.
It’s clear something is needed. Sure, the zero-days held by Gleg may not be incredibly life threatening, but the emergence of this business model makes a possible catastrophe easy to imagine.
All it takes is a life threatening zero-day. In that instance, should a company be holding the patch like a carrot over the hospital? Or will an obligation to disclose be signed into legislation following tragedy?