On 1/8/2019 4:00 AM, Thiago Macieira wrote:
> On Sunday, 6 January 2019 14:16:38 PST Roland Hughes wrote:
> > > And those devices still have an input mechanism: their scanner ports. It's
> > > possible to send malformed data to their I/O pins to cause an exploit.
> > > Heck, it's theoretically possible to do that with the scanning head
> > > itself: paint your chest with some pattern in UV and when you go for a
> > > tomography, bam! the device gets hacked. Remember how the iPhone 1 was
> > > jailbroken by a 1x1 pixel TIFF image opened in the Safari browser?
> > I have no idea what you are speaking of here. Perhaps it is from a part
> > of the medical device world I've never worked in. None of the devices
> > I've worked with have exposed I/O pins.
> They don't need to be exposed directly for data to be sent to them. The
> medical devices have probes, image and video acquisition, etc. You can hack
> through those. Granted, this would be a terribly difficult hack and the hacker
> would be right there visible to everyone, but it's theoretically possible.
Maybe that will work on one designed and built in North Korea then
smuggled into the country, but, not on anyone I've worked on or heard
about designed and built in America. That stuff is all modular. It will
look like a single device, but, that is the visual magic of the case.
Any byte outside of a limited range value in the fixed size message and
to the bit bucket it goes.
Now if you are talking about _consumer_ products which measure blood
pressure, heart rate, glucose "for entertainment purposes" à la FitBit
and some devices potentially sold at drugstores but __definitely__ sold
on Amazon.com which __never__ went through FDA regulated development
process and cannot legally call themselves "medical devices" in any way
shape or form, yes, all kinds of badness is most likely there. But for
stuff legally allowed to call itself a medical device in this country,
only NASA pre-faster-cheaper-splat days had more rigorous development
rules and physical testing. This is why all of those late night lawyer
commercials you see are for drugs and implants.
Diagnostic and monitoring equipment has required periodic manual checks.
Even if you are hooked up to a 24x7 full vitals monitor medical staff
are required to come into the room every so often to manually take your
vitals. Given the level of design document vetting required before the first
drop of solder can fall and the immensely long clinical trials I'm
shocked any surgical robot ever makes it to market.
Having said all of that, your fears may become a reality thanks to
little snot nosed Donny.
https://www.reuters.com/article/us-fda-devices-proposal/fda-proposes-new-fast-path-to-market-for-certain-medical-devices-idUSKBN1E6031
The 510(k) process is how replacement diagnostic equipment with manual
verification procedures was able to quickly put out lead free
replacement devices once lobbyists went down in flames trying to
overthrow the international lead free regulation. My gut tells me this
new proposal will see a rash of surgical robots attempting to fast track
and other fools trying to connect their devices to the Internet so they
can force out mandatory updates either during unsafe times or OS "fixes"
which haven't really been tested. Not cool. Field updates are currently
done by trained service personnel to ensure the device isn't in use or
about to be connected to a patient.
> > Perhaps I've just been lucky, but every device I've worked on to date
> > has had isolated components which communicate via a message queue. The
> > message queue only supports a limited number of serialized messages
> > (usually serialized COOA messages with fixed length fields.) If a stream
> > of garbage came in from a replaceable component, the stream would be
> > ignored by the message queue and an alarm sounded. Even the USB ports
> > I've seen on them will not communicate with an off-the-shelf keyboard,
> > mouse, thumb drive, or insert USB device here. Only a limited set of
> > custom devices could connect in any way.
> But there's a higher layer that parses the messages that were received. My
> point is that a suitably crafted message could trigger an exploit / DoS in the
> device. And again, you don't need access to the bytes to send that message,
> you can do it by causing the actual capture device generate them.
In theory, if any component were allowed to communicate via dynamic
streams or used XML your statement would be correct. Each message of a
certain supported type is a mandatory length with fixed length fields
all having allowable octet values. Too short, too long, unknown type or
one octet outside of the allowed range and it goes to the bit bucket.
> > > Maybe the IoT surgical robot is not a 2019 technology, but there are
> > > plenty of other IoT ones that are. Those MUST update. Frequently. For
> > > those, if you're not able to deploy a fix within one week, do us all a
> > > favour and don't sell your device.
> > Should I assume that last statement was directed at Google and Android?
> > <Grin>
> No, since Android does actually have an update cycle and Google's own Android
> devices get those updates very quickly. Apple is good too. They don't update
> every week, but they have the ability to do so if required.
> No, it's aimed at everyone else, those who take months or a year to update, if
> at all. Whether it's running Android, Tizen, WebOS or a custom-built Linux
> (using Yocto Project or not) is not important.
> > https://www.linux.com/news/2017/9/android-oreo-adds-linux-kernel-requirements-and-new-hardening-features
> > Many of those devices have no ability to patch
> > themselves or be patched by a non-technical user. Lots of "new" products
> > being sold on eBay and other places which only list Android as their OS,
> > not the version. One has to go digging into other sources with the model
> > number and date of manufacture to learn they are still running, in some
> > cases, cupcake. These machines will just keep moving from home to home
> > with whatever exploit installed on them.
> Right. Those are the ones I am kindly asking the manufacturer to not sell at
> all. If you don't have a full lifecycle update plan, don't sell. That may be as
> little as 2 years until obsolescence, but it can be 10 or 15 years.
> If I don't get an update after 2 years, my smart fridge will be 2 years smart
> and 13 years a dumb fridge I overpaid.
Your "smart" fridge was dumb and overpriced before you bought it. Now
Google, North Korea, China and anyone else who wants to knows everything
which happens within listening distance of your kitchen. The information
about when you leave each day, if you have an alarm on your house and
what the keypad code is, even if you own a dog are all available for
sale on the Dark Web to any crook looking for a safe time to rob your place.
https://www.theguardian.com/commentisfree/2016/feb/09/internet-of-things-smart-devices-spying-surveillance-us-government
And you have to watch out for the crickets.
https://www.wral.com/crickets-could-be-behind-the-cuba-sonic-attack-mystery-scientists-say/18108109/
<Grin>
--
Roland Hughes, President
Logikal Solutions
(630)-205-1593 (cell)
http://www.theminimumyouneedtoknow.com
http://www.infiniteexposure.net
http://www.johnsmith-book.com
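As an added illustration (not code from this thread or from either participant), the C program below implements the message-queue discipline Roland describes: each supported type has a mandatory total length, every field is a fixed span of octets with an allowed range, and a message that is too short, too long, of unknown type, or carries a single octet outside its range is dropped and an alarm counter is bumped. The two message types, their field layouts and the value ranges are constructed for the example and are not any real device's protocol.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: whitelist validator for fixed-length, fixed-field messages.
 * The schema, type codes and ranges below are constructed, not a real protocol. */

typedef struct {
    size_t  offset;   /* first octet of the field within the message */
    size_t  length;   /* fixed field width in octets */
    uint8_t min;      /* lowest allowed octet value, inclusive */
    uint8_t max;      /* highest allowed octet value, inclusive */
} field_spec;

typedef struct {
    uint8_t           type;      /* type code, always octet 0 of the message */
    size_t            total_len; /* mandatory total length for this type */
    const field_spec *fields;
    size_t            nfields;
} msg_spec;

typedef enum { MSG_OK = 0, MSG_BAD_LENGTH, MSG_UNKNOWN_TYPE, MSG_BAD_OCTET } verdict;

/* Hypothetical type 0x01 "pulse sample": bpm (30..250) + two ASCII-digit sequence number */
static const field_spec PULSE_FIELDS[] = { { 1, 1, 30, 250 }, { 2, 2, '0', '9' } };
/* Hypothetical type 0x02 "SpO2 sample": percentage (0..100) + one ASCII-digit sequence number */
static const field_spec SPO2_FIELDS[]  = { { 1, 1, 0, 100 },  { 2, 1, '0', '9' } };

static const msg_spec SCHEMA[] = {
    { 0x01, 4, PULSE_FIELDS, 2 },
    { 0x02, 3, SPO2_FIELDS,  2 },
};
#define NSCHEMA (sizeof SCHEMA / sizeof SCHEMA[0])

unsigned alarm_count = 0;   /* incremented every time a message is discarded */

/* Check one message against the schema. Length and type are verified before
 * any field is looked at; every octet of every field must be inside its range. */
verdict validate_message(const uint8_t *buf, size_t len)
{
    if (len == 0) return MSG_BAD_LENGTH;                /* not even a type octet */

    const msg_spec *spec = NULL;
    for (size_t i = 0; i < NSCHEMA; i++)
        if (SCHEMA[i].type == buf[0]) { spec = &SCHEMA[i]; break; }
    if (spec == NULL) return MSG_UNKNOWN_TYPE;

    if (len != spec->total_len) return MSG_BAD_LENGTH;  /* too short or too long */

    for (size_t f = 0; f < spec->nfields; f++) {
        const field_spec *fs = &spec->fields[f];
        if (fs->offset + fs->length > len) return MSG_BAD_LENGTH; /* schema guard */
        for (size_t i = 0; i < fs->length; i++) {
            uint8_t v = buf[fs->offset + i];
            if (v < fs->min || v > fs->max) return MSG_BAD_OCTET;
        }
    }
    return MSG_OK;
}

/* Queue front door: accept the message, or drop it to the bit bucket and alarm. */
bool queue_accept(const uint8_t *buf, size_t len)
{
    if (validate_message(buf, len) != MSG_OK) {
        alarm_count++;
        return false;
    }
    return true;
}

/* Constructed sample messages for demonstration */
const uint8_t SAMPLE_PULSE_OK[]    = { 0x01, 72, '0', '1' };
const uint8_t SAMPLE_PULSE_SHORT[] = { 0x01, 72 };
const uint8_t SAMPLE_PULSE_LONG[]  = { 0x01, 72, '0', '1', 0x00 };
const uint8_t SAMPLE_PULSE_RANGE[] = { 0x01, 0xff, '0', '1' };   /* bpm octet out of range */
const uint8_t SAMPLE_UNKNOWN[]     = { 0x7f, 0x00, 0x00 };
const uint8_t SAMPLE_SPO2_OK[]     = { 0x02, 98, '3' };

int main(void)
{
    static const char *names[] = { "OK", "BAD_LENGTH", "UNKNOWN_TYPE", "BAD_OCTET" };
    printf("pulse ok     : %s\n", names[validate_message(SAMPLE_PULSE_OK, sizeof SAMPLE_PULSE_OK)]);
    printf("pulse short  : %s\n", names[validate_message(SAMPLE_PULSE_SHORT, sizeof SAMPLE_PULSE_SHORT)]);
    printf("pulse long   : %s\n", names[validate_message(SAMPLE_PULSE_LONG, sizeof SAMPLE_PULSE_LONG)]);
    printf("pulse range  : %s\n", names[validate_message(SAMPLE_PULSE_RANGE, sizeof SAMPLE_PULSE_RANGE)]);
    printf("unknown type : %s\n", names[validate_message(SAMPLE_UNKNOWN, sizeof SAMPLE_UNKNOWN)]);
    printf("spo2 ok      : %s\n", names[validate_message(SAMPLE_SPO2_OK, sizeof SAMPLE_SPO2_OK)]);
    return 0;
}
```

The point of the per-octet ranges is the part of the discussion Thiago raises: the validator only narrows what reaches the higher-level parser, so a field whose range is 0x00..0xff gives that parser no protection at all, while a tightly specified range means the parser never sees a value the designers did not enumerate.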
_______________________________________________
Interest mailing list
Interest@qt-project.org
https://lists.qt-project.org/listinfo/interest