Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 5, 2015

SOP for the IoT, Pwning a Pain Machine

Filed under: Cybersecurity,Security — Patrick Durusau @ 1:17 pm

Bugs in the hospital: how to pwn your own pethidine machine by Paul Ducklin.

Paul describes CVE-2015-3459.

From the NVD description:

Hospira Lifecare PCA infusion pump running “SW ver 412” does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.

PCA = patient-controlled analgesia.

Its score?

CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Impact Subscore: 10.0

Exploitability Subscore: 10.0

Perfect. 10s across the board.

Paul goes on to point out the many reasons why Telnet should not be used under any circumstances but fails to acknowledge that vendors for the Internet of Things (IoT) care more about profit than they do about security.

Kurt Mackie, in Microsoft beefs up Azure for Internet of Things, says Microsoft CEO Satya Nadella:

depicted a future world that will have “26 billion general purpose compute devices” by 2019 that would produce “something like 44 zettabytes of data that’s going to be in the cloud.”

How many of those “26 billion general purpose compute devices” will be vulnerable to cyber attacks?

Offhand, I would say all of them, if current conditions are an indication of the future (they often are).

Think about that for a minute. There are “secure” systems but that comes at the price of being cut off from the rest of the world, guarded by fences and people with guns and obsessive security procedures. None of those will be true for devices on the IoT.

Criminal laws and penalties haven’t stopped the gentle tides of current cyber-insecurity. Given that history, they are laughable as an approach to stopping the tsunami of cyber-insecurity that approaches with the IoT.

There are presently, and will be in the future, any number of snake oil solutions to software security issues. If you like the idea of patching a punctured tire by wrapping another punctured tire around it, you may be happy with one or more such solutions. At least until they fail.

There are alternatives, workable alternatives. Not to eliminate risk or achieve complete security, but to make the level of risk manageable, not random or episodic. Incentives (software liability) for more security, standards for software practices, better sharing of vulnerability information, are only a few of the current alternatives to spewing more insecure software to form the IoT.

If you start feeling too good on a pain machine in the hospital, someone may have rooted your machine. A little late to be worrying about the security of the IoT at that point.
