How Your Doctor’s Coffee Jones is Going to Get Your Personal Data Stolen*
*amongst other things
There have been dozens of articles about the insecurity of various “smart” things, leaving your televisions open to ransomware; your lightbulbs vulnerable to viruses; your toaster unable to do the thing it loves to do the most: light bread on fire until it becomes brown. Turns out that our precious tea kettles are no exception — two years ago some researchers in London discovered that smart kettles could be made to expose Wi-Fi passwords in plaintext.
I know what you’re thinking: what does this have to do with my doctor? Well, it turns out that staff in hospitals and healthcare facilities drink a lot of coffee. Like a lot. I mean an actual ton of it. I can already hear the coffee-swillers out there, teeth stained and bitter-breathed, growling, “nobody drinks more coffee than me.” Welp, Walking Dead extra, unless you’re a surgeon, I beg to differ.
Now, your doctor drinking coffee isn’t inherently a problem. If it keeps my doctor from dozing off in the operating room, I say let’s get her some coffee, stat! Coffee is delicious, and the advent of smart kettles has made it possible for people to make every cup perfect, keeping our doctors, NPs, RNs and the brilliant support staff happy.
The in-vogue topic of the moment in infosec and IoT is the insecurity of medical devices: infusion pumps susceptible to buffer overflows; pacemakers that can be hacked over Wi-Fi; you know, that old rag. But this got me thinking: what are the odds that a group of people who LOVE coffee might want to throw an insecure smart coffee maker on the hospital Wi-Fi network? And what are the odds that these coffee makers might be exposed to the open Internet?
After a 5-minute search (executed 4/13/2017) on Shodan, the IoT search engine, it turns out those odds are pretty good: 64% of the U.S.-based Internet-facing devices running the telnet service in hospitals also expose port 2000, the port the iKettle’s own control service listens on. This is based on the combined search terms “hospital”, “clinic”, “healthcare” and “physician”, with results containing “animal” or “veterinary” filtered out. (An open port 2000 is a strong hint that the box on the other end is a kettle, not proof; other services, Cisco’s SCCP among them, use the same port number.)
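To make the tally above reproducible, here is the same filtering and counting done over Shodan-style banner records. This is an added example, not the query or data from the original post: the field names follow Shodan’s banner JSON (ip_str, port, org, hostnames), but the records themselves are constructed, and the healthcare/veterinary keyword lists are the ones described in the paragraph above.

```python
"""Tally: of the healthcare-related hosts exposing telnet (23), how many also
expose port 2000 (the iKettle's control service)?

Added example, not the original article's query or data. Field names follow
Shodan's banner JSON (ip_str, port, org, hostnames); the banner records below
are constructed and are not real Shodan results.
"""
from collections import defaultdict

HEALTHCARE_TERMS = ("hospital", "clinic", "healthcare", "physician")
EXCLUDE_TERMS = ("animal", "veterinary")
TELNET_PORT = 23
IKETTLE_PORT = 2000  # port the iKettle listens on, per the port scan later in the article

# Constructed banners: one record per (host, service), the way Shodan returns them.
SAMPLE_BANNERS = [
    {"ip_str": "198.51.100.10", "port": 23,   "org": "Example Community Hospital", "hostnames": []},
    {"ip_str": "198.51.100.10", "port": 2000, "org": "Example Community Hospital", "hostnames": []},
    {"ip_str": "198.51.100.11", "port": 23,   "org": "Northside Clinic", "hostnames": ["gw.northside-clinic.example"]},
    {"ip_str": "198.51.100.12", "port": 23,   "org": None, "hostnames": ["vpn.physician-group.example"]},
    {"ip_str": "198.51.100.12", "port": 2000, "org": None, "hostnames": ["vpn.physician-group.example"]},
    {"ip_str": "198.51.100.13", "port": 23,   "org": "Lakeside Animal Hospital", "hostnames": []},
    {"ip_str": "198.51.100.13", "port": 2000, "org": "Lakeside Animal Hospital", "hostnames": []},
    {"ip_str": "198.51.100.14", "port": 2000, "org": "Riverside Healthcare", "hostnames": []},
    {"ip_str": "203.0.113.5",   "port": 23,   "org": "Example Telecom", "hostnames": []},
]


def is_healthcare(banner):
    """Keyword match on org and hostnames; animal/veterinary hits are dropped first."""
    text = " ".join([banner.get("org") or ""] + list(banner.get("hostnames") or [])).lower()
    if any(term in text for term in EXCLUDE_TERMS):
        return False
    return any(term in text for term in HEALTHCARE_TERMS)


def ports_by_host(banners):
    """Collapse per-service banners into {ip: set_of_open_ports}, healthcare hosts only."""
    hosts = defaultdict(set)
    for banner in banners:
        if is_healthcare(banner):
            hosts[banner["ip_str"]].add(banner["port"])
    return hosts


def kettle_share_of_telnet_hosts(banners):
    """Return (telnet_hosts, telnet_hosts_also_on_2000, ratio)."""
    hosts = ports_by_host(banners)
    telnet_hosts = {ip for ip, ports in hosts.items() if TELNET_PORT in ports}
    both = {ip for ip in telnet_hosts if IKETTLE_PORT in hosts[ip]}
    ratio = len(both) / len(telnet_hosts) if telnet_hosts else 0.0
    return len(telnet_hosts), len(both), ratio


if __name__ == "__main__":
    n_telnet, n_both, ratio = kettle_share_of_telnet_hosts(SAMPLE_BANNERS)
    print(f"{n_both}/{n_telnet} telnet-exposing healthcare hosts also expose port {IKETTLE_PORT} ({ratio:.0%})")
```

The grouping step matters: Shodan hands back one record per service, so the 64% is a per-host co-occurrence, not a count of banners. On the constructed sample the veterinary host is dropped before counting and the telecom host never qualifies, leaving two of three telnet hosts with port 2000 open.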
So, now I have another question for you: what are the odds that the Wi-Fi these highly exploitable smart kettles are connected to shares the same SSID and password throughout the hospital’s campus? I’d wager, pretty good. I mean, if you can’t boil a cup of water to precisely 100 °C from 3 floors away, what is even the point?
Now, I know what you’re thinking: who cares if the smart kettle ends up on the hospital network as long as it’s not on a super-special network segment like, say, the cardiology ward? Well, I don’t want to burst your bubble:
OK, so there’s a smart kettle on the cardiology ward Wi-Fi with telnet open… what does that all mean? Let’s walk through the worst-case scenario:
- A bored person sits in the hospital waiting room. Has laptop, has a Wi-Fi card they can put into monitor mode. No Wi-Fi password, but can see that there are a couple of hospital networks out there — all of which are protected.
- Bored person looks around and notices a few members of the staff huddled around a slick-looking coffee pot. Sees one of them refill the pot with water and set the temperature from a smartphone. Bored person got a good look at the coffee pot on the way to the bathroom; doesn’t see the tell-tale sign of an Ethernet connection; wonders if the pot is connected via Wi-Fi.
- Bored person puts their Wi-Fi card into monitor mode and conducts a passive wireless scan. From this, bored person is able to learn the nearest SSID in use, the BSSIDs broadcasting it, and which client devices are currently associated with it, including the coffee pot.
- Feeling reckless, bored person decides to have some fun, but the key is to not raise any suspicions, which is why the coffee pot makes an excellent target (highly unlikely that anyone will know or care about it going offline). It turns out person knows a little bit about wireless networking, so person sets up a fake access point (an evil twin) on their laptop, giving it the same name as the hospital’s SSID but no encryption. Person begins sending spoofed deauthentication/disassociation frames to knock the devices off the real access point and force them to reconnect, hopefully to the fake one. (A well-behaved client won’t trade a WPA2 network for an open one with the same name; the scenario relies on the kettle’s Wi-Fi module not being that picky.)
- Bored person learns that the coffee pot is, in fact, acting as a wireless client and is able to get it to connect to the fake network. Now that the coffee pot is on the attacker’s network, person can run a quick port scan against it and discover that the pot has 2 ports open: 23 (telnet) and 2000 (iKettle).
- Person’s interest is piqued by the use of telnet. Why? Because telnet was designed for remote access and administration, sends everything (credentials included) in cleartext, and on a device like this is most likely running with default credentials (username & password). Getting access to the device, and by extension a foothold toward the other computers on the network, is trivial.
- Bored person has a couple of options at this point, and they chain. Person can: a) run the researchers’ attack against the coffee pot over telnet, getting it to dump its Wi-Fi keys and passphrases (free Wi-Fi, woo!), and then b) join the real network with that passphrase and use the pot’s segment as a beachhead to move to other places in the network such as radiology, records or even patient billing. Worst case scenario here: person manages to pivot to a critical network (say cardiology) at an inopportune time (say during surgery) and changes electronic health records or, worse, starts taking down systems.
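The defender’s side of the wireless steps above, as an added example that is not part of the original post: given management-frame metadata of the kind a wireless IDS or a tshark/scapy capture export yields, flag the evil twin (a beacon advertising a trusted SSID from an unknown BSSID, or without the encryption the real network uses) and the deauthentication/disassociation burst used to push clients onto it. The frame field names, the AP inventory and the sample frames are all constructed for this example.

```python
"""Detect the two wireless moves in the walkthrough: (1) an evil twin beacon
and (2) a deauth/disassoc burst. Added example, not from the original
article; field names, AP inventory and sample frames are constructed.
"""
from collections import defaultdict

# Constructed inventory of legitimate APs: SSID -> known BSSIDs and whether it must be encrypted.
TRUSTED_APS = {
    "HOSP-STAFF": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "encrypted": True},
}

# Constructed capture. "privacy" mirrors the Privacy bit in a beacon's capability field.
SAMPLE_FRAMES = [
    {"ts": 0.0, "type": "beacon", "src": "aa:bb:cc:00:00:01", "bssid": "aa:bb:cc:00:00:01", "ssid": "HOSP-STAFF", "privacy": True},
    {"ts": 0.1, "type": "beacon", "src": "aa:bb:cc:00:00:02", "bssid": "aa:bb:cc:00:00:02", "ssid": "HOSP-STAFF", "privacy": True},
    {"ts": 0.2, "type": "beacon", "src": "aa:bb:cc:00:00:03", "bssid": "aa:bb:cc:00:00:03", "ssid": "HOSP-GUEST", "privacy": False},
    # the bored person's laptop: the staff SSID, no encryption, a BSSID nobody has inventoried
    {"ts": 4.9, "type": "beacon", "src": "de:ad:be:ef:00:01", "bssid": "de:ad:be:ef:00:01", "ssid": "HOSP-STAFF", "privacy": False},
    # one routine disassociation from a real AP (an idle client being dropped)
    {"ts": 30.0, "type": "disassoc", "src": "aa:bb:cc:00:00:02", "dst": "02:11:22:33:44:55"},
] + [
    # 30 broadcast deauths in 1.5 s, with the real AP's address spoofed as the sender
    {"ts": 5.0 + i * 0.05, "type": "deauth", "src": "aa:bb:cc:00:00:01", "dst": "ff:ff:ff:ff:ff:ff"}
    for i in range(30)
]


def find_evil_twins(frames, trusted=TRUSTED_APS):
    """Beacons that use a trusted SSID from an unknown BSSID, or drop its encryption."""
    findings, seen = [], set()
    for f in frames:
        if f["type"] != "beacon" or f["ssid"] not in trusted:
            continue  # SSIDs we don't own (e.g. the guest network) are not ours to police here
        expected = trusted[f["ssid"]]
        reasons = []
        if f["bssid"] not in expected["bssids"]:
            reasons.append("unknown BSSID")
        if expected["encrypted"] and not f["privacy"]:
            reasons.append("open network using trusted SSID")
        if reasons and f["bssid"] not in seen:
            seen.add(f["bssid"])
            findings.append({"bssid": f["bssid"], "ssid": f["ssid"], "reasons": reasons})
    return findings


def find_deauth_floods(frames, window=2.0, threshold=10):
    """Senders whose deauth/disassoc frames exceed `threshold` within any `window` seconds.

    The sender address is the AP's own (spoofed), so the rate, not the address, is the signal.
    """
    times = defaultdict(list)
    for f in frames:
        if f["type"] in ("deauth", "disassoc"):
            times[f["src"]].append(f["ts"])
    floods = {}
    for src, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[src] = peak
    return floods


if __name__ == "__main__":
    for twin in find_evil_twins(SAMPLE_FRAMES):
        print(f"evil twin? {twin['bssid']} advertising {twin['ssid']}: {', '.join(twin['reasons'])}")
    for src, n in find_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth burst: {n} frames in {2.0}s claiming to be from {src}")
```

Two design points: the evil-twin check needs an inventory of your own BSSIDs, which is exactly the “Audit!” step further down, and the deauth check keys on rate because a deauth frame carries no authentication in pre-802.11w networks, so its source address proves nothing. The single disassociation from the real AP in the sample stays below the threshold, as routine client drops should.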
So, that’s how your doctor’s coffee habit could get your personal data stolen, tampered with or made inaccessible in a time of need. And please, administrators, save the ‘not in my network’ neck rolling. A Dark Reading report last year identified a 63% increase in cyberattacks on healthcare organizations. Don’t get me started on WannaCry and Mirai, or on ETERNALBLUE, DOUBLEPULSAR and the rest of the named tools in the Shadow Brokers dumps. A simple Wi-Fi exploit in a hospital is well within the realm of the possible these days; just ask the folks at Broadcom.
What can you do about it? As a patient, honestly, there’s not much you can do about it, other than giving dumb coffee pots to your health care providers during the holidays. Unfortunately, administrators don’t always know when these devices even show up on the network, especially the wireless ones. I don’t have a cool acrostic, but I’ll leave you with the same advice I gave my Dad (before he just asked me to do it for him):
- Audit! This is cliché, but it’s true: you can’t defend what you can’t see. Inventory what is on the network, wired and wireless, before the next kettle shows up.
- Segment! This is the only time you’ll see me advocate for segregation. Isolate the devices to a non-essential segment of the network that needs only Internet access. There is no reason in the world that a coffee pot and a pacemaker need to reach each other. Pretty much every router provides basic VLAN capabilities with set-up wizards that will keep the device from communicating with any other device on the network. One check worth doing: a VLAN only separates traffic if the rules between VLANs actually deny it, so confirm the IoT segment can reach the Internet and nothing else.
- Monitor! Be sure you have the means to detect segmentation violations, or attempts at them. A coffee pot’s address showing up in a flow toward the records server is an alert, not a curiosity.
- Update! Keep device firmware and security patches up to date. Devices built with security in mind will do this automatically, so you don’t have to do it on your own, but it never hurts to check the manufacturer’s website to see if you have the latest software update.
- Block! If you’re able to do so, set up a MAC-address access control list (ACL) for your network; that will at least keep unknown devices from connecting. Again, even home routers have this basic feature, so the only thing it will cost you is time. Know its limit, though: a MAC address is trivially spoofed, so treat the ACL as hygiene, not as a security boundary.
- Disable! Pretty much, if you don’t need it or aren’t using it, don’t be afraid to turn it off, mute it or unplug it. Personally, when I’m not actively using my Echo Dot, I either leave it on mute or unplug it.
- Backup! If your device is sending data somewhere you don’t control, be sure you have a means to recover your data (pictures, documents, etc) at your disposal — this is most frequently done by continuously backing up data to a local drive or system. Equally important is to make sure that key stakeholders know how to access the backups.
- Read! I know this is the most boring step, but it’s important — read the terms of service and user agreements for your IoT devices. The data collected by those devices may not be yours to own, even though it’s about you.
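For the Segment! and Monitor! items above, here is what detecting a segmentation violation looks like in practice, as an added example that is not from the original post. It polices flow records with one rule: a host in the IoT segment (where the coffee pot lives) may talk to the Internet and to an explicitly allowed internal service, and nothing else inside the building. The subnets, the allow-list and the flow lines are constructed, and the line format (timestamp, source, source port, destination, destination port, protocol, bytes) is an assumed simplification of a NetFlow/IPFIX export.

```python
"""Flag flows in which an IoT-segment host reaches an internal address outside
its own segment, except for explicitly allowed services.

Added example, not from the original article. Subnets, allow-list and flow
lines are constructed; the line format is an assumed simplification of a
NetFlow/IPFIX export: "ts src_ip src_port dst_ip dst_port proto bytes".
"""
import ipaddress

IOT_NET = ipaddress.ip_network("10.50.0.0/24")  # the coffee-pot VLAN (constructed)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_INTERNAL = {("10.1.1.53", 53)}  # the one internal service IoT may use: the DNS resolver (constructed)

# Constructed flow log. Lines 3 and 4 are the kettle's segment reaching a records host on SMB and telnet.
SAMPLE_FLOWS = """\
1492099200 10.50.0.42 49152 203.0.113.20 443 tcp 1820
1492099201 10.50.0.42 49153 10.1.1.53 53 udp 96
1492099260 10.50.0.42 49154 10.20.3.15 445 tcp 40211
1492099261 10.50.0.42 49155 10.20.3.15 23 tcp 302
1492099300 10.20.3.15 50000 10.20.3.16 1433 tcp 5120
"""


def parse_flow(line):
    """Split one flow line into typed fields; raises ValueError on malformed input."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {
        "ts": int(ts),
        "src": ipaddress.ip_address(src), "sport": int(sport),
        "dst": ipaddress.ip_address(dst), "dport": int(dport),
        "proto": proto, "bytes": int(nbytes),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def segmentation_violations(flow_text):
    """Return flows where an IoT-segment host talks to an internal host outside its segment."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["src"] not in IOT_NET:
            continue  # only policing traffic that originates in the IoT segment
        if not is_internal(flow["dst"]) or flow["dst"] in IOT_NET:
            continue  # Internet, or traffic staying inside the segment, is allowed
        if (str(flow["dst"]), flow["dport"]) in ALLOWED_INTERNAL:
            continue  # explicitly permitted internal service
        violations.append(flow)
    return violations


if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_FLOWS):
        print(f"ALERT {v['ts']}: {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']} ({v['bytes']} bytes)")
```

On the constructed sample the kettle segment’s HTTPS to the Internet and its DNS lookup pass, while the two flows toward 10.20.3.15 (SMB and telnet, the kind of thing a pivot looks like) are flagged. If the VLAN rules were doing their job these flows would never exist; seeing them in the logs is how you learn the rules are not.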
If you read this article and understood words like telnet, ransomware, Wi-Fi, SSID and plaintext, I’m sure those steps are within your power to achieve.
Now wait until I tell you about the webcams with FTP open…