'Ripple20' Flaws in Medical Devices: The Risks
Researcher Elad Luz of CyberMDX Explains Threats, Mitigation Strategies
How do the recently identified "Ripple20" TCP/IP code flaws potentially impact medical devices? And what steps can healthcare organizations take to help mitigate the risks? Elad Luz of the security research firm CyberMDX, which assisted cybersecurity consultancy JSOF in studying the vulnerabilities, offers an analysis.
The 19 Ripple20 vulnerabilities disclosed by JSOF on Tuesday involve a low-level TCP/IP software library from Cincinnati-based Treck, which makes software for implementing various networking protocols in embedded systems (see Millions of Connected Devices Have Exploitable TCP/IP Flaws).
The discovery of the flaws was also the subject of an alert issued by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
Far-Reaching Problems
The Treck software is used in a diverse range of IoT devices, from industrial control systems to healthcare equipment, including infusion pumps.
The vulnerabilities can potentially allow "a hacker to run their own code on the targeted device," Luz explains in an interview with Information Security Media Group. "And that code can do whatever [the attacker] desires ... including shutting down the device."
A critical first step in mitigating the risk is to identify all the potentially impacted gear within an organization, Luz says.
"Imagine you're a hospital with thousands or tens of thousands of connected devices. You have to find out if you have certain affected models. And you want to know about every one of them because even if it's only 10 devices out of tens of thousands, it's those 10 devices that are the weakest link."
In the interview, Luz also discusses:
- Details of the Ripple20 flaws and the potential impact of exploits;
- How healthcare providers and device makers can mitigate the vulnerabilities;
- CyberMDX's involvement in the Ripple20 vulnerability research and what the firm found regarding medical devices.
As head of research at CyberMDX, Luz oversees medical device vulnerability and protocol research in controlled laboratory environments. Having uncovered several highly publicized vulnerabilities in the last two years, Luz has become a vocal advocate for tighter pre-market and post-market security alignment, a better understanding of the unique implications inherent to vulnerabilities in medical environments, and stronger governmental oversight.