Tag Archives: FDA

FDA Issues Medical Device Warning – But They Are Not Sure for What

Well that makes me feel a whole lot better.

The FDA says that devices that use the decades-old IPNet software are vulnerable to hacking.

But they are not sure which devices that may include.  Possibly insulin pumps.  Maybe pacemakers.

They also don’t know how many devices are affected.

Given that, I am not sure what use the warning is, other than to make people who use medical devices or have them implanted, worry.

They do say that they have identified 11 vulnerabilities that allow hackers to take over these devices.

The FDA also says that the bugs allow “anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

The FDA is working with device makers, but they say that the problem is complicated.

Well, actually, it is pretty simple, but we are talking about the government, after all.

The concept is called SOFTWARE BILL OF MATERIALS.

Think of a home appliance such as a toaster.  The bill of materials for a toaster might include a heating element or two, a timer, a glass door, a display, etc.

In the software world, a software bill of materials means a list of every piece of third party software that is used in the system that is delivered.

At one point in time, things were made out of hardware.  Now, virtually everything contains software.

Manufacturers don’t want to have to produce Bills of Materials because it tells competitors what is inside and they have to upgrade the document when they make changes.

As long as customers don’t demand bills of materials, vendors are not going to produce them and make them available.

Occasionally, not knowing what is in the software you use can cause problems.  Perhaps you have heard of a small breach at Equifax?  Because they did not realize that Apache Struts was used on a particular server, that server wasn’t completely patched.  And the rest is history.

The Department of Defense is looking at making software bills of materials a required deliverable on defense contracts.

If you as a customer know that a system that you use contains a particular software library or module, then you can proactively watch to see if that software has been updated.  You probably will have to contact the vendor at that point to get an upgrade, but at least you can ride herd on the vendor.

In the case of medical devices, things are way simpler.  Since vendors have to submit paperwork to the FDA to get devices approved, the FDA **COULD** require those vendors to provide a bill of materials.  Then that data could be entered into a database and easily searched, avoiding warnings like this one.
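The use the post describes, a customer (or a regulator's database) holding a bill of materials and checking whether any listed component has a known problem, looks like this in practice. This is an added example, not code from the original post or from the FDA or any vendor. The SBOM document and the advisory list are constructed sample data: the component names follow the post's Apache Struts example, but the version numbers and the advisory identifiers are placeholders, not real advisories.

```python
"""Cross-check a software bill of materials (SBOM) against an advisory list.

Added example, not from the original post. SAMPLE_SBOM_JSON and
SAMPLE_ADVISORIES are constructed sample data with placeholder versions
and placeholder advisory ids.
"""
import json
import re

# Constructed SBOM in the shape of a minimal CycloneDX-style JSON document
# listing the third-party components of one hypothetical build.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "struts2-core", "group": "org.apache.struts", "version": "2.3.31"},
    {"name": "openssl", "version": "1.1.1"},
    {"name": "ipnet-stack", "version": "4.2"}
  ]
}
"""

# Constructed advisory feed. Each entry names a component and the affected
# version range [introduced, fixed). The ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "org.apache.struts/struts2-core",
     "introduced": "2.3.0", "fixed": "2.3.32"},
    {"id": "ADV-PLACEHOLDER-2", "component": "openssl",
     "introduced": "1.1.0", "fixed": "1.1.1"},
]


def parse_version(version):
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically.

    Only the numeric fields are used, so a suffix such as '1.1.1k' is
    compared as (1, 1, 1); string comparison would get '2.3.9' > '2.3.31' wrong.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def component_key(component):
    """Identify a component as 'group/name', or just 'name' when no group is given."""
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def load_sbom(text):
    """Return {component_key: version} for every component in the SBOM."""
    bom = json.loads(text)
    return {component_key(c): c["version"] for c in bom.get("components", [])}


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed release itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(sbom, advisories):
    """List (component, shipped version, advisory id, fixed version) for each hit."""
    hits = []
    for adv in advisories:
        version = sbom.get(adv["component"])
        if version is None:
            continue  # component not in this build; nothing to chase
        if is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["component"], version, adv["id"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM_JSON)
    for component, shipped, advisory, fixed in find_vulnerable(sbom, SAMPLE_ADVISORIES):
        print(f"{component} {shipped}: {advisory}, ask the vendor for >= {fixed}")
```

Run against the sample data, only the Struts entry is reported: openssl 1.1.1 sits exactly at the fixed version, so the half-open range excludes it, and ipnet-stack has no advisory at all, which is the situation the FDA warning above describes (a component is known to be in use, but nobody has mapped it to the devices that ship it). Without the SBOM there is no component list to run this check over in the first place.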

But, we are talking about the government, so do not hold your breath.  Source: CNBC


Friday News

FDA Begins Process to Change Patching of Medical Devices

The Food and Drug Administration is beginning to understand that their 19th century strategy that requires manufacturers to recertify their products every time they apply a patch only leads to the devices being hacked – which they are being, regularly.  They have also asked Congress for more authority to manage the cyber security process, including creating a cyber advisory board.  They are talking about requiring medical device makers to integrate patchability into device design.  Lastly, they are considering requiring manufacturers to provide the FDA with a software bill of materials at submission time.  Note that mostly this is talk, so expect this process to take years.  In the meantime, medical device security will be right behind baby monitor security (Source: Health IT Security).

Hey Alexa, Are You Hacked?  Again?

Checkmarx researchers built a proof of concept attack using Amazon Echo “skills”, those extensions that allow third parties to add features to an Echo.  Until the exploits were patched earlier this month, the attacker would have been able to capture and transcribe every word you said within range of an Echo.  Glad they are the good guys.  The moral is that with convenience comes risk.  You have to decide what your acceptable level of risk is (Source: Threatpost).

For Drupal Users is the Third Time a Charm?

For the third time in just a few weeks, Drupal has pushed out a critical patch for all versions.  This patch is a follow-on to Drupalgeddon 2, which allows a hacker to take over the server and if there are other servers on the network or other servers that the attacked server can talk to, use that compromised server as a launchpad to further attacks.  Just in case anyone has forgotten, this is exactly what allowed for the Equifax breach – a forgotten patch in the Apache Struts web framework.  If you have not applied this patch along with the other two, today is a good day to do that since there are active exploits for this vulnerability in the wild (source: The Register).

Ever Wonder if Hotel Keycard Locks are Safe?

Well wonder no more.  Researchers are scheduled to disclose a security vulnerability in older generation Vingcard locks, covering a million rooms in over a hundred thousand hotels later this month at a security conference.  The attack takes about a minute and creates a master key for the entire hotel.  The bad news is that there really is nothing that you, as a guest, can do about it.  Assa Abloy, who make the locks, has created a fix, but the fix has to be downloaded and manually deployed to each individual room lock, so likely many hotels have not done this labor intensive task (Source: Wired).

FISA Court Denies More Requests in Last Year than in Entire History

The secret FISA court that approves classified snooping requests for the FBI and NSA turned down 26 requests in full last year and 50 requests in part.  That is compared to 21 denials since the court was founded in 1976 through the end of the Obama presidency.  Out of 1,100+ requests last year that is still a small number, but still an indication of a higher level of review (Source: ZDNet).
