I wonder if I should just rename this blog "M2M and IoT Hacks" and get it over with, as I'm now sitting on three or four articles about a big-name IoT or M2M installation being remotely exploited by external parties (sometimes good, sometimes not so much). The first popped up last week, when the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced that an Internet-enabled smart IV pump in fairly widespread use contains remotely exploitable vulnerabilities that would allow an attacker to take control of the device.
The model in question, the Hospira Symbiq Infusion System, is no longer being sold, and the manufacturer has yet to announce a security patch. There's also no word on whether newer models derived from the Symbiq share the same vulnerabilities. The current workarounds are to disable network access for the devices and to close the ports their remote-control functions rely on. The specific ports listed are a little worrying:
- Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET.
- Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443. Contact Hospira’s technical support to change the default password used to access Port 8443 or close it.
While it's good to see port 8443 (the "backdoor" HTTPS port, which the advisory says is guarded by a vendor default password) listed, the ports for the hugely insecure and obsolete FTP and... gasp... telnet protocols are listed as well. Whether the advisory recommends closing them because the device actually uses them, or just because those ports should always be closed (and the protocols should never be used), is unclear. Note also that port 20 is only the FTP data channel; the control channel an attacker would actually log into is port 21, so anyone following the advisory literally should close and monitor both.
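The advisory's "monitor and log all network traffic" recommendation, as an added example that is not from the advisory, from Hospira or from the original post: a small Python filter that reads netfilter-style firewall LOG lines and flags every attempt to reach a pump on ports 20, 21, 23 or 8443 (21 is added because it is the FTP control channel the advisory's "Port 20/FTP" presumably means). The pump address 10.20.30.40, the log prefix PUMP-IN and the sample log lines are all constructed for this example.

```python
import re
from collections import Counter

# Ports the advisory tells operators to watch or close. Port 20 is the FTP
# data channel; the control channel is 21, so the check covers both.
WATCHED_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet", 8443: "https-alt"}

# Hypothetical pump address; in practice this comes from the device inventory.
PUMP_ADDRESSES = {"10.20.30.40"}

# Fields of an iptables/netfilter LOG line. Everything before SRC= (timestamp,
# log prefix, interface names) is ignored so any --log-prefix works.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+(?:\.\d+){3}) DST=(?P<dst>\d+(?:\.\d+){3}) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the connection tuple from a netfilter LOG line, or None if the
    line is not a firewall log entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"), "dst": m.group("dst"),
        "proto": m.group("proto"),
        "spt": int(m.group("spt")), "dpt": int(m.group("dpt")),
    }


def flag_events(lines, pumps=PUMP_ADDRESSES, watched=WATCHED_PORTS):
    """Return (src, dst, service, port) for every attempt on a watched port of
    a pump. Traffic to other hosts, or to other ports on the pump, is ignored."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["dst"] in pumps and ev["dpt"] in watched:
            hits.append((ev["src"], ev["dst"], watched[ev["dpt"]], ev["dpt"]))
    return hits


def attempts_by_source(hits):
    """Count flagged attempts per (source, service) so a host probing the pump
    repeatedly stands out from a single stray connection."""
    return Counter((src, service) for src, _dst, service, _port in hits)


# Constructed sample lines in iptables LOG format (not real captured traffic).
SAMPLE_LOG = [
    "Jul 31 10:01:02 fw kernel: PUMP-IN: IN=eth1 OUT= SRC=10.20.30.55 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 31 10:01:05 fw kernel: PUMP-IN: IN=eth1 OUT= SRC=10.20.30.55 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=8443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 31 10:01:09 fw kernel: PUMP-IN: IN=eth1 OUT= SRC=10.20.30.55 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51237 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 31 10:02:11 fw kernel: PUMP-IN: IN=eth1 OUT= SRC=10.20.30.60 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 31 10:02:12 fw kernel: PUMP-IN: IN=eth1 OUT= SRC=10.20.30.60 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40002 DPT=20 WINDOW=29200 RES=0x00 SYN URGP=0",
    # Same port, but aimed at a workstation rather than the pump: ignored.
    "Jul 31 10:03:00 fw kernel: PUMP-IN: IN=eth1 OUT= SRC=10.20.30.60 DST=10.20.30.41 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    # Ordinary HTTPS to the pump on 443: not one of the advisory's ports.
    "Jul 31 10:03:30 fw kernel: PUMP-IN: IN=eth1 OUT= SRC=10.20.30.55 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    hits = flag_events(SAMPLE_LOG)
    for src, dst, service, port in hits:
        print(f"ALERT {src} -> {dst}:{port} ({service})")
    for (src, service), n in attempts_by_source(hits).most_common():
        print(f"{src} tried {service} {n} time(s)")
```

Feeding it the constructed lines yields five alerts (two telnet and one 8443 attempt from 10.20.30.55, and an FTP control plus FTP data attempt from 10.20.30.60); the telnet attempt at the workstation and the plain HTTPS connection are passed over. In production the same filter would run over the kernel log of whatever firewall fronts the pump VLAN, with the pump list taken from the asset inventory rather than hard-coded.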
As a number of users and commenters on various IoT forums also pointed out, these devices do ship with password protection. Unfortunately, the default usernames and passwords are frequently left unchanged, or, if they are changed, they are set to something simple and memorable because the devices often need to be accessed by a large number of hospital staff. A single shared password also means that nothing in the device's logs can say which of those staff (or which outsider who learned it) actually connected.
The worrying trend of finding insecure hardware infrastructure continues. It's only a matter of time before the problem moves from external devices like IV pumps to implanted ones like pacemakers and deep brain stimulators.