In January, I pointed out that at least eight of the top ten medical device manufacturers worldwide have either never reported a vulnerability to CVE.org or have only reported a small number of them. I said this not as direct criticism of medical device makers, but as illustration of the fact that intelligent device makers of all types are mostly not reporting vulnerabilities at all. After all, if medical device manufacturers – which are subject to the most stringent cybersecurity regulations worldwide – aren’t reporting vulnerabilities, what hope is there that manufacturers of baby monitors will do so?
Why is it important that the developer of the software or
the manufacturer of a device report the vulnerability themselves? The reason is
simple: A very high percentage of vulnerabilities are reported by the developer
or manufacturer. If they don’t report it, in most cases nobody else will. This
means that, when a user of the device wants to learn about vulnerabilities
found in the device, when they search a vulnerability database they will never
find any.
I want to note that nobody is saying that any software
developer or device manufacturer should report a vulnerability for which a
patch isn’t yet available, except in extraordinary cases like when a
vulnerability is already being widely exploited. In those extraordinary cases, user
organizations like hospitals should be able to learn that products they use
have that vulnerability, so they can mitigate the threat using other measures
(like removing the device from their network altogether), pending availability
of the patch.
At least one major medical device maker (MDM) has told me
they report vulnerabilities in their devices on their customer portal so their
customers can learn about them, although they admit this isn’t a foolproof
method to keep this information out of bad hands. They may correlate one of
those vulnerabilities with a published CVE number, but if they don’t report the
vulnerability to CVE.org, a search on a public vulnerability database will
never yield the fact that their device is vulnerable to that CVE.
Of course, this means that nobody other than a customer of a
medical device can learn of vulnerabilities in it, and nobody (whether a
customer or otherwise) will be able to compare competing devices to learn
whether they have the same vulnerabilities. But of course, this might be a good
thing. After all, if none of your competitors are reporting vulnerabilities
(and there’s no way in most databases to tell the difference between a device
that’s never had a vulnerability and one that’s loaded
with them, but has never reported a single
one to CVE.org), who wants to stand out by reporting them?
At our most recent OWASP SBOM Forum meeting, we were
discussing this problem, and I said I didn’t think there was a good excuse for
the fact that the MDMs aren’t usually reporting vulnerabilities in their
devices. At that point, the device security manager for one of the most
prestigious hospital organizations in the US provided a very good reason why the
MDMs don’t report them (and I’ll point out that I’ve known this individual
through the NTIA and CISA SBOM efforts since 2020. In general, he doesn’t trust
MDMs as far as he can throw them):
1. Hospitals, like many other organizations (although probably more so), are seriously backlogged in applying security patches. This is partly because, unlike in a lot of organizations, it is very hard to bring a device down when it’s time to apply a patch, since the devices are often hooked up to patients – and nobody wants to see a technician disconnect Grandma’s infusion pump to apply a patch!
2. If the MDM follows the usual practice of reporting a vulnerability only after they have released a patch for it, it’s likely there will be a significant time lag between the vulnerability report and when most devices are protected by the patch.
3. Of course, publicly reporting the vulnerability during that lag would pose a serious risk to patients. And I'll point out that the same reasoning applies to electronic relays that control the power grid, devices in pipeline pumping stations, etc.
But another serious risk to patients is being hooked up to a
device that carries vulnerabilities that have been there for a year or two, whose
existence has almost certainly become known to the bad guys by now. There needs
to be some deadline by which the hospitals will either have to patch the device
or take another mitigation step, like removing the device from their network
altogether. Maybe that would be six months for vulnerabilities that aren’t
being actively exploited, but three months for vulnerabilities that are on the
CISA KEV (Known Exploited Vulnerabilities) list.
If the hospital can’t meet those deadlines, they’ll have to
invest in enough extra devices, so the hospital doesn’t have a vulnerable device
sitting on their network forever, without anyone outside of the manufacturer
and the hospital knowing about it.
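As an added illustration (not code from the original post), here is the proposed deadline rule applied to a constructed device inventory: six months is taken as 180 days and three months as 90 days, and the device names and CVE-style ids are placeholders, not real records.

```python
from datetime import date, timedelta

# Assumed deadlines from the proposal: 180 days for an ordinary vulnerability,
# 90 days for one listed in the CISA KEV catalog.
DEADLINE_DAYS = {"kev": 90, "standard": 180}

def deadline_for(disclosed: date, in_kev: bool) -> date:
    """Date by which the device must be patched or removed from the network."""
    return disclosed + timedelta(days=DEADLINE_DAYS["kev" if in_kev else "standard"])

def triage(inventory, today: date):
    """Classify every vulnerability on every device as 'mitigated' (patched or
    device isolated from the network), 'overdue' (past deadline) or 'due'."""
    report = []
    for dev in inventory:
        for v in dev["vulns"]:
            due = deadline_for(v["disclosed"], v["kev"])
            if v["patched"] or dev["isolated"]:
                status = "mitigated"
            elif today > due:
                status = "overdue"
            else:
                status = "due"
            report.append((dev["name"], v["id"], status, due))
    return report

def overdue_devices(inventory, today: date):
    """Names of devices that must be patched or pulled off the network now."""
    return sorted({d for d, _, s, _ in triage(inventory, today) if s == "overdue"})

# Constructed sample inventory; ids are placeholders, not real CVE numbers.
INVENTORY = [
    {"name": "infusion-pump-A", "isolated": False, "vulns": [
        {"id": "CVE-XXXX-0001", "disclosed": date(2024, 1, 10), "kev": True, "patched": False},
    ]},
    {"name": "monitor-B", "isolated": False, "vulns": [
        {"id": "CVE-XXXX-0002", "disclosed": date(2024, 3, 1), "kev": False, "patched": False},
        {"id": "CVE-XXXX-0003", "disclosed": date(2023, 6, 1), "kev": False, "patched": True},
    ]},
    {"name": "imaging-C", "isolated": True, "vulns": [
        {"id": "CVE-XXXX-0004", "disclosed": date(2023, 9, 1), "kev": True, "patched": False},
    ]},
]

if __name__ == "__main__":
    for row in triage(INVENTORY, date(2024, 5, 1)):
        print(row)
    print("overdue:", overdue_devices(INVENTORY, date(2024, 5, 1)))
```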
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX"
is now available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.