Dive Brief:
- Cyber criminals are using information from error messages to exploit vulnerabilities in connected medical devices, a new white paper by IoT security firm Zingbox warns.
- Zingbox identified numerous IoT devices leaking sensitive and technical information due to error handling issues. Vendors were alerted to those findings between early May and late August of this year.
- To date, only one company, Johnson Controls, has issued a patch to secure its devices, according to the report.
Dive Insight:
The internet of connected medical things market is forecasted to hit $158 billion by 2022. With more and more connected devices being used, more hospitals, physician practices and patients are at risk from cyber and ransomware attacks.
A recent FDA action plan seeks new authorities to require manufacturers to build security updates and patch capabilities into products beginning at the design stage and to have formal processes for handling vulnerabilities discovered after products are on the market.
This latest trend in cyberattacks greatly increases the odds of a successful attack, Zingbox says.
According to the analysis, information disclosed via error messages included the database running on the server, database usernames, software stack traces, source code line numbers where the failure occurs, server file system paths, class names and arguments, and source code methods and parameters.
The analysis uncovered error message issues with seven vendors' products.
Johnson Controls released a patch for its Metasys and BCPro smart building systems. Two other vendors, Change Healthcare/peerVue and CareStream, told Zingbox they are planning to issue a patch.
Siemens and Fujifilm indicated they would not release a patch, while CBORD and Nuance had yet to respond to Zingbox's notification. Many of the notifications involved medical imaging devices.
To secure error messaging, Zingbox recommends vendors send custom error messages without disclosing details, including information sent to log messages, and avoid error messages that might alert an attacker about usernames, passwords and other internal configurations.
Providers can play a role, too, by identifying connected technologies in their network, monitoring them for suspicious activity, using real-time alerts and proactively addressing vulnerabilities when they're exposed.
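The recommendation to send custom error messages, shown as an added example that is not taken from the Zingbox paper or any vendor's code: a verbose error body next to a generic one with an opaque reference, plus a check for the leak categories listed above. The regexes, function names, and the sample error (path, username) are constructed assumptions for illustration.

```python
import re
import traceback
import uuid

# Leak categories named in the analysis; the regexes are this example's assumptions.
LEAK_PATTERNS = {
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|^\s+at [\w.$]+\(", re.M),
    "source_line_number": re.compile(r"line \d+|\.\w+:\d+\)"),
    "file_system_path": re.compile(r"(?:/[\w.-]+){2,}|[A-Za-z]:\\[\w.\\-]+"),
    "database_username": re.compile(r"\buser(?:name)?\s*[=:]?\s*['\"][\w.-]+['\"]", re.I),
    "database_product": re.compile(r"\b(?:MySQL|PostgreSQL|Oracle|SQL Server|SQLite)\b", re.I),
}

def find_leaks(body):
    """Return the sorted leak categories found in a response body."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(body))

def verbose_error_body(exc):
    """Anti-pattern: the full traceback is echoed to the client."""
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))

def safe_error_body(exc, server_log):
    """Generic client message with an opaque reference; detail stays server-side."""
    ref = uuid.uuid4().hex[:12]
    server_log.append((ref, verbose_error_body(exc)))
    return f"An internal error occurred. Reference: {ref}"

def constructed_failure():
    """Constructed sample: an exception shaped like a failed database login."""
    try:
        raise RuntimeError(
            "cannot read /opt/pacs/conf/db.ini: "
            "PostgreSQL authentication failed for user 'pacs_admin'"
        )
    except RuntimeError as exc:
        return exc

if __name__ == "__main__":
    exc, server_log = constructed_failure(), []
    print("verbose:", find_leaks(verbose_error_body(exc)))
    print("safe:   ", find_leaks(safe_error_body(exc, server_log)))
```

The reference string lets support staff find the full detail in the server log without any of it reaching the client.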