Friday, June 8, 2012

Click Here to Download Your AVEA Ventilator Software Update. Trust Me.

[Updates contributed from readers appear at the bottom of this blog post.]

Summary: The web server distributing the software updates for a ventilator (a medical device) itself needs some help with software updates. According to Google, the web server was infected with 48 viruses and 2 scripting exploits. 20 pages resulted in malicious software being downloaded and installed without user consent. 
The risks should be obvious. This is an update for a medical device, and yet one must download it as if software sepsis were no big deal. Health care professionals might as well stop washing their hands while they're at it.

Hospital IT staff:  How much do you trust the Internet for updating medical device software? A number of researchers in software upgrades bemoan the general state of the art for secure software updates.  Worse, the cryptographic technology at the core of commercial software update mechanisms is broken and being actively exploited by the Flame virus.

Well, if you work for a hospital, the Flame virus is probably the least of your worries.  You just want to keep your HIT systems and software-controlled medical devices working.  Vendors routinely install software updates for medical devices from the Internet or USB keys.  I've seen medical sales engineers download pacemaker-related software from the Internet.

Today I tried to download a software update for CareFusion AVEA Ventilators.  What I found may disturb hospital IT staff.  Here's a screenshot.  When I clicked on the highlighted link for "AVEA Ventilator software update," a second dialog box popped up, "Warning: Visiting this site may harm your computer."


What's this second dialog box?  It's a feature in the web browser that uses the Google Safe Browsing service.  For this particular web server that provides the software update for a ventilator, Google had the following data for www.viasyshealthcare.com:

What happened when Google visited this site?
Of the 347 pages we tested on the site over the past 90 days, 20 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-06-08, and the last time suspicious content was found on this site was on 2012-06-03.
Malicious software includes 48 trojan(s), 2 scripting exploit(s).
Malicious software is hosted on 3 domain(s), including nikjju.com/, lilupophilupop.com/, koklik.com/.
This site was hosted on 1 network(s) including AS26651 (CAREFUSION).
Wonderful.  I am downloading ventilator software from a web server known to have 48 trojans and 2 scripting exploits.  Hurray for science and technology.  Clicking on the CAREFUSION link provides further assuring data:
What happened when Google visited sites hosted on this network?
Of the 3 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, viasyshealthcare.com/, sensormedics.com/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2012-06-08, and the last time suspicious content was found was on 2012-06-06.
On the same site, I found another product that discusses its software update mechanism for Cortical Stimulator Control Units.  The company advises its customers to "Click Run" when the "File Download Security Warning" dialog box appears.  The instructions appear to refer to a CD rather than an Internet download, but I wonder how many technicians take a short cut by downloading an update via the Internet.  That Internet is so darn convenient.

I find it difficult to establish trust in the safety of software affiliated with reports of "malicious software being downloaded and installed without user consent."

What's the way forward?  That's a longer discussion.  Let me update you over drinks.  For starters, go read the Google papers on web malware [Trends in Circumventing Web-Malware Detection and All Your iFRAMEs Point to Us].  Here's to a better and more secure software update infrastructure.  Cheers.

Update 1: The CLEAN MX realtime database offers further details on the infection. According to CLEAN MX, the web server was infected with the "JS/Redirector.JL.1" virus for 1666.3 hours from March 23, 2012 to May 31, 2012.  CLEAN MX appears to have evidence recorded of the gbfhju.com/r.php SQL injection attack on the viasyshealthcare.com website. You can find the evidence of malware by searching the archived HTML source for "gbfhju." This particular SQL injection attack malware hit hundreds of thousands of websites earlier this year. Also, the Department of Homeland Security wrote to me that according to http://web-sniffer.net/, the site seems to be running an old version of .NET.
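The check Update 1 describes, searching the page source for the injected reference, is easy to automate for a site's own pages. The Go program below is an added example, not code from this post and not anything CareFusion publishes: it pulls every external <script src> out of an HTML document and flags hosts that appear in the Safe Browsing and CLEAN MX reports quoted above, plus any host missing from a site-specific allowlist (a third-party script a site never meant to load is how a SQL-injected string field shows up in rendered HTML). The host list comes from the reports above; the sample HTML, the allowlist and the placement of the injected tag are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Hosts named in the Google Safe Browsing and CLEAN MX reports quoted in the
// post. A hit on one of these is reported with a stronger reason than a
// merely unlisted host.
var knownBadHosts = map[string]bool{
	"nikjju.com":         true,
	"lilupophilupop.com": true,
	"koklik.com":         true,
	"gbfhju.com":         true,
}

// scriptSrc captures the src attribute of a <script> tag (either quote style).
var scriptSrc = regexp.MustCompile(`(?i)<script[^>]*\ssrc\s*=\s*["']([^"']+)["']`)

// Finding is one external script load that should not be on the page.
type Finding struct {
	Host   string
	Src    string
	Reason string
}

// ScanHTML returns every external <script src> whose host is on the known-bad
// list or absent from allowed, the set of hosts the site legitimately loads
// scripts from. Relative (same-origin) sources are ignored.
func ScanHTML(html string, allowed map[string]bool) []Finding {
	var out []Finding
	for _, m := range scriptSrc.FindAllStringSubmatch(html, -1) {
		src := m[1]
		u, err := url.Parse(src)
		if err != nil || u.Host == "" {
			continue // relative or unparsable src: not an external load
		}
		host := strings.ToLower(u.Hostname())
		switch {
		case knownBadHosts[host]:
			out = append(out, Finding{host, src, "host named in malware report"})
		case !allowed[host]:
			out = append(out, Finding{host, src, "script host not on allowlist"})
		}
	}
	return out
}

// sampleHTML is a constructed page: one injected tag sits inside a product
// description, where a SQL-injected string field would render, plus one
// unexpected third-party host that is not on any report.
const sampleHTML = `<html><head>
<script src="/js/site.js"></script>
<script src="http://www.viasyshealthcare.com/js/menu.js"></script>
</head><body>
<p>AVEA Ventilator software update</p>
<p>Download the installer below.<script src="http://gbfhju.com/r.php"></script></p>
<script src="//cdn.example.net/track.js"></script>
</body></html>`

func main() {
	allowed := map[string]bool{"www.viasyshealthcare.com": true}
	for _, f := range ScanHTML(sampleHTML, allowed) {
		fmt.Printf("%-24s %-40s %s\n", f.Host, f.Src, f.Reason)
	}
}
```

Run against a crawl of the site's own pages, the allowlist is the part worth maintaining: the known-bad list only catches what a report already named, whereas an unexpected host catches the next injection too.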

Update 2: Hat tip to Shawn Merdinger who points out that CareFusion appears to violate the spirit of its own legal disclaimer concerning not to "post or transmit any information or software which contains a virus, trojan horse, worm or other harmful component."  It also says, "By using the CareFusion.com web site, including any software and content contained therein, you agree that the use of the Site is entirely at your own risk.... THIS DISCLAIMER OF LIABILITY APPLIES TO DAMAGES OR INJURY CAUSED BY ... COMPUTER VIRUS." This technique reminds me of Riegel vs. Medtronic, but so much more efficient when a manufacturer can simply disclaim malware liability in medical device software.

4 comments:

  1. Did you contact CareFusion about the malware on their website?

    If so, what was their response?

    Replies:
    1. I wrote to security@carefusion.com but the email bounced back as undeliverable. Searching for "security site:carefusion.com" results in several URLs. Clicking on the "Manufacturer Disclosure Statement for Medical Device Security" search result leads to an "Error 404: the page you have requested cannot be found." That's assuring.

      http://www.google.com/search?q=security+site:carefusion.com

      I did report the problem to FDA; however, there is no effective national or global process for acting on such cybersecurity reports for medical devices. The reports get mixed in with general adverse event reports, and incidents with known injuries or deaths usually receive more swift attention.

      The NIST Information Security and Privacy Advisory Board points out that current medical device reporting methods are not designed to capture indicators of medical device cybersecurity problems. It's a systemic problem of both government and industry, and is not unique to CareFusion.

      http://csrc.nist.gov/groups/SMA/ispab/documents/correspondence/ispab-ltr-to-omb_med_device.pdf

      It would be nice if medical manufacturers created more meaningful ways to report cybersecurity problems. For example:

      http://www.google.com/about/company/security.html

      Anyhow, Google's Safe Browsing service has been advertising the malware infection for months. One wonders how many hospitals ignored the browser security warning when downloading the ventilator software.

    2. Does anyone have a list of all of the specific URLs that were infected/loading exploits?

    3. Alas, I am not aware of any actionable information to help HCPs on your question of establishing trust in this particular software update. It's tricky to manufacture software distribution in a trustworthy manner.

      However, an SQL injection attack typically means the entire website (rather than a single web page) is vulnerable to tampering. For your other medical devices: ask your vendor how you can verify the authenticity, integrity, and freshness of medical device software downloaded over the Internet. If the answer does not involve peer-reviewed cryptographic techniques, then be extra skeptical.

      The consumer electronics industry has several mechanisms to reduce the risk of software update tampering. Example:
      http://support.apple.com/kb/HT5044?viewlocale=en_US&locale=en_US

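The last reply tells readers to ask their vendor how to verify the authenticity, integrity and freshness of a downloaded update. As an added example (not the post's own code, and not CareFusion's update mechanism, which the post does not describe), the Go program below shows the minimum a download client needs for all three: a manifest signed with a vendor key that is pinned in the client rather than fetched from the download site (authenticity), a payload digest (integrity), and an expiry date plus a monotonic version so that an old, once-valid manifest cannot be replayed (freshness). The manifest layout, the choice of Ed25519, and the product and version values are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Manifest is the metadata the vendor signs and publishes beside the update
// file. The field layout is hypothetical; it is this example's own.
type Manifest struct {
	Product  string
	Version  int       // monotonically increasing per product
	SHA256   string    // hex digest of the update payload
	NotAfter time.Time // expiry; clients must fetch fresh metadata after this
}

// NewManifest fills in the digest for a payload the vendor is about to publish.
func NewManifest(product string, version int, payload []byte, notAfter time.Time) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{product, version, hex.EncodeToString(sum[:]), notAfter}
}

// canonical renders the manifest deterministically so that the signer and the
// verifier hash exactly the same bytes.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%s\n%d\n", m.Product, m.Version, m.SHA256, m.NotAfter.Unix()))
}

// SignManifest is the vendor side, run on a signing host, never on the web server.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrProduct   = errors.New("manifest is for a different product")
	ErrStale     = errors.New("manifest has expired; metadata may be replayed")
	ErrRollback  = errors.New("manifest version is older than the installed version")
	ErrDigest    = errors.New("payload digest does not match the signed manifest")
)

// VerifyUpdate is the client side. pub is pinned in the client (shipped with
// the device tooling), not downloaded alongside the update, so a compromised
// web server cannot substitute its own key. Order matters: nothing in the
// manifest is trusted until the signature checks out.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte,
	product string, installedVersion int, now time.Time) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrSignature // authenticity
	}
	if m.Product != product {
		return ErrProduct
	}
	if now.After(m.NotAfter) {
		return ErrStale // freshness: an old, once-valid manifest cannot be served forever
	}
	if m.Version < installedVersion {
		return ErrRollback // freshness: a signed but older release is not accepted
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigest // integrity: the bytes actually downloaded match what was signed
	}
	return nil
}

func main() {
	// A nil reader means crypto/rand; in practice the private key lives offline.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload, standing in for the installer")
	now := time.Date(2012, 6, 8, 12, 0, 0, 0, time.UTC)
	m := NewManifest("AVEA", 5, payload, now.Add(7*24*time.Hour))
	sig := SignManifest(priv, m)

	fmt.Println("genuine:  ", VerifyUpdate(pub, m, sig, payload, "AVEA", 4, now))
	fmt.Println("tampered: ", VerifyUpdate(pub, m, sig, []byte("altered installer"), "AVEA", 4, now))
	fmt.Println("rollback: ", VerifyUpdate(pub, m, sig, payload, "AVEA", 6, now))
	fmt.Println("expired:  ", VerifyUpdate(pub, m, sig, payload, "AVEA", 4, now.Add(30*24*time.Hour)))
}
```

The point of the expiry field is the one the post's Google data makes: a web server that has been compromised for months can keep serving an old, correctly signed manifest indefinitely unless the client refuses metadata past its date. The hash of the payload is checked last on purpose; a digest published on the same compromised server proves nothing, so it only means something once the signature has tied it to the pinned key.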
