Vulnerable IoT: A Case Study of e-Alert
In this article we discuss problems in IoT systems that can have major consequences using the Philips e-Alert system as an example.
IoT and Health in General
The Internet-of-Things lends itself well to the health sector. In many sectors, the value proposition of introducing IoT products is unclear. And, as discussed in our article 3 Elements of IoT Success, having a clearly defined value proposition is a requirement of a successful IoT product. However, in the health sector, it is usually very clear what the advantages are. For example, being able to detect critical issues before they occur and being able to monitor heart rate at all times to ensure heart health are some prime examples of the potential benefits of IoT.
This is what makes health related IoT products so compelling. However, like most things, there is no pro without some form of con. Philips' e-Alert system is a great example of this.
Background
The Philips e-Alert system is "an intelligent hardware- or software-based tool that keeps a close virtual eye on your MRI system performance" (source). In other words, it is an IoT product that enables remote monitoring of an MRI system. The idea being, potential future issues could be avoided by detecting some system condition and notifying a system manager via mobile notification. The value proposition is very clear - reduce downtime of MRI systems. The value was so clear that this system won the “Most Innovative IoT Solution” at the World Communication Awards in 2017 (source).
Problems
So where exactly are the problems? Like many IoT systems they reside in the implementation.
In August 2018, the ICS-CERT (now part of CISA) released an advisory describing a large list of vulnerabilities found in the Philips e-Alert product (source). As the advisory outlined, there were nine major flaws found in the system. These flaws ranged in severity but "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION" and "USE OF HARD-CODED CREDENTIALS" were the most critical ones (source).
The consequences of these vulnerabilities were concerning. The "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION" issue, for example, could have enabled attackers on the network to obtain the credentials and critical data of users of the system. This could allow an attacker to impersonate an authorized user of the system.
Another concerning issue was the "UNCONTROLLED RESOURCE CONSUMPTION" vulnerability. An attacker could potentially affect the e-Alert system in a specific way causing the system to consume more memory or CPU than intended, leading to a denial of service attack. A denial of service in terms of a health system could be the difference between life or death — in this case, it would mean the difference between a functioning MRI machine and a non-functioning MRI machine.
Response and Fixes
Philips responded by addressing four of the nine vulnerabilities in a software update released in June 2018. The remaining vulnerabilities, including the "UNCONTROLLED RESOURCE CONSUMPTION" issue, were patched in subsequent updates. At the time of the advisory, no known public exploits targeting these vulnerabilities had been identified (source).
Philips also communicated with affected users to provide mitigation methods while fixes were being rolled out. The e-Alert product has since been discontinued, but the lessons from this case remain highly relevant to IoT security today.
Conclusion
A few things can be learned from this IoT case study. For one, award-winning IoT systems from large companies can have MAJOR vulnerabilities. Aspects such as encrypted transmission of data cannot be expected by default. Secondly, critical bug fixes can take longer than expected. It took Philips multiple update cycles to address all nine vulnerabilities. Thirdly, providing mitigation methods to affected users and releasing public statements regarding the issues will help decrease loss of trust in a situation like this. Finally, the importance of organizations like CISA (formerly ICS-CERT) in the IoT landscape is clearly visible here. Since Philips addressed the four biggest vulnerabilities before the release of the advisory, it is clear that they were aware of these issues. However, it is not clear if they were aware of the other issues mentioned in the advisory.
As an extension of this, it is important to realize that Philips is a very large company with significant resources. If these problems existed in a Philips system, what types of problems exist in smaller companies' products?