Tensions run high in America after the decision to overturn Roe v. Wade; a 1973 court case granting citizens the right to have abortions. Regardless of any side an individual is on with this issue, people should care about the pressing threats in technology that are just recently beginning to see the light. Cybercriminals are masters at taking advantage of chaos. They see an opportunity at every turn, and with the chaos of the Roe v. Wade decision, of course they will decide to act.
The healthcare industry is renown for its highly vulnerable cache of sensitive data, but it continues to stagnate as other industries ramp up their cyber departments. It is not entirely the fault of hospitals that they are so behind in enforcing security policies and procedures. No one ever assumed that a hacker could be so low as to go after a patient’s health data, or even think to hack into life-saving medical technology. However, cybercriminals have proven that they do not care who they are targeting (whether that be big-time corporations or friendly Stan from down the street). In recent years, medical devices have become popular for demonstrating the scary consequences of how hackers can exploit IoT vulnerabilities and misconfigurations. One of the most startling demonstrations took place at the RSA Conference in 2019, in which an ultrasound imaging system was hacked with just “2 clicks”.
Like most medical devices, ultrasounds are seriously vulnerable and possess very few countermeasures to defend against security breaches. The two main vulnerabilities affecting ultrasound and other GE imaging systems include transporting credentials unprotected over the network (CVE-2020-25175) and exposing exposing credentials and other sensitive info. to unauthorized clients in the network, with the ability to be easily modified (read/write access given to attacker) (CVE-2020-25179 /MDhhex-Ray).
Common Attacks On Medical Devices To Look Out For:
Arbitrary code execution (RME remote code execution)
Ransomware
Malware
DDos attacks (Distributed Denial-of-Service)
Spearphishing
Cryptojacking
HOW THE COMPROMISE IS COMMITTED
The attack-vectors that cybercriminals use to corrupt ultrasound imaging systems and other medical devices are relatively basic. One strategic process may go something like this:
1. Medical Device OSINT (Open Source Intelligence) & Reconnaissance
It is very easy to find exploitive information of medical devices on the web. The first step of the Mitre Attack Framework (along with other cyber kill chains) is to perform reconnaissance; researching information for a target either actively or passively. Medical device brands often post a variety of white papers, demonstrations, and current security features of their products on their websites for the public to view. Since anyone can access this information, it is easy for an adversary to get a good grip on what they need to do in order to attack a target. See an example of the Epiq 7 Philips Ultrasound Imaging System.
2. Gaining Device Access
After gathering enough information for their attack, an adversary will then take the essential steps to compromise the system for access to patient data. This could include anywhere from the following:
Corrupting patient safe links
After getting an ultrasound, a patient may be forwarded a link containing their examination images. This is most common with new parents welcoming an unborn baby, aka the focus of our article. Parents who receive this link may exchange the photos of their unborn baby with family members or their friends, but there is some risk to this. Often times the link being shared to the patient is not encrypted, so it is not as safe as we think it is for transferring content between a “close-knit” circle. An or adversary can easily intercept this link or interfere in communication between two authorized parties with a MITM (man-in-the-middle) attack. If an adversary sees content being shared about new parents on social media (which happens all the time), they can easily corrupt the images via a social engineering scheme and gain access to an ultrasound image of the unborn, along with other confidential information.
Exploiting open ports & Ethernet protocols
Medical devices are often left highly unsecured, and the failure to leave ports open on such devices is a certain way of allowing them to become compromised. An open port is a TCP or UDP port that is configured to accept packets instead of rejecting them. A closed port is better for security because some packets being sent to a device are for malicious intent (whether that is used to scan for vulnerabilities or as an easy gateway for exploiting them). It is a basic security standard for all organizations to set their ports closed on devices that do not necessarily need to be open, and this goes for most medical devices. Otherwise, hackers can easily exploit the device via remote connection, or take advantage of unguarded Ethernet connection. Many newer medical devices are being connected to hospital LANs (Local Area Networks) with Ethernet cables, but if not protected, one adversary may be able to gain access to an entire hospital network.
Compromising Valid Credentials
Adversaries will often compromise hospital credentials (such as doctors, admins, receptionists, etc.) because they are often easy to obtain. Every organization should implement and practice strong password protocols, and this also applies to the medical industry. While security should pose no limit to an organization’s functions, the medical industry often views higher security standards as a burden to a hospital’s functioning. Medical staff tend to take the path of least resistance when setting their passwords and understandably so (typing an easier password saves time and possibly lives in their case). However, this path of least resistance often ends with numerous credentials being compromised, and the lack of 2FA or MFA even makes it worse. Most adversaries have no problem obtaining single-sign-on passwords through dictionary or brute force attacks. With an employee’s valid credentials, they can move laterally through the hospital network, and depending on how many upgrades in command they achieve, a wide array of sensitive patient data becomes exposed.
WHY WOULD CYBERCRIMINALS WANT TO GO AFTER ULTRASOUNDS AND OTHER MEDICAL INFO?
People outside of the medical industry often forget that ultrasound technology can be applied to a variety of places for an affected patient. Not only is ultrasound imaging used to view the progress of a baby during the stages of pregnancy, but it is also used to scan anything from a patient’s breasts, kidneys, liver, rotator cuffs, arteries, spleens, elastography (tissue strains), etc. A compromise of any of these images is an astounding boon for the cybercriminals who pull it off. Demonstrator’s at the 2019 RSA Conference state that these images are “lucrative patient data that can be sold at a premium on the Dark Web”.
The Dark Web offers numerous ventures of nefarious activity, and the exploitation of private medical data is highly sought after by buyers. One of the main reasons why people purchase ultrasound images is that they may be looking for illegal transplants to perform (ordering a “hit” on a known healthy individual). Organ sales make up a big source of revenue on the Dark Web. This is mainly because of desperate people who cannot wait on the list out of fear they will die before receiving a legal transplant. Even more disturbing, some people will buy ultrasound images and their physical parts even if they are not used for transferable medicine (hands, feet, forearms, etc.).
Unfortunately, these motives, we can readily explain. However, it took some serious research to find out the truth about the “underground ultrasound market” and its connection to stealing images of unborn children. There are many reasons why cybercriminals would hack into ultrasound imaging systems. Here is what was found:
-Public Scandal
Cybercriminals enjoy exposing an individual’s private life or personal secrets because it may cause harm to the target victim’s reputation. Pregnancy is an event that many women prefer to keep private for a certain period of time. Usually when finding out, they may only want to share the news between their immediate family members or close friends. However, cybercriminals love to ruin a good surprise. This was seen with mega-superstar Adele, whose ultrasound photos were leaked to the public by hackers in 2016. Not only was the star’s family privacy breached (adding the extra stress of tabloids, paparazzi, and the general media she was trying to avoid), but fans were sharing the photos of her unborn baby and making comments about its appearance. How can you possibly judge someone’s appearance if they haven’t even been born yet? The effects of this severe breach in privacy was devastating to Adele, who rightfully, just wanted to have a private pregnancy without all of the scandal. Certainly, many other women can relate.
On the other hand, some women may prefer to keep their pregnancy private for reasons that are less joyful. It is often typical for a woman to get an ultrasound before an abortion, in which the technology is used to ensure three main facts: 1. There is a viable pregnancy, 2. Discovering the gestational age (to see if a woman is under 10 weeks and thus eligible for the medical procedure), and 3. Determining the precise location of the pregnancy. In December of 2021, Planned Parenthood was hacked exposing the personal information of about 400,000 women who had received abortions, including their names, addresses, dates of birth, identification numbers, etc. While no ultrasound images were reportedly stolen, attackers could easily follow the example of the Planned Parenthood hack and release clinic photos.
Such images could easily be used for blackmail or extortion to get victims to do their bidding. Additionally, in the wake of the Roe v. Wade epidemic, releasing ultrasound photos could endanger the women planning to move to states that perform legal abortions. Should their residential state government decide to ban out-of-state abortion travel or punish women with civil lawsuits for seeking such action, cybercriminals could have a lot of fun targeting vulnerable women with this sensitive data. As for now, most adversaries are targeting the Supreme Court and pro-life institutions for restricting the freedom of womens’ bodies (supposedly, anarchists share a distinct hate for government control). However, these criminals and their “support for the cause” could shift just as easily depending on the circumstances. Hopefully, state governments will remain separate and not enforce such restrictions, avoiding this hypothetical scenario.
-Changing Information “Switched At Birth”
Cybercriminals are easily able to modify the information contained in ultrasound images. Changes could include anything from inaccurate depictions of the unborn child’s gender, the status of their growth, health, or location inside of the mother’s womb. If the child has a severe medical risk, attackers could make sure that parents or medical professionals are not informed. Even more disturbing, attackers could easily distribute the ultrasound photos of different children to the wrong set of parents, performing a “switched at birth” scheme.
-Clinic Scams
How easy is it to fake an ultrasound? According to numerous sources, it isn’t quite as hard as one would think. The “underground ultrasound” business is a dark network of scam-artists and scam-clinics who take advantage of expectant mothers. Their appalling and elaborate schemes should not go unnoticed, but the truth is that there are a few “centers” across the country performing fraudulent ultrasounds for money. One such scam occurred in 2016, in which a group of soon-to-be mothers discovered that they had been provided the exact same ultrasound image at an Ontario clinic. It is relatively easy to steal a full-proof ultrasound image and display it “accurately” for a makeshift business venture. Nobody has to be a real medical practitioner to operate an ultrasound imaging machine, and if acting a certain way, many patients may not recognize medical malpractice when it is happening in real-time. A contributor on Quora demonstrated the typical dialogue that ultrasound practitioners may say during the procedure (“What does a fake ultrasound report look like?”):
"The liver is, from what I can see,
Exactly where it should be,
The margins are regular,
The texture looks similar,
And there is no evidence of HCC.
The gallbladder looks distended,
Which is what we all wanted,
A few polyps aside,
No stones are inside,
A trip to the OR is highly not warranted!"
An average person without a lot of medical experience would not realize that this is a report for an abdominal ultrasound, but once a “doctor” says “I can see your baby!” and flips the screen to show a pre-recorded video or image, people tend to get excited and forget the facts. Hackers are easily capable of providing the means to perform these scams (whether that is selling fake ultrasound photos and video content to scammers, or selling real images that belong to different people over the dark web). Therefore, it is always a good idea to double-check the center that you are visiting for a medical procedure. Although it is sad to say, these days, almost anybody can pose as a doctor using technology and basic cyber skills. It is crucial that you ensure the care you receive is legitimate and be on the lookout for anything suspicious. Visit this site for the common signs of fraudulent ultrasound images. (BabyMaybeBlog).
-Child Identity Theft
An appalling application of stealing ultrasound images is that sometimes, cybercriminals will sell such data on the dark web along with an unborn child’s personal information. The purpose of this baffling act is identity theft, but for a child. There are several benefits that cybercriminals get from posing as an unborn person. Not only do younger children have a “perfect” credit history (since they have made few purchases), but their social security numbers (SSNs), dates of birth, gender, and other identifying characteristics are legitimately intact causing little trouble for the buyer. According to John Brandon’s article on the New York Post, “Hackers are selling babies’ personal data on the dark web”, these children will often grow up unaware of the fact that someone else in the world is living their identity… until they are confused with the criminal posing as them. Shockingly, cybercriminals sell perfect, digital profiles of these children for a high price (including proof of the person’s existence with the ultrasound image). They also aid in providing directions for how to file fraudulent tax returns, applying for healthcare, insurance, and other essential institutions.
-Human Trafficking
Human trafficking is a crime in which traffickers exploit adults or children for profit, usually for the purpose of performing labor or engaging in commercial sex acts. Human trafficking is a wicked and despicable practice that even today continues as a modern form of slavery. Unfortunately, the invention of the dark web has facilitated this criminal activity, allowing a portal for criminals to target and access their victims online. While ultrasound images are being sold on the dark web for a variety of purposes, it is feared that these images could be applied to the human trafficking of unborn children. After Roe v. Wade, it is possible that surges in the foster care system and unclaimed children will be seen across pro-choice states in the U.S. These children, especially ones who come from unstable homes, are highly vulnerable targets for human trafficking.
While some groups are using technology to fight against human trafficking (monitoring social media platforms, going undercover, or even using cyber skills to compromise illegal trafficking groups), overall, cybercriminals offer their services to target and control victims. Spear-phishing and ransomware attacks are common methods for accessing a victim’s personal information, and therefore controlling them to do anyone’s bidding. Multiple cases of sex-trafficking have occurred because a victim was discovered via social media communicating with their abductor. For attackers, it is so easy to access a victim’s accounts and gain their trust in a simple social engineering scheme. With the current generation being brought up in a “social-media age”, it has become more challenging to protect them from the dangerous people on the Internet (which aren’t going away anytime soon).
HOW DOES THIS ALL CONNECT TO ROE V. WADE AND WHAT DOES IT MEAN FOR THE NEXT GENERATION?
What your correspondent discovered was heartbreaking. Never did I imagine that people were capable of plotting these devastating acts, but to see them being committed in real life, every day, is impossible to forget. Not only is it just plain wrong to do any of these things to any human being, but to a child who has years ahead of their life to live is even worse. Not all of these crimes have been happening because of Roe v. Wade. In fact, these crimes have been occurring for years as technology and the medical industry has progressed, but only with Roe v. Wade, they become more sensitive. Please, please, please. Protect your children. The people who are doing these things are extremely dangerous and they do not care at all if they are targeting an innocent child.
While we have a need to guard our personal information and privacy, that also goes towards protecting our families and the young lives who we are supporting. After Roe v. Wade, people need to seriously start being more cautious because adversaries will definitely take advantage of the turmoil. Do everything that you can to ensure that the medical advice you are seeking is from a legitimate source, that you are visiting certified centers, and that your information is being guarded by the medical institutions pledged to the task. All of this is connected and all of this is important to consider as technology continues to serve as the solution or the catalyst for our most prevalent issues.
Comments