Medical Device Test

Service Overview ⫘

Goals of the Medical Device Hardware Penetration Test is to demonstrate if and/or how weaknesses in the device's hardware and/or software can be leveraged to compromise the device and affect patient care and device operability. Testing includes exploitation of vulnerabilities, username and password discovery, communication weaknesses, and hardware design flaws. Testing includes exploitation of vulnerabilities, username and password discovery, communication weaknesses, and hardware design flaws. The test will prove the "chain is only as strong as the weakest link" concept and discover security flaws not identified by vulnerability assessments.

Service Methodology ⫘

The Medical Device Hardware Penetration Test consists of several phases, each detailed below along with the respective methodology. Secureworks utilizes the Penetration Testing Execution Standard (PTES) as the standard basis for penetration testing execution, and the tools utilized during tested are covered in the Penetration Testing Execution Standard Technical Guidelines (PTES G). Secureworks also follows the FDA best practices for Cybersecurity, ensuring patient safety and operability. The FDA guidance can be found here: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.

Scope Validation ⫘

This step validates the communication methods used by a connected medical device. This is a safety measure and ensures patient safety as well as the accuracy of subsequent findings. Activities include the following:

• Ping sweeps and route tracing.
• Footprinting networks and systems.
• Network traffic captures and protocol analysis.
  • Device Inspection.
  • Device use case identification.
  • Hardware port identification.
  • Device board chip identification.
  • External service scanning.
• Internet domain name registration searches.
• Internet registry number searches.
• Domain name service (DNS) lookups.

Vulnerability Analysis ⫘

Vulnerability testing is the process of discovering flaws in systems and applications that can be leveraged by an attacker in both a local and network attack scenario. These flaws can range anywhere from host or service misconfigurations to insecure application design and kiosk escapes. The process used to look for flaws varies and is highly dependent on the particular device being tested. Criticality of located flaws will be elevated if patient care is affected by a located vulnerability.

Open Network Services Enumeration and Exploitation ⫘

Secureworks will attempt to identify data leakage and/or compromise vectors by monitoring and manipulating device communications. Communications channels include the following: wired ethernet, 802.11 wireless, Zigbee/ZWave, CAN bus, Serial, etc. Techniques include but are not limited to the following:

• Passive monitoring
• Man-in-the-Middle packet sniffing
• Encryption Downgrade attacks
• Authentication capture

Manual Verification ⫘

Automated scanning tools fail to report some vulnerabilities. Medical devices are a critical piece of patient care and safety. Therefore, manual verification does not rely on automated scanning. A testing methodology that solely relies on automated scan results gives a false sense of security. Automated scanning tools often report false positives — reported vulnerabilities that are not actually present. For vulnerabilities discovered through automated scanning, manual verification ensures report findings are accurate and that the vulnerabilities reported are an accurate representation of your environment. Without this often-overlooked step, time may be wasted attempting to remediate vulnerabilities that do not exist. All vulnerabilities are validated and verified, rated in tandem with the ability to interfere with patient care procedures.

Exploitation ⫘

The exploitation phase of the Medical Device Test focuses solely on establishing access to a system or resource by bypassing security restrictions. The main focus is to identify the main entry point into the device and to identify subsequent issues that could affect patient care and safety. Ultimately, the attack vector should take into consideration the probability of success and highest impact on the patient and organization.

Physical/Hardware ⫘

Secureworks will attempt to identify vulnerabilities in the physical design and the device(s) hardware to compromise the device(s). Techniques include but are not limited to the following:

• Tamper detection bypass
• Direct Memory Access via PCIe, Thunderbolt, USB3, etc.
• Debug and Programming exploitation: JTAG, UART, SPI, ICSP, etc.
• Direct storage attacks

Post-Exploitation ⫘

Post exploitation efforts focus on identifying flaws that could be used in subsequent attacks against the connected device or networked systems. Many times, static encryption keys, hardcoded passwords, .DLL hijacks and other types of vulnerabilities and flaws are located during post-exploitation efforts. Controls against Intellectual Property theft are tested during this portion of the engagement, with many organizations hoping to control the Intellectual Property that resides on the machine. Reverse engineering efforts can also aid in locating hardcoded passwords within binary files.

Firmware ⫘

• Should Secureworks obtain access to firmware during testing, firmware will be reverse engineered to inform additional attacks.

Outcome ⫘

Presentation of findings and deliverables compiled by Secureworks will be provided to you in the form of a report. The report will include the following:

• Executive summary
• Methods, detailed findings, narratives, and recommendations if any
• Attachments as needed for relevant details and supporting data

Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before the expiration of the review period, the report will be deemed final.

Upon completion of the Services, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by the Customer designated contact, within five (5) business days of such email confirmation, the Services and this SOW shall be deemed complete.

Scoping information ⫘

Medical Device Test ⫘

Scope	Description
Medical Device Test - Small	1 medical device.