Don’t Overlook the Obvious

Posted by Bobby Kuzma, CISSP on Oct.16, 2014

Last week, I tagged along with my girlfriend to a doctor’s appointment since she couldn’t drive. Being well, me, I tend to look at every environment that I walk into from the perspective of How Can a Bad Guy Ruin Their Day. Yes, I’m one of those oddballs that prefer to sit with my back against a wall at restaurants. The clinic is a newer building, built about 5 years ago to spec for the large multi-specialty clinic that owns it.

This is a clinic that has especially good information security, and a diligent and attentive compliance manager, whom I happen to know personally. These are not the rank amateurs that I see most of the time.

Overall, I was fairly happy with what I saw until I got into the exam room. That’s when my Bond villain tendencies came out to play. Like most practices that have deployed electronic health records, there was a workstation in the room. It was built into a quaint little alcove in the wall, out of the way, with only the keyboard, mouse and monitor directly accessible. The cables led to an interesting looking cabinet immediately to the left. There is no lock on the cabinet door. Hrmmm.

And then the nurse left the exam room. Let’s see what we have here:

  • We have a Windows 7 Professional system, publically accessible, and left in contact with unauthorized people. Hi there.
  • We have an unlocked cabinet that contains the CPU.
  • We have a network connection that’s going to be inside the unlocked cabinet
  • I have 4 bars of LTE signal on my cell phone from this exam room.

The technical term for this scenario is “A Badness Thing”…

We were left alone with this machine for about 10 minutes, which is not atypical for a busy practice stacking patients at 15 minute intervals. To reiterate, this is me musing about potential attack vectors that have been overlooked. I did not execute any of the attacks I am about to describe.

If I can touch it, it’s not your computer anymore

Let’s just start with physical attacks against the machine. Accessible USB ports mean that we can potentially place keyloggers or other malware on the machine.

We could deploy a blue pill attack to shove a hypervisor shim underneath the operating system, give it a quick reboot, and we now have full control over the machine, and all the data that passes through it. Blue pill attacks are incredibly difficult to detect.

Beware the indescript beige boxes

I mentioned the unlocked cabinet with the network jack.  I could shove a small, indescript box in-line with the network. Something like the PwnPlug. And oh yes, it’ll probably never be found.

Since its in-line with a legitimate host on the network, we can even do an 802.1X bypass attack to fake out any Network Access Control that might be deployed. Now I’ve got a bridgehead into the network, and if I’ve planned properly and stuck a cellular modem on it of some kind, I now also have an out of band connection into the network.

Scared yet?

So….

Think about the avenues that an attacker will take to get a device onto a network. Work to minimize the ways that an attacker can get onto the network directly. Physical security is just as, if not more important than network security when it comes to protecting an environment.

And if the required annual risk assessment has missed this avenue of attack, and a breach happens, I can guarantee that the Department of Health and Human services will not be gentle as it levies massive fines,  pour encourager les autres.