The first security vulnerability Michael Murray ever reported to Bugtraq was memorable in the way he found it. Back in 2000, the former security researcher discovered a flaw in a function in the Linux kernel after banging his hand on the keyboard in frustration when he couldn't get his telnet session to disconnect: Striking random keys ultimately crashed the session and exposed the bug. "That one was silly," he says of his unorthodox and inadvertent discovery method.
Murray now hacks GE medical devices and equipment for a living, and the bugs he and his team find could have serious consequences for patients and healthcare professionals. As director of GE Healthcare's cyber security consulting and assessment, the 15-year veteran of the security field is overseeing the product lifecycle development of the company's medical devices and equipment -- from the design phase and on. "Source code analysis, integrating security testing into the normal test cycle, and penetration testing at the end." It's all about building these sensitive medical systems and devices with cyber security in mind, rather than as an afterthought.
"I'm [still] breaking lots of stuff. I'm just breaking it before it gets to the customer to make sure bad things don't happen to people out in the world," says the former managing partner of security consulting firm MAD Security. He would not name the specific medical gear he hacks for flaws, but GE Healthcare manufactures, among other things, patient monitoring, medical imaging, and diagnostic equipment.
Security researchers thrive on unearthing holes and bugs in software and hardware, but some researchers such as Murray are now taking their hacking skills and security knowhow to traditional businesses and consumer product companies. Security expertise traditionally has been sparse in many of these industries, where white hat hacking often is misconstrued as troublemaking or joyriding. For researchers making the job change, it's not just about reporting zero-days anymore but rather finding ways to make the growing generation of Internet-connected consumer products more secure and safe for consumers.
Vulnerability disclosure remains a strategic weapon in the battle to try to stay a step ahead of criminals and spies looking for software bugs to exploit. But security bugs associated with the Internet of Things have raised software vulnerabilities to a whole new level -- one that in some cases involves public safety, with a wave of flaws found in medical devices such as insulin pumps, cars, TSA checkpoint systems, satellite ground terminals, cellphones and networks, home automation and security systems -- and even baby monitors. That has prompted some security experts and white hat hackers to help make these devices more secure from the get-go.
[Public safety issues bubble to the top in security flaw revelations. Read Internet Of Things Security Reaches Tipping Point.]
"We were concerned as parents and citizens," explains Joshua Corman, who, along with fellow security expert Nicholas Percoco, began a grassroots effort last year to bridge the gap between security research and the consumer product world. Corman says safety concerns began to resonate more and more for him this past year while shopping for a new family vehicle. He began to worry about the potential attack surface of networked features in the latest automobile models and the potential safety risks to his family.
Vulnerabilities in car automation systems were exposed by security researchers Charlie Miller and Chris Valasek, who hacked their own rides last year (a Toyota Prius and Ford Escape) to demonstrate how a networked car's acceleration, braking, and other vital systems could be sabotaged. They also have studied the risk of remote attacks against networked vehicles.
Corman, CTO at Sonatype, and Percoco, who is now vice president of strategic services at Rapid7, launched the I Am The Cavalry initiative in 2013. At DEF CON in August of this year, they unveiled a Five Star Automotive Cyber Safety Program aimed at ensuring public safety in the face of increasingly connected and automated vehicles. The group penned an open letter urging the CEOs of major US auto manufacturers to adopt the program, which includes a secure software development program, security updates to software in cars, and segmenting and isolating critical systems in a safe sector of the car's network, so that if the entertainment center is hacked, the braking system can't be tampered with, for example.
The electric carmaker Tesla Motors has taken a more aggressive and proactive strategy for securing its car technology. This year it hired the renowned white hat hacker Kristen Paget to oversee vulnerability testing and security for its cars. Paget, who declined to be interviewed for this article, is best known for her work assessing the security of Microsoft's Vista operating system for the software firm and for demonstrating weaknesses in the GSM protocol with her homegrown, spoofed GSM tower and fake base station that fooled smartphones into connecting to it in a demonstration at DEF CON in 2010.
This year, Paget brought a Tesla vehicle to the DEF CON 22 exhibit area in Las Vegas, where the company was looking to recruit more hackers to help sniff out security vulnerabilities in its software that controls the vehicles.
Luke McOmie, a security researcher best known by his hacker handle "Pyr0," did a six-month red-team stint this year with a major research hospital. McOmie, who since has returned to his previous work as an independent consultant, was part of the hospital's team of security experts tasked with hacking medical equipment and machines used by the hospital, which he declined to name.
He and his colleagues at the hospital performed a combination of fuzzing tests to look for commonly known vulnerabilities in the institution's medical equipment and devices. McOmie says he and his team dug around and found some zero-day bugs in some of the equipment they tested. "Some stuff was absolutely unnerving, but that's what we expected would happen." The goal was to catch any dangerous flaws that could lead to a major security incident.
Hacking away at medical devices is a delicate process: The systems obviously can't be connected to a patient during the testing process, so McOmie and his fellow red team members used a lab for smaller, more transportable devices. Larger systems like MRI or CT scanners had to be taken offline from patient care while they were tested. "You'd have three or four days to beat up this one device."
When McOmie initially was contacted by the hospital for the job, he was struck by how the CISO there "got it" when it came to security concerns surrounding medical equipment. "He understood how important this thing was," he says. "They understood how key it is to get a jump" on the threats.
But locking down medical equipment isn't so straightforward. "Any security solution we would be putting in place, we had to figure out a way to do it in a secure fashion that didn't impede or slow down" doctors and nurses from caring for their patients. "If they have to type a complex password at a workstation about a patient they are working on, that's obviously not efficient."
Tip of the iceberg
Justine Aitel, chief information security and solutions officer at Hoyos Labs, says more security researchers are needed to help secure consumer products and business systems. But it's not always an attractive gig for researchers: "We need to make the case that it's cool" to work on the defense side.
As a former security researcher and self-professed "old-school Windows hacker," Aitel now works on the business side of the security equation. Most recently, she served as CISO at Dow Jones, where she brought a white hat hacker's perspective to the company's security and risk management operations.
Having worked on both the researcher and enterprise sides of the fence, Aitel says she'd like to see, for example, more researchers helping find ways to bring a mobile device into the corporate BYOD environment, rather than just announcing a new iOS bug. "I still see a lot of people on the offense side, and I have all of the respect in the world for those guys. But we need those brains on some other problems" on the defense side, as well.
It's not always easy to make the jump from the security community to the consumer and business worlds, Aitel and others say. Sometimes it's just a matter of timing for the move.
"We're all getting old," quips Murray. "I've had this conversation with a lot of people who have taken their next jobs, not because of how cool or because of the money, but of what impact they might have."
The biggest shift for Murray? "Wearing a suit" to work. "But [there's] nothing I'm doing that 22-year-old me would be disappointed about."