Misconfiguration in telecom router leaks 30,000 patient data

Comment by Rainer Richter, Director Channels, SEC Technologies

“The Internet of Things is a curse and a blessing at the same time: while networked devices are streamlining our lives and opening up new lucrative business opportunities for businesses, the impact of increased connectivity on our physical and digital security is far worse.

The number of IoT devices is constantly increasing, and so are the risks of misuse, data theft, or dangerous manipulation. One does not even need a lot of hacking skills. If you want to cause a serious data protection incident, just take a conventional telecom router with a simple misconfiguration. While this might sound like a fake news, this happened in a Lower Saxon doctor’s office, quite recently. Their 30,000 sensitive patient and employee data were freely accessible to anyone on the Internet via a Windows server. A true disaster, not only in the eyes of the GDPR.

Who was to blame for this mishap? A simple inadequate configuration of the ports. As investigations revealed, the business router didn’t just open standard port 433 when releasing the service “HTTPS”, but some ten access ports from the Internet. A small mistake that could and did result in serious consequences for the end-user.

Iot Patient Imgs

The incident is a perfect example of the state of our current IoT security. More than 90% of IoT firmware files show critical vulnerabilities, as demonstrated by a review of the IoT Inspector firmware analysis platform. In addition to misconfigurations, the main issues range from hard-coded passwords in the firmware file system, hidden standard user credentials or SSH host keys… be it on network cameras or state-of-the-art children’s toys.

Manufacturers of IoT devices need a quick development cycle and a fast time-to-market. This leaves almost no room for adequately checking any product for potential security breaches even if such security issues are taken seriously. This is risky because dealing with the aftermath and its consequences – for example, in tens of thousands of IoT components used worldwide – is likely to cost you more than an early analysis and possible resolution before rollout. Keep in mind: Prevention is always better than looking for a cure.

Companies and service providers are strongly advised to take the lead and to look for vulnerabilities in devices used. To avoid any further nasty surprises, the firmware on new IoT device needs to be checked for vulnerabilities even before it is in use. There is no other preventive measure to take as doing so will ensure the necessary measures in terms of protection are taken, at the right time.”

Iot Patient Room