
Misconfiguration in telecom router leaks 30,000 patient data

Comment by Rainer Richter, Director Channels, SEC Technologies

“The Internet of Things is a curse and a blessing at the same time: while networked devices are streamlining our lives and opening up new lucrative business opportunities for businesses, the impact of increased connectivity on our physical and digital security is far worse.

The number of IoT devices is constantly increasing, and so are the risks of misuse, data theft, or dangerous manipulation. One does not even need a lot of hacking skills. If you want to cause a serious data protection incident, just take a conventional telecom router with a simple misconfiguration. While this might sound like fake news, this happened in a Lower Saxon doctor’s office, quite recently. Their 30,000 sensitive patient and employee data records were freely accessible to anyone on the Internet via a Windows server. A true disaster, not only in the eyes of the GDPR.

Who was to blame for this mishap? A simple inadequate configuration of the ports. As investigations revealed, the business router didn’t just open standard port 433 when releasing the service “HTTPS”, but some ten access ports from the Internet. A small mistake that could and did result in serious consequences for the end-user. The incident is a perfect example of the state of our current IoT security. More than 90% of IoT firmware files show critical vulnerabilities, as demonstrated by a review of the IoT Inspector firmware analysis platform. In addition to misconfigurations, the main issues range from hard-coded passwords in the firmware file system, hidden standard user credentials or SSH host keys… be it on network cameras or state-of-the-art children’s toys.

Manufacturers of IoT devices need a quick development cycle and a fast time-to-market. This leaves almost no room for adequately checking any product for potential security breaches even if such security issues are taken seriously. This is risky because dealing with the aftermath and its consequences – for example, in tens of thousands of IoT components used worldwide – is likely to cost you more than an early analysis and possible resolution before rollout. Keep in mind: Prevention is always better than looking for a cure.

Companies and service providers are strongly advised to take the lead and to look for vulnerabilities in the devices they use. To avoid any further nasty surprises, the firmware on new IoT devices needs to be checked for vulnerabilities even before it is in use. There is no other preventive measure to take, as doing so will ensure the necessary measures in terms of protection are taken, at the right time.”
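The incident above comes down to a router publishing many more ports than the one service it was meant to expose. The following is an added example, not code from the article or from ONEKEY or SEC Technologies, showing the kind of check an operator can run after any configuration change: compare what is actually reachable from outside against an explicit exposure policy and flag every open port that the policy does not allow. The scan text, the address 203.0.113.10 (a documentation range) and the policy are constructed for the example; the parser reads nmap's grepable (-oG) output format.

```python
"""Audit externally reachable ports against an explicit exposure policy."""
import re

# Constructed sample in nmap "grepable" (-oG) output format; not a real scan.
# It models a router that publishes several services although only HTTPS
# was meant to be reachable from the Internet.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt///, 23/filtered/tcp//telnet///
# Nmap done
"""

# Exposure policy (assumed): the only service published on the WAN address
# is HTTPS on tcp/443. Anything else that is open is a finding.
EXPECTED_EXPOSURE = {"203.0.113.10": {("tcp", 443)}}

# One -oG port entry looks like "22/open/tcp//ssh///": port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {host: [(proto, port, state, service), ...]} from -oG output."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        entries = result.setdefault(host, [])
        for port, state, proto, service in PORT_RE.findall(ports_field):
            entries.append((proto, int(port), state, service))
    return result


def audit_exposure(scan, policy):
    """Return sorted (host, proto, port, service) tuples that are open but not allowed.

    Only ports reported as "open" count; filtered or closed ports are not exposed.
    A host missing from the policy is treated as "nothing should be open".
    """
    findings = []
    for host, entries in scan.items():
        allowed = policy.get(host, set())
        for proto, port, state, service in entries:
            if state == "open" and (proto, port) not in allowed:
                findings.append((host, proto, port, service))
    return sorted(findings)


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    for host, proto, port, service in audit_exposure(scan, EXPECTED_EXPOSURE):
        print(f"UNEXPECTED: {host} {proto}/{port} ({service or 'unknown'})")
```

Run against the constructed sample, the audit reports tcp/22, tcp/80, tcp/8080 and tcp/8443 as unexpected, leaves tcp/443 alone because the policy allows it, and ignores the filtered telnet port. The useful property is that the policy is written down and diffed against reality from the outside, so a router that silently opens extra ports when a service is "released" is caught before a third party finds it.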

About ONEKEY

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development and production through to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.


CONTACT:

Sara Fortmann

Marketing Manager

sara.fortmann@onekey.com


euromarcom public relations GmbH

+49 611 973 150

team@euromarcom.de