A vulnerability has been discovered in Microsoft’s Active Directory Federation Services (ADFS) that allows multi-factor authentication (MFA) to be bypassed with ease. The flaw is being tracked as CVE-2018-8340 and was discovered by Andrew Lee, a security researcher at Okta.

ADFS is used by many organizations to help secure accounts and ADFA is used by vendors such as SecureAuth, Okta, and RSA to add multi-factor authentication to their security offerings.

To exploit the vulnerability an attacker would need to obtain the login credentials of an employee and have a valid second factor authentication token. That token could then be used as authentication to access any other person’s account if their username and password is known.

A threat actor could easily obtain a username and a password by conducting a phishing campaign. The number of phishing attacks on healthcare organizations that have been reported recently show just how easy it is to fool employees into disclosing their login credentials. A brute force attempt on an account with a weak password would also work.

Obtaining the second factor token is a little more difficult. The second factor is often a mobile phone number or email address or a smart card PIN number. That information could also potentially be obtained through phishing or through a successful attempt to get the IT help desk to reset a user’s MFA token.

The vulnerability would be easy to exploit by an insider, since that person would already have a valid MFA token registered on the system. All that would be required to access the account of another employee would be their username and password.

The vulnerability is due to the way ADFS communicates during a login. When an attempt is made to login, the server sends an encrypted context log which contains the MFA token. However, the context log does not include the username, so no check is performed to ensure the MFA token is being used by the correct individual. If an attacker used a browser to gain access to an account using a known username/password and MFA token, and a second browser with just a username and password but no MFA token, a single MFA token could be used to gain access to both accounts.

Two-factor authentication is an important security control that can prevent unauthorized account access even if a threat actor has successfully obtained login credentials, although this vulnerability shows that the system is not infallible.

The flaw has now been fixed in Microsoft’s Patch Tuesday updates on August 14. Healthcare organizations should ensure that the patch is applied promptly to ensure their MFA controls cannot be easily bypassed.

The post Microsoft ADFS Vulnerability Allows Bypassing of Multi-Factor Authentication appeared first on HIPAA Journal.

A security researcher at McAfee (Douglas McKee) has identified a vulnerability in the communications protocol used by patient monitoring equipment. The flaw could be exploited by a threat actor allowing patients’ vital signs to be falsified and sent to central monitoring systems.

Patient monitors record patients’ vital signs and communicate the information to central monitoring systems. The central management systems collect data from many bedside patient monitors, allowing healthcare professionals to monitor multiple patients simultaneously. Information is usually sent over TCP/IP through wired or wireless connections and includes information such as blood pressure, blood oxygen levels, and heart rates. Decisions about treatment are made based on the information provided through those monitoring systems.

Vital signs are integral to clinical decision making. If vital signs are misreported, decisions could be made that could cause patients to come to harm – incorrect doses of medications could be provided, the choice of drug could be influenced by bad data, an incorrect diagnosis could be made, or there could be delays providing medical assistance.

Incorrect data could also lead to patients staying in hospital for far longer than necessary and additional unnecessary tests may be performed, which would come at a cost to the healthcare provider, insurer, or patient.

For the study, McAfee purchased a patient monitor and a central monitoring station on eBay that were manufactured in 2004 and ran Windows XP Embedded. While the devices were old, McAfee confirmed that the monitor and central monitoring station are still in use in several hospitals in the United States.

The researchers were able to create a simple device to emulate vital signs using a Raspberry Pi and conduct a replay attack. The researchers were able to send heart rate data to the central monitoring system indicating a steady heart rate of 80 bpm, when the patient monitor was no longer connected to the system. The researchers were able to do the same with other vital signs. This just involved a short loss in connection, which would likely go unnoticed.

For such an attack to be pulled off, the attacker would need access to the patient to disconnect the patient monitor and plug in the emulation device. The replay attack could allow normal heart rate data to be provided to the central monitoring station when the patient was actually flatlining.

The researchers were also able to devise an attack method that allowed vital signs data to be modified in real time. In this attack, access to the patient was not required. The attacker simply needed to be on the same network. The attacker posed as the central monitoring station, intercepted data from the targeted patient’s monitor, and then falsified the data and sent it to the real central monitoring station. This attack was possible due to a flaw in the Rwhat protocol that is used to send data over wired or Wi-Fi connections. Since data is sent over unencrypted User Datagram Protocol (UDP), data packets can easily spoofed and modified.

Conducting such an attack is not straightforward. Knowledge of the equipment and networking protocol is required, and the attack could only be performed on single or possibly small groups of patients. Some medical knowledge would be required, as the vital signs would need to be believable to a physician. The attack also only caused falsified data to be displayed on the monitoring station – The patient monitor continued to display the correct readings.

Such an attack may be unlikely but could be a threat for certain patients – Those testifying in trials or politicians for example.

If communications between patient monitors and central monitoring stations are encrypted and additional authentication checks are incorporated, such an attack would be much harder to pull off. It is also important for the equipment to be located on isolated networks with very strict access controls to reduce the potential for such an attack to occur.

The post Vulnerabilities in Patient Monitors Allow Vital Signs to be Altered in Real Time appeared first on HIPAA Journal.