At one point early on in the beloved C. S. Lewis children’s novel, The Lion, the Witch and the Wardrobe, Mr. Tumnus sets the scene, intimating the stakes involved and explaining his own timidity, saying, “The Witch is ever so watchful. Even the trees have eyes...!”
As a reader, this was the part that drew me in — making the story and the world within which it takes place that much more immersive and real. It seemed to strike a chord — first with the idea that what you perceive as mere backdrop can actually be interactive and significant in ways you don't realize, and then with the idea that even the most modest, unassuming objects can, unbeknownst to you, play a deciding role in a much larger ongoing struggle.
I thought about this a lot as we went through the responsible disclosure process for CVE 2019-10962. Discovered by CyberMDX Head of Research, Elad Luz, the vulnerability affects BD’s (Becton, Dickinson and Company) AlarisTM Gateway Workstations. These workstations — essentially mobile device mounting poles — look about as innocent and low-tech as possible and are used to simultaneously dock multiple infusion pumps. When docked, the pumped are also supplied with electricity and network connectivity. In many ways, equipment such as the AlarisTM Gateway Workstation are the hospital cybersecurity equivalent of Lewis' trees. And they too have eyes!
Image credit: BD
Exploiting the disclosed vulnerability, an attacker can execute a counterfeit firmware upgrade without any predicate authentication or permissions. Malicious files can then be transferred via the update and copied straight to the internal memory — overriding existing files. An attack of this sort can allow an attacker to disable the workstation, disrupt the flow of electricity to care-critical infusion pumps, falsify pump status information (vital for the nursing staff), and in some cases even alter drug delivery. In other words, if compromised, these simple mounting poles can potentially do real harm to patients.
It’s a haunting thought — the idea that what you’re most unmindful of, what blends most into the background, what you think to be entirely outside the field of play, and what you believe to be most inanimate might actually pose your biggest threat. But it’s nothing new. The same concept was known to the Ancient Greeks and, according to lore, used to defeat Troy. It’s still used in warfare today, with the best spies coming more in the mold of your accountant rather than the fictionalized James Bond.
It’s the same in cyber warfare: that which you wouldn’t think to examine is often that most worthy of your examination. Of course, relying on that logic alone isn’t particularly actionable and it may get you stuck in a strange loop. Which is why it makes sense to seek expert guidance; someone who knows the terrain well and is smart to its pitfalls — conspicuous and inconspicuous alike.
After all, without help from Mr. Tumnus and others more intimately familiar with the White Witch's tricks and traps, Lucy and her siblings would never have been able to end the perpetual winter and save Narnia.
Without a strong base of field-specific knowledge and some level of insight into the attacker mentality, you'll never be able to properly defend yourself. A spirit of vigilance is a good start, but it won't be enough. Your vigilance needs to be matched with equal measures of expertise and active investigation. Without that, you’ll never know where to look or what to do; and you may waste your time interrogating rock formations as the trees betray you!