Category Archives: Check Point


Forrester’s 2018 Cyber Security Threat Predictions

Category : Check Point

Bigger Cyber Threats and Higher Risk

Webinar: Thursday, December 14 at 8:30 AM PT | 11:30 AM ET | 5:30 PM CET

2018 is around the corner. Are you ready for the cyber security threats that come with it? The current threat forecast looks grim for consumers and businesses. Check Point is hosting a webinar with Forrester to bring you the Cyber Security Threat Predictions for 2018, hosted by Check Point Head of Threat Prevention Product Marketing, Tal Eisner, and featuring guest speaker Forrester Senior Analyst Josh Zelonis.

Watch this webinar to learn about:

  • The financial motivation of IoT attacks
  • Extortion becoming the new normal in cybercrime
  • Ransomware exposing lack of cybersecurity
  • Cybercriminals using ransomware to shut down point-of-sale (POS) systems
  • Cybercriminals sabotaging the US 2018 mid-term elections
  • How Check Point SandBlast prevents cyberattacks



Uber Takes Cloud Security For A Ride

Category : Check Point

Cloud security has had a rough ride of it recently, and this past week its driver was the $68bn global transportation company, Uber.

Earlier this week, it was revealed that the personal details of 57 million Uber riders and drivers had been stolen back in 2016. The company then made matters worse by not reporting the breach to data regulators, and instead paid the perpetrators $100,000 to delete the sensitive files and cover up the incident.

However, Uber’s failure to disclose the breach goes beyond non-adherence to best practice and journeys into the realm of the unethical. With such a large amount of sensitive data at stake, Uber was certainly obliged to report the breach immediately. It is no wonder then that it has made headlines and incensed both customers and legal authorities internationally.

This is not the first time Uber has driven into a security and PR storm, though. Back in 2015 a breach with a similar cause was disclosed a year after it was originally discovered. The cause then, and on this occasion, was elementary and easily avoidable.

How The Attack Happened

As well as using GitHub to store source code, Uber's programmers had uploaded security credentials to a GitHub repository: the access keys to Uber's servers hosted on Amazon. All it then took was for the hackers to find the keys and drive off with 'the car'. In this case, the 'car' was driving license details, along with many other personal records of Uber's international customers, including names, email addresses and phone numbers – none of which was encrypted, or protected by anything more than a username and password.

As discussed on this blog earlier this year, these breaches would be less common if companies took the shared responsibility model more seriously and adhered closer to cloud security best practices.

How The Breach Could Have Been Prevented

There are several ways Uber could have prevented this attack. Two-factor authentication, which GitHub now provides, would have added a layer that a stolen or guessed password alone could not get past. Keeping credentials out of the code base altogether, with SSH keys for repository access and secrets supplied at deploy time rather than committed alongside the code, would have removed the prize entirely, and scoping those AWS keys to the minimum permissions they needed would have limited what a leaked key could reach. In addition, access could have been restricted by applying a software-defined perimeter (SDP) approach to the data itself, using multiple identification factors to ring-fence the data the hackers were after and making a breach far less likely.
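The separation of credentials from code is something a repository can enforce before a commit ever leaves a developer's machine. The following is an added example, not Uber's or Check Point's code: a pre-commit style scan that flags AWS access key IDs by their fixed format, secret access keys that sit next to a secret-looking variable name, and any other long token whose character entropy is too high to be ordinary text. The two sample files and the entropy threshold are assumptions constructed for the example; the AKIA.../wJalr... values are the placeholders used in AWS's own documentation, not live keys.

```python
"""Pre-commit style scan for cloud credentials in source files (added example)."""
import math
import re
import sys
from collections import Counter

# Access key IDs: 4-char prefix (AKIA long-lived, ASIA temporary) + 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-like chars. Alone that pattern is noisy, so require
# an assignment to a variable whose name contains "secret" and "key".
AWS_SECRET = re.compile(
    r"(?i)secret[_-]?(access)?[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Fallback for other providers' tokens: long runs of base64url-ish characters.
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9/+_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits/char; assumption: random base64 scores ~5-6, prose ~4 or below


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list:
    """Return (line_number, kind, value) findings for the contents of one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        already = set()
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
            already.add(m.group(0))
        for m in AWS_SECRET.finditer(line):
            findings.append((lineno, "aws_secret_access_key", m.group(2)))
            already.add(m.group(2))
        for m in GENERIC_TOKEN.finditer(line):
            token = m.group(0)
            if token not in already and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_token", token))
    return findings


# Constructed sample: a config file committed with credentials in it.
SAMPLE_CONFIG = """\
# deploy/config.py; constructed sample, the AWS values are the placeholders from AWS's documentation
AWS_REGION = "us-east-1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SLACK_TOKEN = "0123456789abcdefghijklmnopqrstuvwxyz"  # constructed: 36 distinct chars, entropy log2(36)
BACKUP_BUCKET = "example-backups"
"""

# Constructed sample: the same config done right, secrets injected from the environment.
SAMPLE_CLEAN = """\
import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]  # injected at deploy time, never committed
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
"""


def main(paths) -> int:
    """Scan the given files; exit status 1 (block the commit) if anything was found."""
    found = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind, value in scan_text(fh.read()):
                print(f"{path}:{lineno}: {kind}: {value[:6]}...")  # never echo the full secret
                found += 1
    return 1 if found else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"sample:{lineno}: {kind}: {value[:6]}...")
```

Wired in as a git pre-commit hook (git diff --cached --name-only | xargs python scan.py), this refuses the commit rather than relying on someone noticing the key later; the entropy fallback is deliberately conservative, because a scanner that fires on every build hash gets disabled.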

Of course, cloud computing is the modern world of IT. It offers companies much greater agility and enables them to deliver applications at a fraction of the cost and time. However, the shared responsibility model must be adopted, by both the cloud provider and the organization using it, to ensure customer data is stored securely in the cloud. In this way, companies can avoid being the next one to be taken for a ride.

Check Point’s Cloud Security Solution

Check Point vSEC complements native cloud security controls to ensure customers can fulfill their shared security responsibilities. With Check Point vSEC, customers can secure their workloads and applications running in cloud environments, minimizing threats from breaches, data leakage and zero-day attacks. Check Point vSEC provides comprehensive threat prevention, access control, identity, strong authentication, compliance reporting and multi-cloud connectivity to help organizations embrace the cloud with confidence.


Author: Guy Rosenthal


The Danger Behind Santa’s Beard

Category : Check Point

Santa’s beard is usually white, the colour of purity and innocence. However, cyber-criminals targeting online shoppers enjoying the run up to the Black Friday and Christmas holidays this year could be trying to take advantage of that innocence.

Researchers at Check Point recently discovered that criminals have a new way to trick merry online shoppers via the massively popular AliExpress shopping portal. With more than 100 million customers and $23bn in revenue worldwide, AliExpress, part of the AliBaba Group, is one of the most popular places to shop online.

After discovering the vulnerability, Check Point Researchers immediately informed AliExpress who, due to their very serious approach to cybersecurity, took swift action and fixed it within two days of notification. This is highly commendable and sets an example to other online retailers.

How The Attack Works

The new vulnerability allows criminals to target AliExpress users by sending them a link to an AliExpress web page that ends up running attacker-supplied JavaScript. Upon opening the page, the code executes in the user's web browser in the context of the AliExpress site: an open redirect vulnerability on the site is what lets the attacker's code get there, sidestepping AliExpress's protection against cross-site scripting attacks.

Theoretically, cyber criminals could initiate this attack through an email phishing campaign, leveraging AliExpress’s regular customer journey with barely any indication to the user that anything unusual or untoward is happening. Hence, it is unlikely the user would smell anything ‘phishy’ at all.

The attackers could then present a pop-up coupon offer on the home screen – running under an AliExpress-owned subdomain – asking customers to provide credit card details to allow for a smoother and more efficient shopping experience. The attackers control this pop-up entirely, however, and any card details entered are sent directly to them rather than to the shopping site.
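An open redirect is the kind of bug that looks harmless until it is chained with something else, as above. The following added example is not AliExpress's or Check Point's code and says nothing about how their redirect was built; it shows the class of bug in general form, a redirect target taken verbatim from a parameter beside a validator that only accepts same-site paths or http(s) URLs on an allowed host. The allowed host list and the probe URLs are assumptions constructed for the example.

```python
"""Open-redirect validation, vulnerable form beside hardened form (added example)."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"aliexpress.com"}  # assumption: the site's own domain and its subdomains


def vulnerable_redirect_target(next_url: str) -> str:
    """The bug: whatever the 'next' parameter says becomes the destination.
    Server-side that is a Location header; client-side it is
    window.location = next_url, where a javascript: URL runs in the page's origin."""
    return next_url


def is_safe_redirect(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for same-site paths or absolute http(s) URLs on an allowed host."""
    if not next_url:
        return False
    # Browsers strip whitespace/control characters in ways parsers disagree on
    # ("java\tscript:"), so refuse them rather than try to normalise.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in next_url):
        return False
    # Browsers treat a backslash like a slash in http URLs ("/\evil" == "//evil").
    normalised = next_url.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme == "":
        # Relative target: must be a path, and not protocol-relative (//host/...).
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, mailto: ...
    if not parts.netloc or "@" in parts.netloc:
        return False  # "https:evil" (no authority) or user-info tricks like https://site@evil
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def hardened_redirect_target(next_url: str, fallback: str = "/") -> str:
    """Drop-in replacement for the vulnerable function: unsafe targets go to the fallback."""
    return next_url if is_safe_redirect(next_url) else fallback


# Constructed probes: (url, should_be_allowed)
CASES = [
    ("/account/orders", True),
    ("https://login.aliexpress.com/", True),
    ("HTTPS://LOGIN.ALIEXPRESS.COM/?x=1", True),
    ("//evil.example/", False),                      # protocol-relative
    ("/\\evil.example", False),                      # backslash variant of the above
    ("https://aliexpress.com.evil.example/", False), # suffix-matching trap
    ("https://aliexpress.com@evil.example/", False), # user-info trap
    ("https:evil.example", False),                   # missing authority
    ("javascript:alert(document.cookie)", False),    # the XSS vector
    ("java\tscript:alert(1)", False),
    ("https://evil.example/?go=aliexpress.com", False),
]


def all_cases_pass() -> bool:
    return all(is_safe_redirect(url) == expected for url, expected in CASES)


if __name__ == "__main__":
    for url, expected in CASES:
        print(f"{'ok ' if is_safe_redirect(url) == expected else 'BAD'} {url!r} -> {hardened_redirect_target(url)!r}")
```

Matching on a parsed hostname against an allow-list, rather than checking whether the string "contains" or "starts with" the site's domain, is what defeats the suffix, user-info and protocol-relative variants; rejecting every scheme other than http and https is what closes the javascript: route to XSS.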

With recent reports indicating that cyber-attacks on online retailers have doubled since 2016, shoppers should be aware that Santa’s beard may not always be as white as it seems, and remain vigilant while shopping online at any site this holiday season.

For more details on how this attack operates, please see our full research investigation.


Authors: Dikla Barda, Roman Zaikin and Oded Vanunu


Never Home Alone

Category : Check Point

Securing IoT devices from your home to everywhere


The Internet of Things is happening now. With Internet connectivity rapidly expanding, smart homes are allowing users to remotely control various home appliances from anywhere at any time. Because devices are more interconnected now than ever, it is critical for enterprises to start implementing security by design. Security cannot be an afterthought anymore; it must be in the forefront of every IoT product and service design.

Recently, the Check Point Research team proved just how vulnerable IoT devices in the home can be. Our team found vulnerabilities in the LG SmartThinQ platform that could let cyber criminals take control of home devices such as a connected refrigerator or robot vacuum and use the camera on the vacuum to see inside the user's home. However, cyberattacks on IoT devices are not limited to the home environment. IoT attacks can happen in all industries: healthcare, retail, industrial control systems/SCADA, automotive and others. Once hackers find their way into a corporate environment, that breach can become a beachhead for launching a wider attack on the enterprise's core IT systems.

Enterprises must build with security as a top priority. Incorporating even a simple security solution can help make a difference for any company.

Enterprises seeking to learn more about the latest advances in securing the Internet of Things can download this whitepaper to discover:

  • What are the challenges of IoT cyber security
  • The best way to bridge the IoT cyber security gap
  • What are the best security approaches that you should be thinking about


How Hackers Could Have Taken Control of LG’s IoT Home Appliances

Category : Check Point

The second season of award-winning TV thriller Mr. Robot premiered with a scene that sent shivers down the cybersecurity world’s spine. In uncomfortably realistic detail, hackers virtually broke into a smart home, turning the home-based IoT technology against its inhabitants. The TV and stereo started switching on and off randomly, the water temperature in the shower went from boiling to freezing with little warning, and the air conditioning brutally forced the characters to leave their homes by reaching arctic temperatures. The most unsettling part of the whole sequence isn’t that this type of cyberattack might happen.

It’s unsettling because it’s already happening.

Recently, Check Point discovered a vulnerability, dubbed HomeHack, in LG's smart home infrastructure that exposed it to critical user account takeover. Had attackers exploited this vulnerability, they would have been able to log into LG users' SmartThinQ® home appliance accounts and take remote control of the devices connected to those accounts.

The HomeHack vulnerability gave attackers the potential to spy on users' home activities via the Hom-Bot robot vacuum cleaner's video camera, which sends live video to the associated LG SmartThinQ app as part of its HomeGuard Security feature. Depending on the LG appliances in the owner's home, attackers could also switch dishwashers or washing machines on or off.

This vulnerability could have been widespread:  sales of the LG Hom-Bot robotic vacuum cleaner alone exceeded 400,000 in the first half of 2016.

We notified LG of this vulnerability on July 31, 2017. LG responded responsibly to stop possible exploitation of the issues in its SmartThinQ app and devices, releasing a new version that patched the vulnerability at the end of September.

To learn more about the latest advances in securing the Internet of Things, download the Enabling the IoT-connected world through cyber security white paper.

LG is a leading provider of industrial, enterprise and home appliance IoT devices. It launched the SmartThinQ® line of home appliances in 2011, allowing users to monitor and maintain their homes anytime and anywhere by controlling them remotely via an app. These smart devices include commonly used items such as dishwashers, refrigerators, microwaves, dryers, and robotic vacuum cleaners.

Dust of Privacy – Hacking the Hom-Bot

One of LG’s SmartThinQ appliances is the Hom-Bot vacuum cleaner. The company presents it as a hybrid between a vacuum cleaner and a watch guard, with HomeGuard security that can send out alerts when it detects movement. This function is designed to enable users to turn on the built-in video camera positioned on top of the Hom-Bot vacuum, which then provides a real-time video stream to the smartphone application.


However, this camera, in the case of account takeover, would allow the attacker to spy on the victim’s home, with no way of them knowing, with all the obvious negative consequences of invasion of privacy and personal security violation.

We discovered the HomeHack vulnerability residing in the login process of the user signing into their account on the LG SmartThinQ app.

First, the attacker needs to recompile the LG application on the client side in order to bypass its security protections. This allows the traffic between the app and the LG server to be intercepted. Then, the would-be attacker creates a fake LG account and starts the login process with it. By manipulating the login process and substituting the victim's email address for their own in the later steps of the flow, it was possible to get into the victim's account and take control of every LG SmartThinQ device owned by that user, including the Hom-Bot robot vacuum cleaner, refrigerators, ovens, dishwashers, washing machines and dryers, and air conditioning units.

This vulnerability highlights the potential for smart home devices to be exploited, either to spy on home owners and users and steal data, or to use those devices as a staging post for further attacks, such as spamming, denial of service (as we saw with the giant Mirai botnet in 2016) or spreading malware.

As more and more smart devices are being used in the home, hackers will start to shift their focus from targeting individual devices, to hacking the apps that control networks of devices. This will give criminals even more opportunities to exploit software flaws, cause disruption in users’ homes and access their sensitive data.

As such, users need to be aware of the security and privacy risks when using their IoT devices and it’s essential that IoT manufactures focus on protecting smart devices against attacks by implementing robust security during the design of software and devices – rather than adding security later as an afterthought.

Protecting against HomeHack

To protect their devices, users of the LG SmartThinQ mobile app and appliances should ensure they are updated to the latest software versions from LG. Check Point also advises consumers to take the following steps to secure their smart devices and home Wi-Fi networks against intrusion and the possibility of remote device takeover:

  1. Update the LG SmartThinQ app to the latest version (V1.9.23). You can update the app via the Google Play Store, Apple's App Store or the LG SmartThinQ app settings.
  2. Update your smart home physical devices to the latest firmware. You can do this by tapping the product in the SmartThinQ app's Dashboard (if an update is available you will get a pop-up alerting you).

HomeHack Technical Details:

In the process of exposing this vulnerability, we looked into LG's phone application and the backend platform. To be able to use debugging tools, we used a rooted device. Initially, we encountered a root detection feature, which causes the LG application to close immediately if it detects that the phone is rooted.

Our first step was to bypass this anti-root mechanism. Using the ADB (Android Debug Bridge) tool, we pulled the application from the device and decompiled it. Looking at the code, we found two functions responsible for the root detection:

As you can see, both functions call finish(), which triggers the onDestroy method and closes the application.

To bypass this mitigation, we simply removed the “finish” calls and recompiled the application.

After bypassing the root detection, we set up a proxy to intercept the application's traffic. At first, we ran into an SSL pinning mechanism, which prevented us from intercepting and investigating the traffic.

Then, we went back to the code to learn how LG implemented the SSL pinning mechanism:

We patched this function and recompiled the application again, this time also adding debugging capabilities to it. With these obstacles removed, we could intercept the traffic.

Our next step was to create an LG account and log into the application. By analyzing the login process, we found that it contains the following requests:

  1. Authentication request – verifies the user's credentials.
  2. Signature request – creates a signature based on the username from the authentication request.
  3. Token request – uses the signature response as a header and the username as a parameter to obtain an access token for the user account.
  4. Login request – sends the access token in order to log in to the application.

We found that there is no binding between step 1 and steps 2-3: the server never checks that the username in the signature and token requests is the one that was just authenticated. This means the attacker could use their own username to pass step 1, and then change the username to the victim's in steps 2 and 3. Step 4 would then complete the login process into the victim's account.

By exploiting the HomeHack vulnerability, as described above, the attacker could take over the victim’s account and control his smart LG devices.

How it all started:

When we first started our investigation, we looked into the Hom-Bot itself and searched for vulnerabilities in the device. We disassembled the Hom-Bot to find the UART (Universal Asynchronous Receiver/Transmitter) connection.

This gave us access to the filesystem. The UART connection can be found on top of the camera, near the label reading console. By connecting to the UART, we were able to manipulate U-Boot and gain access to the filesystem.

While debugging the main process, we looked for the code responsible for Hom-Bot’s communication with the SmartThinQ mobile application.

This is when we had the idea to investigate the SmartThinQ application, which led to the discovery of the HomeHack vulnerability and turned the Hom-Bot into a Hom-Spy.


Authors: Roman Zaikin, Dikla Barda and Oded Vanunu


Account Hijacks Affect Everybody, Even ‘Top Dogs’

Category : Check Point

Being "cool and smart" was the name of the game when we were at school, and it seems nothing really changes as we get older. With the 'cool factor' among IT professionals translating into the adoption of modern IT technology, it's not surprising to see why today's businesses are being pushed ever faster towards the cloud.

But of course there are other good reasons why 70% of companies (Gartner 2016) are already moving their IT infrastructure closer to the stars with cloud services. Whether it be data storage and servers or the increasing use of SaaS products, cloud computing allows businesses much greater agility and enables them to deliver applications at a fraction of the cost and time.

This is the modern world of IT. As budgets continue to be squeezed, the ‘Try Before You Buy’ model that cloud services offer, along with the option to stop a subscription, is often irresistible to economical companies. Integration is also usually instant and requires next to zero down time, if any at all.

However, like the school days, being cool also meant your ‘Top Dog’ status was vulnerable to competitors or enemies. So too is it the case with the use of cloud computing. As a result, it is crucial that those who adopt the latest tools are aware of their weaknesses.

The main security challenges of cloud services are:

They Are Externally Exposed – Cloud services can typically be accessed from any location and any device; all that is required is an internet connection. While easy access can be an advantage for agile companies, the result is that services which run in the cloud are also more exposed to breach attempts than on-premise services that remain behind the perimeter.

They Only Come With Default Security – Typically cloud services are provided with some basic security in place, security that still allows unrestricted open internet file sharing and the propagation of malware through file sharing.

As a result of these security challenges, there are three main attack vectors that cloud services open up for organizations. The first is 'Account Hijacks': gaining unauthorized access to an individual's or organization's email or computer account for malicious purposes. According to a recent Check Point survey, Account Hijacks were the biggest concern among customers and partners. The second is 'Malware Delivery' and propagation, especially through in-app file sharing services such as Box or OneDrive, in order to commit a variety of cyber-crimes. And finally 'Data Leaks', which so easily occur, either intentionally or unintentionally, due to the seamlessness of sharing information when using cloud services.

Indeed, due to these security challenges of the cloud, the Check Point Incident Response team is seeing cloud services, both SaaS and IaaS, security breaches becoming increasingly common. A recent case saw customers of a North American financial services company transfer funds to a bogus foreign bank account set up by cyber-criminals. Through a phishing attack, the criminals had managed to compromise a company employee’s Office 365 account and send emails to customers posing as an official accounting representative in order to carry out the theft. Several millions of dollars were transferred before the breach was discovered.

But you don’t have to be working in an Incident Response team to notice this problem. On an almost daily basis the news headlines tell a similar story. Last month, Deloitte, one of the world’s largest accountancy firms, was the victim of a cyber-attack that went unnoticed for months and had affected six of their clients. It is strongly believed that the hackers breached an administrator account of Deloitte’s email system, which was stored in the Azure cloud.

Attacks have also reached national government levels. Earlier this year, 90 email accounts of members of the UK Parliament, including the Prime Minister’s, were hacked. The response by the UK government’s digital team was to shut down access to email for all those affected in order to avoid any potential blackmail attempts the hackers could have carried out.

As seen from the above examples though, whether they are financial, informational or reputational, the overall effect on victims of these types of attacks is huge. And what they all have in common is their direct connection with the vulnerabilities of the cloud.

Often the solutions to these security challenges currently available are not good enough. They are cumbersome, create larger cost overheads for IT departments and are usually incomplete and inefficient. Evidence of this, as we have seen, is the high, and increasing, number of breaches occurring worldwide and at every level, even including enterprises that invest heavily in security services and products.

The good news though is that Account Hijacks can be prevented. So just as you were able to be the coolest kid at the school prom, you can also still be the coolest and most modern IT hero in your organization.


Author: Yoav Shay-Daniely


Bad Rabbit Ransomware Attack Blocked by Check Point SandBlast Anti-Ransomware

Category : Check Point

A new ransomware attack called Bad Rabbit has struck organizations in Eastern Europe, and is now spreading to Turkey and Germany. Russian media outlets were among the first to report the ransomware, along with transportation systems in Ukraine.

The malware is spread by a fake Flash update installer. Like the WannaCry and Petya attacks, the Bad Rabbit ransomware attack could have been prevented. Ransomware and other malware are not the new normal. Don't let preventable attacks such as Bad Rabbit compromise your organization, community, or infrastructure. Watch this video to understand what ransomware is, and why being the target of a cyber attack is an unnecessary emergency. Then read the whitepaper, "The Next Cyber Attack Can Be Prevented," to learn five actionable strategies to avoid becoming tomorrow's ransomware victim.



KRACK Attack, How Secure is Your Wi-fi Connection?

Category : Check Point

Mathy Vanhoef, a security researcher at KU Leuven in Belgium, has revealed a flaw in the cryptographic handshake of WPA2, the Wi-Fi security protocol. The discovery is alarming because WPA2, the most common and secure Wi-Fi access protocol since 2004, is trusted by all for keeping Wi-Fi connections safe.

The attack, known as KRACK (Key Reinstallation Attack), lets an attacker decrypt a user's data without cracking or knowing the Wi-Fi network's password. It abuses the WPA2 four-way handshake: by replaying a handshake message, the attacker tricks the client into reinstalling a key that is already in use, which resets the packet counter (nonce) the encryption depends on, so subsequent frames are encrypted under a reused keystream and can be decrypted. Because the password is never involved, merely changing it will not prevent or mitigate the attack. A limitation of KRACK is that the attacker must be within radio range of the targeted Wi-Fi network, since the handshake messages have to be intercepted and replayed over the air.
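Why a reinstalled key is enough to decrypt traffic, without the attacker ever learning the key, comes down to keystream reuse. The following is an added example, not Vanhoef's or Check Point's code: WPA2-CCMP encrypts each frame with a counter-mode keystream derived from the session key and a nonce that contains a per-frame packet number, and reinstalling the key resets that number, so two frames end up XORed with the same keystream. Below, an HMAC-SHA256 counter-mode generator stands in for AES (the reuse property is identical), the nonce is reduced to the packet number (the real CCMP nonce also carries the priority and sender address, which do not change between frames), and the two frames are constructed for the example.

```python
"""Nonce reuse after key reinstallation: recovering a frame with a known plaintext (added example)."""
import hashlib
import hmac
import os

KNOWN_FRAME = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"   # content the attacker can guess
SECRET_FRAME = b"Cookie: session=SECRET-TOKEN-VALUE; path=/\r\n"        # what the attacker wants


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = PRF(key, nonce || i). AES-CTR plays this role in CCMP."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def encrypt_frame(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    # CCMP's packet number is 48 bits; it is the only part of the nonce that changes per frame.
    return xor(plaintext, keystream(key, packet_number.to_bytes(6, "big"), len(plaintext)))


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """If both frames used the same keystream: ks = ct_known ^ pt_known, pt_target = ct_target ^ ks.
    Only the part of the target that overlaps the known frame can be recovered this way."""
    return xor(ct_target, xor(ct_known, pt_known))


def demo(reinstall_key: bool) -> bytes:
    """Encrypt two frames from the client; return what an eavesdropper recovers of the second.
    reinstall_key=True models KRACK: the packet number restarts after the reinstallation."""
    session_key = os.urandom(16)   # the attacker never learns this
    first_pn = 1
    ct_known = encrypt_frame(session_key, first_pn, KNOWN_FRAME)
    second_pn = first_pn if reinstall_key else first_pn + 1
    ct_secret = encrypt_frame(session_key, second_pn, SECRET_FRAME)
    return recover_with_known_plaintext(ct_known, KNOWN_FRAME, ct_secret)


if __name__ == "__main__":
    print("after reinstallation:", demo(reinstall_key=True))
    print("normal operation:    ", demo(reinstall_key=False))
```

The patched behaviour on the client side is simply to refuse to install a key that is already installed (so the packet counter is never reset), which is why the fix is a software update and not a new password; and because the recovery above only yields the Wi-Fi layer's plaintext, anything carried inside TLS stays protected, which is the point made in the next paragraph.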

It should be noted, though, that WPA2 encrypts only the wireless link between a user's device and the access point it is joined to. Most secured apps and websites additionally use end-to-end encryption such as HTTPS (TLS), which is designed to work over untrusted channels, unencrypted Wi-Fi included. As a result, reaching that traffic would require an additional SSL man-in-the-middle (SSL MITM) attack, which a client that validates certificates properly will refuse.

Fortunately, SSL MITM attacks are already detected and blocked by Check Point's SandBlast Mobile on both iOS and Android devices, which immediately alerts the user and blocks access to corporate assets. SandBlast Mobile also helps verify that mobile devices on your network are running the latest OS versions and security patches. You may request a demo of SandBlast Mobile here.

In addition, Check Point’s Capsule Cloud provides a worldwide service that secures remote PCs and laptops in any location against SSL MITM attacks, allowing users to connect to the internet securely in any Wi-Fi environment. Depending on an organization’s requirements, the same level of security can also be acquired through Check Point’s VPN.

In response to these recent WPA2 vulnerabilities, as illustrated by Vanhoef’s KRACK attack, we advise all mobile users to ensure they have installed a mobile security solution such as SandBlast Mobile and accept any software updates that their mobile provider issues.

Check Point Wireless products are not vulnerable:



September’s Most Wanted Malware, Locky Shoots Back Up Global Rankings

Category : Check Point

Check Point’s latest Global Threat Index has revealed a massive increase in worldwide Locky attacks during September, with the ransomware impacting 11.5% of organizations globally over the course of the month.

Locky has not appeared in our Global Threat Impact Index, which reports on the top ten most prevalent malware attacks globally every month, since November 2016. However, attacks in September were powered by the hefty Necurs botnet, which in itself was ranked at number ten in the table. These attacks shot Locky up 25 places overall, to sit just behind the Roughted malvertising campaign in pole position.

Locky’s distribution began in February 2016, and it rapidly became one of the world’s most prominent malware families. It spreads primarily via spam emails containing a downloader disguised as a Word or Zip attachment, which contains malicious macros. When users activate these macros – usually via a social engineering instruction – the attachment downloads and installs the malware that encrypts the user files. A message directs the user to download the Tor browser and visit a webpage demanding a bitcoin payment. In June 2016, the Necurs botnet released an updated version of Locky, containing new detection avoidance techniques.

This latest resurgence of the Locky ransomware family shows that businesses must remain vigilant to all forms of malware – both brand-new and well-established variants. Sophisticated cybercriminals will continually seek ways of tweaking existing tools to make them potent again, while powerful botnets can give old variants a new lease of life, enabling them to rapidly target users around the globe. To put the Locky statistics into context, more than one in ten organizations around the world were affected by this single ransomware family – a familiar variant that has been known to cybersecurity professionals for over 18 months.

Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ Roughted – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  2. ↑ Locky – Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user's files.
  3. ↓ Globeimposter– Ransomware disguised as a variant of the Globe ransomware. It was discovered in May 2017, and is distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.
  4. ↑ Conficker– Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  5. ↓ Fireball– Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  6. ↔ Pushdo– Trojan used to infect a system and then download the Cutwail spam module and can also be used to install additional third party malware.
  7. ↔ Zeus– Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  8. ↑ Rig ek – Exploit Kit first introduced in 2014. Rig delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
  9. ↓ Ramnit– Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  10. ↑ Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.

HackerDefender, a user-mode Rootkit for Windows which was the third most prevalent malware in August, dropped out of the top ten altogether. The most popular malware used to attack organizations’ mobile estates changed from August, with Triada moving up from third place, followed by Hiddad and Gooligan:

Top 3 ‘Most Wanted’ mobile malware:

  1. Triada – Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  3. Lotoor– Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.

If any organizations were still in doubt about the seriousness of the ransomware threat, these statistics should make them think twice. Ransomware has taken up two of the top three spots – one a relatively new variant that just emerged this year, and the other an older family that has just had a massive reboot. All it takes is for a single employee to be taken in by a social engineering trick, and organizations can be placed in a hugely compromising position. This is why a multi-layered cybersecurity strategy is so important, one that protects against both established malware families and brand new, zero-day threats. Cybersecurity tools need to look for suspicious behaviors or general characteristics, like embedded macros in documents, not just familiar malware signatures – precisely what tools like our SandBlast™ Zero-Day Protection and Mobile Threat Prevention are designed to do.
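One concrete form of the characteristic-based check recommended above, for the attachment types the Locky description mentions (macro-carrying Word documents and Zip archives holding a downloader), is the following added example. It is not Check Point's code and not a signature for Locky: it opens an attachment as the ZIP container that both .docx/.docm files and .zip archives are, and reports an embedded VBA project, a macro-enabled content type, or a script file inside an archive. The three attachments are constructed in memory for the example.

```python
"""Generic attachment check: VBA projects, macro-enabled content types, scripts in archives (added example)."""
import io
import zipfile

SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".scr", ".exe")
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)


def inspect_attachment(data: bytes) -> dict:
    """Describe what a ZIP-based attachment contains; non-ZIP input yields all-empty fields."""
    report = {"is_zip": False, "vba_parts": [], "macro_enabled": False, "scripts": []}
    if not data.startswith(b"PK\x03\x04"):
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    report["is_zip"] = True
    names = zf.namelist()
    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):      # compiled VBA lives in this OOXML part
            report["vba_parts"].append(name)
        if lower.endswith(SCRIPT_EXTENSIONS):      # e.g. the .js downloaders sent as "invoices"
            report["scripts"].append(name)
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        report["macro_enabled"] = any(ct in content_types for ct in MACRO_CONTENT_TYPES)
    return report


def is_suspicious(data: bytes) -> bool:
    r = inspect_attachment(data)
    return bool(r["vba_parts"] or r["macro_enabled"] or r["scripts"])


def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (minimal OOXML skeletons, not real documents).
CLEAN_DOCX = _make_zip({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = _make_zip({
    "[Content_Types].xml": '<Types><Override PartName="/word/vbaProject.bin" '
                           'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 stand-in for a compiled VBA project",
})
SCRIPT_ZIP = _make_zip({
    "invoice_2017-09-21.js": "/* stand-in for a JScript downloader */ var s = new ActiveXObject('WScript.Shell');",
})


if __name__ == "__main__":
    for label, blob in (("clean docx", CLEAN_DOCX), ("macro docm", MACRO_DOCM), ("script zip", SCRIPT_ZIP)):
        print(f"{label}: suspicious={is_suspicious(blob)} {inspect_attachment(blob)}")
```

Two caveats a mail gateway would need: legacy binary .doc files are OLE2 containers rather than ZIP, so they need an OLE parser (olevba from the oletools project covers them), and a macro-enabled document is a characteristic, not proof of malice; the usual policy is to detonate or strip such attachments rather than block on this check alone.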

Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Check Point’s Threat Prevention Resources are available at:


First, Do No Harm. Securing Healthcare IoT Devices

Category : Check Point

“When a hacker takes control of all networked medical devices at a hospital in Dallas and threatens to kill one patient every hour if his demands are not met, the Cyber team must find the source and figure out how they accessed an airtight security system.” That’s the plot summary of an episode of crime drama CSI: Cyber, which was broadcast in late 2015.

The episode proved to be prescient by predicting two attack trends that have emerged over the past 18 months. The first is the targeting of hospitals by cybercriminals: in 2016, at least 14 hospitals were attacked with ransomware. A Los Angeles hospital reportedly paid $17,000 to regain access to medical records showing treatment history, results of X-rays, CT scans, and other medical tests. Earlier this year, the UK National Health Service was severely impacted by the WannaCry ransomware attack, resulting in operations being cancelled and hospital wards closing. Hospitals run some of the most mission-critical IT in the world, which makes them a prime target for malicious hackers looking to make costly demands.

The second trend was the hacker exploiting vulnerabilities in smart devices in the hospital to enable the attack. The CSI: Cyber team discovered that the hacker originally got access to the hospital’s network through a smart TV (Check Point’s researchers discovered a very similar vulnerability shortly after the show originally aired), enabling him to remotely control the connected medical devices.

Lifesaving innovation, limited security

The risks of attacks like this cannot be easily dismissed. The healthcare sector has embraced the Internet of Things (IoT) enthusiastically, with one estimate valuing the global IoT healthcare industry at over $100 billion by 2020.

On the one hand, it’s easy to see why. Smart devices have huge lifesaving potential: they collect and analyze health data that was previously inaccessible, and they enable healthcare practitioners to rapidly and remotely deliver personalized advice and treatment. The combination of big data and machine learning within the IoT will mean more innovations in healthcare than ever before.

On the other hand, this proliferation of connected technology has worrying implications for the integrity of sensitive patient data and the smooth running of healthcare organizations. Healthcare IoT devices need to be able to protect the data they collect, transmit, and store from malicious interception. That means that if they have not been designed and manufactured with robust security ‘baked in’ from the ground up, they are vulnerable.

Unfortunately, this is often the case, because medical devices approved by a Food & Drug Administration may need to be re-certified for use after an update. That adds considerable expense and delay to the update cycle, even when vulnerabilities are present, and hence many devices stay vulnerable for years after the relevant security patches have been issued and deployed in other environments.

Assessing the risks

So just how vulnerable are health IoT devices to attack? To assess this, it’s important to distinguish between the different types of device available, and their intended uses.

There are wearable medical devices, both external equipment such as insulin pumps, and implanted devices like pacemakers. It’s easy to see how a lethal intervention could be done remotely by controlling the device – this could be done directly and deliberately, or simply threatened as part of an extortion attempt.

Then there are stationary devices within hospitals, such as intelligent pharmacy dispensers or chemotherapy stations. Once again, the possibilities for cybercriminals to interfere with patient care – to potentially life-threatening levels – by hacking into the device are worrying. The same data pathways that allow doctors to make adjustments to how the devices perform can also be used maliciously, if the hacker is able to gain access. As mentioned earlier, it is possible to gain access to the networks used by medical devices by infecting another device – such as a smart TV or tablet PC – and moving laterally within the hospital’s networks… unless those networks are carefully segmented.

Diagnosis and remedy

All this might seem to paint a grim picture. But there are many ways in which the designers and manufacturers of healthcare IoT devices, as well as the organizations and individuals that deploy them, can mitigate these risks.

First, ‘privacy by design’ – which, incidentally, is also necessary for any organization subject to the upcoming EU GDPR – should be integral to the design of all healthcare IoT devices. Similarly, a Secure Software Development Lifecycle (S-SDLC), which incorporates threat modelling, should be adopted by all manufacturers as a matter of course.

And second, when healthcare organizations begin building an IoT ecosystem, they must ensure that they have an appropriate mobile and endpoint security system in place. An integrated approach, which ensures that all devices are protected with a single security architecture, is the best strategy. Such a solution needs to cover device discovery and network segmentation, and to provide protection against multiple advanced attack vectors through threat prevention controls. All of these aspects should be centrally orchestrated from a single platform that provides coherent policies across the various network segments.
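Two passages above make the same point: an attacker who compromises a low-trust device such as a smart TV can move laterally to medical-device networks unless those networks are carefully segmented, and segmentation policy should be checked centrally. As an added illustration (not Check Point code, and not any product's policy format), the following Python script models zone-to-zone allow rules and answers the question a defender wants answered before deploying a policy: can any low-trust zone reach a protected zone by chaining allowed rules? Zone names, services and the three policies are constructed assumptions for the example.

```python
"""Reachability check for a zone-based segmentation policy.

Added illustration, not code from the original post. Zones and rules below
are constructed for the example; the analysis (transitive closure over allow
rules) is the general technique and applies to any zone-to-zone rule base.
"""
from collections import deque

# Constructed zone names (assumptions for this example).
ZONES = {"guest_wifi", "smart_tv", "staff_workstations", "emr_servers",
         "medical_devices", "mgmt"}

# A rule is (source zone, destination zone, service). "any" means all services.
# Policy A: flat network, every zone may talk to every other zone.
FLAT_POLICY = [(src, dst, "any") for src in ZONES for dst in ZONES if src != dst]

# Policy B: segmented. Only the flows clinicians and administrators need.
SEGMENTED_POLICY = [
    ("staff_workstations", "emr_servers", "https"),
    ("medical_devices", "emr_servers", "hl7"),     # devices push results to EMR
    ("mgmt", "medical_devices", "device_mgmt"),    # adjustments only from mgmt
    ("mgmt", "emr_servers", "ssh"),
    ("guest_wifi", "internet", "https"),
    ("smart_tv", "internet", "https"),
]

# Policy C: the segmented policy plus one convenience rule that reopens a path.
WEAKENED_POLICY = SEGMENTED_POLICY + [("smart_tv", "staff_workstations", "smb")]


def reachable_zones(policy, start):
    """Zones reachable from `start` by chaining allow rules, any service.

    If A may reach B and B may reach C, an intruder who controls A and then B
    can reach C, so lateral movement is modelled as a breadth-first walk over
    the allow rules.
    """
    adjacency = {}
    for src, dst, _svc in policy:
        adjacency.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def paths_to(policy, start, target, max_hops=6):
    """Every simple rule chain from `start` ending at `target`, for reporting.

    Each path is a list of (src, dst, service) hops, so a reviewer can see
    exactly which rules to tighten.
    """
    adjacency = {}
    for src, dst, svc in policy:
        adjacency.setdefault(src, []).append((dst, svc))
    results = []
    stack = [(start, [start], [])]
    while stack:
        zone, path, svcs = stack.pop()
        if zone == target:
            results.append(list(zip(path, path[1:], svcs)))
            continue
        if len(path) > max_hops:
            continue
        for nxt, svc in adjacency.get(zone, []):
            if nxt not in path:          # simple paths only, no cycles
                stack.append((nxt, path + [nxt], svcs + [svc]))
    return results


def check_isolation(policy, low_trust, protected):
    """Return the protected zones reachable from any low-trust zone.

    An empty set means the policy isolates the protected zones from the
    low-trust ones, directly or through intermediate zones.
    """
    exposed = set()
    for zone in low_trust:
        exposed |= reachable_zones(policy, zone) & set(protected)
    return exposed


if __name__ == "__main__":
    low, prot = ["smart_tv", "guest_wifi"], ["medical_devices", "emr_servers"]
    for name, pol in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY),
                      ("weakened", WEAKENED_POLICY)):
        print(f"{name:10s} exposed: {sorted(check_isolation(pol, low, prot))}")
    for path in paths_to(WEAKENED_POLICY, "smart_tv", "emr_servers"):
        print("  via", " -> ".join(f"{s}:{svc}" for s, _d, svc in path), "->", path[-1][1])
```

The weakened policy shows why the check has to be transitive: the added rule never mentions the EMR servers, yet it hands the smart-TV segment a hop through staff workstations that already have HTTPS access to them. Running a check like this against a candidate rule base, with every low-trust segment as a start and every clinical segment as a target, is the kind of central policy review the post calls for.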

The Internet of Things can be a lifesaving shift in how the healthcare sector delivers patient care, but it can also be an open invitation to malicious cybercriminals who wish to extort payment, steal data, and cause actual harm. Designers, manufacturers, practitioners, and patients need to work together to keep this new landscape in good health.