TLP White: In this edition of Hacking Healthcare, we examine the Trump Executive Order targeting Huawei. We then break down some early industry reactions to that Executive Order. Finally, we dive into an unfortunate reprise of the ASUS update system hacks.
Authors Note: Congrats to everyone on the H-ISAC team for another highly successful Spring Summit. It was great to meet some of you there and to able to speak on Thursday to a great group. We look forward to seeing you next time. As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Trump vs. Huawei.
Last Wednesday, President Trump issued an Executive Order that appears tailored to target Chinese telecoms giant Huawei. In a move that the administration described as necessary to protect national security and critical infrastructure, the order would prevent transactions involving “communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries.”,  While no single country or company is named in the order, it is nearly impossible not to interpret it as the administration’s most pronounced push against Huawei yet.
The order is consistent with months of American anti-Huawei rhetoric about the security threat that Huawei would pose due to its relationship with the Chinese Communist Party. As we have noted previously, critics of the Chinese company have stressed that the Communist Party could force them to create backdoors or faulty equipment that could be made to fail in the event of conflict. Others have made the case that Huawei’s lax security measures and buggy products are not due to malicious political intent but are instead “serious and systematic defects in its software engineering and cyber security competence.”
2. Industry Reacts to Trump Executive Order.
Meanwhile, it took only a few days for President Trump’s Executive Order to have tangible effects. Google announced that as part of complying with the order, they would be restricting Huawei’s access to anything that “requires the transfer of hardware, software and technical services except those publicly available via open source licensing.” This decision to act quickly and decisively in response to the order foreshadows massive implications in terms of escalating the conflict with Huawei mobile devices in general.
Huawei sits at just under 20% of the mobile market and is currently the second largest producer of handsets in the world, and this week they were set to unveil a new flagship series of smartphones. While the new phones will be able to use the current Google Android OS through an open source license, the new Android OS slated to be released later in the year will be restricted. This could mean that apps like YouTube and Maps that have traditionally been packaged with the Huawei devices will be unavailable.
In the short term, the inability to access the newest versions of the Android operating system will be incredibly detrimental to Huawei and a boon to their competitors. The flipside is that if Huawei commits to either creating their own OS or sourcing one from a Google competitor, Google will have lost out on a sizeable chunk of the smartphone market. However, none of that may matter. Many chip experts are dubious that Huawei will be able to remain in operation without U.S. support, as chip makers Intel Corp., Qualcomm Inc., Xilinx Inc. and Broadcom Inc. have all committed to “not supply Huawei until further notice.”
3. ASUS Updates Attacked Again.
Months after acknowledging that their software update system was hacked to spread malware to their users, ASUS’s update system was again found to be spreading malware early last week. Researchers from ESET released a post last Tuesday detailing their assertion that the PLEAD malware attacks were being distributed through compromised routers and man-in-the-middle attacks. What makes the attack unusual is the manner in which the backdoor was created.
ESET researchers noticed that the backdoor was executed by a legitimate ASUS process and that the file was digitally signed by ASUS. The researchers at ESET took time to downplay that a supply chain attack was the likely cause, but they admitted that it could not be ruled out. Their preferred theory is a man-in-the-middle attack against D-link routers. ESET concluded their report warning that both types of attacks are likely to see a rise in usage over the next few years and that software developers should prioritize update mechanisms that are resistant to man-in-the-middle attacks.
Tuesday, May 21st:
Hearing: “Growing and Diversifying the Cyber Talent Pipeline” (House – Committee on Homeland Security)
Hearing: “To examine the digital advertising ecosystem and the impact of data privacy and competition policy” (Senate – Judiciary Committee)
Wednesday, May 22nd:
Hearing: “To examine aging and disability in the 21st century, focusing on how technology can help maintain health and quality of life.” (Senate – Aging Committee)
Thursday, May 23rd:
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
–HEALTH IT Summit (Mid-Atlantic) – Philadelphia, PA (6/3/19-6/4/19)
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
–H-ISAC Healthcare Cybersecurity Workshop- Buffalo, NY (6/18/2019-6/19/2019)
–Healthcare Cybersecurity Workshop – London, UK (7/10/19)
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
–HEALTH IT Summit (California) – Los Angeles, CA (9/19/19-9/20/19)
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
–HEALTH IT Summit (Southwest) – Houston, TX (11/14/19-11/15/19)
–Health IT Summit (Northwest) – Seattle, WA (11/19/19-11/20/19)
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-2/6/19)
–Microsoft patches critical vulnerability comparable to WannaCry
–Venture capitalists predict more aggressive security tools will reap big bucks
–After Meltdown and Spectre, meet a new set of Intel chip flaws
–These firms promise high-tech ransomware solutions—but typically just pay hackers
–HCA Healthcare says analytics system can detect sepsis quickly
–Feds Target $100M ‘GozNym’ Cybercrime Network
Contact us: follow @HealthISAC, and email at email@example.com