Saturday, June 27, 2020

FDA Confirms Robotron Health Hack

Today the Federal Drug Administration confirmed reports that a death from insulin overdose earlier this week in New York City was the result of a hack of the Robotron IPumpe worn by the patient. FDA spokesperson Clark Stanley told reporters that the unnamed patient had been using the insulin pump for over a year with no problems and that the pump log showed an unauthorized change in pump rate just before the patient went into insulin shock. The patient was declared dead upon arrival at Emanuel Unity Hospital.

 

“We are working with ECS-CERT and the Federal Bureau of Inquiry in our investigation of this incident,” Stanley told reporters.

 

“The attacker was able to gain access to the pump programming via the Ripple20 vulnerabilities reported earlier this month,” Immanuel C. Securitage, spokesman for the ECS-CERT, told reporters; “The access to the device was via the Bluetooth service that is designed for use by physicians to program the device.”

 

Last week Robotron published a security advisory for the Ripple20 vulnerabilities in their Healthcare product line. The advisory identified the IPumpe as an affected product, but stated that “there is no risk to the patient because the device is not connected to the Internet.” Robotron has not replied to requests for comment.

 

Johnathan Quest, the FBI spokesperson, confirmed that: “The Bureau has identified a person of interest in this case and is continuing its investigation.”

 

CAUTIONARY NOTE: This is a future news story –


Sunday, June 21, 2020

Dragonfire Demonstrates Ripple20 at Cyber Augusta

Yesterday a team of researchers from Dragonfire Cyber provided a live demonstration of the Ripple20 vulnerabilities at the Cyber Augusta cybersecurity conference in Augusta, GA. Using a mini tank whose drive was controlled by the Robotron MotorSteuerung software, the team demonstrated how the known TCP/IP vulnerabilities could be used to take control of the movements of the vehicle.

 

Kate Libby, a Dragonfire spokesperson, told reporters that this demonstration was originally supposed to be done by company founder Dade Murphy, but due to his current incarceration in Singapore pending possible extradition to China, Dade was not able to make the meeting. “Dade spent two years here in Augusta at Army Cyber Command, so he was very committed to supporting Cyber Augusta,” she told reporters; “The team knew that we had to make this presentation for him.”

 

The mini tank used in the demonstration had US Army Cyber Command markings. There was widespread cheering when it rolled out on stage.

 

A member of the Dragonfire team who was not authorized to speak to reporters told me that the demonstration was particularly interesting because on Friday Robotron published an advisory stating that none of their products were affected by the Ripple20 vulnerabilities.

 

Robotron provided the following statement but refused to answer any questions about the demonstration.

 

“We published the Ripple20 advisory based upon the fact that we had not used the affected TCP/IP stack in any of our products. If the Dragonfire demonstration is an accurate portrayal of an attack on our MotorSteuerung software, then we have to conclude that the vulnerable TCP/IP stack is part of a third-party component of the software. We are in the process of working with the appropriate vendors to try to get to the bottom of the issue.”

 

Immanuel C. Securitage from ECS-CERT said: “Third-party software vulnerabilities are an ongoing problem in the cybersecurity arena. Vendors need to understand the vulnerabilities in the software libraries and components that they use and ensure that they are adequately mitigated when used in their products.” He refused to comment on yesterday’s Dragonfire demonstration.

 

CAUTIONARY NOTE: This is a future news story –


Thursday, June 18, 2020

North Korean Casino Attack

The attack on the Wirths Clinic COVID-19 testing operation that led to at least 300 COVID-19 cases related to the Bump and Grind Casino may have been carried out by a North Korean cyber group, according to Dragonfire Cyber. “We have indicators, including copies of instructions on how to reprogram the Robotron BCLesegerät barcode reader, that the attack was coordinated by the PRK’s UGG advanced persistent threat group,” Dragonfire Cyber spokesperson Kate Libby told reporters.

 

The UGG APT group (UGG stands for Uilyo Gong-Gyeog, or medical cyber-attack) reportedly specializes in attacks on medical devices and medical records. They have been responsible for a number of medical ransomware attacks.

 

ECS-CERT has confirmed that it has seen the evidence collected by the Dragonfire organization but would not comment on the attribution. “We have not seen conclusive evidence that would support that contention,” Immanuel C. Securitage told reporters; “Nor do we think that, at this point in the investigation, there is any need to spend energy and investigative resources identifying a possible cyber villain.”

 

Johnathan Quest, spokesman for the Federal Bureau of Inquiry, told reporters that while the Bureau is looking at that cyber evidence, they were currently concentrating on tracking down the delivery driver that transported the samples from the Casino to the Wirths lab in Ventnor City, NJ. “That individual has disappeared and we want to talk to him about the possibility that sample labels were changed en route to the lab,” Quest told reporters.

 

Charles Willoughby, a former State Department expert on North Korea, was asked why the government of the Peoples Republic of Korea would want to sabotage COVID-19 testing in the United States. Willoughby told me that, “The PRK will support any low-cost operation in the United States that will sow disorganization, distrust or disunity. They know that they cannot compete directly with the United States so they seek to indirectly weaken the authority and resolve of the federal government.”

 

At today’s news conference, Libby was asked how Dade Murphy was doing and if she had any information about how the case against him was proceeding in Singapore. “Dade’s spirits are high and he is being treated well,” she told reporters; “His attorneys continue to express confidence that the courts there will not send him to stand trial in China on these trumped-up charges.”

 

CAUTIONARY NOTE: This is a future news story –


Monday, June 15, 2020

Barcode Hack Cause of Casino COVID-19 Outbreak

The ECS-CERT today announced that it had discovered how cyber attackers had managed to change test results at the Wirths Clinic that allowed at least 13 employees of the Bump and Grind Casino in Atlantic City, NJ to return to work last month while infected with COVID-19. “The hackers were able to reprogram the Robotron PrAnalysator because of access that they gained through the barcode reader that read patient information on the sample vials being tested at the clinic,” Immanuel C. Securitage told reporters.

 

Erich Mielke, spokesman for Robotron, said that their BCLesegerät barcode reader had a feature that allowed the use of barcodes to program the communications that the device had with various Robotron clinical devices. “In a clinic laboratory environment, it is easier to use the barcode on a sample vial to provide instructions for the processing of that sample rather than requiring a technician to input the instructions at the keyboard; it increases lab throughput,” Mielke explained.

 

The Clinic uses the Robotron BCLesegerät barcode reader to read and enter patient testing data into the clinic database and to provide tracking data to the PrAnalysator, according to the Clinic spokesperson, Aribert Heim. “We were not aware of the feature of the reader that allowed barcodes to be used in programming the reader,” Heim told reporters.

 

Jerry Catena, a spokesman for the Casino told reporters that all testing supplies had been provided by the Clinic. “Wirths Clinic provided the supplies and a doctor to supervise the sample collection activities,” Catena explained; “Our first aid teams, all certified EMTs, did the actual sampling. We have no idea how this could have happened.”

 

“We have confirmed that the labels on the sample tubes were changed on about half of the samples collected at the Casino,” Clark Stanley from the Federal Drug Administration told reporters. Half of those changed labels would have caused a report of no virus and no COVID-19 antibodies; the remainder would have resulted in a report of no virus and positive for antibodies.

 

The Federal Bureau of Inquiry is still investigating the incident, according to Johnathan Quest. “We have determined that the substitute labels were not printed on a Robotron label printer,” Quest told reporters; “We are continuing to look at the forensics to try to determine where they were printed.”

 

A total of 250 COVID-19 cases have now been traced back to the Casino’s initial opening weekend.

 

CAUTIONARY NOTE: This is a future news story –


Friday, June 12, 2020

Casino COVID Outbreak Due to Testing Hack

The Federal Drug Administration (FDA) confirmed today that a recent surge in COVID-19 cases in the middle Atlantic states was the result of testing errors at a medical laboratory providing clearance for casino employees to return to work at a facility in Atlantic City, NJ. “The investigation is on-going,” Clark Stanley told reporters; “But it appears that the automated testing for SARS-CoV-2 antibodies at the Wirths Clinic in Ventnor City, NJ was compromised by a cyber-attack.”

Stanley went on to explain: “We now know that thirteen of the employees that were reported to have antibodies to the virus did not have the antibodies but did have active COVID-19 infections. Six of those employees were working on the Casino floor during the weekend opening two weeks ago. They are the expected source of at least 200 COVID-19 infections, perhaps more.”

Johnathan Quest, a spokesman for the Federal Bureau of Inquiry, confirms that it is working with the FDA on the investigation of this apparent cyber-crime. “Investigators from our Cyber Crimes Division are working with both the FDA and the ECS-CERT on this case,” Quest told reporters; “None of the 200 COVID-19 patients currently related to this incident have died, so we are investigating this as a cyber fraud and criminal assault case. That could change if any deaths result.”

ECS-CERT is looking at known vulnerabilities in the Robotron PrAnalysator that was being used by the Clinic.



Sunday, June 7, 2020

US Security Researcher Arrested in Singapore

The State Department confirmed today that it had been notified by the government of Singapore that Dade Murphy, CTO of Dragonfire Cyber, had been arrested at the request of the Chinese government for cyber fraud. An extradition hearing is scheduled for later this week for his transfer to Beijing for trial on those charges. Murphy was in Singapore to meet with local customers when he was arrested at his hotel.

Nelson T. Johnson, a Department spokesperson, told reporters that an Embassy representative has spoken with Murphy and there have been no complaints about mistreatment or violations of human rights. “Murphy has engaged a local defense team to represent him in these proceedings and the Legal Attaché will be present at the hearing to represent the interests of the United States and ensure that Murphy gets a fair hearing,” Johnson told reporters.

A statement released by the Chinese embassy in San Francisco states that Murphy is being charged under Chinese computer fraud statutes that are very similar to 18 USC 1030, the United States computer fraud statute. Prosecutors in Guangzhou, China provided evidence to the local People’s Tribunal related to a cyber intrusion conducted by Dade Murphy and people under his control into a computer server located at a local company in that city. According to the resulting indictment, Murphy, or people under his supervision, stole data from that server, modified data for financial gain and publicly exposed personally identifiable information obtained from that server. If convicted on all of the charges, Murphy could face 20 years in a Chinese prison.

A spokesman for Dragonfire Cyber told reporters that the company has been in touch with Dade and he is in high spirits and expects this issue to be resolved shortly. The spokesman said: “The company is not prepared at this time to discuss the charges for which Murphy was arrested.”

A person at Dragonfire not authorized to talk to reporters told me that the charges are apparently related to the release of a recent report published by the Company about recent attacks by the NoReturn group operating out of China. The report provided detailed information about the server which was being used by the NoReturn group in their attacks on American companies seeking to return manufacturing operations to the United States. Computers attached to that server were used both for command and control purposes as well as the source for a variety of phishing emails used to initiate their attacks.

CAUTIONARY NOTE: This is a future news story –