Protecting software secrets in medical systems

Sarah Maenner

Jun 13, 2024

Health information is among the types of data most targeted by attackers. Because it is private and personal, it sells for high prices among malicious actors. Software that stores or processes this information therefore needs robust cybersecurity to keep these secrets, well, secret.

Unfortunately, that is often not the case, a research team affiliated with Carnegie Mellon University's Upanzi Network found. The team includes Upanzi Network researchers Theoneste Byagutangaza and Junias Bonou and CMU-Africa student Emmanuel Hirwa. They investigated 36 Digital Square global goods used in the health sector, including open-source apps, software development kits, desktop apps, and web apps, and found that 83 percent of them contained passwords, private keys, authentication tokens, and other secrets at risk of exposure.

The research group's goal is to get software developers to practice better cybersecurity, which can be achieved by making products secure by design. Security by design is an approach in which software is built, from the start of the design process, to withstand attacks; advocating for it is a key part of the Upanzi Network's mission to contribute to the open-source community.

A report on best practices for security by design, published by a collective of major cybersecurity agencies, explicitly recommends eliminating default passwords, which "continue to be implicated as the cause of many attacks every year." The team has run a number of related projects, including a recent one in which it partnered with the mobile security provider Approov to study the presence of secrets in financial apps.

Bonou explained secrets with a metaphor: imagine every smartphone shipped with the same default passcode, such as 1234. Few users would change it, so an attacker trying to get into a phone would be likely to succeed. "The problem in this case is that the default key is known and is a fixed value," he explains. "And the first thing anybody else wants to do when they find the phone is to try the passcode. If it's the default password, they get access." The principle is the same for software built from open-source code, since the repositories containing the code are public: if users don't change the defaults, they risk exposing access to the software's data.

The project with Approov helped the team develop the methodology used in this study, including how to identify secrets. They divided the secrets into three categories: high severity for secrets that are directly dangerous if exposed, such as passwords; medium severity for sensitive data that could compromise confidentiality; and low severity for findings that merit attention but pose no immediate security risk. In the end, the team classified 87.1 percent of the secrets as high severity.
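To make the two ideas above concrete, the default-credential problem in Bonou's metaphor and the three-tier severity classification, here is a small secret scanner written for this article. It is an added illustration, not the Upanzi Network team's tooling, and its rules, severity assignments, and the sample "repository" it scans are all invented for the example. It flags committed private keys, connection strings with embedded passwords, hard-coded credentials, and credentials set to well-known defaults as high severity; an internal endpoint disclosed without credentials as medium; and placeholders or "TODO: move the credentials" comments as low. Secret values are redacted in the output so the scanner's own report does not become another leak.

```python
import re
from dataclasses import dataclass

# Constructed sample "repository": file paths mapped to their lines. Every value
# here is invented for this example and belongs to no real project.
SAMPLE_FILES = {
    "config/settings.py": [
        'DB_PASSWORD = "Sup3rS3cret!"',
        'DATABASE_URL = "postgres://app:Sup3rS3cret!@db.internal:5432/patients"',
        'MONGO_URL = "mongodb://db.internal:27017/patients"',
        'API_KEY = "<your-api-key-here>"',
    ],
    "deploy/id_rsa": [
        "-----BEGIN RSA PRIVATE KEY-----",
        "MIIEowIBAAKCAQEAx...",
        "-----END RSA PRIVATE KEY-----",
    ],
    "src/auth.js": [
        'const adminPassword = "1234";',
        'const sessionSecret = "kX9vQ2pL7mN4rT8wZ1yB6cD3fG5hJ0sA";',
        "// TODO: move the SMTP credentials out of this file",
        'console.log("starting");',
    ],
}

# Well-known defaults (illustrative list, not exhaustive).
DEFAULT_PASSWORDS = {"1234", "123456", "password", "admin", "changeme", "root", "secret"}

# An identifier that usually holds a credential, assigned a quoted literal.
ASSIGNMENT = re.compile(
    r"\b(?P<name>[A-Za-z0-9_]*(?:password|passwd|pwd|secret|token|api_?key)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]*)['\"]",
    re.IGNORECASE,
)
PLACEHOLDER = re.compile(r"^(?:<[^>]*>|\$\{[^}]*\}|x{4,}|\*{4,})$", re.IGNORECASE)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
CONNECTION_STRING = re.compile(
    r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://"
    r"(?:(?P<user>[^:@\s/'\"]+)(?::(?P<password>[^@\s'\"]+))?@)?(?P<host>[^\s/:'\"]+)",
    re.IGNORECASE,
)
TODO_CREDENTIALS = re.compile(r"\bTODO\b.*\b(?:credential|password|secret|key)", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    line_no: int
    severity: str  # "high", "medium" or "low", mirroring the article's three tiers
    rule: str
    detail: str


def redact(value: str) -> str:
    """Keep only the first and last two characters so reports do not re-leak the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def classify_line(path: str, line_no: int, line: str):
    """Return a Finding for the first rule that matches the line, or None."""
    if PRIVATE_KEY.search(line):
        return Finding(path, line_no, "high", "private_key", "private key material committed to the repository")
    m = CONNECTION_STRING.search(line)
    if m:
        if m.group("password"):
            return Finding(path, line_no, "high", "connection_string_with_password",
                           f"credentials for {m.group('host')} embedded in URL (password {redact(m.group('password'))})")
        return Finding(path, line_no, "medium", "internal_connection_string",
                       f"internal endpoint {m.group('host')} disclosed")
    m = ASSIGNMENT.search(line)
    if m:
        name, value = m.group("name"), m.group("value")
        if not value or PLACEHOLDER.match(value):
            return Finding(path, line_no, "low", "placeholder_credential",
                           f"{name} holds a placeholder; confirm it is set at deploy time")
        if value.lower() in DEFAULT_PASSWORDS:
            return Finding(path, line_no, "high", "default_credential",
                           f"{name} is set to the well-known default {value!r}")
        return Finding(path, line_no, "high", "hardcoded_credential", f"{name} = {redact(value)}")
    if TODO_CREDENTIALS.search(line):
        return Finding(path, line_no, "low", "credential_todo", line.strip())
    return None


def scan_files(files: dict) -> list:
    findings = []
    for path, lines in files.items():
        for line_no, line in enumerate(lines, start=1):
            finding = classify_line(path, line_no, line)
            if finding:
                findings.append(finding)
    return findings


def summarize(findings: list):
    """Count findings per tier and return the share that is high severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    total = len(findings)
    return counts, (counts["high"] / total if total else 0.0)


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity.upper():6} {f.path}:{f.line_no} [{f.rule}] {f.detail}")
    counts, share = summarize(results)
    print(f"{counts}  high-severity share: {share:.1%}")
```

Running it over the constructed sample reports eight findings, five of them high severity. A real scanner would also look at git history, since a secret removed in a later commit is still present in the repository, and would treat any flagged value as compromised and rotate it rather than merely deleting it from the file.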

The team was surprised at how many secrets were available for them to find. Byagutangaza says, "Before, I thought that because open-source projects are being worked on by many people, the security patterns really were taken care of. But when it comes to security, the developers don't pay much attention."

They plan on sharing the results of this project with key stakeholders in the health sector, and they intend to conduct more studies to discover exposed secrets in other sectors. They have just started a new project assessing the security of government-owned e-services in Africa.