I recently came across this comment written in a journal article.

Lastly, medical apparatus are expected to use Dynamic Host Configuration Protocol (DHCP) for the allocation of their IP addresses and even worst [sic] use non-standard ports for their communication creating an unstable environment of information that is hard to address

Can someone explain why DHCP and non-standard ports are considered so risky?

Marcus Müller
daikin

  • Context: [Exposure Assessment on Medical Devices in the Netherlands - Christodoulos Tziampazis](https://essay.utwente.nl/78845/1/Tziampazis_BA_EEMCS.pdf) – Sjoerd Dec 30 '19 at 18:01
  • DHCP is fine, good switches have the ability to only allow the DHCP server to send out DHCP responses to devices. – user Dec 30 '19 at 18:10

2 Answers

Can someone explain why DHCP and non-standard ports are considered so risky?

I don't think that this was claimed. I think instead that the quote was taken too much out of context, which led to a misinterpretation. The relevant context for this quote was

Two major factors made the filtering process challenging....

Thus, this paragraph does not talk at all about the security of DHCP or non-standard ports as assumed in the question. Instead it argues that these mechanisms made it harder to collect and filter the information necessary to evaluate the security of the systems: If a device is using typical ports it is easier to use a system like Shodan to find exposed devices than if the device uses atypical and thus unknown ports for the communication. And if it is harder to detect problems it also means that there might be in reality more problems than were detected.

Steffen Ullrich

  • So, is an organisation safer using non-standard ports? – daikin Dec 30 '19 at 20:05
  • @daikin: *"So, is an organisation safer using non-standard ports?"* - this is actually a follow-up question and should better not be asked as a comment but as a new question. But in short: using obscure ports can improve the security by a tiny bit as part of a defense in depth strategy. But it should never be used as a replacement for security, i.e. one must not count on the attacker not detecting the open port since it is unusual. If you want more details on this please ask a new question. – Steffen Ullrich Dec 30 '19 at 21:23
  • Great. Thanks for your concise answer Steffen. – daikin Dec 30 '19 at 21:47
Why DHCP is risky

DHCP by itself is not necessarily risky BUT under some cases it could be a potential hazard (not just for medical devices, but in general). For example: if an attacker connects a rogue device to the network and immediately gets assigned a lease from the DHCP server, the attacker will get:

  • A valid IP enabling communications within the environment
  • Understanding of the internal IP ranges, gateway, internal DNS, WINS etc.
  • In older environments, the attacker may find public SMB shares and other open services

This is the reason that in the past large organizations have attempted to implement 802.1x to authenticate and authorize any device connecting to the network, and grant DHCP lease solely to authorized devices (needless to say most organizations were not successful in that implementation due to the never ending whitelisting battle and management overhead)

Specifically for medical devices (or other ICT use cases), most of them run very old and vulnerable operating systems (I've seen X-ray machines running Windows 95), and in that case giving an attacker an IP and the method to communicate with those devices would be hazardous.

Using non-standard ports

That actually might be a good idea in most use cases. Attackers attempt to reduce their network footprint, and conducting a full network sweep is very noisy. By reducing the scanned ports to those most likely to give value to the attacker (SMB, DNS, HTTP, MSSQL etc.) they may miss non-standard ports. Having said that, this solution has not been considered much more secure over time and causes a bigger hassle to manage, configure and debug.

NaorP
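One defender-side way to act on the answer's point about granting leases only to authorized devices, as an added example that is not from the answer or the original page: a small Python check that parses constructed ISC dhcpd syslog lines and flags DHCPACKs handed to MAC addresses missing from a hypothetical device inventory, so a rogue device that "immediately gets assigned a lease" at least produces an alert.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in ISC dhcpd syslog format (not taken from the page).
SAMPLE_LOG = """\
Dec 30 18:01:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.41 to 00:1b:63:aa:bb:01 (ct-scanner-2) via eth0
Dec 30 18:01:09 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.42 to 00:1b:63:aa:bb:02 (xray-room4) via eth0
Dec 30 18:03:44 dhcp1 dhcpd[812]: DHCPDISCOVER from 3c:52:82:de:ad:01 via eth0
Dec 30 18:03:45 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.77 to 3c:52:82:de:ad:01 (unknown-laptop) via eth0
Dec 30 18:05:10 dhcp1 dhcpd[812]: DHCPACK on 10.20.5.43 to 00:1b:63:aa:bb:03 via eth0
"""

# Hypothetical asset inventory (constructed): MAC address -> device name.
INVENTORY = {
    "00:1b:63:aa:bb:01": "CT scanner 2",
    "00:1b:63:aa:bb:02": "X-ray room 4",
}

# Matches a DHCPACK line; the "(hostname)" part is optional because some
# clients send no host name at all.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    iface: str


def parse_acks(log_text):
    """Return one Lease per DHCPACK line; DISCOVER/OFFER/REQUEST lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def unauthorized_leases(log_text, inventory):
    """Leases granted to MACs absent from the inventory: candidate rogue devices."""
    return [lease for lease in parse_acks(log_text) if lease.mac not in inventory]


if __name__ == "__main__":
    for lease in unauthorized_leases(SAMPLE_LOG, INVENTORY):
        print(f"ALERT: unknown device {lease.mac} ({lease.hostname or 'no hostname'}) "
              f"received {lease.ip} on {lease.iface}")
```

Because a MAC address is trivially changed, this is an alerting aid for the inventory problem the answer describes, not a substitute for port-level controls such as 802.1X or the switch-side DHCP response filtering mentioned in the comments.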