Anatomy of a Cyber Murder

Picture this scene; if you are a Major Crimes or Law & Order fan, or lucky enough to remember Columbo, it should be easy.

The year is 2017. Two detectives arrive at a house after an earlier emergency services call: the regular house cleaner has found a body lying in a small pool of blood, no sign of a struggle, and a mobile phone on the kitchen bench.

Detectives are trained to take a holistic view of the scene that confronts them and not to jump to conclusions. In the world of criminal forensic analysis there is a multitude of tools of the trade to assist the detective: fingerprint analysis, communications metadata, DNA analysis of the victim and any foreign material, real-time video capture cameras, and in 2017 no doubt all of this capability is deployed as on-site sensors, drones, terabytes of cloud information and smart apps available 24×7.

There are not too many causes of death; the primary challenge is to determine WHAT, HOW, WHY and WHO.

The Columbo-type detective has a minimum of 15 years' experience and learning, not just about the scene that confronts them but about how to use tools and methods and then how to interpret the results. Their most important ability is to think like a murderer.

Back to the scene. The injury which apparently killed the victim is a knock to the head from the edge of the kitchen bench. But how was this injury sustained? Further examination of the body shows that the victim has a “PumpIn” automated insulin pump attached. [Google informed me that the term “PumpIn” is available – use it if you would like to.]

Could a malfunction of this pump have caused the victim to pass out, or to die from an overdose? Could the overdose be intentional or accidental?

“An excess of insulin in the bloodstream causes cells in your body to absorb more sugar (glucose) from your blood. The liver also produces less glucose. These two things work together to create dangerously low glucose levels in your blood. This condition is also called hypoglycemia.” “More severe symptoms of hypoglycemia, sometimes referred to as diabetic shock or insulin shock, include: concentration problems, seizures, unconsciousness, death”

What do the detectives do now? What further evidence can be gleaned, and what tools do they use to test their hypotheses?

Another clue is the smart phone on the kitchen bench. One of the detectives activates the phone – luckily it has no passcode – and reviews the apps that are open (a forensic purist would first isolate the phone from all networks and image it, since every tap on a live device changes the evidence). The PumpIn app is not in the foreground, but a quick look in Settings shows it is “running”. Bluetooth is on, and a quick check shows the paired device “PumpIn – v2” as a known device.

Later that day, one of the detectives works through the operation of the app, careful to take screenshots of existing profiles and recent activity. At the same time an autopsy is performed by the forensic pathologist, who confirms that the level of insulin in the body was high enough to be harmful and quite possibly caused the victim to lose consciousness, hence the physical injury.

So now the detectives are certain about WHAT the cause of death was. Now to the HOW, WHY and WHO.

What tools do the detectives now need to work through these questions? Fortunately, in 2017, one of the attending detectives has been trained in IT and cyber security, and she comes to the fore. Could the app have malfunctioned and instructed the pump to “keep pumping”? Was the pump itself malfunctioning?

The forensic pathologist has removed the PumpIn, and the “IT Detective” now has the smart phone and the PumpIn in the lab. The other detective is establishing the background of the victim – who was he, where did he work, is it possible that someone wanted him dead – standard detective work. They now focus on using their respective skills to solve the death – or murder!

The PumpIn company has been asked to supply an identical insulin pump and the PumpIn device source code to the IT Detective, so that both the victim's pump and the supplied pump can be tested. Both perform exactly the same, delivering the correct dose based on the smart phone's calculations. A quick check of the smart phone app shows that it was updated to the latest version. Could the victim have accidentally mishandled the app? The PumpIn company says “no – it is impossible – it has been trialled extensively in the lab”.

So, is this a dead end, a dry creek, for the detective? Not yet.

The IT detective, with many years of software development behind her, a keen understanding of the development life cycle, management oversight of IT budgets and the deadlines to bring products to market (at this point, reader, suspend your disbelief that such a person could exist!), now moves to the most interesting aspect of the investigation. Having seen that the system of app and device works the way it should, could it be set up to work in a completely different or random way?

Being a well-resourced and competent IT forensics specialist in 2017, she uses software integrity test tools that allow her to think and act like a criminal mind. First, she sets up both the app and the device to be tested by a protocol fuzzing tool. Such a tool feeds a network-connected device or app thousands of subtly altered protocol messages and records where it fails – and fail they both do, spectacularly, with the PumpIn emptying its insulin supply. The app and device talk to each other over Bluetooth, and she is aware that vulnerabilities exist in that stack which allow unauthorised disclosure of information, unauthorised modification and disruption of service, and that the particular version of Android on the victim's phone is susceptible to them. The results do not surprise our expert, as she is aware of the generally very poor track record of application developers in regard to cyber security – even in 2017!
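To make the fuzzing step concrete, here is an added example (not code from the original article, and not anything from a real pump vendor) of a mutation fuzzer run against a toy command handler. The “PumpIn” packet framing, the 25.00-unit bolus limit and the handler itself are all constructed for the illustration. The handler carries a planted flaw of the kind protocol fuzzers find: an optional trailing byte that the specification never defined is multiplied into the delivered dose without any bound. The fuzzer mutates a legitimate packet, repairs the length field and checksum so the mutation gets past the framing checks, and records every packet that the handler accepts yet would over-deliver on.

```python
import random
import struct

# Hypothetical "PumpIn" Bluetooth command framing, constructed for this example:
#   [0x50 header][cmd][payload length][payload...][XOR checksum over everything before it]
# BOLUS payload: u16 big-endian dose in centi-units, optionally followed by a "repeat" byte.
HDR = 0x50
CMD_BOLUS = 0x01
MAX_BOLUS_CU = 2500  # assumed safety limit: 25.00 units per bolus


def checksum(body: bytes) -> int:
    x = 0
    for b in body:
        x ^= b
    return x


def build(cmd: int, payload: bytes) -> bytes:
    """Frame a well-formed packet the way the app would."""
    body = bytes([HDR, cmd, len(payload)]) + payload
    return body + bytes([checksum(body)])


def pump_handle(pkt: bytes, strict: bool = False) -> int:
    """Toy model of the pump firmware's command handler.

    Returns the number of centi-units the pump would deliver, or raises
    ValueError for a cleanly rejected packet.  With strict=False it carries a
    planted flaw: the optional trailing "repeat" byte is multiplied into the
    delivered dose but never bounded.  strict=True is the hardened version.
    """
    if len(pkt) < 4 or pkt[0] != HDR:
        raise ValueError("bad header")
    if checksum(pkt[:-1]) != pkt[-1]:
        raise ValueError("bad checksum")
    cmd, length, payload = pkt[1], pkt[2], pkt[3:-1]
    if length != len(payload):
        raise ValueError("bad length")
    if cmd != CMD_BOLUS:
        raise ValueError("unknown command")
    if length < 2:
        raise ValueError("short payload")
    if strict and length != 2:
        raise ValueError("unexpected trailing bytes")  # the fix: reject what the spec does not define
    dose = struct.unpack(">H", payload[:2])[0]
    if dose > MAX_BOLUS_CU:
        raise ValueError("dose above limit")
    repeat = payload[2] if length >= 3 else 1  # planted flaw: unbounded multiplier
    return dose * repeat


def mutate(pkt: bytes, rng: random.Random) -> bytes:
    """One random protocol mutation of a fresh copy of pkt: flip a bit, overwrite
    a byte, or insert one.  The length field and checksum are recomputed so the
    mutation reaches the command logic instead of dying at the framing checks."""
    body = bytearray(pkt[:-1])
    op = rng.randrange(3)
    if op == 0:
        i = rng.randrange(1, len(body))
        body[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        i = rng.randrange(1, len(body))
        body[i] = rng.randrange(256)
    else:
        i = rng.randrange(3, len(body) + 1)
        body.insert(i, rng.randrange(256))
    body[2] = len(body) - 3
    return bytes(body) + bytes([checksum(body)])


def fuzz(seed_pkt: bytes, iterations: int = 2000, seed: int = 1, strict: bool = False) -> list:
    """Run mutated variants of seed_pkt against the handler and collect every
    accepted packet that violates the safety property (delivered > limit),
    plus any unexpected exception, which a real harness would treat as a crash."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        pkt = mutate(seed_pkt, rng)
        try:
            delivered = pump_handle(pkt, strict=strict)
        except ValueError:
            continue  # clean reject: the protocol gate did its job
        except Exception as exc:
            findings.append(("crash", pkt.hex(), repr(exc)))
            continue
        if delivered > MAX_BOLUS_CU:
            findings.append(("overdose", pkt.hex(), delivered))
    return findings


if __name__ == "__main__":
    seed_pkt = build(CMD_BOLUS, struct.pack(">H", 500))  # a legitimate 5.00-unit bolus
    for kind, hexpkt, detail in fuzz(seed_pkt)[:5]:
        print(kind, hexpkt, detail)
    print("strict handler findings:", fuzz(seed_pkt, strict=True))
```

The point of recomputing the checksum after each mutation is that a dumb fuzzer would be rejected by the framing layer every time and never exercise the dose logic; a protocol-aware fuzzer fixes up the framing so the mutations land where the bugs live. Running the same corpus against the strict handler returns no findings, which is the regression check you keep after the fix.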

The next test she performs is on the device firmware: a binary code composition analysis. The PumpIn company did not wish to provide the source code of the PumpIn device, as requested, and a warrant for its release would take weeks to execute. The binary code – the executable, or firmware – is the next best thing. The firmware was downloaded from the PumpIn website and matched that of the PumpIn device. The analysis provides a listing of all the known open-source and licensed components, embedded URLs, the licensing structure and, most importantly, the status of the open-source components and a full listing of the CVEs that relate to them. CVE stands for Common Vulnerabilities and Exposures; the list is maintained by MITRE, and NIST's National Vulnerability Database (nvd.nist.gov) publishes it, with severity scoring, free of charge – and it gets fuller every day.

On analysing the PumpIn firmware, our detective discovers hundreds of vulnerabilities, with a glaringly obvious starting point: a 2012-era Linux kernel build (based, as the CVE below implies, on a 2.6 release older than 2.6.34) carrying known vulnerabilities dating from 2010 – and at least one of the CVEs stands out to her: CVE-2010-2521.

i.e. Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.

The common theme of the known vulnerabilities found in this device is that remote attackers can effectively take control of the software. She also knows that the longer the firmware stays at this level of operating code, the more vulnerable it becomes over time, as new CVEs against those same old components keep being published. A CVE listing is a list of candidates, not proof: CVE-2010-2521, for instance, lives in the kernel's NFS server, so it only matters if that code is actually built into the pump's kernel and reachable from outside, and each candidate has to be checked against what the device really runs before it counts as a way in. And this version is not even licensed correctly! She shakes her head, not in disbelief, just in exasperation.
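The composition analysis described above, and the version matching behind the CVE-2010-2521 hit, reduce to a few mechanical steps that are worth seeing in code. What follows is an added example, not code from the original article or from any real composition-analysis product: it pulls printable strings out of a firmware image the way `strings` does, recognises component banners, compares the versions found against a local vulnerability table using an ordering that understands `-rcN` tags, and records whether the image even carries strings from the affected subsystem as a crude reachability hint. The firmware blob is constructed for the example; the only table entry is the CVE quoted in the text, with its affected range taken from that description.

```python
import re

# Constructed stand-in for a firmware image: a few binary bytes with the kind of
# banner strings a real image carries.  The kernel banner and the nfsd message are
# the sort of thing `strings` would pull out of a genuine build.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"Linux version 2.6.32.9-pumpin (build@pumpin) (gcc version 4.4.3) #1 2012\x00"
    + b"\x8a\xff\x00" + b"BusyBox v1.18.4 (2012-03-02 10:11:12 UTC) multi-call binary\x00"
    + b"nfsd: last server has exited, flushing export cache\x00"
)

# Local excerpt of a vulnerability feed.  Only the CVE quoted in the text is
# included; its affected range ("before 2.6.34-rc6") comes from that description.
LOCAL_CVE_TABLE = [
    {"id": "CVE-2010-2521", "component": "linux", "fixed_in": "2.6.34-rc6", "subsystem": "nfsd"},
]

# Banner patterns for the components this example knows how to recognise.
BANNERS = {
    "linux": re.compile(r"Linux version (\d+(?:\.\d+)*(?:-rc\d+)?)"),
    "busybox": re.compile(r"BusyBox v(\d+(?:\.\d+)*)"),
}


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def version_key(v: str) -> tuple:
    """Sortable key where 2.6.33 < 2.6.34-rc5 < 2.6.34-rc6 < 2.6.34 < 2.6.34.1."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-rc(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    rc = m.group(2)
    return (nums, 0 if rc else 1, int(rc) if rc else 0)  # a release sorts after its rcs


def detect_components(strings: list) -> dict:
    """First banner match per component wins; returns {component: version}."""
    found = {}
    for s in strings:
        for name, rx in BANNERS.items():
            m = rx.search(s)
            if m and name not in found:
                found[name] = m.group(1)
    return found


def match_cves(components: dict, table: list) -> list:
    """A component is flagged when its detected version sorts before the fix version."""
    hits = []
    for entry in table:
        ver = components.get(entry["component"])
        if ver is not None and version_key(ver) < version_key(entry["fixed_in"]):
            hits.append({"id": entry["id"], "component": entry["component"], "version": ver,
                         "fixed_in": entry["fixed_in"], "subsystem": entry["subsystem"]})
    return hits


def reachability_hint(strings: list, subsystem: str) -> bool:
    """Crude heuristic: does the image carry any string from the affected subsystem?
    A match hints the code is present; it is not proof that it is reachable."""
    return any(subsystem in s for s in strings)


def analyse(blob: bytes, table: list = LOCAL_CVE_TABLE) -> dict:
    strings = extract_strings(blob)
    components = detect_components(strings)
    hits = match_cves(components, table)
    for h in hits:
        h["subsystem_present"] = reachability_hint(strings, h["subsystem"])
    no_entry = sorted(c for c in components if not any(e["component"] == c for e in table))
    return {"components": components, "cves": hits, "no_entry_in_table": no_entry}


if __name__ == "__main__":
    report = analyse(SAMPLE_FIRMWARE)
    print("components:", report["components"])
    for h in report["cves"]:
        print(f'{h["id"]}: {h["component"]} {h["version"]} < {h["fixed_in"]}; '
              f'{h["subsystem"]} strings present: {h["subsystem_present"]}')
    print("components with no entry in local table:", report["no_entry_in_table"])
```

Two details matter in practice. The version ordering has to treat `2.6.34-rc5` as vulnerable and `2.6.34-rc6` as fixed, which a plain string or tuple comparison gets wrong. And a component that has no entry in the local table is reported as such rather than as clean, because the absence of a match says nothing about the absence of bugs.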

To complete this line of investigation, our IT forensic detective visits the PumpIn registered-user website. In a couple of minutes she has easily navigated to a page that contains the names, addresses and individual device IDs of PumpIn users. Another shake of the head.

The two detectives come together to discuss the case – the facts:

– the victim died from an insulin overdose, from the blow to the head causing excessive bleeding, or from both

– the victim was a registered diabetic and a registered user of PumpIn – v2

– the tests of the PumpIn device showed that it performed according to specification, and the app history showed no signs of apparent misuse

– the software analysis showed that the device had over 400 known vulnerabilities that could be exploited to make it unstable and operate outside its specification, and the fuzzing tool proved that to be the case

– the victim was a wealthy bank manager overseeing a massive reduction in staff, recently paid an excessive $20M bonus even after being found to have corruptly manipulated profit and earnings figures. He was also a known philanderer and a distributor of child pornography and PCP.

It is pretty obvious as to the motive (WHY he was murdered), and beyond reasonable doubt as to the means (HOW he was murdered), but the question of WHO had the opportunity to be the cyber murderer may remain a cold case for many years.

.. more to come ..