(In)Security of Medical Devices by Florian Grunow - CODE BLUE 2015
Transcript of (In)Security of Medical Devices by Florian Grunow - CODE BLUE 2015
www.ernw.de
(In)Security of Medical Devices: Security in the Most Critical Infrastructure
Code Blue
- In medicine:
  - Sometimes used as an indicator for a critical event
  - Usually means a patient with cardio-respiratory arrest
  - The patient requires resuscitation
10/16/2015 #2
Florian Grunow - @0x79
- ERNW GmbH in Heidelberg, Germany
- Senior Security Analyst
- Team Lead: Penetration Testing
- Research: Medical Devices
Blog: Conference:
Agenda
- Motivation
- Publications
- The Problem
- Targets
- Findings so far
- Questions
Disclaimer: All products, company names, brand names, trademarks and logos are the property of their respective owners!
Motivation: Make the world a safer place …
Motivation
- Importance
  - We trust these devices
  - Doctors trust these devices
- Technology
  - Rocket science: e.g. MRI
  - Proprietary protocols
  - Every device is different
Publications so far: What has been done …
http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/
The Problem: Anamnesis …
Siemens Sirecust BS1
In the old days …
Nihon Kohden Neurofax EEG
In the old days …
They Discovered
The Change
- Optimization of processes: good or bad?
- New communication options available: lowering costs
- Especially on Intensive Care Units (ICUs)
- Interoperability
  - E-Health records
  - PACS
  - Personal E-Health
Are we Ready?
- What about IT in hospitals?
  - Resources / know-how
  - Different types of networks: doctors, patients, devices, guests, research
  - “Semi-new” technologies on the rise -> no experience
  - Remote maintenance (non-optional?)
Are we Ready?
- What about home monitoring?
  - Devices for personal health
  - Transmitting wirelessly / upload to the provider
  - Need to be integrated without hassle
  - What could possibly go wrong? Think pre-calculated encryption keys in home routers
  - Must not be expensive
  - Privacy?
The Scale
Home Monitoring
Privacy?
- HTTP!
Privacy?
- HTTP!
- WiFi PSK! omfgstfu
Are they Ready?
- What about the vendors? Same mistakes again?
  - Learning curve: WiFi, car keys
  - Exploiting like in the old days?
  - “We are not really using this port, the board came with it!”
  - “We are fine, we have two network interfaces (trusted/untrusted)!”
What is Important for Compliance?
- Focus is on safety, not security
  - Especially important in Germany: we do not even have separate words for the two …
  - Safety mostly works, but still has bugs like: “Device showing asystole alarm when patient is fine”
  - Does security?
    - “We only need to make sure that there are proper authorization mechanisms …”
    - “A hacker will always find a way …”
    - “510(k) assumes there is no hostile environment, doctor will not harm patient, patient will not harm himself or doctor”
- Certification: focus on safety, too
Problem Summary
- Little resources on the customer’s side
- Little experience with incidents on the vendor/hospital side
- Safety vs. security
This could kill you!
Targets: What are we looking at?
Targets
- Medical devices with communication enabled: communication is in places you would never suspect
- “Severity rating”:
  - Low: monitoring
  - Medium: diagnostic systems
  - High: feedback to the patient
Monitoring
Diagnostic
Feedback
Targets
- Hard to get hands on devices
- Vendors have little interest? Lack of experience?
- Expensive
- Collaborations: what about liability?
Hard to test!
Targets: What we looked at so far …
Target Example: EEG
- Measures “brain waves”
- Used in small/medium-sized medical offices
- Grey box and software on a host
- Communication via LAN: can be deployed in different rooms
- Grey box <- UDP -> Host
- No auth, no encryption, no security
- Full remote control of the box
Off-Topic for a Second …
- OpenEEG project
- Build your own EEG
- Do crazy biofeedback stuff
- Brain-to-computer interface
DIY: EEG
OpenEEG Project
Disclaimer: There will be no details yet on how the exploits work, as this might pose a threat to the life or the physical condition of patients!
Target: Patient Monitor 1
- Widely used in hospitals: ICU, during operation
- Monitors critical vital signs: SpO2, blood pressure, ECG, temperature, respiration, more …
Target: Patient Monitor 1
- Unreasonable configuration: heart rate alarm boundaries
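The slide only names the finding: a heart rate alarm whose boundaries are set so wide (or inverted) that the alarm can never fire. The following is an added example, not code from the talk or from any device vendor, showing the defensive counterpart: a plausibility check that a monitor (or the code path that accepts a new configuration over the network) can run before applying alarm limits. The bpm thresholds, the dataclass and the function names are assumptions chosen for the illustration; the "unreasonable" configurations are constructed.

```python
from dataclasses import dataclass

# Constructed plausibility bounds for an adult heart-rate alarm (illustrative
# values, not taken from any vendor's device). A limit outside this window, or a
# pair of limits closer than HR_MIN_GAP bpm, cannot be a sensible configuration.
HR_ABSOLUTE_MIN = 20   # bpm
HR_ABSOLUTE_MAX = 250  # bpm
HR_MIN_GAP = 10        # bpm


@dataclass(frozen=True)
class HeartRateAlarm:
    """Lower/upper heart-rate limits in bpm; the alarm fires outside [low, high]."""
    low: int
    high: int
    enabled: bool = True


def validate_heart_rate_alarm(cfg: HeartRateAlarm) -> list[str]:
    """Return the list of problems with a proposed configuration (empty == acceptable)."""
    problems: list[str] = []
    if not cfg.enabled:
        problems.append("heart-rate alarm is disabled")
    for name, value in (("low", cfg.low), ("high", cfg.high)):
        if not HR_ABSOLUTE_MIN <= value <= HR_ABSOLUTE_MAX:
            problems.append(
                f"{name} limit {value} bpm outside {HR_ABSOLUTE_MIN}..{HR_ABSOLUTE_MAX}"
            )
    # Catches both swapped limits (high < low) and a window too narrow to be real.
    if cfg.high - cfg.low < HR_MIN_GAP:
        problems.append(
            f"limits inverted or closer than {HR_MIN_GAP} bpm ({cfg.low}..{cfg.high})"
        )
    return problems


def would_alarm(cfg: HeartRateAlarm, bpm: int) -> bool:
    """True if a reading of `bpm` raises an alarm under `cfg`."""
    if not cfg.enabled:
        return False
    return bpm < cfg.low or bpm > cfg.high


def apply_alarm_update(
    current: HeartRateAlarm, proposed: HeartRateAlarm
) -> tuple[HeartRateAlarm, list[str]]:
    """Accept `proposed` only if it passes the plausibility checks; otherwise keep `current`.

    The caller should log the returned problems instead of silently applying the update,
    so that an implausible configuration arriving from the network becomes visible.
    """
    problems = validate_heart_rate_alarm(proposed)
    if problems:
        return current, problems
    return proposed, []


if __name__ == "__main__":
    sane = HeartRateAlarm(low=50, high=120)
    # Constructed "unreasonable" configurations of the kind the slide refers to.
    wide_open = HeartRateAlarm(low=0, high=300)  # no reading between 0 and 300 bpm alarms
    inverted = HeartRateAlarm(low=120, high=50)  # limits swapped
    for cfg in (sane, wide_open, inverted):
        print(cfg, validate_heart_rate_alarm(cfg) or "ok",
              "| asystole (0 bpm) alarms:", would_alarm(cfg, 0))
```

The point the `would_alarm` check makes explicit: with the wide-open limits, a reading of 0 bpm (asystole) produces no alarm at all, which is why such a configuration should be rejected at the point where it is applied rather than trusted because it "parsed".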
Target: MRI
- Really cool!
Target: MRI
- Consists of:
  - Host system: Windows-based PC
  - Image processing system: retrieves the raw data and constructs images
  - Control system: controls the hardware of the MRI (basically patient table, coils, etc.)
Target: MRI
- Host system
Target: MRI
- Host system
- Open ports: 114
Target: MRI
- Host system
- After portscan
Target: MRI
- Guest WiFi
Target: Syringe Pump
- Demo: Infusion Override
Target: Anesthesia Device
- Demo: Denial of Service during Operation
Target: Patient Monitor 2
- 2 central elements
  - ARM for peripherals and probably signal processing
    - Controls the pump for blood pressure
    - Maybe FFT
  - ARM for user interaction
    - RX / TX to the peripheral board
    - ARM926EJ-S @ 400MHz
    - 64MB RAM
Target: Patient Monitor 2
- Signal processing / frontend
Target: Patient Monitor 2
- Demo: Pwning vital signs
Targets
- There is more to come! Collaborations with hospitals
- Information gathering reveals promising results:
  - Radiology equipment: MRIs, X-rays
  - Hospital infrastructure: physical access control systems
  - Anesthesia devices
Final Words …
- We need to test these devices!
- A responsible disclosure process is critical!
- Get your hands dirty!
- There will be more publications from ERNW! Stay tuned!
Questions? Twitter: @0x79
Thank you! Please consult your doctor or pharmacist for risks and side effects of this presentation …