www.ernw.de

(In)Security of Medical Devices Security in the Most Critical Infrastructure

www.ernw.de

Code Blue ¬ In Medicine:

Sometimes used as indicator for critical event

Usually means patient with cardio-respiratory arrest

Patient requires resuscitation

10/16/2015 #2

www.ernw.de

Florian Grunow - @0x79

¬ ERNW GmbH in Heidelberg, Germany

¬ Senior Security Analyst

¬ Team Lead: Penetration Testing

¬ Research: Medical Devices

10/16/2015 #3

Blog: Conference:

www.ernw.de

Agenda ¬ Motivation

¬ Publications

¬ The Problem

¬ Targets

¬ Findings so far

¬ Questions

10/16/2015 #4

www.ernw.de

Disclaimer All products, company names, brand names, trademarks and logos are the property of their respective owners!

10/16/2015 #5

www.ernw.de

Motivation Make the world a safer place …

10/16/2015 #6

www.ernw.de

Motivation

¬ Importance We trust these devices

Doctors trust these devices

¬ Technology Rocket science: e.g. MRI

Proprietary protocols

Every device is different

10/16/2015 #7

www.ernw.de

Publications so far … What has been done …

10/16/2015 #8

www.ernw.de 10/16/2015 #9

www.ernw.de 10/16/2015 #10

www.ernw.de 10/16/2015 #11

www.ernw.de 10/16/2015 #12

www.ernw.de 10/16/2015 #13

www.ernw.de 10/16/2015 #14

www.ernw.de 10/16/2015 #15

www.ernw.de 10/16/2015 #16

www.ernw.de

http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/

10/16/2015 #17

www.ernw.de

The Problem Anamnesis …

10/16/2015 #18

www.ernw.de

Siemens Sirecust BS1

In the old days …

10/16/2015 #19

www.ernw.de

Siemens Sirecust BS1

In the old days …

10/16/2015 #20

www.ernw.de

Nihon Kohden Neurofax EEG

In the old days …

10/16/2015 #21

www.ernw.de

They Discovered

10/16/2015 #22

www.ernw.de

The Change

¬ Optimization of processes Good or bad?

¬ New com options available Lowering costs

¬ Especially on Intensive Care Units (ICUs)

¬ Interoperability E-Health records

PACS

Personal E-Health

10/16/2015 #23

www.ernw.de

The Gathering

Standard anesthesia devices

www.ernw.de

Are we Ready?

¬ What about IT in hospitals? Resources / Know-how

Different types of networks Doctors

Patients

Devices

Guests

Research

“Semi-New” technologies on the rise -> No experience

Remote maintenance (non-optional?)

10/16/2015 #25

www.ernw.de

Are we Ready?

¬ What about home monitoring? Devices for personal health

Transmitting wireless / Upload to provider

Need to be integrated without hassle

What could possibly go wrong?

Think pre-calculated encryption keys in home routers

Must not be expensive

Privacy?

10/16/2015 #26

www.ernw.de

The Scale

Home Monitoring

www.ernw.de

Privacy?

10/16/2015 #28

HTTP!

www.ernw.de

Privacy?

10/16/2015 #29

HTTP!

WiFi PSK! omfgstfu

www.ernw.de

Are they Ready?

¬ What about the vendors? Same mistakes again?

Learning curve

WiFi

Car keys

Exploiting like in the old days?

“We are not really using this port, the board came with it!“

“We are fine, we have two network interfaces (trusted/untrusted)!”

10/16/2015 #30

www.ernw.de

What is Important for Compliance?

¬ Focus is on safety not security Especially important in Germany We do not even have these words … Safety mostly works

Still have bugs like: “Device showing asystole alarm when patient is fine”

Does security? “We only need to make sure that there are proper authorization mechanisms …” “A hacker will always find a way …” “510(k) assumes there is no hostile environment, doctor will not harm patient,

patient will not harm himself or doctor”

Certification Focus on safety, too

10/16/2015 #31

www.ernw.de

Problem Summary

¬ Little resources on customer‘s side

¬ Little experience with incidents on vendor/hospital side

¬ Safety vs. Security

This could kill you!

10/16/2015 #32

www.ernw.de

Targets What are we looking at?

10/16/2015 #33

www.ernw.de 10/16/2015 #34

www.ernw.de

Targets

¬ Medical devices with enabled com Com is in places you would never suspect

¬ “Severity Rating”: Low: Monitoring stuff

Medium: Diagnostic systems

High: Feedback to patient

10/16/2015 #35

www.ernw.de

Monitoring

10/16/2015 #36

www.ernw.de

Diagnostic

10/16/2015 #37

www.ernw.de

Feedback

10/16/2015 #38

www.ernw.de

Targets

¬ Hard to get hands on devices

¬ Vendors have little interest? Lack of experience?

¬ Expensive

¬ Cooperations What about liability?

Hard to test!

10/16/2015 #39

www.ernw.de

Targets What we looked at so far …

10/16/2015 #40

www.ernw.de

Target Example: EEG

¬ Measures “brain waves”

¬ Used in small/medium sized medical offices

¬ Grey box and software on a host

¬ Communication via LAN Can be deployed in different rooms

¬ Grey box <- UDP -> Host

¬ No auth, no encryption, no security

¬ Full remote control of the box

10/16/2015 #41

www.ernw.de

Target example: EEG

Box for electrodes

10/16/2015 #42

www.ernw.de

Off-Topic for a Second …

¬ OpenEEG project

¬ Build your own EEG

¬ Do crazy Biofeedback stuff

¬ Brain-to-computer interface

10/16/2015 #43

www.ernw.de

DIY: EEG

OpenEEG Project

www.ernw.de

Disclaimer There will be no details yet on how the exploits work as this might pose a threat to life or the physical condition of patients!

10/16/2015 #45

www.ernw.de

Target: Patient Monitor 1

¬ Widely used in hospitals ICU During operation

¬ Monitors critical vital signs SPO2 Blood Pressure ECG Temperature Respiration More …

10/16/2015 #46

www.ernw.de

Target: Patient Monitor 1

Unreasonable Configuration: Heart Rate Alarm Boundaries

10/16/2015 #47

www.ernw.de

Target: MRI

¬ Really cool!

10/16/2015 #48

www.ernw.de

Target: MRI

¬ Consists of: Host System

Windows based PC

Image Processing System

Retrieves the raw data and constructs images

Control System

Controls hardware of the MRI (basically patient table, coils, etc.)

10/16/2015 #49

www.ernw.de

Target: MRI

10/16/2015 #50

www.ernw.de

Target: MRI

¬ Host System

10/16/2015 #51

www.ernw.de

Target: MRI

¬ Host System

¬ Open Ports: 114

10/16/2015 #52

www.ernw.de

Target: MRI

¬ Host System

¬ After Portscan

10/16/2015 #53

www.ernw.de

Target: MRI

10/16/2015 #54

Guest WiFi

www.ernw.de

Target: Syringe Pump Demo: Infusion Override

10/16/2015 #55

www.ernw.de

Target: Anesthesia Device Demo: Denial of Service during Operation

10/16/2015 #56

www.ernw.de

Target: Patient Monitor 2

¬ 2 central elements ARM for peripherals and probably signal processing

Control the pump for blood pressure

Maybe FFT

ARM for user interaction

RX / TX to the peripheral board

ARM926EJ-S @ 400MHz

64MB RAM

10/16/2015 #57

www.ernw.de

Target: Patient Monitor 2

Signal Processing / Frontend

10/16/2015 #58

www.ernw.de

Target: Patient Monitor 2 Demo: Pwning vital signs

10/16/2015 #59

www.ernw.de

Targets

¬ There is more to come! Cooperations with hospitals

¬ Information Gathering reveals promising results Radiology Equipment:

MRIs

X-Rays

Hospital Infrastructure Physical Access Control Systems

Aneasthesia devices

10/16/2015 #60

www.ernw.de

Final Words …

¬ We need to test these devices!

¬ Responsible disclosure process is critical!

¬ Get your hands dirty!

¬ There will be more publications from ERNW!

Stay tuned!

10/16/2015 #61

www.ernw.de

Questions? Twitter: 0x79

10/16/2015 #62

www.ernw.de

Thank you! Please consult your doctor or pharmacist for risks and side effects of this presentation …

10/16/2015 #63