hacking medical devices - ernw · disclaimer all products, company names, brand names, trademarks...
TRANSCRIPT
www.ernw.de
Hacking Medical Devices Cloud Context
www.ernw.de
Florian Grunow
¬ Security Analyst
¬ ERNW in Heidelberg
¬ Team Lead: Pentest
ERNW Academy
¬ Research: Medical Devices
Connected Cars
6/17/2015 #2
Blog: Conference:
www.ernw.de
Agenda ¬ Motivation
¬ Publications
¬ The Problem
¬ Targets
¬ Wrap Up
¬ Questions
6/17/2015 #3
www.ernw.de
Disclaimer All products, company names, brand names, trademarks and logos are the property of their respective owners!
6/17/2015 #4
www.ernw.de
Motivation Make the world a safer place …
6/17/2015 #5
www.ernw.de
Motivation
¬ Importance We trust these devices
Doctors trust these devices
Cloud will play a major role in the future
¬ Technology Rocket science: e.g. MRI
Proprietary protocols
Every device is different
6/17/2015 #6
www.ernw.de
Publications so far … What has been done …
6/17/2015 #7
www.ernw.de 6/17/2015 #8
www.ernw.de 6/17/2015 #9
www.ernw.de 6/17/2015 #10
www.ernw.de 6/17/2015 #11
www.ernw.de 6/17/2015 #12
www.ernw.de 6/17/2015 #13
www.ernw.de 6/17/2015 #14
www.ernw.de 6/17/2015 #15
www.ernw.de
http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/
6/17/2015 #16
www.ernw.de
The Problem Anamnesis …
6/17/2015 #17
www.ernw.de
Siemens Sirecust BS1
In the old days …
6/17/2015 #18
www.ernw.de
Nihon Kohden Neurofax EEG
In the old days …
6/17/2015 #19
www.ernw.de
The Change
¬ New com options available
¬ Optimization of processes
¬ Interoperability E-Health records
PACS
Personal Health
Lowering costs!
Data will be going to the cloud!
6/17/2015 #20
www.ernw.de
Are we Ready?
¬ What about IT in hospitals? Resources / Know-how Different types of networks
Doctors Patients Devices Guests Research
“Semi-New” technologies on the rise -> No experience Remote maintenance (non-optional?)
Cloud seems to solve some of these problems!
6/17/2015 #22
www.ernw.de
Are we Ready?
¬ What about home monitoring? Devices for personal health
Transmitting wireless / Upload to cloud
Need to be integrated without hassle
What could possibly go wrong?
Think pre-calculated encryption keys in home routers
Must not be expensive
Privacy in the cloud?
6/17/2015 #23
www.ernw.de
The Scale
Home Monitoring
www.ernw.de
Privacy?
6/17/2015 #25
www.ernw.de
Privacy?
6/17/2015 #26
HTTP!
omfgstfu
www.ernw.de
Are they Ready?
¬ What about the vendors? Same mistakes again?
Learning curve
WiFi
Car keys
Exploiting like in the old days?
“We are not really using this port, the board came with it!“
“We are fine, we have two network interfaces (trusted/untrusted)!”
6/17/2015 #27
www.ernw.de
What is Important for Compliance?
¬ Focus is on safety not security Especially important in Germany We do not even have these words … Safety mostly works
Still have bugs like: “Device showing asystole alarm when patient is fine”
Does security? “We only need to make sure that there are proper authorization mechanisms …” “A hacker will always find a way …” “510(k) assumes there is no hostile environment, doctor will not harm patient, patient will not harm himself or doctor”
Certification Focus on safety, too
6/17/2015 #28
www.ernw.de
Problem Summary
¬ Little resources on customer‘s side
¬ Little experience with incidents on vendor/hospital side
¬ Lack of awareness on vendor side
¬ Safety vs. Security
This could kill you!
6/17/2015 #29
www.ernw.de
Targets What are we looking at?
6/17/2015 #30
www.ernw.de
Targets
¬ Medical devices with enabled com Com is in places you would never suspect
¬ “Severity Rating”: Low: Monitoring stuff
Medium: Diagnostic systems
High: Feedback to patient
6/17/2015 #31
www.ernw.de
Monitoring
6/17/2015 #32
www.ernw.de
Diagnostic
6/17/2015 #33
www.ernw.de
Feedback
6/17/2015 #34
www.ernw.de
Targets
¬ Hard to get hands on devices
¬ Vendors have little interest? Lack of experience?
¬ Expensive
¬ Cooperations What about liability?
Hard to test!
6/17/2015 #35
www.ernw.de
Targets What we looked at so far …
6/17/2015 #36
www.ernw.de
Disclaimer There will be no details yet on how the exploits work as this might pose a threat to life or the physical condition of patients!
6/17/2015 #37
www.ernw.de
Target: Patient Monitor 1
Unreasonable Configuration
6/17/2015 #38
www.ernw.de
Target: MRI
¬ Really cool!
6/17/2015 #39
www.ernw.de
Target: MRI
¬ Consists of: Host System
Windows based PC
Image Processing System
Retrieves the raw data and constructs images
Control System
Controls hardware of the MRI (basically patient table, coils, etc.)
6/17/2015 #40
www.ernw.de
Target: MRI
6/17/2015 #41
www.ernw.de
Target: MRI
¬ Host System
6/17/2015 #42
www.ernw.de
Target: MRI
¬ Host System
¬ Open Ports: 114
6/17/2015 #43
www.ernw.de
Target: MRI
¬ Host System
¬ After portscan
6/17/2015 #44
www.ernw.de
Target: MRI
6/17/2015 #45
Guest WiFi
www.ernw.de
Target: Syringe Pump Demo: Infusion Override
6/17/2015 #46
www.ernw.de
Target: Patient Monitor 2
Signal Processing / Frontend
6/17/2015 #47
www.ernw.de
Target: Patient Monitor 2 Demo: Pwning vital signs
6/17/2015 #48
www.ernw.de
Cloudification
¬ How do we authenticate? Devices not adequately capable
Violation of best practices
¬ Secure the weakest link! Not necessarily the cloud but the “Things”
Hospital environment
¬ Data privacy? Especially in Germany hot topic
6/17/2015 #49
www.ernw.de
Final Words …
¬ We need to test these devices!
¬ There will be more publications from ERNW!
¬ For the Cloud:
Consider the IoT (”Internet of Threats”)!
6/17/2015 #50
www.ernw.de
Questions?
6/17/2015 #51
www.ernw.de
Thank you! Please consult your doctor or pharmacist for risks and side effects of this presentation …
6/17/2015 #52