
NanoSec Conference 2019: Attacking and Securing HealthCare Standards & Pentest Medical Devices - Ajay Pratap Singh


Talk was presented by Ajay Pratap Singh at NanoSec Conference 2019, InterContinental Hotel Kuala Lumpur on the 9th of October 2019.

Published in: Healthcare

  1. Attacking & Securing HealthCare Standards & Pentest Medical Devices – Ajay Pratap Singh. This presentation does not reflect the opinions of my employer; all data and views are my own.
  2. #WHOAMI
     - Security professional with 6+ years of industry experience
     - Associate Architect – Product Security, Dover Corporation
     - Speaker at HiTB, COSAC, ISC2, Nullcon, c0c0n etc.
     - Not a hacker, just a bug hunter
     - Like to play cricket
     - @ajayps29
  3. Agenda
     - HealthCare security
     - Healthcare standards: HL7 2.x, FHIR, DICOM
     - Healthcare standards workflow
     - Healthcare standards attacks
     - Methodology to pentest medical devices / systems
     - Securing standards & medical devices / systems
  4. Healthcare Security – What do you think of healthcare security? Why is security important in healthcare?
     - Healthcare industry: ~$11 trillion by 2022
     - Healthcare technology sector: ~$280 billion by 2021
     - USA GDP percentage spent on healthcare: 17.9% in 2019
     - At stake: identity theft, patient life, financial fraud, access to unauthorized medicines
     - Source: https://www2.deloitte.com/us/en/pages/life-sciences-and-health-care/articles/us-and-global-health-care-industry-trends-outlook.html and https://en.wikipedia.org/wiki/Health_care_in_the_United_States
  5. Healthcare Standards (HL7)
     - HL7 and its members provide a framework (and related standards) for the exchange, integration, sharing, and retrieval of electronic health information.
     - HL7's Version 2.x (V2) messaging standard is the workhorse of electronic data exchange in the clinical domain and arguably the most widely implemented standard for healthcare in the world. It allows the exchange of clinical data between systems.
     - HL7 2.x: 95% of US healthcare organizations use HL7 V2.x; more than 35 countries have HL7 V2.x implementations; it uses MLLP (Minimum Lower Layer Protocol).
     - FHIR (Fast Healthcare Interoperability Resources): a draft standard for the exchange of resources.
     - Other standards: version 3.x, CDA, CCD, SPL etc.
     - Source: http://www.hl7.org
  6. DICOM Healthcare Standard
     - DICOM (Digital Imaging and Communications in Medicine) is the international standard to transmit, store, retrieve, print, process, and display medical imaging information.
     - DICOM makes medical imaging information interoperable.
     - The DICOM networking protocol is used for communication between medical devices (diagram: Modality and PACS Server connected over the DICOM networking protocol).
     - Source: www.dicomstandard.org; https://github.com/d00rt/pedicom/blob/master/doc/Attacking_Digital_Imaging_and_Communication_in_Medicine_(DICOM)_file_format_standard_-_Markel_Picado_Ortiz_(d00rt).pdf
  7. HealthCare standards (workflow)
     - Diagram of actors and messages: Order Scheduling (Doctor), RIS (Modality Scheduling), Modality (CT, X-ray etc.; Technician), EMR (Doctor), PACS Server; messages exchanged: HL7-ADT, HL7-ORM and patient query.
     - EMR – Electronic Medical Records | RIS – Radiology Information System | PACS – Picture Archiving and Communication System
     - HL7 – Health Level Seven | FHIR – Fast Healthcare Interoperability Resources | DICOM – Digital Imaging & Communications in Medicine
  8. HL7 2.x message
     - Segments shown: message header information, patient information, next of kin info, patient visit information.
     - Delimiters: | field delimiter (pipe); ^ sub-field delimiter (caret); ~ repeating field delimiter (tilde); \ escape character (backslash); & sub-sub-field delimiter (ampersand).
  9. HL7 2.x message – Types
     - ADT – Admission, discharge, transfer
     - ORM – Order Message
     - ORU – Observation Results
     - DFT – Detailed Financial Transactions etc.
  10. HL7 2.x message – ADT
     - ADT-A01 – patient admit
     - ADT-A02 – patient transfer
     - ADT-A03 – patient discharge
     - ADT-A04 – patient registration
     - ADT-A05 – patient pre-admission etc.
  11. HL7 2.x message – Attacks
     - Plain text – MiTM
     - Injection attacks
     - Data modification
     - Denial of service attacks
     - Client-side attacks
  12. FHIR (Fast HealthCare Interoperability Resources)
     - FHIR aims to simplify implementation without sacrificing information integrity. It leverages existing logical and theoretical models to provide a consistent, easy to implement, and rigorous mechanism for exchanging data between healthcare applications.
     - Web based; exchanges data in XML & JSON format.
     - Latest HL7 standard.
  13. FHIR message
     - http://www.hl7.org/implement/standards/fhir/message-request-link.xml.html
     - http://www.hl7.org/implement/standards/fhir/message-response-link.xml.html
  14. FHIR – Attacks
     - All web based attacks are applicable: JSON injection, XML injection, XSS, SQL injection etc.
     - Violating access control
     - Privilege escalation
  15. DICOM Usage & File View
     - DICOM is used in imaging devices like CT, X-ray etc. and in workstations.
     - Files have the .dcm extension.
     - Modalities (based on the type of query) need to be pre-configured with the servers' and clients' IP addresses, port number and AE title.
  16. DICOM Network / Communication Model
     - SCU (service class user) and SCP (service class provider)
     - Association request / response, then the actual data transfer
     - Peers are identified by AE title, IP address and port
  17. DICOM Network Services
     - Composite services: Verification, Storage, Query/Retrieve, Modality Worklist (C-ECHO, C-FIND, C-STORE, C-MOVE, C-GET)
     - Normalized services: Storage Commitment, Print Management (N-GET, N-SET, N-EVENT-REPORT, N-ACTION, N-CREATE, N-DELETE)
  18. C-FIND
  19. DICOM Attack Vectors
     - IP address
     - Port
     - AE (Application Entity) title (used to identify a DICOM application to other DICOM applications on the network)
  20. DICOM Attacks
     - MiTM – sniffing
     - PE/DICOM attack – by Markel Picado Ortiz from Cylera Labs
     - PACS server flooding
     - Modification in .dcm file – exposure to radiation
     - Source: https://github.com/d00rt/pedicom/blob/master/doc/Attacking_Digital_Imaging_and_Communication_in_Medicine_(DICOM)_file_format_standard_-_Markel_Picado_Ortiz_(d00rt).pdf
  21. Medical devices / systems
  22. Methodology to Pentest Secured Medical Devices / Systems
     - Gather publicly available information
     - Full understanding of the workflow / deployment of the system
     - Threat modeling
     - Specific test cases for devices
     - Risk based pentesting
     - Risk analysis document
  23. Pentest Medical Devices / Systems
     - User roles
     - Access to the file system
     - Sticky keys
     - Hyperlinks
     - Monkey testing etc.
     - Look for writable directories
     - Full understanding of the workflow of the application
     - Command injection
     - USB – configuration update
     - Custom services
     - Cloud
  24. Securing HealthCare Standards & Devices / Systems
     - Encryption (data at rest & in transit)
     - DICOM: remove the header before processing the image
     - Authentication
     - Authorization
     - Upgrades
     - Software patching
     - No hardcoded secrets
     - Input validation
     - SSH tunneling
  25. Thank you
  26. Hospital Attack News
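Slide 8 lists the HL7 2.x delimiters and slide 11 names injection and data modification among the attacks on HL7 2.x messages. The example below is added here and is not part of the presentation: it parses a constructed ADT^A01 message using the delimiters declared in its MSH segment, and shows the defensive counterpart of the injection problem, an encoder that escapes delimiter characters (with the standard HL7 `\F\`, `\S\`, `\R\`, `\E\`, `\T\` sequences) and rejects segment terminators, so an untrusted value such as a patient name cannot add fields or segments. The segment codes MSH, PID, NK1 and PV1 are the standard HL7 v2 names for the header, patient, next-of-kin and visit segments shown on slide 8; every identifier in the sample message and all function names are constructed for this example.

```python
# Added example, not from the slides: a minimal HL7 v2.x parser that takes its
# delimiters from the MSH segment, plus an encoder that escapes those delimiters
# so that an untrusted value cannot inject extra fields, components or segments.
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample ADT^A01 (patient admit) message; all identifiers are made up.
SAMPLE_ADT_A01 = (
    "MSH|^~\\&|SENDAPP|SENDFAC|RECVAPP|RECVFAC|20191009120000||ADT^A01|MSG0001|P|2.5\r"
    "EVN|A01|20191009120000\r"
    "PID|1||123456^^^HOSP^MR||DOE^JOHN^A||19700101|M\r"
    "NK1|1|DOE^JANE|SPO\r"
    "PV1|1|I|WARD1^101^A\r"
)


@dataclass(frozen=True)
class Delimiters:
    field: str = "|"
    component: str = "^"
    repetition: str = "~"
    escape: str = "\\"
    subcomponent: str = "&"


def read_delimiters(msh_segment: str) -> Delimiters:
    """MSH-1 is the field separator; MSH-2 holds the other four encoding characters."""
    if not msh_segment.startswith("MSH") or len(msh_segment) < 8:
        raise ValueError("HL7 v2 message must begin with an MSH segment")
    f, enc = msh_segment[3], msh_segment[4:8]
    if len(set(f + enc)) != 5:
        raise ValueError("delimiters must be five distinct characters")
    return Delimiters(f, enc[0], enc[1], enc[2], enc[3])


def parse_message(raw: str) -> List[Tuple[str, List[str]]]:
    """Split a message into (segment_id, fields) pairs.

    fields[n] is SEG-n for every segment, including MSH, where MSH-1 is the
    field separator itself and MSH-2 the encoding characters.
    """
    segments = [s for s in raw.split("\r") if s]
    if not segments:
        raise ValueError("empty message")
    d = read_delimiters(segments[0])
    parsed = []
    for seg in segments:
        fields = seg.split(d.field)
        if fields[0] == "MSH":
            fields = ["MSH", d.field] + fields[1:]
        parsed.append((fields[0], fields))
    return parsed


def components(field_value: str, d: Delimiters = Delimiters()) -> List[str]:
    """Split one field into its components (e.g. family^given^middle)."""
    return field_value.split(d.component)


def first_segment(message: List[Tuple[str, List[str]]], segment_id: str) -> List[str]:
    for seg_id, fields in message:
        if seg_id == segment_id:
            return fields
    raise KeyError(segment_id)


def escape_value(value: str, d: Delimiters = Delimiters()) -> str:
    """Encode delimiter characters with the HL7 escape sequences \\F\\ \\S\\ \\R\\ \\E\\ \\T\\
    so a value stays inside its own field. Segment terminators (CR/LF) have no escape
    sequence in HL7 v2, so they are rejected rather than silently passed through."""
    if "\r" in value or "\n" in value:
        raise ValueError("segment terminator not allowed inside a field value")
    e = d.escape
    # The escape character is replaced first so the sequences added below are not re-escaped.
    return (value.replace(e, f"{e}E{e}")
                 .replace(d.field, f"{e}F{e}")
                 .replace(d.component, f"{e}S{e}")
                 .replace(d.repetition, f"{e}R{e}")
                 .replace(d.subcomponent, f"{e}T{e}"))


def build_pid(patient_id: str, family: str, given: str, d: Delimiters = Delimiters()) -> str:
    """Build a PID segment from untrusted values, escaping each one before joining."""
    name = d.component.join(escape_value(v, d) for v in (family, given))
    return d.field.join(["PID", "1", "", escape_value(patient_id, d), "", name])


if __name__ == "__main__":
    for seg_id, fields in parse_message(SAMPLE_ADT_A01):
        print(seg_id, fields[1:])
    print(build_pid("123", "SMITH|EXTRA", "JO"))
```

The parser deliberately reads the delimiters from MSH-1/MSH-2 instead of assuming `|^~\&`; a receiver that hardcodes them will mis-split any message that uses a different set. On the sending side, `build_pid` is the pattern to apply to every field that originates from user input: escape per value, then join, never concatenate raw strings into a segment.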
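Slide 20 cites the PE/DICOM research and slide 24 gives the matching mitigation, "remove the header before processing the image". The cited work relies on the 128-byte preamble of a DICOM Part 10 file, which DICOM readers skip, being free to hold a Windows executable header. The example below is added here and is not the presenter's or the DICOM project's code: it builds a tiny constructed DICOM file, classifies its preamble, zeroes the preamble while leaving the `DICM` magic and the File Meta group intact, and re-parses the meta elements to show that the clinical content survives sanitisation. Function names, the sample bytes and the three verdict strings are assumptions made for this example.

```python
# Added example, not from the slides: inspect and sanitise the 128-byte preamble
# of a DICOM Part 10 file before the file reaches image processing.
import struct
from typing import Dict, Tuple

PREAMBLE_LEN = 128
MAGIC = b"DICM"
# VRs that use the 4-byte length form in explicit VR little endian encoding
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def build_sample(preamble: bytes) -> bytes:
    """Constructed test data: preamble, magic and a File Meta group holding only
    the transfer-syntax element (0002,0010) in explicit VR little endian."""
    if len(preamble) != PREAMBLE_LEN:
        raise ValueError("preamble must be exactly 128 bytes")
    ts = b"1.2.840.10008.1.2.1\x00"  # explicit VR little endian UID, padded to even length
    element = struct.pack("<HH", 0x0002, 0x0010) + b"UI" + struct.pack("<H", len(ts)) + ts
    return preamble + MAGIC + element


def is_dicom(data: bytes) -> bool:
    return len(data) >= PREAMBLE_LEN + 4 and data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == MAGIC


def preamble_verdict(data: bytes) -> str:
    """'clean' when all 128 bytes are zero, 'pe-header' when the preamble starts
    with the MZ signature of a Windows executable, otherwise 'non-zero'."""
    pre = data[:PREAMBLE_LEN]
    if pre == bytes(PREAMBLE_LEN):
        return "clean"
    if pre[:2] == b"MZ":
        return "pe-header"
    return "non-zero"


def parse_file_meta(data: bytes) -> Dict[Tuple[int, int], bytes]:
    """Read the group 0002 elements that follow the magic (explicit VR little endian)."""
    pos = PREAMBLE_LEN + 4
    meta = {}
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break  # File Meta group ends; the data set proper starts here
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length = struct.unpack_from("<I", data, pos + 8)[0]
            start = pos + 12
        else:
            length = struct.unpack_from("<H", data, pos + 6)[0]
            start = pos + 8
        meta[(group, elem)] = data[start:start + length]
        pos = start + length
    return meta


def sanitize(data: bytes) -> bytes:
    """Zero the preamble and keep everything from the magic onwards untouched."""
    if not is_dicom(data):
        raise ValueError("not a DICOM Part 10 file")
    return bytes(PREAMBLE_LEN) + data[PREAMBLE_LEN:]


if __name__ == "__main__":
    suspicious = build_sample(b"MZ" + bytes(PREAMBLE_LEN - 2))
    print(preamble_verdict(suspicious))              # pe-header
    print(preamble_verdict(sanitize(suspicious)))    # clean
    print(parse_file_meta(sanitize(suspicious)))
```

The standard allows a non-zero preamble for legitimate dual-format files, so `non-zero` is a signal for review rather than proof of tampering; zeroing it at an ingestion boundary (PACS import, upload handler) costs nothing for ordinary clinical images and removes the polyglot property. The meta parser here is only enough to show the content is preserved; in production, hand the sanitised bytes to a full parser such as pydicom and validate the transfer syntax and pixel data from there.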
