Over the years, several hacks affecting medical devices have been discovered. Unfortunately, the lack of good security practices is common in this type of device.
This talk will explain the unique security scenario that affects medical devices and will walk through the auditing process of a specific medical device. The audited device is a portable IoT electrocardiograph; several vulnerabilities and demos affecting this device will be shown during the presentation.
3. Introduction
➔ Critical Infrastructure Cybersecurity
○ Different to traditional company security
■ Specific industrial protocols (e.g., Modbus, FHIR, HL7)
○ Sensitive nature of these infrastructures and their peculiarities
○ Repercussions in the event of failure
4. Some significant attacks against Health Services
➔ 1. Wannacry: NHS - United Kingdom (May 2017)
➔ 2. Data breach - APT: SingHealth - Singapore (June and July 2018)
➔ 3. Ransomware: Springhill - USA* (July 2019)
➔ 4. Ryuk: Torrejón - Spain (February 2020)
➔ COVID-19
➔ 5. Ransomware: Brno - Czech Republic (March 2020)
➔ 6. Ransomware: Helios - Germany* (September 2020)
➔ 7. Conti: HSE - Ireland (May 2021)
➔ 8. Clínic - Spain (March 2023)
* Lawsuit to prove that a ransomware attack on a hospital was to blame for someone losing their life
5. Repercussions
➔ Baby’s Death Alleged to Be Linked to Ransomware
➔ 78-year-old woman suffering from an aortic aneurysm
https://www.wired.co.uk/article/ransomware-hospital-death-germany
https://threatpost.com/babys-death-linked-ransomware/175232/
6. Medical devices
➔ Health Care centers have traditional IT infrastructures
➔ But also medical devices
○ Medical devices are also computers
■ Most of them are Windows based
○ New devices are constantly appearing
■ IoT medical devices
Pictured: Philips TC30, IntelliVue MX40, KardiaMobile
7. Medical devices
➔ Since 2011, cybersecurity problems have been found in medical devices
○ Barnaby Michael Douglas Jack
■ October 2011 - Wireless hacking of insulin pumps
■ 2012 - Discovered vulnerabilities in pacemakers
■ Died a week before presenting a talk at Black Hat 2013 about hacking heart implants
Pictured: Medtronic MiniMed 530G
9. Medical Devices Advisory
➔ Known vulnerabilities - ICS MEDICAL ADVISORY
○ Insulin pumps
■ Medtronic NGP 600 Series Insulin Pumps
■ Alert Code: ICSMA-22-263-01
○ Pacemakers
■ Medtronic Conexus Radio Frequency Telemetry Protocol
■ Alert Code: ICSMA-19-080-01
○ Software
■ PACS (Picture archiving and communication system)
● Philips Vue PACS
● Alert Code: ICSMA-21-187-01
10. Wireless communication
➔ What happens if you play with a pacemaker?
○ Homeland series, season 2, episode 10.
■ December 2, 2012
○ Vice President assassination through hacking a pacemaker
12. Wireless communication
➔ Device implanted in 2007
➔ He had his doctors disable its wireless capabilities to prevent against a possible assassination attempt
https://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434
13. What about mobile apps? and IoT?
➔ Monitor and control through your mobile phone
Pictured: Omnipod DASH Insulin Management; AZURE XT DR MRI SURESCAN
14. What about mobile apps? and IoT?
https://pacemate.com/wp-content/uploads/2021/12/MyCareLinkHeart-for-pacer-ICD-overview.pdf
15. Ok but … tell me how
How can I hack a medical device?
16. Step 1: Obtain a medical device
➔ Option 1: Contact a vendor and buy a device
20. Device to analyze
➔ AliveCor, Kardia Mobile
➔ Pocket-sized ECG - IoT
➔ Less accurate than a normal ECG
➔ Used for patient follow-up
➔ Wireless communications
➔ Mobile App
◆ iOS
◆ Android
21. Mobile app
➔ You can consent or …
I consent to the collection, processing and
disclosure of my de-identified heart activity
data and related health information by
AliveCor as described in the Privacy Policy
25. Methodology
➔ First Risk Analysis
➔ STRIDE model
◆ Spoofing
◆ Tampering
◆ Repudiation
◆ Information disclosure
◆ Denial of Service
◆ Elevation of Privilege
➔ Microsoft Threat Modeling Tool
37. Main risks
➔ Lack of encryption and authentication in the communication process
◆ Spoofing / Tampering
■ Very High
◆ Information disclosure
■ Low
◆ Denial of Service
■ High
◆ Repudiation
■ Lawyer things
48. Patch - What patch?
➔ 01-08-2022
○ Solutions?
50. Patch - What patch?
➔ How to patch a hardware or design failure?
○ Return the devices?
○ Try to put software mitigations in place
■ If possible
○ AuthN is inexpensive!
➔ Hardware failures are a problem (e.g., checkm8)
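The "lack of encryption and authentication in the communication process" risk rated Very High for spoofing and tampering in slide 37, and the "AuthN is inexpensive" mitigation above, as an added example that is not code from the talk or from AliveCor: a keyed HMAC tag plus a sequence counter over a device-to-app ECG frame, so that forged, altered and replayed frames are rejected before the app trusts the data. The frame layout, the shared key and the sample values are constructed for this example.

```python
"""Added example: keyed message authentication plus a sequence counter for a
device-to-app ECG frame. Frame layout, key and samples are constructed here."""
import hashlib
import hmac
import struct

TAG_LEN = 16  # HMAC-SHA256 tag truncated to 128 bits


def build_frame(key: bytes, seq: int, samples: list) -> bytes:
    """Serialize a sequence counter and 16-bit ECG samples, then append the tag."""
    body = struct.pack(">I", seq) + struct.pack(f">{len(samples)}h", *samples)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_frame(key: bytes, frame: bytes, last_seq: int):
    """Return (seq, samples) if the tag verifies and seq is fresh, else None."""
    if len(frame) < 4 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # forged or altered frame
    seq = struct.unpack(">I", body[:4])[0]
    if seq <= last_seq:
        return None  # replayed or out-of-order frame
    n = (len(body) - 4) // 2
    samples = list(struct.unpack(f">{n}h", body[4:4 + 2 * n]))
    return seq, samples


def demo():
    key = b"\x11" * 32               # constructed shared key (device <-> app)
    ecg = [0, 12, 45, 300, -40, 5]   # constructed sample values, not real ECG data
    frame = build_frame(key, 1, ecg)
    genuine = verify_frame(key, frame, last_seq=0)
    # Tampering: flip one byte inside the sample area.
    tampered = bytearray(frame)
    tampered[6] ^= 0xFF
    altered = verify_frame(key, bytes(tampered), last_seq=0)
    # Spoofing: a frame built without the key carries a tag that cannot verify.
    forged = struct.pack(">I", 2) + struct.pack(">6h", *ecg) + b"\x00" * TAG_LEN
    spoofed = verify_frame(key, forged, last_seq=0)
    # Replay: the genuine frame is rejected once its counter has been consumed.
    replayed = verify_frame(key, frame, last_seq=1)
    return genuine, altered, spoofed, replayed
```

Key provisioning (pairing) is out of scope here; without a per-device key the tag protects nothing, which is why the risk is a design issue rather than a pure software one.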
55. Report
➔ 1. July 2021: First contact to AliveCor; report to CISA
➔ 2. February 2022: Case created in VINCE
➔ 3. March 2022: AliveCor appears
➔ 4. June 2022: Full disclosure threat, and AliveCor wrapping up
➔ 5. August 2022: Internal assessment and “solutions”
➔ 6. FDA clearance
➔ 7. October 2022: Public disclosure
56. Conclusions
➔ Safety v. Security
○ Hugo Teso - Profundizando en la seguridad de la aviación (Going deeper into aviation security) [Rooted CON 2014] [Rooted CON 2015]
➔ Safety - Therac-25 incident
○ Therac-25 was a computer-controlled radiation therapy machine
○ It was involved in at least six accidents between 1985 and 1987, in which patients were given massive overdoses of radiation
○ Software Engineering - NATO Software Engineering Conferences
57. Lack of regulation
➔ FDA 510(k) Clearance Process does not involve cybersecurity measures
◆ “substantially equivalent” to another already
https://www.drugwatch.com/fda/510k-clearance/
58. Lack of regulation
➔ Lack of regulation
○ Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices
■ Applicable from May 2021
○ MDCG 2019-16 Guidance on Cybersecurity for medical devices
59. Medical devices
➔ Medical devices are a black box problem
○ Patching? Updates?
○ AV? EDR?
➔ Medical devices and software must be submitted to an S-SDLC process
○ Secure by design
○ Pentesting
○ Cybersecurity certifications for healthcare, LINCE?
60. Status of Healthcare Security
➔ Precarious and obsolete infrastructures
○ Highly dependent on Internet Explorer
○ Huge technology debt
➔ Lack of personnel and budget
○ IT personnel? IT security personnel?
➔ SPAIN
○ ESTRATEGIA DE SALUD PÚBLICA 2022 (Public Health Strategy 2022)
○ Cybersecurity?