Over the years several hacks affecting medical devices have been discovered. Unfortunately the lack of good security practices is a common thing in these type of devices. This talk will explain the unique security scenario that affect medical devices and will explain an auditing process of an specific medical device. The audited medical device is a portable IoT electrocardiograph and several vulnerabilities and demos affected this devices will be shown during the presentation.

1. Hacking medical devices
Don’t go breaking my heart:
Information Security
Research Lab UAH

2. $ whoami
2
Carlos Cilleruelo Rodríguez
Cybersecurity researcher carlos.cilleruelo@byronlabs.io
@carloslannister
/in/carlos-cilleruelo
Javier Junquera Sánchez
Cybersecurity researcher & lecturer
javier.junquera@uah.es
@junquera
/in/junquera

3. Introduction
➔ Critical Infrastructure Cybersecurity
○ Different to traditional company security
■ Specific industrial protocols (e.g,
Modbus, FHIR, HL7)
○ Sensitive nature of these infrastructures
and their peculiarities
○ Repercussions in the event of failure
3

4. Some significant attacks against Health Services
4
1
Wannacry
NHS - United Kingdom
May 2017
2
3
* Lawsuit to prove that a ransomware attack on a hospital was to blame for someone losing their life
Ransomware
Brno - Czech Republic
March 2020
June and July 2018
Data breach - APT
SingHealth - Singapore
Ransomware
Springhill - USA*
July 2019
6
September 2020
Ransomware
Helios - Germany*
Conti
HSE - Ireland
May 2021
7
COVID-19
5
4
Ryuk
Torrejón - Spain
February 2020
8
Clínic - Spain
March 2023

5. Repercussions
➔ Baby’s Death Alleged to Be Linked to Ransomware
➔ 78-year-old woman suffering from an aortic aneurysm
5
https://www.wired.co.uk/article/ransomware-hospital-death-germany
https://threatpost.com/babys-death-linked-ransomware/175232/

6. Medical devices
➔ Health Care centers have traditional IT infraestructures
➔ But also medical devices
○ Medical devices are also computers
■ Most of them are Windows based
○ New devices are constantly appearing
■ IoT medical devices
6
Philips TC30
IntelliVue MX40
KardiaMobile

7. Medical devices
➔ From 2011 cybersecurity problems has been found in medical
devices
○ Barnaby Michael Douglas Jack
■ October 2011 - Wireless hacking of insulin pumps
■ 2012 discovered vulnerabilities in pacemakers
■ Died a week before present at the Black Hat 2013 a
talk about hacking heart implants
7
Medtronic MiniMed 530G

8. Wireless communication
8
Naya Med Product Brochure - 2012

9. Medical Devices Advisory
➔ Known vulnerabilities - ICS MEDICAL ADVISORY
○ Insulin pumps
■ Medtronic NGP 600 Series Insulin Pumps
■ Alert Code: ICSMA-22-263-01
○ Pacemakers
■ Medtronic Conexus Radio Frequency Telemetry Protocol
■ Alert Code: ICSMA-19-080-01
○ Software
■ PACS (Picture archiving and communication system)
● Philips Vue PACS
● Alert Code: ICSMA-21-187-01
9

10. Wireless communication
➔ What happen if you play with a pacemaker?
○ Homeland series season 2 episode 10.
■ December 2, 2012
○ Vice President assination through hacking a pacemaker
10

11. Wireless communication
➔ Reality?
11
https://web.archive.org/web/20130731101632/http://blog.io
active.com/2013/02/broken-hearts-how-plausible-was.html
Marin, E., Singelée, D., Garcia, F. D., Chothia, T., Willems, R., &
Preneel, B. (2016, December). On the (in) security of the latest
generation implantable cardiac defibrillators and how to secure
them. In Proceedings of the 32nd annual conference on
computer security applications (pp. 226-236).

12. Wireless communication
12
➔ Device implanted in 2007
➔ He had his doctors
disable its wireless
capabilities to prevent
against a possible
assassination attempt
https://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-ha
cking/story?id=20621434

13. What about mobile apps? and IoT?
➔ Monitor and control through your mobile phone
13
Omnipod
DASH Insulin
Management
AZURE XT DR
MRI
SURESCAN

14. What about mobile apps? and IoT?
14
https://pacemate.com/wp-content/uploads/2021/12/MyCareLinkHeart-for-pacer-ICD-overview.pdf

15. Ok but … tell me how
How can I hack a medical device?
15

16. Step 1: Obtain a medical device
16
➔ Option 1: Contact a vendor and buy a device

17. Step 1: Obtain a medical device
17
➔ Option 2: Ebay

18. Step 1: Obtain a medical device
18
➔ Option 3: Amazon

19. Step 2: Gadgets and training
19

20. Device to analyze
➔ AliveCor, Kardia Mobile
➔ Pocked-sized ECG - IoT
➔ Less accurate than a normal ECG
➔ Use for patient follow–up
➔ Wireless communications
➔ Mobile App
◆ iOS
◆ Android
20

21. Mobile app
21
➔ You can consent or …
I consent to the collection, processing and
disclosure of my de-identified heart activity
data and related health information by
AliveCor as described in the Privacy Policy

22. Mobile app
22
➔ You can consent or … consent

23. Choose your experience
23

24. Demo time!
24

25. Methodology
➔ First Risk Analysis
➔ STRIDE model
◆ Spoofing
◆ Tampering
◆ Repudiation
◆ Information disclosure
◆ Denial of Service
◆ Elevation of Privilege
➔ Microsoft Threat Modeling Tool
25

26. Risk Analysis of Kardia Mobile
26

27. Reversing
➔ Laboratory setup
◆ What communication does it use?
27

28. Reversing process
28

29. White noise
29

30. Lab setup
➔ 18€ microphone
➔ Audio Analysis Software
◆ Audacity
◆ Sonic Visualiser
30

31. Data-over-sound
31
➔ Anything over 10 kHz is pretty much inaudible

32. Data-over-sound
➔ Fuzzing
32

33. Data-over-sound
➔ The frequency oscillates over time around 19.200 KHz
33

34. Data-over-sound
34

35. Data-over-sound
35

36. Demo time!
36

37. Main risks
37
➔ Lack of encryption and authentication in the communication process
◆ Spoofing / Tampering
■ Very High
◆ Info. disc.
■ Low
◆ Denial of Service
■ High
◆ Repudiation
■ Lawyer things

38. Report
➔ Responsible disclosure
○ No security.txt [RFC8615]
➔ Email to support - 05/07/2021 and 09/07/2021
38

39. Report
➔ Contact some CERTS and CISA
○ between 7/2021 and 11/2021
39

40. Report
40

41. Report
41
➔ 22-02-2022
○ Case created in VINCE
○ Initial contact with the Vendor

42. Report
42
➔ 25-03-2022
○ Wild Kardia Appeared

43. Report
43
➔ 13-04-2022
○ Working internally to understand the complaint

44. Report
44
➔ 27-06-2022
○ full disclosure?

45. Report
45
➔ 28-06-2022
○ Wild Kardia appeared again!

46. Report
46
➔ 06-07-2022
○ Internal assessments

47. Report
47
➔ 01-08-2022
○ Internal assessments of Kardia released

48. Patch - What patch?
48
➔ 01-08-2022
○ Solutions?

49. Patch - What patch?
49
➔ 01-08-2022
○ Solutions?

50. Patch - What patch?
➔ How to patch a hardware or design
failure?
○ Return the devices?
○ Try to put software mitigations
■ If possible
○ AuthN is inexpensive!
➔ Hardware failures are a problem (e.g.,
checkm8)
50

51. Report
51
➔ 16-08-2022
○ Low impact vulnerabilities are still a vulnerability

52. Report
52
➔ 05-10-2022
○ FDA (Food and Drug Administration) clearance for publishing
➔ 26-10-2022 - Public disclosure!
○

53. ICSMA-22-298-01
53

54. ICSMA-22-298-01
54
➔ Initial pairing in BL and BLE

55. Report
55
1 First contact to Alivecor
Report to CISA
July 2021
2
3
Full disclosure threat
And Alivecor wrapping up
Case created in VINCE
Alivecor appear
March 2022
August 2022
Internal assessment and
“solutions”
4
February 2022
4 June 2022
6
7
FDA clearance
Public disclosure
October 2022

56. Conclusions
56
➔ Safety v. Security
○ Hugo Teso - Profundizando en la seguridad de la aviación [Rooted
CON 2014] [Rooted CON 2015]
➔ Safety - Therac-25 incident
○ Therac-25 was a computer-controlled radiation therapy machine
○ It was involved in at least six accidents between 1985 and 1987,
in which patients were given massive overdoses of radiation
○ Software Engineering - NATO Software Engineering Conferences

57. Lack of regulation
57
➔ FDA 510(k) Clearance Process does not involve
cybersecurity measures
◆ “substantially equivalent” to another already
https://www.drugwatch.com/fda/510k-clearance/

58. Lack of regulation
58
➔ Lack of regulation
○ Regulation (EU) 2017/745 of the European Parliament
and of the Council of 5 April 2017 on medical devices
■ Applicable from May 2021
○ MDCG 2019-16 Guidance on Cybersecurity for medical
devices

59. Medical devices
➔ Medical devices are a black box problem
○ Patching? Updates?
○ AV? EDR?
➔ Medical devices and software must be submitted to a
S-SDLC process
○ Secure by design
○ Pentesting
○ Cybersecurity certifications for healthcare, LINCE?
59

60. Status of Healthcare Security
➔ Precarious and obsolete infrastructures
○ Highly dependant in Internet Explorer
○ Huge technology debt
➔ Lack of personal and budget
○ IT personal? IT security personnel?
➔ SPAIN
○ ESTRATEGIA DE SALUD PÚBLICA 2022
○ Cybersecurity?
60

61. Acknowledgments
61

62. That’s all folks!
carlos.cilleruelo@byronlabs.io
@carloslannister
/in/carlos-cilleruelo/
javier.junquera@uah.es
@junquera
/in/junquera
62