
Fingerprinting and Attacking a Healthcare Infrastructure

Anirudh Duggal


  1. Fingerprinting Healthcare Institutions - Anirudh Duggal
     Disclaimer: All the views / data presented are my own and do not reflect the opinions of my employer.
  2. #whoAmI
     • Work with Philips healthcare
     • Hack anything
     • Sustainability enthusiast
     • Research on healthcare security – protocols, devices, infrastructure
     • Play guitar in free time
     • Hospitalsecurityproject.com
  3. Agenda
     • Why healthcare?
     • Beyond phishing – targeted attacks
     • How to fingerprint?
     • EMR fingerprinting
     • Fingerprinting beyond servers
     • HL7 attacks (if time permits)
     • Q&A
  4. Why healthcare?
     • Easy targets
     • High payoff
     • Still to mature in terms of security
     • Less awareness
  5. Posted on 13th Feb 2016
  6. Overall
     • Healthcare institutions are easy to fingerprint
     • They are “considerably less protected”
     • Many entry points
     • Quite many targets
  7. What to expect?
  8. And…
  9. Inside a hospital
  10. Healthcare centers and hospitals – ideal situation (network diagram)
      Elements shown: Network 1 and Network 2 on the Intranet, containing the HVAC system, lighting system, hospital servers, waste management systems, medical devices, monitoring devices, computers, phones, tablets and water controls; a NAT / bridged network with an IDS / IPS between them and the Internet; on the Internet side, other hospitals, vendor servers, vendor “service portals”, and computers, phones and tablets, each linked over encrypted communication.
  11. But what do we get? (network diagram)
      Elements shown: HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, “service portals”, security systems, guests, Internet.
  12. Basics of fingerprinting
      • Find unique but common headers
      • Be consistent
      • Use multiple tools – Shodan, Censys, Maltego
      • Verify manually
      • Use Google
  13. So what can you fingerprint?
      • Medical devices
      • Routers
      • Data center
      • EMR software
      • HVAC controls
      • Lighting controls
  14. Finding hospitals
      • Generic searches
      • Name searches
      • Hospital name searches
      • Sometimes the name is too generic
      • Narrow down search parameters
  15. Generic hospital searches
      • Hospital
      • Hospital*
      • Healthcare
      • Healthcare*
      • <name of the hospital>
      • <name of the software / protocol>
  16. Generic searches
  17. Narrowing the searches to regions
      • Narrow down searches by:
        • Country
        • Technology (HTTP(S), NetBIOS)
        • Type of infrastructure (VPN, cloud)
  18. Healthcare “chains”
  19. Narrowing down
      • Narrow down to FTP servers ;)
      • Port 80 will show interesting results
  20. But…
      • Sometimes the names are too generic
      • Narrow down technology
      • Look at other parameters – don’t fall into honeypots
      • Use Google – search for the address and verify
  21. EMR solutions
      • “Goldmine” for attackers
      • Easy to attack
      • High point of impact
      • Ransomware attacks
  22. A typical hospital scenario (diagram)
      Elements shown: EMR (electronic medical record); patient monitors / healthcare devices; LAN / WiFi / Bluetooth; doctor's PC / secretary PC; doctor's mobile / nurse mobile; other hospitals
  23. Fingerprinting EMR solutions
      • Use Shodan / Censys / Maltego
      • Searches vary on what you're trying to find
      • How I started:
        • Create a list of 200 popular EMR solutions
        • Start searching by name
        • Look for characteristics – deployment scenario, URL constructs, technology
        • Look for manuals
        • Change language – Chinese, Russian
        • Find bugs ;)
  24. Shodan
      • Can search using name
      • Fewer false positives
      • Shows ready exploits for OS
  25. Search by exploring EMR structures
      • Look at unique parameters
      • Filter by name
  26. Problem
      • Results not constant
      • Need more access to data
      • You can’t find some systems
  27. Thinking beyond Shodan
      • Shodan (Shodan.io)
        • Easiest deep web tool
        • Caches information
        • Due to the paid nature, results may vary
        • Lacks multilingual capabilities
      • Censys (censys.io)
        • Provides raw data for research
        • Supports regex and can concatenate different parameters
      • Maltego (thick client)
        • For advanced recon
        • Can fingerprint infrastructure
  28. Searching by names
  29. Multi-lingual search – Russian
  30. Multi-lingual search – Chinese
  31. Multi-lingual search – Arabic
  32. Using Censys efficiently
  33. Combining searches with Google results
      • Google gives better results with specific headers
  34. Running Maltego
  35. When everything fails
      • Some systems could not be found at all
      • Find the manual!
  36. Easy way – visit the vendor website ;)
  37. Logging on to the PACS system
  38. Cloud based EMR
      • Easy to find
      • “Scalable and reliable”
      • Many entry points – web, mobile, IoT devices
      • Google is very effective in searching for such solutions
  39. In a nutshell
      • Finding EMR is easy
      • Your EMR might be secure, other infrastructure might not be
      • Attacks go beyond your audits and process
  40. Besides servers
  41. Routers and internet access points
  42. Cams – smile ;)
  43. HVAC controls!
  44. Insider attacks
      • Generic system attacks – MITM, BSOD, network exploits
      • HL7 exploits
  45. Potential entry points
      • Hardware
        • WiFi / LAN
        • Serial ports
        • USB – firmware
        • The sensors
        • Keyboard / mouse
        • FireWire
      • Software – protocols and OS
  46. What is HL7?
      • Health Level Seven standards
      • Most popular in healthcare devices (HL7 2.x)
      • Quite old – designed in 1989
      • FHIR is the next generation
  47. HL7 2.x
      • Most popular HL7 version
      • New messages / fields added
  48. HL7 2.x (diagram)
  49. Things to know
      • | is the field delimiter; || marks an empty field
      • MSH – message header segment
      • The standards define the messages – not the implementation
  50. An HL7 message (one segment per line)
      MSH|^~&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1
      PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F
      PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF
      OBR|||||||20110504154300
      OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F
      OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F
      OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F
      OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F
      OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F
      OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F
      OBX||NM|0002-f125^pNN50^MDIL|0|0.00|0004-0220^%^MDIL|||||F
      OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F
      OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-4a16^ABPd^MDIL|0|70|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-4a17^ABPm^MDIL|0|91|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-4261^PVC^MDIL|0|0|0004-0aa0^bpm^MDIL|||||F
      OBX||NM|0002-5012^awRR^MDIL|0|25|0004-0ae0^rpm^MDIL|||||F
      OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^°C^MDIL|||||F
      OBX||NM|0002-4822^Pulse^MDIL|0|60|0004-0aa0^bpm^MDIL|||||F
      OBX||NM|0002-50b0^etCO2^MDIL|0|40|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-50ba^imCO2^MDIL|0|0|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-f0c7^T1^MDIL|0|40.0|0004-17a0^°C^MDIL|||||F
      OBX||NM|0002-f081^SD NN^MDIL|0|0.00|0004-0aa0^bpm^MDIL|||||F
      OBX||NM|0002-f03d^STindx^MDIL|0|3.5|0004-0512^mm^MDIL|||||F
  51. The same message as slide 50, shown again.
  52. The same message as slide 50, annotated with three labels: Patient identifier; Message type and HL7 identifier; Message fields.
  53. The same message as slide 50, annotated with one label: Potential Entry Point.
  54. The message from slide 50 with the pNN50 OBX segment replaced by an injected string:
      MSH|^~&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1
      PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F
      PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF
      OBR|||||||20110504154300
      OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F
      OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F
      OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F
      OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F
      OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F
      OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F
      OBX||NM|’;’;’;’;;anisdlasdkals<‘’---’;’;’;’;;anisdlasdkals<‘’---’;’;’;’;;anisdlasdkals<‘’---’;’;’;’;;anisdlasdkals<‘’--- ’;’;’;’;;anisdlasdkals<‘’---||0|0.00|0004-0220^%^MDIL|||||F
      OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F
      OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-4a16^ABPd^MDIL|0|70|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-4a17^ABPm^MDIL|0|91|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-4261^PVC^MDIL|0|0|0004-0aa0^bpm^MDIL|||||F
      OBX||NM|0002-5012^awRR^MDIL|0|25|0004-0ae0^rpm^MDIL|||||F
      OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^°C^MDIL|||||F
      OBX||NM|0002-4822^Pulse^MDIL|0|60|0004-0aa0^bpm^MDIL|||||F
      OBX||NM|0002-50b0^etCO2^MDIL|0|40|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-50ba^imCO2^MDIL|0|0|0004-0f20^mmHg^MDIL|||||F
      OBX||NM|0002-f0c7^T1^MDIL|0|40.0|0004-17a0^°C^MDIL|||||F
      OBX||NM|0002-f081^SD NN^MDIL|0|0.00|0004-0aa0^bpm^MDIL|||||F
      OBX||NM|0002-f03d^STindx^MDIL|0|3.5|0004-0512^mm^MDIL|||||F
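The slides on HL7 structure (49 and 50) and the tampered message (54) are both illustrated by the following Python example. It is an added example, not code from the deck or from any HL7 library: a minimal HL7 v2.x parser that reads the field and component separators from the MSH segment, a summary of the fields the deck labels (message type, patient identifier, observations), and an inbound validator of the kind an interface engine or EMR could run before storing a message, which rejects an OBX segment whose observation identifier has been replaced by an injected string. The function names, the shortened message (copied from slide 50 and cut to three OBX segments) and the tampered segment (modelled on slide 54 with straight quotes) are constructed for this example; MSH-2 uses the standard's four encoding characters `^~\&` where the transcript shows `^~&`.

```python
"""Minimal HL7 v2.x parser plus an inbound validator for ORU^R01 observations.

Added example, not code from the deck or from any HL7 library: it parses the
patient-monitor message from slide 50, pulls out the fields the deck labels
(message type from MSH, patient identifiers from PID, observations from OBX)
and rejects an OBX whose identifier was replaced by injected characters.
"""
import re

# HL7 v2 separates segments with a carriage return. Constructed sample copied
# from the deck's message and shortened to three OBX segments; MSH-2 uses the
# standard's encoding characters "^~\&" where the transcript shows "^~&".
CLEAN_MESSAGE = "\r".join([
    "MSH|^~\\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1",
    "PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U"
    "||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F",
    "PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF",
    "OBR|||||||20110504154300",
    "OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F",
    "OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F",
    "OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F",
])

# Constructed tampered variant modelled on slide 54: OBX-3 of the pNN50
# observation replaced by a quote/semicolon string, which also shifts every
# later field one position to the right.
TAMPERED_MESSAGE = CLEAN_MESSAGE + "\r" + (
    "OBX||NM|';';';';;anisdlasdkals<''---||0|0.00|0004-0220^%^MDIL|||||F"
)


def parse_hl7(raw):
    """Split a v2.x message into (segment_name, fields) pairs.

    The field separator is the character after "MSH" and the component
    separator is the first encoding character, as the standard defines them.
    Field n of a segment is fields[n-1].
    """
    segments = [s for s in raw.split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("HL7 v2 message must begin with an MSH segment")
    field_sep, component_sep = segments[0][3], segments[0][4]
    parsed = []
    for seg in segments:
        name, _, rest = seg.partition(field_sep)
        fields = rest.split(field_sep)
        if name == "MSH":
            fields.insert(0, field_sep)  # MSH-1 is the separator itself
        parsed.append((name, fields))
    return parsed, component_sep


def field(fields, n):
    """1-based field access that tolerates omitted trailing fields."""
    return fields[n - 1] if n - 1 < len(fields) else ""


def component(value, sep, index):
    """0-based component access inside one field, e.g. NAME in CODE^NAME^SYSTEM."""
    parts = value.split(sep)
    return parts[index] if index < len(parts) else ""


def summarize(raw):
    """Return the values the deck annotates: message type, patient ids, observations."""
    parsed, comp = parse_hl7(raw)
    by_name = {}
    for name, fields in parsed:
        by_name.setdefault(name, []).append(fields)
    msh = by_name["MSH"][0]
    pid = by_name.get("PID", [[]])[0]
    return {
        "message_type": field(msh, 9),
        "version": field(msh, 12),
        # PID-3 repeats (separator "~"); keep the identifier component of each
        "patient_ids": [component(r, comp, 0) for r in field(pid, 3).split("~") if r],
        # (observation name, value, unit) for every OBX segment
        "observations": [(component(field(o, 3), comp, 1), field(o, 5),
                          component(field(o, 6), comp, 1)) for o in by_name.get("OBX", [])],
    }


# Conservative shape for OBX-3: CODE^NAME^CODING_SYSTEM, each part from a small
# alphabet. Anything else is rejected rather than stored or forwarded.
_ID_PART = re.compile(r"^[A-Za-z0-9 ./-]+$")
_ALLOWED_VALUE_TYPES = {"NM", "ST", "TX"}


def validate_obx_segments(raw):
    """Return (segment_index, reason) for each OBX segment an interface should reject."""
    parsed, comp = parse_hl7(raw)
    problems = []
    for idx, (name, fields) in enumerate(parsed):
        if name != "OBX":
            continue
        value_type, obs_id = field(fields, 2), field(fields, 3)
        parts = obs_id.split(comp)
        if value_type not in _ALLOWED_VALUE_TYPES:
            problems.append((idx, f"unexpected value type {value_type!r}"))
        elif len(parts) != 3 or not all(_ID_PART.match(p) for p in parts):
            problems.append((idx, f"malformed observation identifier {obs_id!r}"))
        elif value_type == "NM":
            try:
                float(field(fields, 5))
            except ValueError:
                problems.append((idx, f"non-numeric value {field(fields, 5)!r} in NM segment"))
    return problems


if __name__ == "__main__":
    print(summarize(CLEAN_MESSAGE))
    print(validate_obx_segments(TAMPERED_MESSAGE))
```

Running the block prints the parsed summary of the clean message and a single rejection for the tampered one, at segment index 7. The allow-list regex is deliberately narrow: because the standard defines the message and not the implementation (slide 49), a receiving system that only splits on `|` and `^` and hands the pieces to a database is exactly where a string like the one on slide 54 does damage, so the defensive check is on the shape of each field before anything downstream sees it.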
  55. Defending hospitals
      • Secure networks
      • Have public and private networks
      • Harden routers and firewalls – have a patching policy
      • Look out for Shodan and Censys
      • Assume the network will be compromised
      • Isolate high value components
      • Encrypt and back up
      • Know your devices – vendor management
  56. Thank you: Minatee Mishra, Michael Mc Neil, Ben Kokx, Jiggyasu Sharma, Sanjog Panda, Pardhiv Reddy, Ajay Pratap Singh, Neelesh Swami, Archita Aparichita, Sagar Popat, Narendra Makkena, Kartik Lalan, Pratap Chandra, Ashish Shroff, Swaroop Yermalkar
  57. Questions?
      • anirudhduggal@gmail.com
      • Anirudh Duggal – Facebook
      • @Duggal_anirudh – Twitter; @secure_hospital
      • Hospitalsecurityproject.com
  58. Thank you
