I'm Not a Doctor but I Play One on Your Network

Video thumbnail (Frame 0) Video thumbnail (Frame 3480) Video thumbnail (Frame 5204) Video thumbnail (Frame 7700) Video thumbnail (Frame 9053) Video thumbnail (Frame 11138) Video thumbnail (Frame 13606) Video thumbnail (Frame 15526) Video thumbnail (Frame 16765) Video thumbnail (Frame 18354) Video thumbnail (Frame 20140) Video thumbnail (Frame 22369) Video thumbnail (Frame 24255) Video thumbnail (Frame 28113) Video thumbnail (Frame 30718) Video thumbnail (Frame 32858) Video thumbnail (Frame 33697) Video thumbnail (Frame 34877) Video thumbnail (Frame 37932) Video thumbnail (Frame 40241) Video thumbnail (Frame 42024) Video thumbnail (Frame 43906) Video thumbnail (Frame 46832) Video thumbnail (Frame 53188)
Video in TIB AV-Portal: I'm Not a Doctor but I Play One on Your Network

Formal Metadata

I'm Not a Doctor but I Play One on Your Network
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
https://www.defcon.org/images/defcon-19/dc-19-presentations/Elrod-Morris/DEFCON-19-Elrod-Morris-Not-a-Doctor.pdf How secure is your Protected Health Information? This talk will expose the world of Health Information Systems with an in depth technical review of their common protocols and technologies. Many of these life-critical systems had once relied on the security provided by air gapped medical networks. Recently, in an effort to realize savings and further share health information, medical systems have moved onto interconnected networks, opening them up to a plethora of attacks. We believe these systems have not had adequate research performed against them due to high cost and relatively low availability. Our talk will not only reveal weaknesses we have discovered in medical protocols but will create a foundation of knowledge for researchers who want to continue investigation of these systems. We will release findings and vulnerabilities that were discovered during the course of this research as well as fuzzers designed to allow penetration testers and researchers to further assess healthcare specific protocols for security vulnerabilities. We will take a look at healthcare specific hardware and discuss vulnerabilities related to these devices including prescription dispensing drug cabinets and the ability to dispense scheduled substances without authentication, authorization, or accounting. Finally, we will discuss how the impact of vulnerabilities on healthcare systems have changed with the introduction of large health information repositories such as the Google Health and Microsoft Health Vault as well as with countless regional and national Health Information Exchanges. Tim Elrod and Stefan Morris have a combined experience of over 10 years works specifically in the healthcare industry assessing health information systems for security vulnerabilities. Together they have audited and discovered vulnerabilities in most major healthcare specific protocols in use by health care providers today.

Related Material

Video is accompanying material for the following resource
Ramification Game controller Identifiability Real number Video game Insertion loss Process capability index Plastikkarte Fitness function Number Computer worm Software testing Medizinische Informatik Information Information security Physical system Condition number Identity management Area Modal logic Pairwise comparison Information Process capability index System programming Normal (geometry) Video game Quicksort Information security Communications protocol Identity management Row (database)
Standard deviation Identifiability Abstract data type Multiplication sign Function (mathematics) Computer programming Field (computer science) Programmer (hardware) Component-based software engineering Different (Kate Ryan album) Energy level Communications protocol Information security Physical system Standard deviation Information IPSec Projective plane Bit Message passing Interface (computing) System programming Right angle Energy level Communications protocol Row (database)
Server (computing) Modal logic View (database) Computer-generated imagery Workstation <Musikinstrument> Virtual machine Heat transfer Rule of inference Number Product (business) Negative Binomialverteilung Information retrieval Medical imaging Centralizer and normalizer Component-based software engineering Telecommunication Internetworking Computer network Core dump Set (mathematics) Row (database) Router (computing) Message passing Physical system Standard deviation Web portal Information File format Content (media) Data storage device Computer Category of being Message passing Information retrieval Telecommunication Computer network System programming File archiver Middleware Communications protocol Physical system Router (computing)
Slide rule Server (computing) Service (economics) Computer file Real number Client (computing) IP address Revision control Internetworking Computer network String (computer science) Computer worm Communications protocol Message passing Dean number Social class Physical system Authentication Service (economics) Mapping Server (computing) Forcing (mathematics) Electronic mailing list Internet service provider Client (computing) Computer network Maxima and minima Cartesian coordinate system Element (mathematics) Open set Connected space File Transfer Protocol Type theory Explosion Internet service provider Order (biology) Data Encryption Standard Social class Communications protocol
Sensitivity analysis Email Parsing TLB <Informatik> File format Length Maxima and minima Bit Sequence Metadata Element (mathematics) Number Software bug Medical imaging Type theory Message passing Crash (computing) Software Computer configuration Kolmogorov complexity Row (database)
Point (geometry) Pixel Computer file Length File format Online help Mereology Disk read-and-write head Computer Metadata Element (mathematics) Software bug Sequence Medical imaging Computer configuration Touch typing Kolmogorov complexity Codierung <Programmierung> Communications protocol Pixel Physical system File format Computer file Metadata Field (computer science) Bit Element (mathematics) Frame problem Similarity (geometry) Computer configuration Computer network Revision control Software framework Fuzzy logic Quicksort Communications protocol
Scheduling (computing) Morphing Decision tree learning Computer file Mereology Centralizer and normalizer Propagator Different (Kate Ryan album) Repository (publishing) Reduction of order Row (database) Medizinische Informatik Information Physical system Self-organization Dialect Variety (linguistics) Data recovery Shared memory Computer Instance (computer science) Uniform resource locator Data management Message passing Repository (publishing) System programming Interface (computing) Inference Row (database)
Scheduling (computing) Structural load Multiplication sign Web 2.0 Data management Medical imaging Different (Kate Ryan album) Electronic meeting system Office suite Local ring Information security Physical system Area Web portal File format Software developer Fitness function Data storage device Bit Hand fan Degree (graph theory) Software development kit Vector space Interface (computing) output Right angle Whiteboard Quicksort Freeware Row (database) Spacetime Asynchronous Transfer Mode Web portal Asynchronous Transfer Mode Game controller Content management system Computer file Simultaneous localization and mapping Computer Number Goodness of fit Operator (mathematics) Energy level output Information Validity (statistics) Correlation and dependence Database Cartesian coordinate system SI-Einheiten Error message Software Normed vector space Computer network Canadian Mathematical Society
Web portal Computer file Sequel Modal logic Simultaneous localization and mapping Data storage device Web 2.0 Medical imaging Hooking Vector graphics Cuboid output Router (computing) Local ring Physical system Injektivität Web portal Interactive television Database Bit Instance (computer science) Connected space Data management Function (mathematics) File viewer Scheduling (computing) Resultant Row (database) Spacetime
Web page Injektivität Proof theory Presentation of a group Hooking Cuboid Bit Data storage device Software bug
Web page Multiplication sign Modal logic Directory service Mereology Software bug Mathematics Bit rate Intrusion detection system Computer hardware Physical system Vulnerability (computing) God Information File format Physical law Bit Database Cartesian coordinate system Data management Personal digital assistant Computer hardware Computer network Right angle Freeware Pressure Pole (complex analysis) Row (database) Spacetime
Personal identification number Slide rule Greatest element Server (computing) Computer file Directory service Line (geometry) Cartesian coordinate system Host Identity Protocol Product (business) Connected space Number Web 2.0 Web application Uniform resource locator Software Bit rate Hacker (term) Pauli exclusion principle Configuration space Cuboid Software testing Traffic reporting
Multiplication sign 1 (number) Numbering scheme Port scanner Mereology Public key certificate Web 2.0 Medical imaging Different (Kate Ryan album) Computer network Cuboid Office suite Information security Physical system Vulnerability (computing) Personal identification number Service Pack Computer Bit Instance (computer science) Numbering scheme Process (computing) System programming File viewer Remote procedure call Physical system Laptop Row (database) Authentication Computer-generated imagery Virtual machine Device driver Mass Staff (military) Computer Regular graph Operator (mathematics) Gastropod shell Single sign-on Integrated development environment Software testing Authentication Standard deviation Validity (statistics) Cartesian coordinate system Uniform resource locator Thermal radiation Computer network Computing platform Single sign-on Communications protocol Window Äquivalenzprinzip <Physik>
Email Radio-frequency identification Fuzzy logic Area
I'm Tim Elrod this is Stephon Morris we're going to talk to you today about healthcare healthcare protocols healthcare systems a penetration tester for fishnet security but doing healthcare systems and assessing those for about seven years now same here also work at fishnet only four years though so healthcare noob by comparison okay so
why would it attack her care about about healthcare systems well you know obviously they're full of personal identifiable information so identity theft medical identity theft protected health information so that's going to be any diagnosis any medical records food allergies drug allergies things like that obviously normal identity theft is always a concern but medical identity theft especially with legislation recently that says you have to have health care medical identity theft is becoming bigger and bigger also there are some political and social ramifications of disclosure of pH I for example from a political standpoint McCain in 08 if you recall there are questions about would he be healthy enough would he be fit to serve in the presidency not all those records were disclosed publicly some were but if they all were maybe that would have been worse also just embarrassing or compromising conditions for normal people or people of Fame whether that be something unfortunate like STDs or a mental health condition these things still have real social ramifications in our society also you see for real loss of life and limb some of these systems out there are exceedingly important that they just remain active that they do not break go down or are otherwise interrupted at all during treatment or during monitoring of a patient and you will also see you know blame PCI for any number of things and its ineffectiveness in any number of areas but it is prescriptive it is prescriptive from a technology standpoint and we do not have that in healthcare HIPAA does not have any sort of prescriptive guidance when it comes implementing controls so there's a lot of failure from any kind of legislation there so some of the technologies we're
going to talk about today we're going to start with to health care protocols hl7 and dicom we're going to talk kind of basically these protocols are based on a history of non-standard standards meaning that every doctor kind of insists on documenting and doing things their own way so these standards are formed by committees and as we all know standard by committee is kind of a bad thing so these standards aren't aren't very standardized they're very open a lot of unstructured data and a lot of room to make mistakes for for programmers that program these systems also you'll see that a lot of the protocols and standards were initially dreamt up during the 70's and 80's people didn't have as many off-the-shelf components for which to make pretty robust systems and so they well they were inventing wheels or reinventing wheels they did not know about so dreamt up in committees and also engineered in garages that's something we like to say because you'll see even big players today came from a not-so-distant past maybe 5-10 years ago when this was a garage project and now they are central to IT healthcare so let's talk about hl7
a little bit hl7 or health level 7 protocols and standards are basically the glue that holds a hospital healthcare system together so in a hospital you're going to have a lot of different systems that are disparate and normally wouldn't talk to each other these may be at mitten systems or billing systems or radiology systems hl7 is the glue that holds all those together it's a clear text protocol there is no security behind it when you look at the standard when it comes down to security they recommend implementing IPSec because they just don't want to write it hl7 segments are delimited by just a carriage return they're clear text segments like we said we'll go ahead and show this always start with a three letter a three-letter identifier so this msh record is basically a record of a start of an hl7 message it tells it that in the ninth normally the ninth character-filled you'll see it says adt carrot a 04 so this is an ADT message which is an admittance message that just shows basically the information of a patient so each one of these fields are pipe delimited and then the subfields or carrot delimited which makes it very very easy to fuzz very easy to write buzzers for these if you have the time to put into all the all the different fields and while we're not showing it VIII's just XML so that's really easy right so this is a v2 example v3 is just an xml output they've changed a lot but it hasn't been implemented hardly anywhere yet so so at
the core of these hl7 systems at hl7 routers these are very critical middleware to the hospitals in that they pass everything through them so if I get admitted to a hospital when I come in they're going to take all my information they're going to send it through the hl7 router to maybe a radiology machine if I have to have an x-ray over to the pharmacy machine if I have to have some medications to the billing department to bill me all of that goes through the central hl7 router so the hl7 router will take in hl7 messages and parse them based on their content and then send them off based on the rules to where it thinks they need to go these hl7 messages normally come from like EMRs and medical systems but as will look at later they can also come from malicious attackers from the internet all right
another key system that you'll see in any healthcare network is a PAC system or picture archiving and communication so these are for centralized archiving retrieval of medical images they will have various components you'll have servers for centralizing archiving and routing packs images much like hl7 sometimes they don't end up at that server they end up passed along somewhere else you'll have modalities which are just medical systems x-ray CTS MRIs they also all fall into that category and they'll communicate directly with your pack system and dumped information in there and can retrieve information and so forth while retrieval viewing is usually left up to workstations for viewing these things it can also be done over the internet with any number of portals so they've really liked to have gone web portal capable recently that's it's very new for healthcare though so often it's very messed up also mobile so take a look at those components of these systems because they are very new let's see and it is the standard format for medical image storage and transfer so at dicom is excuse me and that's what's used by these pack systems that means it is a network product protocol as well as a file format so as far as the network
protocol goes it's really easy to find it can run over TCP UDP ports 104 and 1 11 12 there's also an authenticated encrypted version that you can find on 2761 which does a maximum of des CDC and 2762 which will actually do TLS chances of finding these in the wild though is pretty low this is almost always clear text in dicom parlance client is just a SCU or service class user and a server is a service class provider or an SCP so when you see those that's all they're talking about to make a connection successfully to dicom server you're going to just need the IP port and the AE or application into the title which is just a unique string often the host name of the system now the server usually requires that the AE type that you know it's AE title in order to connect that's an almost always thing and sometimes it will verify the client's AE title and make sure it's on a list also this is sometimes restricted by IP address but those are your only protections here so no real authentication dicom as a network protocol has any number of commands it's not like FTP unlike ftp in many ways you can store where things get them move things around on the server find them check to see if the systems up with an echo command and so on and so forth it's actually pretty easy to understand and just if you're
wondering if these things are all over the Internet I realized that I had forgotten to take a picture of the slide so for this slide yesterday so I ended up just running another in map for 24 hours all over the internet and I found 875 open ports that are likely to be dicom so brute force opportunities are available so when you get into the file
format the file formats pretty typical of any number of other file formats and this is for medical images so think jpg there's a lot of metadata that can be stuffed beforehand except the amount and the sensitivity is much much higher basically you can stuff an entire medical record in the metadata that is available for any of these dicom images so you'll have a header which is pretty standard and then you'll have data elements and they're broken down and not like a TLB but more like a type with your tag ivr which is another type you're lying and then the actual value so just a little bit of complexity and this normal-looking message which would be just a data element with an explicitly are however the thing about
this file format is that it gets really really crazy and complex and how it likes to mess things and how many options that gives you to represent metadata so you'll see here this is simply an example of a data element with implicitly our defines the sequence of items of undefined length containing two items where one item is of explicit length and the other item is of undefined length and this one's not that bad so when people implement this stuff you'll find that it's almost never implemented correctly and so any dicom parsing software I have seen so far just crashes constantly and they're definitely exploit a bugs so yeah pretty terrible take a look at that and just a couple more
points on it the pixel dated the actual images you can have one or more frames almost like one or more images within it and they'll be encoded in our lead jpg JPEG lossless or the much forgotten about jpeg 2000 so there are opportunities to fuzz those things too that would parse those image formats it doesn't have the full metadata that any of those would have because it usually just strips out the encoding and uses that portion also just so you know about a little bit more the complexity some of those elements can be required conditional optional fixed length undefined length nested which I particularly like big ending in little-endian which can be negotiated before yeah okay so no problems there actually it's a huge problem retired private and a myriad of other options and so as far as some of those options ago you do have like a hundred or a thousand registered be ours for that which are just part of the data elements and there are many many more that are private and unregistered so you know do take a look at this it will fall over so
we decided we're going to do this talk we want to release some some sort of tools to try to help people look at health care systems the fact of the matter is um healthcare vendors in general um are fairly fairly bad about how it's kind of like hacking ten years ago it's pretty bad there's no protections or anything like that and they really hate to patch things and they won't we've tried to disclose bugs and head bugs sit for over a year trying to just get the vendor to acknowledge us that that there's a bug there so we figure the more people looking at this may be the better it'll be so we were going to release some fuzzies we figured we could ride on where we could just do it in peach because Michael wrote it better than us so we decided to release some peach pits you'll be able to pick those up at metaphase com the initial release will be two protocols the hl7 and the dicom both the network and the file feser we're gonna have more coming if anybody's interested in this and wants to get in touch with us and maybe give it some ideas or volunteer to code some up you're more than welcome so we'll talk a little bit
about emrs and EHRs so the EMR or the EHR you hear it kind of both ways depending on the vendor are basically just a central repository for what used to be your paper medical record so back in the day you would go to the doctor you'd have a big thick file that had all your medical records in it all that is now electronic and centrally located in an EMR or an EHR system these systems are required by recent legislation that will talk about here in a minute so they will be at every hospital if they're not now they will be soon because I have a financial interest in making that happen these basically take all the data in from different systems through an hl7 interface and into this this one central location it'll be either be at the hospital a lot of them are remotely hosted as well things like billing systems pack systems practice management systems scheduling systems things like that prescription drug systems will talk about later vital monitoring systems which will also talk about and then business partner systems so this is kind of the something new that's come about and that data is now starting to be shared between hospitals more regularly due to legislation as well so not only does your data get to say this EMR but it'll also get to all the other hospitals around this hospital to get more for instance so obviously this is you know a fairly juicy target for an attacker because all the data is in one location so health information exchanges
this is what I was talking about due to the HITECH Act that was just recently passed as part of the stimulus package all hospitals are required to prove what's called meaningful use by 2015 what meaningful use basically states is that you're going to use an EMR you're going to use an EHR and you're going to contribute and participate in what's called a regional health information exchange so these are systems that are set up by these companies to share data between hospitals so I can't go to hospital a and maybe get a script for more and they go to hospital be and say hey my back hurts to get another script for morphine things like that that's what they're what they're trying to accomplish there and reduce fraud and waste what they inadvertently do is they make data travel between all these hospitals so if I were to get an hl7 message perhaps into any amar that hl7 message that may be malicious could propagate not only to this hospital but to hospitals around the country so yeah these can be local state regional or even national and like I said data entered into one will propagate to the others indiscriminately in that brings
us to personal health records this is an interesting idea that a lot of people jumped on board with not too long ago Microsoft Health fault is the big player in the PHR space Google Health you may have heard recently that it's going to be discontinued at the start of next year so good move Google there any Google people in the audience thank you there are big fans of these yeah yeah it's not google it's it's the idea there are various others usually created by an EMR or EHR vendor and sometimes by CMS vendors that build particular CMS's for the medical industry and so you'll see that there too they're just patient facing web portals essentially that allow access to records for patients now typically when you log into one like you can set up a free account with Microsoft Health fault it will be blank and you can input your own information manually you can import it from a file or you can create a trust between you and someone else so other entities such as hospitals doctor offices your pharmacy etc and so forth and these trust can go both ways they can pull data from your PHR and they can push it this can be a one-time operation this can be in any time operation it just kind of depends on the level of control and granularity that you specify and agree to it tends to be however more open than just to let you know so one thing about health care in general is that doctors have very special ways of just kind of writing things down and documenting everything and they don't like to standardize only recently are they starting to be forced to get on board with standardizing just how they document stuff and I think that P hrs and the hrs and EMRs reflect this a lot and so you'll see the text inputs are both structured to some degree but highly unstructured in many many areas where you can input data into these systems also they'll accept nearly arbitrary file uploads not just of images that might be useful but also stuff like PDFs and other formats that we know have all kinds of security problems and would be kind of bad if a doctor inside of a network just opened up also real quick they do allow for automated data upload from medical and fitness devices so that's another way of communicating with them which is kind of interesting so to talk about Microsoft
health fault a little bit first off great documentation SDK development sandbox I love it it's really easy to work with and learn a lot about so props to Microsoft third parties can create all kinds of web and rich applications that interface with the health ball to API and it's not very hard at all data storage for health vault can follow any number of different modes so you can basically have a web portal that you created that stores all of the information in health bulb right and it's just sort of branded with your hospital your institutions name and that's a very common way of doing it or you can have some of that data reside in your local database as well as health bolt and you see that a lot when they're creating functionality that doesn't yet exist in health fault so scheduling often with the internal systems at the hospital is a pretty common reason for doing that and a lot of devices too and it's a software that you might actually install on your computer will have a local database local to your system so that's a good thing to look for if you're trying to pillage data one thing that's you know been hanging up there since i put this light on those that he'll fault doesn't seem to do much in the way of input validation at all they won't reflect bad things back to you they seem to be very good about that but they do end up being a great way to store all kinds of good vectors xss being the really obvious one for whoever might consume that pH are at a later date which brings us to the obvious most
just health records ehrs because we thought there needed to be another acronym in this space so XSS is obvious um and Caesar from that is another great result sequel injection I've seen that be passed on databases being messed with although it's pretty hard because you're a couple layers deep and then of course the file uploads so if you found some bucks with dicom images which they're expecting to see there are some viewers for dicom images that'd be a great way PDFs etc and so forth in this affects mihnea system so practice management systems Amar's EHRs pack systems hl7 routers modalities that eventually view those things or interact with them in another way PHR and other web users so some of the ph RS often have dr. portals to so that's a really easy way to take advantage of that xss for instance because i'm sure that doctor has access to a lot more patient records than you do through the PHR and also business partners and hie connected systems are a possibility we really haven't seen much of that yet but it's just a matter of getting people to let us look a little bit more so I got mad alert box as yo
yeah yeah I said that so once again like I said it's a great stored place for stored XSS Microsoft health fault is and the underachievers are particularly bad so you can just do a script alert great or your beef hook and this will show up in all kinds of be hrs everywhere if you get a little bit more creative and you actually try to bypass the minimal amount of filtering that some of them do you will get a lot more and you know
there's just a tiny bit of proof he'll fault with some with a beef hook in it and some random p hrs that our health vault enabled that popped alert boxes for me but sometimes there are even
worse and more obvious issues so last week i was just gathering some screenshots for this presentation and i was visiting some of these be hrs because the bucks come and go frankly and injector here team inject or they they found this one called spin PHR and it looked like it was probably vulnerable to a drupal bug so i'm glad they just decided to deface the page and tell everyone that hey we have your PHR because there are real consequences to
that compromise of at least every account that was accessed after the attack is trivial basically all you typically need to access a record with healthvault through the api api is a person ID a record ID and the part of the record that you want to see and these are just quits so if you post to the right part of the page with the right format of things but you it's no problem to figure out you will be able to pull back information pretty simply so they would have had access to those and the sessions going on no problem and that would have carried carried on and depending on the design of the application by the attacker they may have had access to every health all account that was still linked and trusted with that particular PHR so what they'll typically do is sometimes you'll see those person ids and record ids are used directly and they'll be leaked all over the page and this can be really easy to grab those but other times they'll actually a peach our Hobbit that uses healthvault will have its own session management and they'll typically hi the person IDs and record IDs somewhere in a database and then use those later to access your account but the thing is there static they don't change that person ID and record ID will always give that PHR access to your account as long as it remains linked that is per PHR and per application but it's bad enough so those guys inject or they had access to some stuff whether they knew it or not but this does bring up a good question though you know health care has significant breach disclosure laws but when it comes to ph ours especially things that are like helpful that are used by other people who exactly is responsible for that and who's disclosing breaches and I don't know like I'm not guessing that this is going to be disclosed at all even though it's pretty public so we did a bit of a
medical hardware review on on just some of the the different medical devices that we'd seen we took a look at a couple of vital monitoring systems these are things that monitor your blood pressure or your your heart rate things like that infusion pumps things that sit on IV poles that control the dosage of medication to you that are connected to a wireless network that can let anybody talk to them because someone thought that was a good idea we also looked at / trick prescription drug cabinets we figured since we were coming to Vegas what better stuff to do than to see how to get free oxy God so we took a look at those basically there are two vendors in that space one called omnicell the other one called Pyxis every hospital will have one of these vendors in their hospital they'll have drawers on every floor this is what the nurses go up to and you when you need a certain prescription for something they'll get it out and bring it to you we found some vulnerabilities in that that we'll talk about here in a second um we also looked at some radiology modalities file format bugs on those are pretty rampant so yeah I mean these things are are are obviously you know controlling not only patient care but but lives in a lot of cases and and they do have a lot of problems so you know we took we thought we'd take a look at him and it is kind of as scary as you would think so so you
know we kind of wrestled with putting stuff out there that wasn't particularly bad when it came to some of these medical devices as he said you know we have things like infusion pumps that are controlling the rate of drugs being put into an ivy that's uh that's something you don't just want to go talking to everyone about but this one seemed relatively harmless and it was actually as we found reported not terribly long ago in a roundabout way not necessarily for this product but the underlying product they use so i'ma sell one of the drug cabinets uses a application called on the Explorer it's war reporting and various other things and he'll just run on the drug cabinets proper its web application and it uses a funny piece of software called west wind web connect I don't know if anyone's run into it on a pin test or anywhere else but it has some problems and it's really easy to miss configure this here is editing a configuration file on west wind web connect and it's it's truly easy enough from here you just modify a couple values namely those and it becomes a
pretty simple thing to do to own it so hacker center alluded to this issue was with web connect in general but didn't say like hey you'll find us on drug cabinets but basically you just need to go to the hostname WC dll sometimes that's off a directory called w connect and just w8 till day edit config they'll pull up the previous slide more or less and you can just add an ini file for the application on the box change a line that says exe file to whatever your executable is update file the location of the new file and then whack that other URL at the bottom on number four and it will actually update that for you and start a new server with that executable so yeah there you go it's also running a system and but afterwards I suggest that you get access to the desktop of whatever is on there because you'll probably see an application running that will allow you to do some more things with the drug cabinet and like I said we we have no problem during this one out there since it's already reported so inevitably when
we're at a bar around here this week we get asked about death packets can you kill somebody with a packet unfortunately the answer is yes death packets do exist and you probably already know about them they're not anything special so these systems are required to stay up for patient care things that do for instance the systems that do things like dose high intensity radiation at cancer patients that if they go down could potentially you know nuke person you know these things are sitting on these networks and they're running systems like Windows XP service pack 1 and there are no they're not patched because the vendor claims that the Food and Drug Administration certification for that device requires it to never be patched which is not true but that's what they they they let these hospitals know and so you have these systems that sit out there for years and years and years and never get patched and if they ever go down could potentially kill somebody and we thought this was was pretty bad so these systems you know are very fragile if you're testing a hospital network please please be careful because I may be there and I don't want to I don't get nuked or something so yeah lack of operation of these systems can be bad there are targeted attacks on things like infusion pumps that could cause physical harm to a person that we've discovered again you know tosses hvac SAR very important to the HVAC systems and most hospitals will sit directly on the network heat in a hospital is bad again everybody probably has loved ones in hospitals so um you know be reasonable about this please don't disclose crazy stuff that'll kill people so right right disclose extremely responsibly uh and
that brings us to various miscellaneous healthcare notes if you're doing a pin test once again medical devices are exceedingly fragile directly affect patient care and can be down with a simple resource exhaustion so even just scans can be you know vulnerability scans can be pretty bad on these devices and can cause something just to go unreported unmonitored or worse also you'll see a one particular funny thing about hospitals and other places is that time to log in for doctors and nurses is of utmost importance this really drives a lotta policy when it comes to security in a lot of different facilities so you'll often find that authentication schemes are exceedingly lacks and this also creates problems where they think the solution is going to be a single sign-on solution or vendor that's going to come in and fix all their problems but often these systems don't work terribly well either if you've tried to wrangle one of them before you probably have a good idea also you'll see a massive amounts of remote access technology used for legacy applications and this is all going to be industry standard common stuff mixed with of course lacks authentication policies often you have the recipe for a remote access nightmare from a security standpoint these systems are typically used both internally and externally to give access to that we had mentioned before the FDA approval process and the misunderstanding of it and the miscommunicating of it by various vendors creates a lot of unpatched boxes so you know forget ms 0806 Evan you're looking at MSO 411 they're going to be out there how can like it's 2004 yeah yeah definitely it is 10 years ago so wireless is also going to be an issue in these locations handheld medical devices that will roam the room the networks are usually stripped-down Linux drivers that will only support things like web so you'll see what networks on these networks that are going to be directly connected to the hospital network because they have to talk and I have to have those to support those older handheld machines again at best maybe you'll see leap maybe peep there's going to be no sir validation or anything like that on these networks so our networks are always going to be bad also I mean these are these are public places you know everybody's usually pretty busy so walking around with antennas on your backpack seems to not get you noticed apparently so you know you can just kind of walk around and look around at those things again these are public places they have to let the public into them so you being there isn't going to go notice necessarily so social engineering in general is a huge huge problem for healthcare it's a really big issue and that the half that of the public come in they have to interact with you because it's their job but then you know bad things can happen from that also due to the lack of standardization of a lot of these protocols that we've been talking about especially dicom it is not uncommon for patients to be given a CD with their medical images on it as part of their own personal health record those medical images will not view in every dicom viewer because everybody's is a slight bit different so you'll have also have like an exe on there that's a special com viewer for those images and doctors regularly will get these CDs from patients and put them into computers and run those exe s and bring it up and look at those images so you can you can litter just take the exe and backdoor it and walk into a doctor's office and say hey my leg kind of hurts here's a picture of my broken leg and you get shells everybody and I'm afraid that's it you
can go find our pits which will be up very soon and Meddy fuzz we thought we were being clever and make it something like metaphors only led to confusion so medi fuzz calm send us an email if you want to get a hold of us and talk more about this or talk to us in QA yeah we'll be in the QA you can buy some beer I'm all it for beer so absolutely especially after this thanks guys thank you very much