
The BSides DC 2016 videos are brought to you by ClearedJobs.Net and CyberSecJobs.com, tools for your next career move, and Antietam Technologies, focusing on advanced cyber detection, analysis and mitigation.

Thanks for coming to my talk. My name is Jacob Holcomb, principal security analyst at Independent Security Evaluators, and today I'm going to be talking to you about hospital exploitation, specifically attacking patient health.

Really quick, as I said, my name is Jacob. Welcome. I specialize in application and network security. I really love exploit development. Since 2012 I've disclosed approximately 100 vulnerabilities, or rather I've received a hundred CVEs for vulnerabilities that I've publicly disclosed. In total, over my professional security career I've probably found upwards of about a thousand bugs. And why do I do this? Because security is incredibly important.

Really quick about ISE: we're a hacking company. Simply put, we're computer scientists, hackers, and just individuals who like to break things, so that's what we do on a day-to-day basis. Our clients are anybody that is in need of protecting assets, so if you have a critical asset and it needs to be protected from the bad guys, that's what we're here for. The biggest difference between us and a lot of other security companies is our perspective: we primarily focus on white box assessments as opposed to the black box testing methodology.

Really quick, some of the research that we've done in the past is listed on this slide. We've done a lot of work with SOHO routers and network storage systems, and that gave birth to two very popular events today, SOHOpelessly Broken and IoT Village, which you see here. We're actually running the SOHOpelessly Broken CTF contest here at BSides DC, so if you haven't checked it out, you should go do that.

Okay, so to kind of get down to business: why hospital security is important. Security in general is very important, but when it comes to hospitals it's of greater importance, because we start talking about the well-being of individuals, and people are obviously in a hospital because they're hurt, sick, whatever. Why this is important is because hospitals are being targeted, medical equipment is being exploited, and patient health must be protected; otherwise it's very likely that a patient could die from a cyberattack.

The topics we're going to talk about today are the introduction, the [inaudible], the examined security aspects, and then the recommendations. The examined security aspects will be topics that will be covered throughout the presentation, which are basically a recap of the research that we performed over the past couple of years.

So, introduction. The goal of the healthcare research was to demonstrate that an attacker could compromise a patient, the health of a patient more specifically. We were focused on whether or not it was feasible for an adversary, from a remote perspective, to be able to induce harm to a patient, as opposed to going after medical records, which is a common vector of attack these days. This research results from our assessment of 12 healthcare facilities, two healthcare data facilities, the assessment of four medical devices, as well as the assessment of a couple of web-based applications, EHRs to be specific. And then securing patient health, very important.

Okay, so for the implementation flaws, we're going to talk about some implementation issues that arise in some of these devices. They're going to be common application and web application security vulnerabilities. Then we're going to actually dissect a couple of real-world attack scenarios. These attack scenarios are ways in which remote adversaries are able to break into a hospital and induce patient harm, and these aren't theoretical: we were actually able to do these throughout our research with the cooperation of hospitals that participated in our study. So that's kind of the meat of the presentation.

Here are the examined medical devices. I mentioned that there were four of them. Two of them are redacted, as we're currently going through responsible disclosure with the manufacturer, but we have two devices listed here from GE, and they happen to be CARESCAPE patient monitors: there's a B650 and a B850. And here is a list of some of the vulnerabilities that were found in the devices. Some pretty common things like the use of outdated software, as well as some common web vulnerabilities like cross-site scripting or cross-site request forgery, and then you have some more serious issues like command injection or memory corruption, which would lead to some form of remote exploit.

Vulnerability example number one: we're going to talk about the use of dynamically constructed database queries. This is really the vulnerability, and the attack that is common with this vulnerability is SQL injection. SQL injection vulnerabilities are the direct result of an application taking input supplied by a user and then using that in the construction of dynamic queries that are then sent to the database. It allows an attacker to manipulate the underlying query structure and access parts of the database they shouldn't have access to.

As you can see on the slide here, we actually have a web portal and we're presented with a login page. It's kind of hard for you guys to see, but this is the login page to a monitoring system for a hospital, and this allows you to monitor patient monitors, all the patient monitors that you have deployed in a hospital or on a floor, or however your deployment may work. You can't really read that, but basically what I'm demonstrating here is that we're attempting to log into this portal with the username of gimpy and some bunk password, and there is some red text at the bottom that says that the password is actually incorrect, so we're unable to log in.

On this slide I'm demonstrating that again we're trying to log in, except the username isn't just gimpy, it's gimpy and a very, very trivial SQL injection payload, you know, your comment or "one equals one" to talk, and then just a bunk password. Here it's showing the interception of the request going from the client to the web server, and it happens to be in a binary format; in this particular case it was AMF. You can actually see the highlighted payload, the "gimpy or one equals one" payload, and when that was sent to the server we're given this magical response that is different than what we saw when we were unable to log in. So that's kind of interesting. As soon as our browser receives this response we're presented with this lovely page, and we're essentially able to bypass authentication by injecting a very trivial payload.

So the very common example of SQL injection that you may have learned about when you were first, I don't know, curious about what SQL injection is exists in a medical device that is used within a hospital. It kind of shows you the state of security of these devices: it's fairly weak.
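As an added example (not code from the talk or from the GE product), here is a login check written the way the talk describes, pasting the username into the query text, beside a parameterized version of the same check; the user table, the gimpy account and its password are constructed for the demo:

```python
"""Added example: the same login check built two ways.

`login_dynamic` concatenates the user name into the SQL text, which is the
'dynamically constructed database query' pattern the talk describes.
`login_parameterized` keeps the SQL fixed and binds the values.  The user
table and the gimpy account are constructed for this demo; the unsalted
sha256 stands in for whatever password hashing the real portal uses.
"""
import hashlib
import sqlite3

# Constructed sample account (user name from the talk, password made up).
_USERS = [("gimpy", hashlib.sha256(b"correct horse").hexdigest())]


def _db() -> sqlite3.Connection:
    """In-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return conn


def login_dynamic(username: str, password: str) -> bool:
    """Vulnerable: raw user input becomes part of the query text, so a quote
    in the name ends the string literal and the rest is parsed as SQL."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND pwhash = '{pwhash}'"
    )
    (count,) = _db().execute(query).fetchone()
    return count > 0


def login_parameterized(username: str, password: str) -> bool:
    """Hardened: the query text never changes; the name and hash travel as
    bound parameters, so quotes and comment markers are just data."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    (count,) = _db().execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pwhash = ?",
        (username, pwhash),
    ).fetchone()
    return count > 0


# The trivial payload from the talk: close the quote, OR in an always-true
# condition, and comment out the password check that follows.
INJECTED_USERNAME = "gimpy' OR 1=1 -- "

if __name__ == "__main__":
    print("dynamic, bunk password:        ", login_dynamic("gimpy", "bunk"))
    print("dynamic, injected username:    ", login_dynamic(INJECTED_USERNAME, "bunk"))
    print("parameterized, injected name:  ", login_parameterized(INJECTED_USERNAME, "bunk"))
    print("parameterized, right password: ", login_parameterized("gimpy", "correct horse"))
```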
The next attack example we're going to talk about is insufficient input validation and output sanitization, and this refers to a very common web-based attack known as cross-site scripting. Again, like most vulnerabilities, cross-site scripting results from the application taking raw user input and then using that without properly validating or sanitizing the output. This is a less complex example, just showing the typical JavaScript alert box saying, hey, medical-device cross-site scripting. This is the GE CARESCAPE monitor, as you can see the GE Healthcare logo on the top right.

Vulnerability example number three: we're going to discuss the failure to canonicalize file paths, and this results in a directory traversal attack, also known as a dot-slash attack. Again, the result of the application taking input without properly validating it.

Okay, so here we are showing the GE CARESCAPE, and while we were playing around with this device we had noticed that there was some functionality to view log files. We clicked on the view logs button, as you can see in the left-hand panel, and we were presented with these sub-modules for viewing logs. When we clicked on one of these buttons, we see that the device, excuse me, the client, our web browser, issues an API request to the server, and there is this GET request to the "view log file" .cgi file, and there's an HTTP parameter that is passed called "link name". If you notice the value of link name, it looks awfully familiar, similar to a file path, and sure enough /var/log/messages is a file that exists on a Linux system, and if you were to request this file you're going to get the messages as well.

Well, we can play around with that again and use the dot-dot-slash sequence and just back up a little bit, and then we're going to go back into the /etc directory and access shadow. As you guys know, this attack would succeed if the application was vulnerable to directory traversal and if we had permission to read the shadow file that's owned by root. Hopefully this doesn't work... oh crap, it works.

All right, so there are two serious issues here. One, we've demonstrated that an attacker is able to identify and exploit a directory traversal vulnerability, and we've also demonstrated that the web server that is running this vulnerable application is running with root permissions, or at least the code that was accessing that file was privileged, so we were able to read files owned by root. Essentially any file on the file system we're able to access through this vulnerable application.
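As an added example (not code from the talk or from the device's firmware), here is the "view log file" lookup written the unchecked way the talk describes, beside a version that canonicalizes the requested path and confines it to the log directory, symlinks included; the directory layout, the planted symlink and the parameter values are constructed for the demo:

```python
"""Added example: confining a 'view log file' request to the log directory.

`vulnerable_log_path` mirrors a plain join of the client-supplied path;
`confined_log_path` canonicalizes the request and refuses anything that
resolves outside the log directory.  The tree built in demo() and the
'leak' symlink are constructed for this demo.
"""
import os
import tempfile


def vulnerable_log_path(log_dir: str, linkname: str) -> str:
    """Joins without canonicalizing: '../' walks out of log_dir unchecked."""
    return os.path.join(log_dir, linkname)


def confined_log_path(log_dir: str, linkname: str) -> str:
    """Resolve the request and require the result to stay under log_dir.

    realpath() collapses '..' and follows symlinks, so the check sees the
    file that would actually be opened, not the string the client sent.
    """
    if os.path.isabs(linkname):
        raise ValueError("absolute paths are not accepted")
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, linkname))
    # commonpath rather than startswith: /var/log must not accept /var/log2/x.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{linkname!r} resolves outside the log directory")
    return target


def demo() -> dict:
    """Try each request both ways inside a throwaway directory tree.

    Constructed layout: <tmp>/log/messages, <tmp>/etc/shadow, and a symlink
    <tmp>/log/leak -> ../etc/shadow planted inside the log directory.
    Returns {request: (what the vulnerable join opens, what the confined
    version opens or 'REJECTED')}, both relative to <tmp>.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)  # keeps the relative paths below clean
        log_dir = os.path.join(tmp, "log")
        etc_dir = os.path.join(tmp, "etc")
        os.makedirs(log_dir)
        os.makedirs(etc_dir)
        with open(os.path.join(log_dir, "messages"), "w") as fh:
            fh.write("kernel: constructed log line\n")
        with open(os.path.join(etc_dir, "shadow"), "w") as fh:
            fh.write("root:CONSTRUCTED-HASH:::\n")
        os.symlink(os.path.join("..", "etc", "shadow"),
                   os.path.join(log_dir, "leak"))

        results = {}
        for req in ("messages", "../etc/shadow", "leak", "sub/../messages"):
            opened = os.path.normpath(
                os.path.relpath(vulnerable_log_path(log_dir, req), tmp))
            try:
                confined = os.path.relpath(confined_log_path(log_dir, req), tmp)
            except ValueError:
                confined = "REJECTED"
            results[req] = (opened, confined)
        return results


if __name__ == "__main__":
    for req, (vuln, safe) in demo().items():
        print(f"{req:16} vulnerable -> {vuln:12} confined -> {safe}")
```

The confined version still needs the CGI process to run unprivileged; confinement limits which names are accepted, and dropping root limits what a bypass could read.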
The next vulnerability we're going to discuss is the use of outdated software. In a lot of cases the severity of this issue could be on opposite ends of the spectrum, right? You could have, I don't know, a simple information disclosure that may be rated as a low severity, or you could have a vulnerability that leads to remote code execution that would be rated as a high or critical severity. So when you see this classification of use of outdated software, the end result could be disastrous or it could be fairly benign.

In this case we were just looking around at the system and we had noticed some interesting files, and these interesting files made us look at some bugs that have been recently published, and a big one is Shellshock. Quick show of hands, who's familiar with Shellshock, or the bash shock bug? Most of you. As you should be. Awesome.

Really quick, this bug exists in bash and it's the result of improper or inadequate parsing of function definitions. What actually happens is, if you have an environment variable and that environment variable contains a function definition, whether it's correct or not, it just has to be syntactically correct, any trailing characters are going to be interpreted and actually executed. So what you can do is set up an environment variable to contain a bogus function definition and then have whatever attack string that you want to execute following the definition, and bash will go ahead and incorrectly parse it and execute those commands. That's pretty awesome.

So like I said, we were playing around with the device, and again I mentioned CGI files when we were talking about directory traversal. Here it is again, the view log CGI. Hmm, that's pretty interesting, given the way that CGI files are handled by certain web servers. Maybe, maybe not, might this thing be vulnerable to Shellshock? So really quick, knowing that it leverages CGI, knowing of the existence of Shellshock, we quickly constructed a payload, and there's a picture of my colleague's terminal here, Jake Thompson; he's actually sitting in the audience over here, so hello Jake.

As you can see we are using curl. It actually might be hard for you to see, but we're using curl, and basically we're going to make a POST to this web server, and in the User-Agent we have a function definition, which by the way, the User-Agent gets set as a specific environment variable on *nix-based OSes, and this is part of the reason why that's going to work. So we have our function definition, and then after it we have an attack string starting with the word bash, and really what that is is running bash in interactive mode. Then if you notice the redirection, we're going to read in from /dev as the input to the bash interactive mode, and the /dev is actually going to make a connection to us, because we're going to use the TCP device to connect back out to us, and then use some input redirection to be able to interact with this shell in interactive mode. So we send this to the server and, fingers crossed, BAM, reverse shell.

Okay, so we were able to compromise this device without authentication, from a remote perspective, using a well-known vulnerability. As you can see we have the shell: whoami, root. I'm talking really fast.
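From the defender's side, the same property the talk relies on (a CGI server exporting request headers as environment variables, and bash acting on a value that starts with a function definition) is what makes these probes visible in a web server's access log. As an added example (not code from the talk), here is a small detector run over constructed combined-format log lines; addresses, timestamps and the CGI path are made up:

```python
"""Added example: spotting Shellshock-style probes in a CGI server's log.

Bash acted on an environment variable whose value begins with a function
definition, '() {', and CGI exports headers such as User-Agent and Referer
as environment variables.  So a defender looks for header values that start
that way.  The log lines are constructed for this demo (Apache combined
format); client addresses and paths are made up.
"""
import re

# A function definition at the very start of a header value.  Bash keyed on
# the literal "() {" prefix; the pattern tolerates extra whitespace so that
# spaced-out variants are caught too (deliberately a little over-inclusive).
FUNCTION_DEF = re.compile(r"^\s*\(\)\s*\{")

# Apache combined log format; only the fields used below are named.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_function_definition(value: str) -> bool:
    """True if a header value starts like a bash function definition."""
    return FUNCTION_DEF.match(value) is not None


def flag_shellshock(lines):
    """Return (client ip, request line, header) for every log line whose
    Referer or User-Agent begins with a function definition."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        for header in ("referer", "agent"):
            if is_function_definition(m.group(header)):
                hits.append((m.group("ip"), m.group("request"), header))
    return hits


# Constructed sample log: one normal CGI request, two probes (one via the
# User-Agent, one via the Referer), and a benign agent string with braces.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2016:10:14:02 -0400] '
    '"GET /cgi-bin/example.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Oct/2016:10:14:07 -0400] '
    '"POST /cgi-bin/example.cgi HTTP/1.1" 200 0 "-" "() { :; }; echo probe"',
    '198.51.100.23 - - [22/Oct/2016:10:15:41 -0400] '
    '"GET /index.html HTTP/1.1" 200 1337 "() {:;}; echo probe" "curl/7.47.0"',
    '198.51.100.23 - - [22/Oct/2016:10:15:42 -0400] '
    '"GET /index.html HTTP/1.1" 200 1337 "-" "Mozilla/5.0 (X11) Gecko () {}"',
]

if __name__ == "__main__":
    for ip, request, header in flag_shellshock(SAMPLE_LOG):
        print(f"{ip:15} {header:8} {request}")
```

A log match is an after-the-fact indicator; the durable fix is a patched bash on the device.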
All right, so now we're going into attack anatomies. Really quick, we have a picture that has a list of locations of various hospitals that were part of our study.

Really quick, attack anatomy number one: we're going to basically own a hospital from a remote vantage point, and how are we going to do that? We're going to go in through an external web application. So what are the attack steps here? Well, as a remote adversary wanting to break into a hospital, I need to figure out how to break the perimeter of the hospital first, right? So obviously I need to circumvent the perimeter. Once the perimeter has been circumvented and we're inside the network, we have to pivot within the hospital, and once we are pivoting we have to compromise an end system, and then we hopefully profit.

Okay, so how do you circumvent the perimeter? Well, first you have to identify external endpoints, and in this case, while we were working with the hospital, we were looking at their IP range and we had found an endpoint that was used for, I guess, data collection. I've got to be careful with some of the details that I reveal to you guys. So they used this endpoint for data collection; it was exposed without authentication. We figured this would be a great avenue of attack, so we started messing around with the external web server and the application, and we attempted to identify and obviously exploit vulnerabilities. Once we owned the web server, we had a system on the network; we were essentially in a privileged location, and from there we had to go further into the network. How do you do that? You're going to have to map internal systems, and then from there you're going to continue to pivot, and that's the exploitation of identified systems.

Okay, so as you're pivoting through the network you need to have an end goal in mind, and our end goal was to find and compromise a medical device that would allow us to induce harm to a patient. So here quickly is a demo. These demos aren't live demos, but I will talk to you about them as they're going.

So, could somebody kill a patient from another country? The answer is yes. What we were able to do is demonstrate that a remote attacker could compromise an external-facing web application using SQL injection vulnerabilities and file inclusion vulnerabilities. I had to redact that from the presentation, sorry guys. Then from there they're able to pivot throughout hospital machines on various network segments, and from there you compromise a vulnerable medical device and you can induce harm to a patient, and they may fall over just like that. Maybe, maybe not. So yes, from an external perspective you can definitely induce harm to a patient, and you profit; the profit is harming your patient.

Attack anatomy number two. Okay, so this is kind of interesting. I just demonstrated, or at least talked about, how it's possible for an attacker from a different country or some remote location to harm a patient, and this next attack anatomy is local, but arguably it's remote. What I mean by that is we're going to leverage a guest kiosk, and the vantage point is the hospital lobby. So again, as usual, we have to circumvent the perimeter of the hospital network, we have to pivot within the network, and then we have to compromise an end system, and profiting is going to be the harming of a patient.

Here is a picture of one of the hospitals that we've actually attacked, and there's an arrow pointing to a guest kiosk. Really quick, this kiosk was used for visitor registration. You can go up to it, it's in a kiosk mode, type in some data, and it will print out a banner or a sticker, whatever you want to call it.

Okay, so circumvent the perimeter. We talked about the hospital kiosk; it's in kiosk mode. There's no ability for an attacker to do anything other than interface with this kiosk mode. So you start thinking, okay, what is this kiosk? Well, it's obviously a computer. We see that there aren't any physical connections, so it's obviously connected to the network over wireless. Okay, well, that's good to know. How might these technologies be implemented? So you kind of start thinking about what a kiosk is, what's involved, and how somebody would have implemented it, and a common thing that you find these days is that a lot of kiosk modes are actually web applications. So I got to thinking, okay, maybe it's a web client, let's play around. As we're playing around we had figured out that, oh hey, there is no Windows key, there's no way to escape out of this mode, but it is a web client. What about right-click? Can you right-click? Sure enough, it's a web page and you get this awesome dialog box that says "view source" or "view page source". You can click on that, and all of a sudden you get a lovely developer-tool-like window that has all of the source code for the page. That doesn't sound very useful, does it? Not in isolation, but that window also happens to have a save button. Okay, so go File, Save. What happens? You get this nice little pop-up dialog that's allowing you to browse your file system and choose a location to save a file. Something you may not know about Windows is, in that little save dialog, if you navigate to a file and hit Enter, the file is going to open. Well, cmd.exe is a file, isn't it? Yes. So we did exactly that, and this picture shows it: we navigated to cmd.exe, immediately got a command prompt, and behind the command prompt you can actually see the save dialog that I'm referring to.

So, awesome, we have a shell. Sweet. What can you do with it? Well, I don't know, pivot? Yeah, absolutely. So the user on this machine was actually a domain user, and this kiosk was connected to a privileged Wi-Fi network. This hospital had a guest wireless network; this was not attached to that, it was attached right to the privileged network, so immediately we had a domain user on the privileged network. From here we're able to pivot. So again, just showing you a closer, zoomed-in picture of the terminal: there are two arrows, the bottom arrow is just showing, hey, look, a kiosk machine, and the second arrow is just pointing to a reflection of me that has my visitor band on. The next picture here is from our shell. We're pretty much able to do whatever we want, and I'm just demonstrating that we had the ability to download and execute code. In this particular example I'm showing the use of the PuTTY client: we downloaded it, executed it, and from there we were able to leverage secure shell to help pivot throughout the network. Yeah, port forwarding is awesome stuff. From there, compromise an end system, a medical device, and you just continue pivoting until you find the individual or device that you're after, and you kind of profit.

So, oops, sorry, another demo. Could somebody kill a patient from a hospital lobby? Well, the answer is yes. Just kind of recapping what we did: broke out of the kiosk mode, we got a command prompt, from the command prompt we were able to download code and from there pivot throughout the network, as you'll see in the video, and then as we pivoted through the network we identified devices, compromised the devices, and then you're ultimately able to harm a patient. This video is a little different; it's showing an actual barcode scanner. One of the devices we were able to reach was a medical dispenser, or medicine dispenser, I forget exactly what they call them, but you're able to change the prescription that was administered to a patient.

So we've now demonstrated that from a remote vantage point, whether it's across the street, another country, wherever, and from within the hospital, but arguably remote, you're able to induce harm to patients. The third attack anatomy is strikingly different than the first two, but it's probably going to result in the same way.
i've noticed i said a result a lot in this presentation by the way anyway so attack anatomy number three social engineering our overview here or objective here is instead of cracking the perimeter like we've done in the past you we're going to crack the health care practitioner how are we going to do that we're going to exploit the human factor ultimately we're prying on in individuals I guess innate ability to trust everybody vantage point who knows I mean you could be anywhere this really depends on the type of attack that you're trying to carry out its really quick social engineering I'm sure most of you are but who is not familiar with social engineering nice awesome okay so
really quick social engineering the use of deception to manipulate individuals so that's kind of a politically correct way to put it but in other words you're lying to people to get them to do what you want so okay how did this attack word well we decided to actually leverage USB devices as opposed to a fishing campaign yeah that's pretty pretty much the main avenue for social engineering so we prepared malware infected USB sticks and we deliver the stick to the hospital and drop them off in various locations we waited for infection and then you profit so preparing malware infected USB sticks here is a picture of one of the USB devices that we actually used they
happen to be rubber duckies you guys familiar with rubber duckies yes cool rubber duckies really quick that's a tool developed by hak5 it's hid device to where there is a ducky scripting language which is ultimately a way to interface with their devices and yeah delivering the malware USB sticks so once we prepare these sticks how did we infect the hospital well we pretty much walk in the hospital just like we did when we access the lobby and we just drop them off in any location that we could access so anywhere from a nurse's station front desk cafeteria you name it any area we were able to access we dropped him off and we dropped about 20
devices off so now we have to wait this is the boring part but it always ends with smiley faces so you're right somebody else may be smiling but yeah so we keep waiting wait wait wait wait wait and all of a sudden thing we caught our first fish so within 24 hours somebody had plugged in a drive and it's ultimately game over wow what just happened okay so another demo for you so could a USB flash drive kill a patient the short answer yes so as I said we prepared these malicious USB sticks we dropped him off in various locations in the hospital some unsuspecting users picked these flash drives up and in some cases plug them in one or more times and
from there it's exactly as I said once they plug in that drive we have access to a machine pivot the network you find a medical device or the patient you're after and it's game over and I'm sorry to say but score bad guys three score hospital 0 or negative 3 I guess so yeah you profit okay examined security aspects now we're going to talk about the human factor this is interesting so I just talked about the social engineering attacking out of me and how you can leverage a malicious flash drive to compromise a hospital and ultimately induce harm to a patient now we're going to actually talk about a more benign payload that was leveraged
in these devices and this was used for data aggregation so basically we conducted a separate USB experiment we wanted to know how many people would plug these devices in and what types of individuals and when I when I say what types of individuals I'm referring specifically to their role within the hospital would it just be you know healthcare protection practitioners such as nurses or doctors or where we start seeing help desk and maybe you know higher level not technical engineers plugging these devices in as well these flash drives consisted of a PowerShell pelo this was the meat of I guess the attack and it required a logging server which I wrote in PHP just essentially a
very small concise server that leverages a couple of API calls the log data and we're going to gather information about the victim the IP address the username computer name and device ID so here's a picture of the flash drives of the of a rubber ducky those beautiful hie devices there's so much fun here is the attack payload that was used very hard for you guys to read I apologize but it's just a ducky script what's important is the highlighted part here which you may or may not be able to read but really all that we're doing here is invoking an instance of the PowerShell web client class and then calling the download string method on that objects and what
that's going to do is just issue or a web request and it's going to call my API with the data that we gathered and here is the table of results so on this table it's hard for you guys to read we we call it several fish we had several nurses plug in these devices we've had network engineers plug in these devices so some of their core administrators that we actually worked with throughout the course of our research yet they plugged in these devices as well as some hospital executives so we pretty much compromised all layers of a hospital pretty much any department you would want to have access to yeah we definitely gained access to
it yeah the Lenovo pcs yeah it division of responsibilities so this is kind of a unique thing in that not every hospital is in this has this predicament but while we were while we were working with some of the engineers in the hospital they've actually oftentimes were heavily distracted doing I guess out of them I don't want to call them meaningless but less important tasks such as resetting a user's password so you have individuals who are combating malware infected machines who are then interrupted to go and Risa you know Joe schmo's password so there's definitely a discrepancy between what responsibility what is the responsibility and whose role is responsible for the responsibility okay so examine security aspects we had the
use of outdated software systems with known malware infections missing or unenforced security policies undocumented systems and unregulated vendors all of which led to disastrous things that we'll talk about so the use of outdated software within the hospital we found a large number of windows XP machines as well as windows server 2003 we all know that server 2003 and XP are no longer supported and pretty much I don't want to say okay lots of servers and workstations are missing security patches that's a very polite way to say it so really quick we I mentioned in Windows XP server 2003 that's pretty terrible as attackers we get really happy when we see those types of things this has nothing to do with
the hospital but it could you could arguably make a point that maybe hospitals are a little more secure than I don't know other industries such as airlines I was boarding an aircraft and happened to notice a windows 98 computer booting up yes that's reassuring you know knowing that the 747 47 that I'm flying on is you know operating on windows 98 it's pretty cool so if that's not frightening I don't I honestly don't know what is we are i mentioned systems with known malware infections so i have a screenshot here that's actually showing an antivirus engine and it detected some web-based exploit and there are quite a few files that are infected according to the AV engine well
this is a hospital computer more importantly this is a computer that's actually running a pharmacy within a hospital and it has no malware infection I also think the people responsible for running this machine are avid shoppers as they have multiple instances of coupon printer service Exe running and listening on various network ports they just must be looking for some great deals I I don't know or maybe they're just handing out free shells to everybody either way it's no bueno ok so I'm missing and unenforceable see hospitals appear to have very little I guess secure computing policies there really isn't a whole lot of I guess training that goes into informing staff what they should and shouldn't do in a
computer an example would be every individual that you know picked up and plugged in one of our flash drives they're obviously haven't been you know clearly instructed on common techniques of comments social engineering techniques a lot of this stuff is exemplified by earlier topics of discussion the use of outdated saw where you have a bunch of systems that are running out data software you probably don't have a policy that is for you know patching your systems systems with no malware infections again if you are aware of a system of the malware infection you should have some protocol for handling said system if they're just running rampant on your network and you're not really doing anything to
remove them from your network it's indicative of a of a lacking or absent policy and then I already mentioned the using untrusted peripherals but that's a really big one don't plug in flash drives you find on the ground I I don't know what else to say so undocumented systems this is great so we're actually in the net in the hospital we were performing a port scan we identified some outdated I believe those like davian six or something some really old machine and we actually inquired with the hospital one of their engineers and we asked them you know what was the purpose of this machine and where was it located well unfortunately they didn't know the answer to either of those
questions so this is exactly what happened they they couldn't find the machine so they had to literally trace ethernet cables from their server room to patch panels to you know to the room where the server ultimately resided funny stuff so unregulated vendors what do I mean by that well something I didn't know until I actually got into I guess hospital security i'll call it was that in a hot within a hospital network there are several different departments an example all uses the pharmacy the pharmacy from the hospitals that we looked at wasn't directly affiliated with the hospital they're kind of like a contractor so to speak so what happens is these external contractors i'll call
them comes into the hospital the hospital engineering team kind of sets them up with an environment to deploy their computer systems and then they're left unchecked so to degree you could think of the hospital acting as an ISP but what ends up happening is that the vendors end up dictating to the hospital engineers how the network should be arc heck did you know what types of systems and data should be permitted through a firewall or through other network segments and it ends up leading to a very insecure environment for the hospital as a whole and I guess it what boils what happens next what am I trying to say of the security issues okay so
yeah, with these environments that are deployed by vendors, excuse me, I lost my train of thought. These vendors deploy these environments, the hospital takes a very hands-off approach, once it's up and running they don't question anything, and because of that the systems that reside on these networks end up becoming, I guess, subject to attack and in some cases compromised, as I demonstrated with the malware infections, and the IT staff just ignores them. Their hands-off approach: it's not their problem.

So what do we do to kind of address these issues? Emphasis needs to be put on the fact that patient health is more important than patient health records. Okay, so that's a big thing. In a lot of cases today you'll hear hospitals or manufacturers of medical devices talking about HIPAA and other compliance standards that I guess are their core focus. Well, I can tell you in most cases none of these standards state that the health or the well-being of an individual is a concern. They're more or less concerned with the confidentiality of data about the patient, right? So the health of the patient is irrelevant; the information about the patient's health is relevant. So there kind of needs to be like a paradigm shift as to what is the focus, or what should be the focus, of security in hospitals. IT staff
need to take control of their networks from device vendors. It should really be the opposite way around, or the reciprocal of what I said. Can somebody tell me when was the last time you dictated to your ISP what your bill should be, or how much bandwidth you should have? That's probably never happened, and in this case vendors shouldn't be dictating to hospital IT staff how their network should be run and operated.

Threat modeling. Threat modeling is very important. Ultimately, there we go with the "ultimately," it allows you to quantify the risk posed to an organization by identifying all the possible threat actors, your assets, and vulnerabilities. With a proper threat model you're not going to be invulnerable to attack, but you're definitely going to limit the damages should you be attacked and actually compromised.

And then finally, FDA regulations are way too strict, hardware and software certification specifically. Some medical devices have to be certified, and once they're certified, if any change is made to the device, that entire certification process has to be gone through again, and that's very costly to manufacturers. So oftentimes they decide to ignore security issues, or ignore other types of issues, unless they're forced to address them. Hold on one second. And yeah, that's pretty much my presentation. Thank you guys, I appreciate it. I spoke incredibly fast, so we have more time for Q&A than I had expected, so I guess that's a positive thing, or negative, fun. So yeah, I guess I'll open up the floor to questions.

Yes? So the specifics of the certification process I'm not intimately familiar with, but I do know that, you're right, so I know that there is a clause that certain changes are permitted without the device having to go through a recertification, but if you were to address, let's say, one of those web vulnerabilities that I had discussed
earlier in the software and it produced a new firmware file, I'm pretty sure you're going to have to go through that certification process again. Yeah, right, yeah.

Right, yeah. Case in point.

Interesting. No, I'm not familiar with that. If you have more information I'd actually like to talk to you about it. I'm not... I dunno. I Am The Cavalry? Yeah, okay. Yep, okay, cool. Thanks for the tip, I appreciate it. Any other questions? Yes. Can you repeat your question?
Yes, so they would be one of the vendors. And actually I forgot to mention that in this talk, but I mentioned the malware infections: there was one hospital that had a Starbucks in it, as well as some other, I guess, food places, whatever, and they had a cash register that went down. The cash register actually had a bunch of database errors, and one of their engineers received a phone call from an ISP, actually, and somebody was actually being DDoSed by this hospital, and the hospital found out that they were compromised because somebody called them and told them, hey, you're attacking me, quit DDoSing me. So their solution to the problem was to just block the outgoing ports for that machine. They didn't touch the machine. I mean, forget that you have malware running rampant on your network, you know. So to answer your question, yes. Yeah.
Yeah, so really most medical devices, and I'm going to make a point here, so most medical devices these days are IP-enabled. They have the ability to be controlled over a network, so to your point, yes, it's definitely true. Now, the devices that we looked at were passive devices, meaning that they were monitors. They didn't actively administer medications, other than that one medicine dispenser thing I talked about. So yeah, to your question, yes, there are machines such as insulin pumps and other machines, like X-ray machines, that are controlled over the network where you could definitely actively harm somebody. The devices that we looked at being passive, we would, I guess, manipulate the type of information that was reported to a nurse, and the wrong type of medication would be administered. But yeah, any medical device you can think of, it's IP-enabled. Any other questions? Over here, yes. I have no idea. I still don't think they know what it was being used for, but at least they found it. Yeah, that's what it was; it ended up being a vendor. Yeah, okay, that's why. Okay.
Oh man, I don't think any time is spent on security. That's just my opinion, I can't say that definitively, but I would say little to no effort at all. Any other questions? Yes. Oh, we're definitely gonna see more of it. So like a couple of years ago, I mean, SOHO routers have been known to be vulnerable for a long time, right? A couple of years ago I had talked about them being incredibly vulnerable, so have many other researchers, and what ended up happening is we started seeing malware targeting these devices. There was the Moon worm; the Moon worm compromised a bunch of Linksys routers, they were using a botnet. We recently saw this botnet that was made up of DVRs and a bunch of cameras. I mean, this is in the news like as of yesterday. So to your question, yes, these devices are going to continue to be compromised, hospitals are going to continue to be targeted, and in a lot of cases I feel like it's actually going to get worse, as the focus has currently been on getting into a hospital or compromising the health records of a patient, but not actually killing people. Like, we haven't actually seen in the real world somebody compromise a hospital in an attempt to kill somebody. When that happens I think people are going to have a rude awakening, you know, that this is an issue that needs to be addressed. So yeah, I definitely think this is going to continue to happen. Any other questions? Yes. Yeah, right.

Great.
Yeah, I knew it was a multi-month process. I thought it was closer to like a six-month window, but you said board as well? Wow. Yeah, so in a lot of cases network segmentation would reduce the impact of an attack, right? It doesn't make you invulnerable. You can make a lot of these systems inaccessible to an attacker, but again, all it would take is somebody to plug a flash drive into a network segment that has a vulnerable device, and from there it's game over. Any other questions? Yes.

Yeah, it's definitely gonna depend on the hospital, right? Not every hospital is architected in the same way, and what I mean by architected, I mean the network and the servers. But yeah, it's gonna depend on the hospital. But really what we had found is that there wasn't a single hospital that we evaluated that had any type of cross-network access control, so once you were on the internal network, even though things were properly subnetted, you could just pivot between the networks freely. So, any other questions? No? Well, thank you guys for coming to my talk, I appreciate it.