McAfee’s security researchers announced at the Defcon hacker event in Las Vegas this week that they were able to hack into a medical network and falsify a patient’s vital signs.
Exposing this weakness is the first step in fixing security for the networking protocol used by medical devices, known as RWHAT. But it’s certainly scary to learn that hackers have yet another way to compromise security in life-or-death situations. This kind of warning is par for the course at Defcon, where federal security officials and black hat and white hat security experts mingle on neutral turf. Earlier at the event, McAfee released a report on North Korean malware, which is aimed at corporate security professionals.
The protocol is used in some of the most critical systems in hospitals, wrote McAfee researcher Douglas McKee. Even more concerning, McAfee was able to modify the vital sign data in real time, feeding false information to medical personnel to make it look like a patient was flatlining. The researchers were able to switch a patient’s displayed heart rate from 80 beats per minute to zero within five seconds. It goes without saying that the ultimate aim is to improve the security of the devices, not to give malicious hackers something new to attack.
McKee said that lack of proper authentication also allows rogue devices to be placed onto the network and mimic patient monitors. The researchers were focused on the general lack of security mitigations in the medical devices field, the risks these threats pose, and techniques to address them.
“In recent years, there has been more attention paid to the security of medical devices; however, there has been little research done on the unique protocols used by these devices,” McKee wrote in a paper for the talk, “ … health care systems that medical personnel take advantage of to make decisions on patient treatment and other critical care use central monitoring stations. This information is gathered from many devices on the network using uncommon networking protocols. What if this information wasn’t accurate when a doctor prescribed medication? What if a patient was thought to be peacefully resting, when in fact they are under cardiac arrest?”
McAfee’s Advanced Threat Research team and Shaun Nordeck, a medical doctor, studied the weakness in the RWHAT protocol, which is one of the networking protocols used by medical devices to monitor a patient’s condition. They described the security problems in the relatively unknown protocol, and they showed a real-world attack scenario in which they were able to modify the communications in-transit to directly influence the receiving devices.
Some medical devices, like pacemakers and insulin pumps, have already been examined for security problems at past Black Hat and Defcon events. To get a better understanding of the devices, McAfee’s researchers were briefed by Nordeck, who told them how integral vital sign monitors are to making decisions about patients in clinics.
McKee said most patient-monitoring systems comprise at a minimum two basic components: a bedside monitor and a central monitoring station. These devices are networked, wired or wirelessly, over TCP/IP. The central monitoring station collects vitals from multiple bedside monitors so that a single medical professional can observe multiple patients.
The researchers bought some patient monitors on eBay and dissected them. The central monitoring station ran Windows XP Embedded, with two Ethernet ports, and ran in a limited kiosk mode at startup. Both units were produced around 2004; several local hospitals confirmed that these models are still in use.
The team found there were multiple ways to hack the two devices. The central monitoring station operates fundamentally like a desktop computer running Windows XP, an operating system that has been extensively researched by the security community. That older software has multiple known vulnerabilities, but the monitor’s firmware is hard to exploit. The team focused on the communication between the two devices, since a weakness there could enable a remote attack. They were able to readily observe the traffic between the devices using Wireshark, the widely used open-source packet analyzer. The patient data was passed along in clear text, meaning it wasn’t encrypted. That is a big no-no for security, at least in modern devices.
The team then figured out how the devices authenticate each other, or do a “handshake.” The researchers found that once they had captured a given electrocardiogram pattern, they could replay it to the central monitoring station without having a patient monitor on the network. That is, they could send fake data to the central station without being discovered, using a Raspberry Pi computer in place of the patient monitor.
“Although we have not yet reached our goal of real-time modification, we must consider the implications of this type of attack,” McKee said. “If someone were to unplug the monitor of a stable patient and replace it with a device that continued to report the same stable vitals, would that cause any harm? Probably not immediately. But what if the stable patient suddenly became unstable?”
The central station would normally sound an alarm to alert medical personnel, who could take appropriate action. However, if the monitor had been replaced, would anyone know help was needed?
“In hospitals, nurses and other personnel generally make periodic checks even of stable patients,” McKee said. “So any deception might not last long, but it might not need to. What if someone were trying to kidnap a patient? A kidnapper would alert fewer people than would be expected.” Nordeck said a momentary loss of ECG data, during a switch between a real and a fake patient monitor, would likely go undetected.
But McKee said that the team also figured out how to do the attack in real time by attacking the other device. They did that by spoofing or tricking the patient monitor rather than the central monitoring station.
“This step would allow the attacker to determine which ports are in use and stop the patient monitor’s data from getting to the central monitoring station,” McKee said. “Because we have already shown that emulation works, the attacker simply has to send replacement data to the central station while appearing as the patient monitor.”
Nordeck said that faking cardiac vital signs could have severe implications, resulting in incorrect medical treatment.
“Both product vendors and medical facilities can take measures to drastically reduce the threat of this type of attack,” McKee said. “Vendors can encrypt network traffic between the devices and add authentication. These two steps would drastically increase the difficulty of this type of attack.”
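To make the two halves of the article concrete, the cleartext, unauthenticated traffic the researchers modified and replayed, and the authentication McKee recommends as a fix, here is an added example (not McAfee’s code, and not the RWHAT protocol, whose framing the article does not document). It uses a constructed toy vitals frame with the same two weaknesses, shows an in-transit heart-rate rewrite and a replayed frame being accepted by a naive receiver, and then the same attacks failing against a frame protected by an HMAC-SHA256 tag and a sequence number under a key shared by monitor and station. The field layout, the key and the patient IDs are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed toy wire format for a bedside monitor's vitals report. This is
# NOT the RWHAT protocol (the article does not document its framing); it only
# reproduces the properties the researchers exploited: cleartext fields and no
# sender authentication.
MAGIC = b"VT"
PLAIN = struct.Struct("!2sHH")            # magic, patient id, heart rate (bpm)


def encode_plain(patient_id: int, heart_rate: int) -> bytes:
    """Monitor -> central station, as the legacy devices send it."""
    return PLAIN.pack(MAGIC, patient_id, heart_rate)


def decode_plain(msg: bytes):
    """Central-station side: no way to tell a real monitor from a Raspberry Pi."""
    magic, patient_id, heart_rate = PLAIN.unpack(msg)
    if magic != MAGIC:
        raise ValueError("bad magic")
    return patient_id, heart_rate


def tamper_heart_rate(msg: bytes, new_hr: int) -> bytes:
    """In-transit modification: overwrite the heart-rate field at offset 4."""
    return msg[:4] + struct.pack("!H", new_hr) + msg[6:]


# Hardened format: the same fields plus a 64-bit sequence number, all covered
# by an HMAC-SHA256 tag under a key shared between monitor and station.
AUTH = struct.Struct("!2sHHQ")            # magic, patient id, heart rate, seq
TAG_LEN = hashlib.sha256().digest_size    # 32 bytes


def encode_auth(key: bytes, patient_id: int, seq: int, heart_rate: int) -> bytes:
    body = AUTH.pack(MAGIC, patient_id, heart_rate, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthReceiver:
    """Central-station receiver that rejects forged, modified and replayed frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1                # highest sequence number accepted so far

    def decode(self, msg: bytes):
        if len(msg) != AUTH.size + TAG_LEN:
            raise ValueError("bad length")
        body, tag = msg[:AUTH.size], msg[AUTH.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("bad tag: forged or modified frame")
        magic, patient_id, heart_rate, seq = AUTH.unpack(body)
        if magic != MAGIC:
            raise ValueError("bad magic")
        if seq <= self.last_seq:
            raise ValueError("replayed or stale frame")
        self.last_seq = seq
        return patient_id, heart_rate


def run_demo(key: bytes = b"\x11" * 32) -> dict:
    """Runs the article's scenarios against both formats; the key is a placeholder."""
    results = {}
    # 1. Legacy frame: attacker flips a stable 80 bpm to 0 in transit; accepted.
    legacy = tamper_heart_rate(encode_plain(1, 80), 0)
    results["legacy_tampered_accepted"] = decode_plain(legacy) == (1, 0)

    rx = AuthReceiver(key)
    good = encode_auth(key, 1, 1, 80)
    results["auth_genuine_accepted"] = rx.decode(good) == (1, 80)

    # 2. The same modification against the authenticated frame breaks the tag.
    try:
        rx.decode(tamper_heart_rate(good, 0))
        results["auth_tampered_rejected"] = False
    except ValueError:
        results["auth_tampered_rejected"] = True

    # 3. Recording a stable frame and replaying it later (the Raspberry Pi
    #    emulation) fails the sequence-number check.
    try:
        rx.decode(good)
        results["auth_replay_rejected"] = False
    except ValueError:
        results["auth_replay_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The tag gives the station sender authentication and integrity, and the monotonically increasing sequence number defeats the replay of a captured stable trace; confidentiality would still need encryption of the frame, and provisioning the shared key onto thousands of bedside monitors is the hard operational part that this sketch leaves out. Note also what authentication does not fix: an attacker who can simply block the monitor’s frames, as in the port-discovery step McKee describes, produces silence rather than forged data, so the station must also alarm when an expected report fails to arrive within a short timeout.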