LAS VEGAS – In recent years more attention has been paid to the security of medical devices; however, little security research has been done on the unique protocols these devices use. Many of the insulin pumps, heart monitors and other gadgets found in hospital rooms use aging protocols to communicate with nurses’ stations and doctors, and as such can be easily subverted.
Case in point is the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient’s condition and vital signs. Doug McKee, senior security researcher at McAfee’s Advanced Threat Research team, has discovered a weakness that allows data on the patient’s condition to be modified by an attacker in real-time, to provide false information to medical personnel.
The ramifications are profound: false information could lead a doctor to prescribe medication that the patient doesn’t need, or a patient could be thought to be peacefully resting when in fact they are in cardiac arrest.
Further, McKee found that a lack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors.
Uncovering a Vulnerability
Medical personnel take advantage of information on heart rate, blood pressure, blood oxygen levels and more to make decisions on patient treatment and other critical care options, fed to central monitoring stations from various devices on the network using uncommon networking protocols.
To examine how secure these systems are, McKee bought a heart monitor off of eBay and spent a couple of months fully reverse-engineering RWHAT (the protocol is so esoteric that he was unable to find any information about it online, let alone technical documents).
In his research, presented today at DEF CON 2018, he found that RWHAT uses no authentication and no encryption for the data it sends, which, in addition to the vital-signs information, also includes some sensitive, HIPAA-regulated patient information, such as name, date of birth, the patient’s bed number and the room number.
With the gates wide open, McKee was able to inject information into the protocol and spoof or emulate vital-signs data by very simple means.
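The weakness described above is the absence of any integrity check on the telemetry: a receiver that trusts whatever bytes arrive cannot tell a genuine reading from one altered in transit. The following added example (not McKee's code and not the RWHAT wire format, whose details the article does not give) uses a constructed JSON record with a hypothetical shared key to show what an authenticated frame looks like and how a receiver detects a modified heart-rate value, while an unauthenticated receiver, like the one the article describes, accepts it unchanged.

```python
import hashlib
import hmac
import json
import struct

# Hypothetical key provisioned out of band to both the bedside monitor and the
# nurses' station. Constructed for this example; RWHAT itself has no such key.
SHARED_KEY = b"example-key-provisioned-out-of-band"
TAG_LEN = 32  # HMAC-SHA256 digest length in bytes


def encode_reading(bed, heart_rate, spo2, key=SHARED_KEY):
    """Serialize one vital-signs record and append an HMAC-SHA256 tag.

    Frame layout (constructed): 2-byte big-endian payload length, payload, tag.
    """
    record = {"bed": bed, "hr": heart_rate, "spo2": spo2}
    payload = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return struct.pack(">H", len(payload)) + payload + tag


def _split_frame(frame):
    """Return (payload, tag) from a frame built by encode_reading."""
    (n,) = struct.unpack(">H", frame[:2])
    payload = frame[2:2 + n]
    tag = frame[2 + n:2 + n + TAG_LEN]
    return payload, tag


def decode_unauthenticated(frame):
    """Receiver that trusts the payload as-is (the situation the article describes)."""
    payload, _ = _split_frame(frame)
    return json.loads(payload)


def decode_reading(frame, key=SHARED_KEY):
    """Authenticated receiver: returns (record, authentic).

    authentic is False when the tag does not match, which means the payload was
    changed after the sender computed it or was produced by a device without the key.
    """
    payload, tag = _split_frame(frame)
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    authentic = len(tag) == TAG_LEN and hmac.compare_digest(tag, expected)
    try:
        record = json.loads(payload)
    except ValueError:
        record = None
    return record, authentic


def tamper_heart_rate(frame, new_hr):
    """Simulate an on-path modification of the unauthenticated payload bytes.

    The heart-rate field is rewritten and the frame re-packed, but the original
    tag is kept because the modifier does not hold the key.
    """
    payload, tag = _split_frame(frame)
    record = json.loads(payload)
    record["hr"] = new_hr
    new_payload = json.dumps(record, sort_keys=True).encode()
    return struct.pack(">H", len(new_payload)) + new_payload + tag


if __name__ == "__main__":
    genuine = encode_reading("12A", 80, 97)       # constructed sample reading
    altered = tamper_heart_rate(genuine, 0)       # flatline injected in transit
    print("unauthenticated receiver sees:", decode_unauthenticated(altered))
    print("authenticated receiver sees:", decode_reading(altered))
```

The point of the comparison is that the modified frame is syntactically perfect and is only caught because the receiver recomputes the tag over the bytes it actually received; confidentiality of the HIPAA-regulated fields would additionally require encryption, which this integrity-only example does not provide.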
“It’s so easy to do – you just plug in a small Raspberry Pi device into a port and you can trick the nurse’s station monitor into thinking it’s communicating with something other than what it is,” McKee explained in an interview. “You’re then in control, and you can modify some of the data in transit in real time.”
The attack could also become a remote attack, if a threat actor were able to take advantage of vulnerabilities in the hospital network.
In the demo, McKee showed how he was able to change a patient’s heart-rate data feed from 80 to flatline and back up to 120, controlling it at will from a computer.
The potential exploitation scenarios are varied.
In a less likely situation, an attacker can make use of the fact that nursing staff are very rarely in a patient’s room outside of scheduled rounds, unless there’s an alarm. Thus, an attacker bent on physical mayhem can use that to his or her advantage by sending “normal” vital signs to the nurse’s station, even as he or she poisons or otherwise harms the patient.
In a more likely situation, an attacker could connect to the hospital network and emulate data over a period of time in an effort to manipulate medical personnel.
“It’s possible to make small, believable changes very quickly,” McKee explained. “Say a patient is resting, and the heart-rate jumps to 180 for a couple of seconds; that triggers an alert that’s sent to a database log. Nurses are trained to see and pick up on any intermittent change of heart-rate. If it happens once, it may be chalked up to a glitch. But if it were to happen say three or four times over a longer period, say four hours, the nurse would then page a doctor, who will review the log and decide what action to take.”
Steve Povolny, head of advanced threat research at McAfee, explained that under standard clinical protocol, intermittent heart-rate changes call for medication.
“Anytime you’re given meds you don’t need, that’s a bad thing,” he told Threatpost. “And this is a very realistic and dangerous scenario; it’s very trivial to cause reactions in medical personnel to make them make treatment decisions that they wouldn’t make otherwise.”
At the very least, it would trigger additional testing, which runs up hospital bills for the patient and leads to more hospital resource consumption.
The best defense for a hospital is to ensure that its networks are properly set up and segmented, that devices are patched and that default passwords are changed; this prevents remote access. However, many environments are rife with holes that an enterprising malefactor could easily take advantage of.
“I’ve seen situations where it’s possible to pivot into hospital networks using the public WiFi from the parking lot,” Povolny said. “Or, video game consoles set up for kids at the hospital are usually plugged into the network – and using the touchscreen, you can bring up the admin panel. It takes all of 30 seconds to find the default PIN using a Google search.”
Even with the right mitigations in place to prevent such non-standard pivot points, bad actors can carry out an attack fairly easily.
“At that point, carrying out an attack would require physical access to a network port, or an in-room attack,” Povolny said. “The reality is that these are public places; it’s not hard to walk into a hospital lobby and walk around. You’ll see workstations on wheels – that’s a good vector. The amount of code and effort needed to accomplish this is extremely minimal – you just walk by, plug in a USB, download code and walk away. For a determined attacker, it’s not that hard to pull off.”