
The Way from App to Brain: Attack Surface of Smart Medical Infrastructure

The concept of “SCADA for humans” is central to modern medicine. Systems that collect and process information about human body parameters are built on the current infrastructure and on existing technology implementations. For some treatment procedures, data transferred through vulnerable medical networks and management software could be compromised, which could let an attacker tamper with large groups of patients at the same time. The goal of this talk is to present the results of offensive research into the networks and online management software used in daily medical practice. We show not only the typical entry points into medical infrastructure, but also highlight vulnerabilities in software popular with surgical teams that allowed attackers to access sensitive data and even affect treatment procedures.

Denis Makrushin

April 11, 2019

Transcript

  1. HOW MANY PEOPLE DIE DUE TO MEDICAL ERRORS?
     251,454 deaths annually in the United States*. Medical error is the 3rd leading cause of death in the U.S., and the number is constantly growing worldwide.
     *http://edition.cnn.com/2016/05/03/health/medical-error-a-leading-cause-of-death/

  2. CONNECTED MEDICINE
     [Diagram: Diagnostic Device #1 (MR), Diagnostic Device #2 (CT) and Diagnostic Device #3 (Cardiograph), each exchanging data over DICOM.]

  3. KNOCK KNOCK! WHO’S THERE?
     18,723 live hosts, 27,716 open ports.
     [Chart: number of hosts per open port, y-axis 0 to 16,000 hosts; ports shown: 1900, 7547, 2323, 47808, 1911, 8888, 143, 995, 110, 587, 993, 23, 445, 21, 22, 8080, 53, 25, 80, 443.]

  4. TOP OF SERVICES
     Table 1 (Tag, Hosts %):
       http/https   87.1
       smtp          2.8
       dns           2.4
       ssh           2.1
       ftp           1.3
       embedded      1.1
       smb           0.9
       routers       0.8
       telnet        0.6
     Table 2 (Tag, Hosts %):
       ssh                    13.87
       infrastructure router  10.29
       http                    9.86
       network                 6.07
       telnet                  5.96
       dns                     1.52
       building automation     0.98
       scada                   0.98
       ftp                     0.98
       printer                 0.98
       smb                     0.65
       nas                     0.54
       DSL/cable modem         0.33
       heartbleed              0.33
       camera                  0.22
       dhe-export              0.22
       smtp                    0.22

  5. PORTALS TO MEDICAL DATA
     It shouldn’t be online, but: 1) it is; 2) it has public vulnerabilities; 3) it’s open for everyone.

  6. RANSOMWARE
     *zdnet.com, beckershospitalreview.com, forbes.com
     [Chart: attacked organizations, last stage with actual ransomware, Medical vs. Pharmaceutical; values shown: 10%, 13%; y-axis 0% to 14%.]
     *Kaspersky Security Network data, 2017. More than 1,500 companies and 70,000 devices.

  7. SAY HELLO TO PENTESTING TOOLS
     [Chart: share of Devices and Companies in Medical and Pharmaceutical organizations where hacktools (powerpreter, meterpreter, remote admin tools, etc.) were detected; values shown: 8%, 29%, 10%, 12%; y-axis 0% to 35%.]

  8. ATTACKS DETECTED IN MEDICAL ORGANIZATIONS
     [Chart: Devices vs. Companies for the categories All attacked, Internet/Mail, and Something on a drive (network share/USB/local); values shown: 31%, 13%, 22%, 72%, 57%, 62%; y-axis 0% to 80%.]
     *Kaspersky Security Network data, 2017. More than 1,500 companies and 70,000 devices.

  9. TOP 15 COUNTRIES - ATTACKED DEVICES IN MEDICAL ORGANIZATIONS
     Philippines 64%, Venezuela 56%, Thailand 50%, Paraguay 47%, United Arab Emirates 44%, Iran (Islamic Republic of) 42%, Turkey 41%, Brazil 38%, India 38%, Australia 36%, Colombia 31%, Japan 31%, Saudi Arabia 29%, Mexico 29% (only 14 countries appear on the slide).
     *Kaspersky Security Network data, 2017. More than 1,500 companies and 70,000 devices.

  10. TOP 15 COUNTRIES - ATTACKED DEVICES IN PHARMACEUTICAL ORGANIZATIONS
     Bangladesh 63%, Indonesia 62%, Morocco 60%, Sri Lanka 58%, India 58%, Egypt 54%, Korea 51%, Iran 50%, Kenya 49%, Mexico 48%, Malaysia 45%, Philippines 43%, Bulgaria 39%, Taiwan 37%, Austria 35%.
     *Kaspersky Security Network data, 2017. More than 1,500 companies and 70,000 devices.

  11. TARGETED ATTACKS VS. PHARMA
     Few, but they exist …
     Region: South-East Asia (Bangladesh and Vietnam).
     Initial infection vector: most likely vulnerable Windows servers.
     Targets: servers of pharma companies.

  12. TARGETED ATTACKS VS. PHARMA
     Arsenal:
     • Common “made in China” PlugX
     • Meterpreter, Powerpreter, etc.
     • Running in memory on the servers
     What are they after?
     • IP – formulas and research results
     • Business plans

  13. HOW TO DEAL WITH IT
     • REMOVE ALL NODES THAT PROCESS MEDICAL DATA FROM PUBLIC ACCESS
     • PERIODICALLY UPDATE YOUR INSTALLED SOFTWARE AND REMOVE UNWANTED APPLICATIONS
     • REFRAIN FROM CONNECTING EXPENSIVE EQUIPMENT TO THE MAIN LAN OF YOUR ORGANIZATION
     MORE RECOMMENDATIONS: https://makrushin.com/connected-medicine/

  14. “Human SCADA” infrastructure today
     [Diagram: patient data stored in the hospital; e-mails; data (logs); clinical programmers (iOS or Android devices loaded with specific software); multiple implants. Every implant has a patient’s controller (iOS or Android) to check the telemetry and choose pre-programmed options. Data transfer manually / by e-mail; data transfer by RF – Bluetooth.]

  15. ELECTRONIC MEDICAL RECORD (EMR/EHR) SYSTEMS
     *Electronic Health Records (EHR) Market Analysis By Product (Client Server-based, Web-based), By Type (Acute, Ambulatory, Post-Acute), By End-use (Hospitals, Ambulatory Care), And Segment Forecasts, 2018 - 2025