Slide 1

Slide 1 text

The Autopsy of the PHOENIX X36 Hemodialysis System Veronica Schmitt @Po1Zon_P1x13 [email protected]

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Disclaimer: All the views and research presented here are my own and do not reflect the views of my employer, former employer(s) or anyone else. Do not try this at home or anywhere else. This can harm someone.

Slide 4

Slide 4 text

Please do not!

Slide 5

Slide 5 text

WhoAmI
● DEF CON Goon
● DC2751 Founder
● Medical Device Security Research
● Medical Device Incident Response
● DFIR Lethal Forensicator
● Cyborg

Slide 6

Slide 6 text

I am the Cavalry
Our Message: We believe that our dependence on computer technology is increasing faster than our ability to safeguard ourselves. As the question around technology is less and less “can we do this”, we must more and more be asking “should we do this.”

Slide 7

Slide 7 text

I am the Cavalry
Our aims are:
● To selectively improve visibility and awareness of these issues while preserving trust.
● To inform decision-makers in public policy, manufacturing, oversight and customer organizations so they take smart risks.
● To collaborate among all stakeholders, deal with concerns and find a common way forward where everyone wins.
● To catalyze, amplify and demonstrate public good done by security research of consequence.
● To promote systems thinking that examines interdependencies and externalities, not just pieces of the whole.

Slide 8

Slide 8 text

Introduction
● Medical devices are integral to the longer-term survival of certain patients.
● They bridge the divide between the physical and the virtual.
● Medical device security lags behind in the fight against vulnerabilities.
● Devices are designed for usability rather than security.

Slide 9

Slide 9 text

CIA for Medical Devices
● Confidentiality: Is patient data stored securely and transmitted securely?
● Integrity: Ensuring that building for security does not undermine the integrity of the device.
● Accessibility: To ensure that the devices remain secure and accessible.

Slide 10

Slide 10 text

Hemodialysis
● A medical procedure to remove fluid and waste products from the blood and to correct electrolyte imbalances.
● This is accomplished using a machine and a dialyzer, also referred to as an "artificial kidney."
● Hemodialysis is used to treat both acute (temporary) and chronic (permanent) kidney failure.

Slide 11

Slide 11 text

● The PHOENIX X36 Hemodialysis Delivery System is designed to be an easy-to-use device.
● Its flexibility allows it to reliably provide effective, high-flux and low-flux hemodialysis, hemofiltration and ultrafiltration on patients weighing 15 kg or more.
● In addition to its “ease-of-use features,” such as real-time Kt/V monitoring and Compensated Blood Flow (via the DIASCAN Monitoring System), a full-color touch screen, and Sodium and UF profiling, the PHOENIX X36 System offers built-in connectivity to EMR and patient prescription downloads using the EXALIS Dialysis Management Tool.

Slide 12

Slide 12 text

When in doubt, read the Manual: IT Connectivity
● Standard Ethernet network connection
● Connects to the electronic medical record network
● Integrates with patient prescriptions
● Uses the EXALIS Dialysis Management Tool protocols

Slide 13

Slide 13 text

More information … Password: 65505

Slide 14

Slide 14 text

More information … Hard-Coded IP Address:

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

NMAP Scan of Communication

Slide 18

Slide 18 text

Hacking the HL7 Communication Protocol
“HL7’s Version 2.x (V2) messaging standard is the workhorse of electronic data exchange in the clinical domain and arguably the most widely implemented standard for healthcare in the world. This messaging standard allows the exchange of clinical data between systems. It is designed to support a central patient care system as well as a more distributed environment where data resides in departmental systems.”
-- Source: http://www.hl7.org/
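As an added example (not the speaker's code, nor HL7's or the device vendor's), a minimal parser for the HL7 v2 message framing quoted above: segments are separated by carriage returns, fields by the separator declared in MSH-1, and components by the first encoding character in MSH-2. The sample ORU^R01 message, the application, facility and patient values in it, and the Kt/V observation are all constructed for this example; reading the separators from the header rather than assuming "|" and "^" is what keeps a monitoring tool from misparsing a sender that uses others.

```python
"""Minimal HL7 v2.x parser (added example; constructed sample data)."""

SEGMENT_SEP = "\r"  # HL7 v2 terminates every segment with a carriage return


def parse_hl7(message: str) -> dict:
    """Split a raw HL7 v2 message into (segment_id, fields) pairs.

    The field separator (MSH-1) and first encoding character (MSH-2) are read
    from the message rather than assumed. Fields are indexed so that
    fields[n] is SEG-n, matching the numbering used in the HL7 specification.
    """
    if len(message) < 8 or not message.startswith("MSH"):
        raise ValueError("not an HL7 v2 message: missing MSH header")
    field_sep = message[3]       # MSH-1, normally "|"
    component_sep = message[4]   # first char of MSH-2, normally "^"
    segments = []
    for raw in message.split(SEGMENT_SEP):
        if not raw.strip():
            continue
        fields = raw.split(field_sep)
        if fields[0] == "MSH":
            # MSH-1 is the separator itself; re-insert it so numbering lines up
            fields = [fields[0], field_sep] + fields[1:]
        segments.append((fields[0], fields))
    return {"field_sep": field_sep, "component_sep": component_sep,
            "segments": segments}


def field(msg: dict, seg_id: str, n: int, component: int = None,
          occurrence: int = 0) -> str:
    """Return SEG-n (optionally its 1-based component) from the occurrence-th seg_id."""
    matches = [f for sid, f in msg["segments"] if sid == seg_id]
    if occurrence >= len(matches) or n >= len(matches[occurrence]):
        return ""  # segment absent, or trailing field omitted by the sender
    value = matches[occurrence][n]
    if component is None:
        return value
    parts = value.split(msg["component_sep"])
    return parts[component - 1] if component - 1 < len(parts) else ""


# Constructed sample: a dialysis device reporting a Kt/V result to an EMR.
SAMPLE = ("MSH|^~\\&|PHOENIX|DIALYSIS|EMR|HOSP|20240101120000||ORU^R01|MSG00001|P|2.3\r"
          "PID|1||123456^^^HOSP^MR||DOE^JANE||19600101|F\r"
          "OBX|1|NM|KTV^Kt/V||1.25||||||F\r")

if __name__ == "__main__":
    m = parse_hl7(SAMPLE)
    print(field(m, "MSH", 9), field(m, "PID", 5, 1), field(m, "OBX", 5))
```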

Slide 19

Slide 19 text

DICOM servers
● Most medical devices will communicate with a DICOM server.
● These servers are notoriously vulnerable.
● They contain personally identifiable information related to medical results and patient data.

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

Medical IR and Triage
● Say What????
● It does not really exist.
● Do logs exist?
● What data is on the devices?
● What file system is on there?
● What operating system?
● So many questions and no answers
● So how Fu*@3d are we?

Slide 26

Slide 26 text

Hardware

Slide 27

Slide 27 text

Partitioning Schema

Slide 28

Slide 28 text

Partitioning Schema

Slide 29

Slide 29 text

Partitioning Schema

Slide 30

Slide 30 text

Partitioning Schema

Slide 31

Slide 31 text

VXWorks Medical Devices on the Internet

Slide 32

Slide 32 text

VXWorks RTOS Embedded OS

Slide 33

Slide 33 text

VXWorks RTOS Embedded OS

Slide 34

Slide 34 text

Recent Vulnerabilities VXWorks

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

Data Artefacts

Slide 37

Slide 37 text

Artefacts - How was it calibrated?

Slide 38

Slide 38 text

Artefacts - Clinical Data

Slide 39

Slide 39 text

Network Configurations

Slide 40

Slide 40 text

Network Configurations

Slide 41

Slide 41 text

Screen Display Configuration

Slide 42

Slide 42 text

Retained Patient Data

Slide 43

Slide 43 text

Retained Patient Data

Slide 44

Slide 44 text

Logging
Medical device logs are normally used to support hindsight analysis of incidents. Logging and analysing device interactions would give manufacturers insight into how devices are used in practice and how to improve their products. Moreover, keeping good logs of events would help medical practitioners learn from the mistakes of other medical practitioners. To do this, investigations of incidents that did not lead to fatalities have to be carried out on a regular basis. Doing so would also ensure that the logging system works as intended.

Slide 45

Slide 45 text

Shortcomings
● Well, many.
● Devices have no logs.
● There is no connection history.
● There is no logon history.
● Devices do not have unique GUIDs, so they cannot be uniquely identified.
● No logs on changes or commands received.

Slide 46

Slide 46 text

Shortcomings
● Well, many.
● Devices have no logs.
● There is no connection history.
● There is no logon history.
● Devices do not have unique GUIDs, so they cannot be uniquely identified.
● No logs on changes or commands received.
No LOGS, just no LOGS.

Slide 47

Slide 47 text

So what now?
● Ensure that targeted logging is built in.
● Ensure that each device that connects is uniquely identified.
● Log all IP addresses that connect to the device.
● Identify artefacts that normally appear on devices and build a baseline.
● Provide secure syslog capabilities.
● Use those logs for monitoring and alerting (MSEIM).
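An added example, not from the talk, of the baseline-and-alert approach the logging slides above call for. It assumes a constructed key=value log format (timestamp, host, device id, event, peer IP) that the device does not actually emit: a baseline of known peers per device is built from a known-good window, then later lines are checked for device ids never enrolled, peers outside a device's baseline, and prescription downloads from anything other than the EMR server.

```python
from collections import defaultdict


def parse_line(line):
    """Return the timestamp plus key=value pairs of one constructed log line, or None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    rec = {k: v for k, v in (kv.split("=", 1) for kv in parts[2].split() if "=" in kv)}
    rec["ts"] = parts[0]
    return rec


def build_baseline(lines):
    """Map each device id to the set of peer IPs it accepted connections from."""
    baseline = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("event") == "connect" and "device" in rec and "peer" in rec:
            baseline[rec["device"]].add(rec["peer"])
    return dict(baseline)


def detect(baseline, lines, emr_peers):
    """Alert on unknown device ids, peers outside a device's baseline, and
    prescription downloads that did not come from an EMR server."""
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        dev, peer, event = rec.get("device"), rec.get("peer"), rec.get("event")
        if dev not in baseline:
            alerts.append(f"{rec['ts']} unknown device id {dev} from {peer}")
        elif event == "connect" and peer not in baseline[dev]:
            alerts.append(f"{rec['ts']} {dev}: new peer {peer}")
        if event == "rx_download" and peer not in emr_peers:
            alerts.append(f"{rec['ts']} {dev}: prescription download from non-EMR peer {peer}")
    return alerts


# Constructed sample logs: a known-good day, then a day with deviations.
BASELINE_LOGS = [
    "2024-01-01T08:00:00Z phx-01 device=PHX-0001 event=connect peer=10.0.5.10",
    "2024-01-01T08:00:02Z phx-01 device=PHX-0001 event=rx_download peer=10.0.5.10",
    "2024-01-01T08:05:00Z phx-02 device=PHX-0002 event=connect peer=10.0.5.10",
]
NEW_LOGS = [
    "2024-01-02T08:00:00Z phx-01 device=PHX-0001 event=connect peer=10.0.5.10",
    "2024-01-02T08:01:00Z phx-01 device=PHX-0001 event=connect peer=10.0.9.77",
    "2024-01-02T08:01:03Z phx-01 device=PHX-0001 event=rx_download peer=10.0.9.77",
    "2024-01-02T08:02:00Z phx-03 device=PHX-0003 event=connect peer=10.0.5.10",
]
EMR_PEERS = {"10.0.5.10"}  # the only host allowed to push prescriptions (constructed)
```

Running `detect(build_baseline(BASELINE_LOGS), NEW_LOGS, EMR_PEERS)` yields three alerts: a new peer for PHX-0001, a prescription download from that non-EMR peer, and an un-enrolled device id PHX-0003.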

Slide 48

Slide 48 text

Questions?

Slide 49

Slide 49 text

Special Thanks: Jay Radcliffe for being my dealer in Medical Devices and generally being an inspiration and all round amazing human being.
References:
● https://www.windriver.com/news/press/pr.html?ID=1104
● https://econnect.baxter.com/assets/downloads/products_expertise/renal_therapies/Phoenix_X36_Hemodialysis_System.pdf
● http://lup.lub.lu.se/luur/download?func=downloadFile&recordOId=1982371&fileOId=8961306
● https://slideplayer.com/slide/11659715/
● https://www.va.gov/vdl/documents/Clinical/ClinProc/clinproc1_impg.doc