Slide 1

Slide 1 text

The Autopsy of the PHOENIX X36 Hemodialysis System Veronica Schmitt @Po1Zon_P1x13 [email protected]

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Disclaimer: All the views/ research done and presented is my own and does not reflect the view of my employer / former employer(s) or anyone else. Do not try this at home or anywhere else. This can harm someone.

Slide 4

Slide 4 text

Please do not!

Slide 5

Slide 5 text

WhoAmI ! DEF CON Goon ! DC2751 Founder ! Medical Device Security Research ! Medical Device Incident Response ! DFIR Lethal Forensicator ! Cyborg

Slide 6

Slide 6 text

I am the Cavalry Our Message: We believe that our dependance on computer technology is increasing faster than our ability to safeguard ourselves. As the question around technology is less-and-less “can we do this” we must more-and-more be asking “should we do this.”

Slide 7

Slide 7 text

I am the Cavalry Our aims are: ! To selectively improve visibility and awareness of these issues while preserving trust. ! To inform decision-makers in public policy, manufacturing, oversight and customer organizations so they take smart risks. ! To collaborate among all stakeholders, deal with concerns and find a common way forward where everyone wins. ! To catalyze, amplify and demonstrate public good done by security research of consequence. ! To promote systems thinking that examines interdependencies and externalities, not just pieces of the whole.

Slide 8

Slide 8 text

Introduction ! Medical Devices are integral to longer term survival of certain patients. ! Bridges the divide between physical and virtual. ! Medical Device security is behind on the fight against vulnerabilities. ! Devices are designed for usability vs security.

Slide 9

Slide 9 text

CIA for Medical Devices ! Confidentiality Is patient data stored securely and transmitted securely? ! Integrity Ensuring that building for security does not undermine the integrity of the device ! Accessibility To ensure that the devices remain secure and accessible.

Slide 10

Slide 10 text

Hemodialysis ! A medical procedure to remove fluid and waste products from the blood and to correct electrolyte imbalances. ! This is accomplished using a machine and a dialyzer, also referred to as an "artificial kidney." ! Hemodialysis is used to treat both acute (temporary) and chronic (permanent) kidney failure.

Slide 11

Slide 11 text

! The PHOENIX X36 Hemodialysis Delivery System is designed to be an easy-to-use device. ! Its flexibility allows it to reliably provide effective, high-flux and low-flux hemodialysis, hemofiltration and ultrafiltration on patients weighing 15 kg or more. ! In addition to its “ease-of-use features,” such as real-time Kt/V monitoring and Compensated Blood Flow (via the DIASCAN Monitoring System), a full-color touch screen, and Sodium and UF profiling, the PHOENIX X36 System offers built-in connectivity to EMR and patient prescription downloads using the EXALIS Dialysis Management Tool.

Slide 12

Slide 12 text

When in doubt read the Manual: IT Connectivity ! Standard Ethernet network connection ! Connects to electronic medical record network ! Integrates with patient prescription ! Uses the EXALIS Dialysis Management Tool protocols

Slide 13

Slide 13 text

More information …. Password : 65505

Slide 14

Slide 14 text

More information …. Hard-Coded IP Address:

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

NMAP Scan of Communication

Slide 18

Slide 18 text

Hacking the HL7 Communication Protocol “HL7’s Version 2.x (V2) messaging standard is the workhorse of electronic data exchange in the clinical domain and arguably the most widely implemented standard for healthcare in the world. This messaging standard allows the exchange of clinical data between systems. It is designed to support a central patient care system as well as a more distributed environment where data resides in departmental systems.” --Source:

Slide 19

Slide 19 text

DICOM servers ! Most medical devices will communicate to a DICOM server. ! These servers are notoriously vulnerable. ! They contain personal identifiable information related to medical results and medical patient data.

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

Medical IR and Triage ! Say What???? ! It does not really exist. ! Do Logs Exist? ! What data is on the devices? ! What file system is on there? ! What Operating System? ! So many questions and no answers ! So how Fu*@3d are we?

Slide 26

Slide 26 text


Slide 27

Slide 27 text

Partitioning Schema

Slide 28

Slide 28 text

Partitioning Schema

Slide 29

Slide 29 text

Partitioning Schema

Slide 30

Slide 30 text

Partitioning Schema

Slide 31

Slide 31 text

VXWorks Medical Devices on the Internet

Slide 32

Slide 32 text

VXWorks RTOS Embedded OS

Slide 33

Slide 33 text

VXWorks RTOS Embedded OS

Slide 34

Slide 34 text

Recent Vulnerabilities VXWorks

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

Data Artefacts

Slide 37

Slide 37 text

Artefacts - How was it calibrated?

Slide 38

Slide 38 text

Artefacts - Clinical Data

Slide 39

Slide 39 text

Network Configurations

Slide 40

Slide 40 text

Network Configurations

Slide 41

Slide 41 text

Screen Display Configuration

Slide 42

Slide 42 text

Retained Patient Data

Slide 43

Slide 43 text

Retained Patient Data

Slide 44

Slide 44 text

Logging Medical device logs are normally used for supporting hindsight analysis of incidents. Logging and analysing device interactions would give manufacturers insights into how devices are used in practice and how to improve their products. Moreover, keeping good logs of events would be useful for medical practitioners to learn from the mistake of other medical practitioners. To do this, investigations of incidents that did not lead to fatalities have to be carried out on a regular basis. Doing so would also ensure that the logging system works as intended.

Slide 45

Slide 45 text

Shortcomings ● Well many. ● Devices have no logs. ● There is no connection history. ● There is no logon history. ● Devices do not have unique GUIDs so cannot be uniquely identified. ● No logs on changes or commands received.

Slide 46

Slide 46 text

Shortcomings ● Well many. ● Devices have no logs. ● There is no connection history. ● There is no logon history. ● Devices do not have unique GUIDs so cannot be uniquely identified. ● No logs on changes or commands received. No LOGS just no LOGS.

Slide 47

Slide 47 text

So what now? ! Ensure that targeted logging is built in. ! Ensure that each device that connects is uniquely identified. ! Log all IP address that connect to the device. ! Identify artefacts that normally appear on devices and build a base line. ! Provide secure syslog capabilities. ! Use those logs for monitoring and alerting (MSEIM).

Slide 48

Slide 48 text


Slide 49

Slide 49 text

Special Thanks: Jay Radcliffe for being my dealer in Medical Devices and generally being an inspiration and all round amazing human being. References: ! ! Phoenix_X36_Hemodialysis_System.pdf ! ! !