The Autopsy of the PHOENIX X36 Hemodialysis System

Medical device security is the new buzzword, the new kid on the block. Everyone wants to hack a medical device. This talk focuses on another area that has yet to be developed: digital forensics and incident response (DFIR), which is often forgotten when it comes to medical devices. This talk sheds light on research I've done to determine whether DFIR is currently viable on them. By reverse engineering the firmware and system artifacts of the hemodialysis system, various artifacts have been identified which can be useful to determine whether the device has failed or has potentially been tampered with. Let me take you on a journey through the post-mortem of a medical device and delve into the hexadecimal world that it is made up of.

Veronica Schmitt

October 05, 2019

Transcript

  1. The Autopsy of the PHOENIX X36 Hemodialysis
    System
    Veronica Schmitt
    @Po1Zon_P1x13

  3. Disclaimer: All the views/ research done and presented is my own and does
    not reflect the view of my employer / former employer(s) or anyone else.
    Do not try this at home or anywhere else.
    This can harm someone.

  4. Please do not!

  5. WhoAmI
    ● DEF CON Goon
    ● DC2751 Founder
    ● Medical Device Security Research
    ● Medical Device Incident Response
    ● DFIR Lethal Forensicator
    ● Cyborg

  6. I am the Cavalry
    Our Message:
    We believe that our dependence on computer technology is increasing faster
    than our ability to safeguard ourselves. As the question around technology is
    less-and-less “can we do this” we must more-and-more be asking “should we
    do this.”

  7. I am the Cavalry
    Our aims are:
    ● To selectively improve visibility and awareness of these issues while preserving trust.
    ● To inform decision-makers in public policy, manufacturing, oversight and customer
    organizations so they take smart risks.
    ● To collaborate among all stakeholders, deal with concerns and find a common way
    forward where everyone wins.
    ● To catalyze, amplify and demonstrate public good done by security research of
    consequence.
    ● To promote systems thinking that examines interdependencies and externalities, not
    just pieces of the whole.

  8. Introduction
    ● Medical Devices are integral to longer term survival of certain patients.
    ● Bridges the divide between physical and virtual.
    ● Medical Device security is behind on the fight against vulnerabilities.
    ● Devices are designed for usability vs security.

  9. CIA for Medical Devices
    ● Confidentiality
    Is patient data stored securely and transmitted securely?
    ● Integrity
    Ensuring that building for security does not undermine the integrity of the
    device.
    ● Accessibility
    To ensure that the devices remain secure and accessible.

  10. Hemodialysis
    ● A medical procedure to remove fluid and waste products from the blood and to
    correct electrolyte imbalances.
    ● This is accomplished using a machine and a dialyzer, also referred to as an
    "artificial kidney."
    ● Hemodialysis is used to treat both acute (temporary) and chronic (permanent)
    kidney failure.

  11. ● The PHOENIX X36 Hemodialysis Delivery System is
    designed to be an easy-to-use device.
    ● Its flexibility allows it to reliably provide effective, high-flux
    and low-flux hemodialysis, hemofiltration and ultrafiltration
    on patients weighing 15 kg or more.
    ● In addition to its “ease-of-use features,” such as real-time
    Kt/V monitoring and Compensated Blood Flow (via the
    DIASCAN Monitoring System), a full-color touch screen,
    and Sodium and UF profiling, the PHOENIX X36 System
    offers built-in connectivity to EMR and patient prescription
    downloads using the EXALIS Dialysis Management Tool.

  12. When in doubt read the Manual:
    IT Connectivity
    ● Standard Ethernet network connection
    ● Connects to electronic medical record network
    ● Integrates with patient prescription
    ● Uses the EXALIS Dialysis Management Tool protocols

  13. More information ….
    Password : 65505

  14. More information ….
    Hard-Coded IP Address:

  17. NMAP Scan of Communication

  18. Hacking the HL7 Communication Protocol
    “HL7’s Version 2.x (V2) messaging standard is the workhorse of electronic data
    exchange in the clinical domain and arguably the most widely implemented
    standard for healthcare in the world. This messaging standard allows the
    exchange of clinical data between systems. It is designed to support a central
    patient care system as well as a more distributed environment where data resides
    in departmental systems.”
    --Source: http://www.hl7.org/

  19. DICOM servers
    ● Most medical devices will communicate to a DICOM server.
    ● These servers are notoriously vulnerable.
    ● They contain personally identifiable information related to medical results and
    medical patient data.

  25. Medical IR and Triage
    ● Say What????
    ● It does not really exist.
    ● Do Logs Exist?
    ● What data is on the devices?
    ● What file system is on there?
    ● What Operating System?
    ● So many questions and no answers
    ● So how Fu*@3d are we?

  26. Hardware

  27. Partitioning Schema

  28. Partitioning Schema

  29. Partitioning Schema

  30. Partitioning Schema

  31. VXWorks Medical Devices on the Internet

  32. VXWorks RTOS Embedded OS

  33. VXWorks RTOS Embedded OS

  34. Recent Vulnerabilities VXWorks

  36. Data Artefacts

  37. Artefacts - How was it calibrated?

  38. Artefacts - Clinical Data

  39. Network Configurations

  40. Network Configurations

  41. Screen Display Configuration

  42. Retained Patient Data

  43. Retained Patient Data

  44. Logging
    Medical device logs are normally used for supporting hindsight analysis of
    incidents.
    Logging and analysing device interactions would give manufacturers
    insights into how devices are used in practice and how to improve their
    products.
    Moreover, keeping good logs of events would be useful for medical
    practitioners to learn from the mistakes of other medical practitioners.
    To do this, investigations of incidents that did not lead to fatalities have to be
    carried out on a regular basis.
    Doing so would also ensure that the logging system works as intended.

  45. Shortcomings
    ● Well, many.
    ● Devices have no logs.
    ● There is no connection history.
    ● There is no logon history.
    ● Devices do not have unique
    GUIDs so cannot be uniquely
    identified.
    ● No logs on changes or
    commands received.

  46. Shortcomings
    No LOGS just no LOGS.

  47. So what now?
    ● Ensure that targeted logging is built in.
    ● Ensure that each device that connects is uniquely identified.
    ● Log all IP addresses that connect to the device.
    ● Identify artefacts that normally appear on devices and build a base line.
    ● Provide secure syslog capabilities.
    ● Use those logs for monitoring and alerting (MSEIM).
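
The recommendations on this slide, sketched as an added example that is not from the talk or from any vendor: a device-side audit log in which every record carries a unique device ID and the connecting peer's IP address, and records are hash-chained so that later edits or deletions are detectable. The `AuditLog` class, the record fields and the choice of a SHA-256 chain are assumptions made for illustration; the events are constructed.

```python
import hashlib
import json
import uuid

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the record body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each record commits to the previous record's hash."""

    def __init__(self, device_id: str):
        self.device_id = device_id  # unique per device (hypothetical field)
        self.records = []

    def append(self, ts: str, peer_ip: str, event: str, detail: str = "") -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "ts": ts, "device_id": self.device_id,
                "peer_ip": peer_ip, "event": event, "detail": detail, "prev": prev}
        record = dict(body, hash=_digest(body))
        self.records.append(record)
        return record

def verify(records: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if (rec.get("seq"), rec.get("prev"), rec.get("hash")) != (i, prev, _digest(body)):
            return i
        prev = rec["hash"]
    return -1

def demo() -> tuple:
    """Constructed events: documentation-range IPs, placeholder device ID."""
    log = AuditLog(device_id=str(uuid.UUID(int=0x36)))
    log.append("2019-10-05T09:00:00Z", "192.0.2.10", "connect", "tcp session opened")
    log.append("2019-10-05T09:00:02Z", "192.0.2.10", "logon", "service menu, success")
    log.append("2019-10-05T09:01:30Z", "192.0.2.10", "command", "prescription download")
    tampered = [dict(r) for r in log.records]
    tampered[1]["peer_ip"] = "198.51.100.7"        # after-the-fact edit of one field
    deleted = log.records[:1] + log.records[2:]    # one record removed from the middle
    return verify(log.records), verify(tampered), verify(deleted)

if __name__ == "__main__":
    print(demo())
```

A chain on its own does not reveal truncation of the newest records; forwarding each record's hash off the device, for instance over the secure syslog channel recommended above, closes that gap.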

  48. Questions?

  49. Special Thanks:
    Jay Radcliffe for being my dealer in Medical Devices and generally being an
    inspiration and all round amazing human being.
    References:
    ● https://www.windriver.com/news/press/pr.html?ID=1104
    ● https://econnect.baxter.com/assets/downloads/products_expertise/renal_therapies/Phoenix_X36_Hemodialysis_System.pdf
    ● http://lup.lub.lu.se/luur/download?func=downloadFile&recordOId=1982371&fileOId=8961306
    ● https://slideplayer.com/slide/11659715/
    ● https://www.va.gov/vdl/documents/Clinical/ClinProc/clinproc1_impg.doc
