Save 37% off PRO during our Black Friday Sale! »

The Autopsy of the PHOENIX X36 Hemodialysis System

The Autopsy of the PHOENIX X36 Hemodialysis System

Medical Device Security is a new buzz word. This is the new kid on the block. Everyone wants to hack a medical device. This talk focuses on another area that has yet to be developed. Digital Forensics and Incident Response is often forgotten when it comes to medical devices. This talk sheds light on research I've done to determine whether DFIR is viable on them currently. By reverse engineering the firmware and system artifacts of the Hemodialysis system, various artifacts have been identified which can be useful to determine whether the device has failed or if it has potentially been tampered with. Let me take you on a journey of a Post-Mortem of a medical device, delve into the hexadecimal world that it is made up of.


Veronica Schmitt

October 05, 2019


  1. The Autopsy of the PHOENIX X36 Hemodialysis System Veronica Schmitt

  2. None
  3. Disclaimer: All the views/ research done and presented is my

    own and does not reflect the view of my employer / former employer(s) or anyone else. Do not try this at home or anywhere else. This can harm someone.
  4. Please do not!

  5. WhoAmI ! DEF CON Goon ! DC2751 Founder ! Medical

    Device Security Research ! Medical Device Incident Response ! DFIR Lethal Forensicator ! Cyborg
  6. I am the Cavalry Our Message: We believe that our

    dependance on computer technology is increasing faster than our ability to safeguard ourselves. As the question around technology is less-and-less “can we do this” we must more-and-more be asking “should we do this.”
  7. I am the Cavalry Our aims are: ! To selectively

    improve visibility and awareness of these issues while preserving trust. ! To inform decision-makers in public policy, manufacturing, oversight and customer organizations so they take smart risks. ! To collaborate among all stakeholders, deal with concerns and find a common way forward where everyone wins. ! To catalyze, amplify and demonstrate public good done by security research of consequence. ! To promote systems thinking that examines interdependencies and externalities, not just pieces of the whole.
  8. Introduction ! Medical Devices are integral to longer term survival

    of certain patients. ! Bridges the divide between physical and virtual. ! Medical Device security is behind on the fight against vulnerabilities. ! Devices are designed for usability vs security.
  9. CIA for Medical Devices ! Confidentiality Is patient data stored

    securely and transmitted securely? ! Integrity Ensuring that building for security does not undermine the integrity of the device ! Accessibility To ensure that the devices remain secure and accessible.
  10. Hemodialysis ! A medical procedure to remove fluid and waste

    products from the blood and to correct electrolyte imbalances. ! This is accomplished using a machine and a dialyzer, also referred to as an "artificial kidney." ! Hemodialysis is used to treat both acute (temporary) and chronic (permanent) kidney failure.
  11. ! The PHOENIX X36 Hemodialysis Delivery System is designed to

    be an easy-to-use device. ! Its flexibility allows it to reliably provide effective, high-flux and low-flux hemodialysis, hemofiltration and ultrafiltration on patients weighing 15 kg or more. ! In addition to its “ease-of-use features,” such as real-time Kt/V monitoring and Compensated Blood Flow (via the DIASCAN Monitoring System), a full-color touch screen, and Sodium and UF profiling, the PHOENIX X36 System offers built-in connectivity to EMR and patient prescription downloads using the EXALIS Dialysis Management Tool.
  12. When in doubt read the Manual: IT Connectivity ! Standard

    Ethernet network connection ! Connects to electronic medical record network ! Integrates with patient prescription ! Uses the EXALIS Dialysis Management Tool protocols
  13. More information …. Password : 65505

  14. More information …. Hard-Coded IP Address:

  15. None
  16. None
  17. NMAP Scan of Communication

  18. Hacking the HL7 Communication Protocol “HL7’s Version 2.x (V2) messaging

    standard is the workhorse of electronic data exchange in the clinical domain and arguably the most widely implemented standard for healthcare in the world. This messaging standard allows the exchange of clinical data between systems. It is designed to support a central patient care system as well as a more distributed environment where data resides in departmental systems.” --Source:
  19. DICOM servers ! Most medical devices will communicate to a

    DICOM server. ! These servers are notoriously vulnerable. ! They contain personal identifiable information related to medical results and medical patient data.
  20. None
  21. None
  22. None
  23. None
  24. None
  25. Medical IR and Triage ! Say What???? ! It does

    not really exist. ! Do Logs Exist? ! What data is on the devices? ! What file system is on there? ! What Operating System? ! So many questions and no answers ! So how Fu*@3d are we?
  26. Hardware

  27. Partitioning Schema

  28. Partitioning Schema

  29. Partitioning Schema

  30. Partitioning Schema

  31. VXWorks Medical Devices on the Internet

  32. VXWorks RTOS Embedded OS

  33. VXWorks RTOS Embedded OS

  34. Recent Vulnerabilities VXWorks

  35. None
  36. Data Artefacts

  37. Artefacts - How was it calibrated?

  38. Artefacts - Clinical Data

  39. Network Configurations

  40. Network Configurations

  41. Screen Display Configuration

  42. Retained Patient Data

  43. Retained Patient Data

  44. Logging Medical device logs are normally used for supporting hindsight

    analysis of incidents. Logging and analysing device interactions would give manufacturers insights into how devices are used in practice and how to improve their products. Moreover, keeping good logs of events would be useful for medical practitioners to learn from the mistake of other medical practitioners. To do this, investigations of incidents that did not lead to fatalities have to be carried out on a regular basis. Doing so would also ensure that the logging system works as intended.
  45. Shortcomings • Well many. • Devices have no logs. •

    There is no connection history. • There is no logon history. • Devices do not have unique GUIDs so cannot be uniquely identified. • No logs on changes or commands received.
  46. Shortcomings • Well many. • Devices have no logs. •

    There is no connection history. • There is no logon history. • Devices do not have unique GUIDs so cannot be uniquely identified. • No logs on changes or commands received. No LOGS just no LOGS.
  47. So what now? ! Ensure that targeted logging is built

    in. ! Ensure that each device that connects is uniquely identified. ! Log all IP address that connect to the device. ! Identify artefacts that normally appear on devices and build a base line. ! Provide secure syslog capabilities. ! Use those logs for monitoring and alerting (MSEIM).
  48. Questions?

  49. Special Thanks: Jay Radcliffe for being my dealer in Medical

    Devices and generally being an inspiration and all round amazing human being. References: ! ! Phoenix_X36_Hemodialysis_System.pdf ! ! !