The Autopsy of the PHOENIX X36 Hemodialysis System

Transcript

1. The Autopsy of the PHOENIX X36 Hemodialysis System Veronica Schmitt

   @Po1Zon_P1x13 [email protected]
2. None

3. Disclaimer: All the views/ research done and presented is my

   own and does not reflect the view of my employer / former employer(s) or anyone else. Do not try this at home or anywhere else. This can harm someone.

4. Please do not!

5. WhoAmI ! DEF CON Goon ! DC2751 Founder ! Medical

   Device Security Research ! Medical Device Incident Response ! DFIR Lethal Forensicator ! Cyborg

6. I am the Cavalry Our Message: We believe that our

   dependance on computer technology is increasing faster than our ability to safeguard ourselves. As the question around technology is less-and-less “can we do this” we must more-and-more be asking “should we do this.”

7. I am the Cavalry Our aims are: ! To selectively

   improve visibility and awareness of these issues while preserving trust. ! To inform decision-makers in public policy, manufacturing, oversight and customer organizations so they take smart risks. ! To collaborate among all stakeholders, deal with concerns and find a common way forward where everyone wins. ! To catalyze, amplify and demonstrate public good done by security research of consequence. ! To promote systems thinking that examines interdependencies and externalities, not just pieces of the whole.

8. Introduction ! Medical Devices are integral to longer term survival

   of certain patients. ! Bridges the divide between physical and virtual. ! Medical Device security is behind on the fight against vulnerabilities. ! Devices are designed for usability vs security.

9. CIA for Medical Devices ! Confidentiality Is patient data stored

   securely and transmitted securely? ! Integrity Ensuring that building for security does not undermine the integrity of the device ! Accessibility To ensure that the devices remain secure and accessible.

10. Hemodialysis ! A medical procedure to remove fluid and waste

    products from the blood and to correct electrolyte imbalances. ! This is accomplished using a machine and a dialyzer, also referred to as an "artificial kidney." ! Hemodialysis is used to treat both acute (temporary) and chronic (permanent) kidney failure.

11. ! The PHOENIX X36 Hemodialysis Delivery System is designed to

    be an easy-to-use device. ! Its flexibility allows it to reliably provide effective, high-flux and low-flux hemodialysis, hemofiltration and ultrafiltration on patients weighing 15 kg or more. ! In addition to its “ease-of-use features,” such as real-time Kt/V monitoring and Compensated Blood Flow (via the DIASCAN Monitoring System), a full-color touch screen, and Sodium and UF profiling, the PHOENIX X36 System offers built-in connectivity to EMR and patient prescription downloads using the EXALIS Dialysis Management Tool.

12. When in doubt read the Manual: IT Connectivity ! Standard

    Ethernet network connection ! Connects to electronic medical record network ! Integrates with patient prescription ! Uses the EXALIS Dialysis Management Tool protocols

13. More information …. Password : 65505

14. More information …. Hard-Coded IP Address:

15. None
16. None

17. NMAP Scan of Communication

18. Hacking the HL7 Communication Protocol “HL7’s Version 2.x (V2) messaging

    standard is the workhorse of electronic data exchange in the clinical domain and arguably the most widely implemented standard for healthcare in the world. This messaging standard allows the exchange of clinical data between systems. It is designed to support a central patient care system as well as a more distributed environment where data resides in departmental systems.” --Source: http://www.hl7.org/

19. DICOM servers ! Most medical devices will communicate to a

    DICOM server. ! These servers are notoriously vulnerable. ! They contain personal identifiable information related to medical results and medical patient data.
20. None
21. None
22. None
23. None
24. None

25. Medical IR and Triage ! Say What???? ! It does

    not really exist. ! Do Logs Exist? ! What data is on the devices? ! What file system is on there? ! What Operating System? ! So many questions and no answers ! So how Fu*@3d are we?

26. Hardware

27. Partitioning Schema

28. Partitioning Schema

29. Partitioning Schema

30. Partitioning Schema

31. VXWorks Medical Devices on the Internet

32. VXWorks RTOS Embedded OS

33. VXWorks RTOS Embedded OS

34. Recent Vulnerabilities VXWorks

35. None

36. Data Artefacts

37. Artefacts - How was it calibrated?

38. Artefacts - Clinical Data

39. Network Configurations

40. Network Configurations

41. Screen Display Configuration

42. Retained Patient Data

43. Retained Patient Data

44. Logging Medical device logs are normally used for supporting hindsight

    analysis of incidents. Logging and analysing device interactions would give manufacturers insights into how devices are used in practice and how to improve their products. Moreover, keeping good logs of events would be useful for medical practitioners to learn from the mistake of other medical practitioners. To do this, investigations of incidents that did not lead to fatalities have to be carried out on a regular basis. Doing so would also ensure that the logging system works as intended.

45. Shortcomings • Well many. • Devices have no logs. •

    There is no connection history. • There is no logon history. • Devices do not have unique GUIDs so cannot be uniquely identified. • No logs on changes or commands received.

46. Shortcomings • Well many. • Devices have no logs. •

    There is no connection history. • There is no logon history. • Devices do not have unique GUIDs so cannot be uniquely identified. • No logs on changes or commands received. No LOGS just no LOGS.

47. So what now? ! Ensure that targeted logging is built

    in. ! Ensure that each device that connects is uniquely identified. ! Log all IP address that connect to the device. ! Identify artefacts that normally appear on devices and build a base line. ! Provide secure syslog capabilities. ! Use those logs for monitoring and alerting (MSEIM).

48. Questions?

49. Special Thanks: Jay Radcliffe for being my dealer in Medical

    Devices and generally being an inspiration and all round amazing human being. References: ! https://www.windriver.com/news/press/pr.html?ID=1104 ! https://econnect.baxter.com/assets/downloads/products_expertise/renal_therapies/ Phoenix_X36_Hemodialysis_System.pdf ! http://lup.lub.lu.se/luur/download?func=downloadFile&recordOId=1982371&fileOId=8961306 ! https://slideplayer.com/slide/11659715/ ! https://www.va.gov/vdl/documents/Clinical/ClinProc/clinproc1_impg.doc