Hacking Medical Devices



Similar documents
IoT IT Security and Secure Development Life Cycle

Directed Circuits Meet Today s Security Challenges in Enterprise Remote Monitoring. A White Paper from the Experts in Business-Critical Continuity TM

Nokia E90 Communicator Using WLAN

Configuring Wireless Security on ProSafe wireless routers (WEP/WPA/Access list)

8 Steps for Network Security Protection

8 Steps For Network Security Protection

The Network and The Cloud: Addressing Security And Performance. How Your Enterprise is Impacted Today and Tomorrow

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

trends and audit considerations

Cloud Security Fails & How the SDLC could (not?) have prevented them

Enterprise Computing Solutions

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

The Weakest Link: Ethically Hacking the Connected Building. Paul Ionescu IBM X-Force Ethical Hacking Team

Flow Publisher v1.0 Getting Started Guide. Get started with WhatsUp Flow Publisher.

Data Security: Fight Insider Threats & Protect Your Sensitive Data

Xerox Mobile Print Cloud

Preparing for the HIPAA Security Rule

WISE-4000 Series. WISE IoT Wireless I/O Modules

Information Security Services

Privacy Policy Version 1.0, 1 st of May 2016

Chapter 6: Fundamental Cloud Security

INFORMATION ASSURANCE DIRECTORATE

Oracle. Human Capital Management Cloud Using Workforce Reputation Management. Release 11. This guide also applies to on-premise implementations

WHITE PAPER Security in M2M Communication What is secure enough?

Back to My Mac User s Guide

Network Management System (NMS) FAQ

Cyber Security An Exercise in Predicting the Future

AppPulse Mobile. Whitepaper: Overhead, Privacy, and Security. March 2016

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

docs.rackspace.com/api

How To Protect Your Employees From Being Hacked By A Corporate Firewall

The evolution of data connectivity

The Twelve Most Common Threats to HIPAA Compliance When Providing Remote Access to Systems and Data March 2010

How To Protect Your Data From Being Stolen

ios Security The Never-Ending Story of Malicious Profiles Adi Sharabani Yair Amit CEO & Co-Founder Skycure CTO & Co-Founder

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

PCI DSS 3.1 and the Impact on Wi-Fi Security

Contents. Expertise in access control. SaaS Software as a Service, a comprehensive solution. Megaflex Officeflow

SecurityMetrics Introduction to PCI Compliance

Network Security Policy

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

The Advantages of a Firewall Over an Interafer

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards

Securing the Internet of Things WHITEPAPER

IoT Security: Problems, Challenges and Solutions

Application Security in the Software Development Lifecycle

So happy to be here! Paparazzi over IP. Daniel Mende & Pascal Turbing {dmende pturbing}@ernw.de.

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Interoperability solution for medical devices

INFORMATION TECHNOLOGY. Revised May 07. Home Networking Guide

Security Considerations White Paper for Cisco Smart Storage 1

PePWave Surf Series PePWave Surf Indoor Series: Surf 200, AP 200, AP 400

TOTAL DEFENSE MOBILE SECURITY USER S GUIDE

Meet The Family. Payment Security Standards

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

Hedge Funds & the Cloud: The Pros, Cons and Considerations

SIMATIC PCS 7 takes you beyond the limits. SIMATIC PCS 7. Answers for industry.

How To Protect Yourself From A Hacker Attack

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

2011 NATIONAL SMALL BUSINESS STUDY

Industrial Communication. Securing Industrial Wireless

Secure File Sync & Share with Acronis Access Advanced Date: July 2015 Author: Kerry Dolan, Lab Analyst

2012 NCSA / Symantec. National Small Business Study

Data Security Incident Response Plan. [Insert Organization Name]

Information Security: A Perspective for Higher Education

DIGIPASS Authentication for Cisco ASA 5500 Series

Who is Watching You? Video Conferencing Security

The Real State of WiFi Security in the Connected Home August 25, 2015

Wireless Network Security

ALTIRIS Deployment Solution 6.8 PXE Overview

Project Title slide Project: PCI. Are You At Risk?

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ ITMC TECH TIP ROB COONCE, MARCH 2008

Apple Technical White Paper Best Practices for Deploying Mac with OS X

MTP. MTP AirWatch Integration Guide. Release 1.0

The Benefits of SSL Content Inspection ABSTRACT

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

IT Networking and Security

SECURITY CONSIDERATIONS FOR LAW FIRMS

The Shift to Wireless Data Communication

Oracle s Solution for Secure Remote Workers. Providing Protected Access to Enterprise Communications

Reducing Cyber Risk in Your Organization

Health & Life sciences breach security program. David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences

The Internet of Things: 4 security dimensions of smart devices

genie app and genie mobile app

Network Design Best Practices for Deploying WLAN Switches

The Key to Secure Online Financial Transactions

Transcription:

Hacking Medical Devices Cloud Context

#2 Blog: Florian Grunow Security Analyst ERNW in Heidelberg Team Lead: Pentest ERNW Academy Research: Medical Devices Connected Cars Conference:

#3 Agenda Motivation Publications The Problem Targets Wrap Up Questions

#4 Disclaimer All products, company names, brand names, trademarks and logos are the property of their respective owners!

#5 Motivation Make the world a safer place

Motivation Importance We trust these devices Doctors trust these devices Cloud will play a major role in the future Technology Rocket science: e.g. MRI Proprietary protocols Every device is different 6/17/2015 #6

#7 Publications so far What has been done

#8

#9

#10

#11

#12

#13

#14

#15

#16 http://arstechnica.com/tech-policy/2014/10/feds-examining-medical-devices-for-fatal-cybersecurity-flaws/

#17 The Problem Anamnesis

#18 Siemens Sirecust BS1 In the old days

#19 Nihon Kohden Neurofax EEG In the old days

#20 The Change New com options available Optimization of processes Interoperability E-Health records PACS Personal Health Lowering costs! Data will be going to the cloud!

The Old Cloud! Standard anesthesia devices

#22 Are we Ready? What about IT in hospitals? Resources / Know-how Different types of networks Doctors Patients Devices Guests Research Semi-New technologies on the rise -> No experience Remote maintenance (non-optional?) Cloud seems to solve some of these problems!

Are we Ready? What about home monitoring? Devices for personal health Transmitting wireless / Upload to cloud Need to be integrated without hassle What could possibly go wrong? Think pre-calculated encryption keys in home routers Must not be expensive Privacy in the cloud? 6/17/2015 #23

The Scale Home Monitoring

#25 Privacy?

#26 Privacy? HTTP! omfgstfu

Are they Ready? What about the vendors? Same mistakes again? Learning curve WiFi Car keys Exploiting like in the old days? We are not really using this port, the board came with it! We are fine, we have two network interfaces (trusted/untrusted)! 6/17/2015 #27

#28 What is Important for Compliance? Focus is on safety not security Especially important in Germany We do not even have these words Safety mostly works Still have bugs like: Device showing asystole alarm when patient is fine Does security? We only need to make sure that there are proper authorization mechanisms A hacker will always find a way 510(k) assumes there is no hostile environment, doctor will not harm patient, patient will not harm himself or doctor Certification Focus on safety, too

#29 Problem Summary Little resources on customer s side Little experience with incidents on vendor/hospital side Lack of awareness on vendor side Safety vs. Security This could kill you!

#30 Targets What are we looking at?

Targets Medical devices with enabled com Com is in places you would never suspect Severity Rating : Low: Monitoring stuff Medium: Diagnostic systems High: Feedback to patient 6/17/2015 #31

#32 Monitoring

#33 Diagnostic

#34 Feedback

#35 Targets Hard to get hands on devices Vendors have little interest? Lack of experience? Expensive Cooperations What about liability? Hard to test!

#36 Targets What we looked at so far

#37 Disclaimer There will be no details yet on how the exploits work as this might pose a threat to life or the physical condition of patients!

#38 Target: Patient Monitor 1 Unreasonable Configuration

#39 Target: MRI Really cool!

Target: MRI Consists of: Host System Windows based PC Image Processing System Retrieves the raw data and constructs images Control System Controls hardware of the MRI (basically patient table, coils, etc.) 6/17/2015 #40

#41 Target: MRI

#42 Target: MRI Host System

#43 Target: MRI Host System Open Ports: 114

#44 Target: MRI Host System After portscan

#45 Target: MRI Guest WiFi

#46 Target: Syringe Pump Demo: Infusion Override

#47 Target: Patient Monitor 2 Signal Processing / Frontend

#48 Target: Patient Monitor 2 Demo: Pwning vital signs

Cloudification How do we authenticate? Devices not adequately capable Violation of best practices Secure the weakest link! Not necessarily the cloud but the Things Hospital environment Data privacy? Especially in Germany hot topic 6/17/2015 #49

#50 Final Words We need to test these devices! There will be more publications from ERNW! For the Cloud: Consider the IoT ( Internet of Threats )!

#51 Questions?

#52 Thank you! Please consult your doctor or pharmacist for risks and side effects of this presentation

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information