
Okay, is it on? Sorry, a little bit of an issue today with the platform. I'm just going to ask my team. All good. All right, so greetings everybody, my name's Basil, and the title looks a little different: it's medical exploitation. That's actually the title of a blog, but here it's the right talk, the health platform talk. So this talk is about a recent project that we did at Depth, and basically we were able to exploit a glucometer, which is a device that measures your blood sugar level: you poke yourself in the finger, it measures your blood sugar, then it synchronizes with a mobile device, and then that synchronizes up to the cloud. Great.

So a little bit about me. I'm a penetration tester and I do some security research. My interests are in red teaming, intelligence, reverse engineering and binary exploitation. These are not things that I'm great at; I'm always trying to improve. And then when I'm 40 and retired (this will make sense in a bit) I'd like to look into sentient intelligence and the primal cerebral connection in the brain, so it's not just doing algorithm type stuff; I'd like my fridge to talk back to me and call me out on my crap. Something else that I like is combat sports and music, so if you'd like to come talk to me, let's talk about that.
So a little back story about the actual project. Our CTO and accurate chief, Jake Reynolds, wanted to come up with some research projects for us to do, and one idea he had was this glucometer. That black glucometer device thing in the middle, that's the actual hardware device that I was talking about earlier. We thought it would be impactful research, because if there are some security flaws in this it would affect the health industry, and we'd like to contribute to that in some way if possible. So the attack vectors for the glucometer, obviously, are how the Bluetooth device, you know, the actual hardware device, synchronizes to the cell phone. That's one thing we could look at, and Bluetooth always sounds super sexy, it's like, wow, let's do some Bluetooth hacking. There's also the web and mobile exploitation aspect, which is how securely does the mobile device send the data to the backend.

So the summary here is that through five low- or medium-severity vulnerabilities we were able to compromise every single user's data and modify any user's data on the platform. That includes their glucose level readings and their required daily insulin dosage.

So this is where we start getting a little more technical. This is the first vulnerability. The way the device talks to the backend: the first thing we had to bypass was certificate pinning. There was certificate pinning implemented, and what that means is this: in order for us to look at the requests that are happening from the cell phone device back to the backend server, we need to proxy through some sort of program, you know, like Burp or something. Now the program will actually check to see if it's talking to the right thing, the right server, the right backend, before the mobile app actually sends any requests. So we need to bypass it. There are a couple of ways to do that. Sometimes, if the certificate is placed in a predictable location, somewhere in the root directory or something like that, then we're able to change it and have the program actually utilize this certificate. There's also runtime hooking using a tool like Frida, and I highly recommend James Kennedy's talk; he gets into the mobile stuff in a lot more detail than I will. I believe that's at 4:15. The way that we did it was using the Burp Mobile Assistant, and this is a tool that basically is the easy button, where you're able to inject into an app of your choosing, and that can bypass certificate pinning, and you can look at any requests happening from the cell phone device to the backend. So I know the POST requests, the GET requests, any request that's happening, I can look at that pretty easily. Great.

Now the second vulnerability is a pretty common web application vulnerability, IDOR, or insecure direct object references. Basically, when you're logged in as one user I have an ID, and that typically correlates to the user that I'm looking at; that's not a web page, but we were able to change that user ID to any other number and that returned a different user's information. But there was a catch: the information that came back was encrypted, and that means that the chunks of encryption looked different from user to user. It wasn't straight-up information; you just get back encrypted information. And here's a little bit of a screenshot of how clear it is: the arrow that points to the top there, that's basically a request/response Repeater tab thing in Burp, but you change the user ID at the top and you get a different encrypted blob at the bottom. So by changing the user ID you get a different encrypted blob, so that's a good hypothesis at this point: hey, this might be somebody else's data. Great, so we need to dig deeper.

So the third vulnerability now. By digging deeper, we need to break the encryption, so in order to do so we need to start reverse engineering the mobile application. Of course, all of this was on a jailbroken iPhone or Android, which is a prerequisite in order to do the hacking stuff and learn about the fun stuff I talked about earlier. Our reversing options are, you know, there's the iOS application and the Android application. We could either work with the IPA, and the IPA is basically going to entail reversing ARM assembly, and that's a little more sophisticated and that's not the simplest route to go about this. Reversing is fun, but I don't really want to do more work than I have to; I prefer the simple way. So the other way is reversing the Android APK, and this is where the obfuscation comes in. There are ways that you can obfuscate your app that make it really, really difficult for a reverse engineer to try to figure out what's going on, but as you can see, this is a sample. You can look at the log messages here; they basically explain what every method does. I don't even have to figure it out, I don't have to go any deeper, this is literally it: this is an encrypt, this is a decrypt, and then also it's telling me the cipher instance that I need to use, so the encryption type. Great. So the descriptive log messages kind of render any obfuscation useless. Even if the variable names are different, you know, the method names don't mean anything, well, I know exactly what they're doing.
So I can easily fill in the blanks. We know what the encryption scheme is now, so the next step we need to figure out is, for this specific encryption scheme, we need an initialization vector and an encryption key. Okay, we need to dig deep. So it turns out, as we'll see in the next screenshot, that there is a statically coded encryption key, which is a vulnerability by itself. Encryption keys should be generated at some point during runtime; that makes it really hard for a reverse engineer to figure out what it is. Even if the algorithm itself comes up with the same key over and over again, it should be really difficult to figure that part out. And the second part was that the initialization vector was also statically coded, and IVs should be used as a nonce, that is, a number that is used once; you can't keep that static. So after a little bit more reversing (I blurred them out) you can see here the encryption key and then the initialization vector, and they're reused throughout the code base. It looks a little funky here because of the reverse engineering tool that I used; it's not very straightforward, but it gives you a good general idea.

Okay, so now we have all the things we need to break the encryption: we have access to any user's encrypted data, we have the encryption scheme, we have an encryption key and an initialization vector. So let's go ahead and write a little bit of code. But there are some challenges. So the first thing is, if you look at the actual program you'll notice that there's some base64 encoding happening, so the first thing we need to do is base64 decode. Then we need to interpret the actual decryption key in the right format, otherwise if we just plug it into our decryption program it's not really going to make much sense; in this case UTF-16LE. Now the part that took me three days, and really amplifies my hatred for Java even more, was the fact that I had the wrong Java library installation, the wrong version, and so I couldn't really decrypt the message using the script that I had. Except my coworker Cory Shay tried pretty much the same exact script on this program, and his Java installation was updated, and then he was able to break it. So that's awesome. And then Dan also, who's running our CTF, came up with a Python implementation, and by the way, that's really cool. So we have a show and tell every week at Depth, which is cool because, you know, we go in and we show off what we did, like these are the moments, and then if we have any problems, you know, things where we're at roadblocks, we help each other out, and we kind of have this really strong set of minds that are just working together, so that's a lot of fun.

So we have a script; let's actually do some proof of concepts. The first one is really simple, and that's the data retrieval, so we can grab some medical data, personal information. But the question is, can we actually modify a user's data? Because that's the next step. So here's the Python script that's using the encryption key, the initialization vector, as well as, you know, the encryption scheme we mentioned earlier. You put in that stuff that doesn't make sense and you come up with a JSON object. Awesome. Now this is only one request of many, so this is showing
the basic profile information, like the date of birth, the user name, all that kind of fun stuff. But there are other requests that happen, and what they do is synchronize your glucose level readings. You know, basically if you do it 20 times a day or whatever you're required to do, there's a log of all that that gets pushed to the cloud, which may be inspected by a medical professional. This is basically just showing that, from the same user we're logged in as, we changed the user ID, we grabbed a different encrypted blob, and we decrypted that, just as a POC to show that, hey, we have a different user's information. I need to point out, though, that this is not real user information. We created two test accounts before we started messing with any patient's data; we didn't want to touch any patient's data, we just wanted to have two test accounts with fake values so we don't touch any production data. Great.

So data tampering: we're interested in basically whether we can change the amount of insulin dosage that you need and what your glucose readings are. And there's an interesting account takeover you can do, because there's a password reset flag and you can change the email address. So if I set the email address to mine and I set that password reset flag to true, then I'm gonna get an email, I'm going to change the person's password, and now I have access to their account. The biggest thing here is that you can modify data over time. This could be problematic in an attack scenario that I'm going to show in a bit, and could affect the person's medical prognosis, so they might come up as, you know, they might need more insulin than they actually need, or they might be given more insulin than they actually need, or they might not be given any. So these are a couple of, I guess, variables in the JSON object that we could change, and this is just one request where you've got the total daily dosage and then the injected insulin, how much you're supposed to inject. And there's also a reminder, which is an interesting part. Basically some elderly people, they get a reminder on their phone; it reminds them 28 times a day to inject. Well, if you set that to zero, an elderly person might not do that.

So, attack scenario: grandma is rich and ethically questionable grandkids want some inheritance money to come a little sooner. So you basically figure out what grandma's user ID is, and then you have access to all of her glucose readings and how much insulin she needs every day. If you do that over time, let's say you get a one-month trial, you know, if you're measuring your blood sugar level to actually figure out how much insulin you need, you can actually affect that, so that when they go in for the next appointment they're like, well, you're actually not... you know, your diabetes, or how much insulin you need, is not that much, so we're going to reduce your required dosage. And that could actually cause some real issues. RIP grandma.

Okay, so the timeline for this. A lot of people underestimate this; they think these things take like a day or two, you know, like you find the cool 0-day on Twitter and then you get a lot of credit and CVEs. But it actually takes a long time; it takes about six to eight months
because you have to give the company three months of responsible disclosure, you know, we can't tell anybody, and you have to work with them to help remediate it. That's a thing that you'd like to do, and it takes time. So I disclosed in 15:50 2018 and we didn't publicly disclose this until February 14th, which is pretty recent, and that doesn't include any of the research time.

So one thing, I guess my takeaway from this, is that none of these vulnerabilities stands on its own. In fact, if you did a pen test or a mobile application assessment or whatever and you said, you know, you have these vulnerabilities, some people aren't going to be willing to fix these because they're low severity. They're like, well, we're gonna fix mediums and above. But hacking is not necessarily just finding that, you know, one cool vulnerability and you take it, you know, this is a critical severity, and they fix it. No, hacking is an art. When you hire a hacker you're hiring an artist, and they're chaining exploits together, actually like low-severity vulnerabilities, to eventually bring down an entire corporation. So this is a job for humans, and, you know, this company, I talked to the guys, they had a reasonable security program, but I mean they only used scanners and they didn't really hire legitimate pen testers to do that. So this is an art and it's a job for humans. Anyway, that's all. We'll take any questions. Basil rhymes with basil. Yes sir.
So risk assessment, that's something you should ask for. Let's see. So trying to figure out what's worth what is really hard; it's always subjective. I mean, you know, what's the value of a human life? If you talk to a lawyer, right, they'll come up with some value based on the context. But the thing that concerns me is that people are taking security like... people are more complacent, and people keep saying things like, oh well, we're commoditizing testing now, we're using all these scanners and they're super smart, AI, machine learning, this, that. But at the end of the day, the more complacent you become, the more the hackers that really know what they're doing, you're making them super powerful, and that's not something that we want. We want to be able to hire people that are really capable on the white hat side and then say, okay, show us what you got, show us what you can do. And, you know, in terms of cost, it really depends on context; there's no good answer. Any other questions? Yes sir.

So actually the organization was really friendly to work with, but in this case we had, you know, you can count between 2.5 to 5 million records, people that, you know, we have access to all their glucose readings, insulin requirements. I don't know what that would translate to as a per-record value, but let's say that each record, you know, the government comes up with $10. I mean, if you just do the math there, I think any CISO is going to be like, okay, I think it's going to be a lot cheaper to hire some actual hackers to figure out what's wrong with our stuff. So, any other? Yes ma'am.
So when we do research on a device it's usually just that device and how it interacts, you know, with the surrounding pieces, the people or the backend servers, anything like that. So I can't say whether other devices are exploitable or not until we do research and try to figure out, you know, are they actually exploitable. But I can tell you right now, and I think Leslie mentioned this this morning too, that the culture right now with IoT and health devices and all that kind of stuff, they're trying to push as fast as possible, because that's just the push: fast. Nobody really thinks twice about security. And with the hospital applications in the long run, I bet you that in the health industry there are hundreds if not thousands of other devices that are just as vulnerable or even worse, because they're probably connected, you know, like some vital monitoring system for kids at a hospital; people probably haven't done much research on that. But with the right nation state that's well funded and they really want to do some damage, yeah, things could be pretty bad. So that's what's going on in the world we live in. Any other questions?

So that's not something I... I did not say that, because now these vulnerabilities have been patched. Now for me, myself, honestly, and even some co-workers, you know, I have some co-workers that purchased some camera systems and they tested the camera system and they found a way to look at anybody's camera system from anywhere on the internet. That was, I believe, an exploit that we put out recently, a vulnerability that we found. There are always going to be holes in these systems, but the question is who do you think is going to be targeting, you know, you, for example. Like, if you're a very high profile person using a medical device I would be really worried, because some people are actually trying to get you, you know. But if I was just a person that, you know, wasn't a high profile person, I wouldn't be as worried, because there's some risk assessment that goes on at the end of the day. I always think twice about any devices that I'm using in my own house. I have zero smart devices, I don't have any of these lights or any of that. I'm the most analog person you could find when it comes to all that stuff, just because I don't have to trust these things, because I know
So the verification process for, you know, figuring out whether a vulnerability has been patched is also tricky, because you can technically patch against one attack type, you know, you might have like a blacklist or something for that kind of attack vector, but if you modify it slightly, or if you think a little bit more creatively, you can bypass it. The problem is, or like the mentality behind development itself and the way that vulnerabilities are approached, is people are trying to block the thing that the researcher finds, that one specific thing. But, I mean, there's like a million different ways to do this, you know what I mean? So for this device specifically, the vendor assured us; we didn't do any testing. They assured us that the vulnerabilities have been patched and we kind of took their word on it. So that's as much as I can do, because I don't know anything else.
Were there any others, besides just the company itself? So your question was, were there other people that we needed to reach out to? Yeah, actually we did. We reached out to a couple of organizations, and I honestly don't remember the acronyms right now, but the reason I don't remember is because they didn't respond, and I tried reaching out to them a couple of times. It's really hard to get people to hear you out, even when you have a POC, when you're like, dude, I mean, I can read and modify anybody's data on this platform. I think the mentality is they just don't care unless there's a direct financial consequence, a direct threat to their livelihood, that, oh crap, we're going to lose fifteen million dollars, let's dump this money into penetration testing. And, you know, like I said earlier, that's the world we live in. We have to threaten their livelihood, by losing money basically, in order for them to invest in these services.
Anything else? All right, thank you.
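The encryption handling the talk describes, AES-CBC with the key and IV both fixed in the app and the result base64-encoded, next to the per-message IV the speaker says it should have had, as an added Go example. This is not code from the talk, the speaker's team or the vendor; the key, IV, JSON field names and records are constructed for the demo. It shows the two defender-side consequences of the static scheme: two users' records that share a leading field produce an identical first ciphertext block, which is visible in captured API traffic without any key, and whoever pulls the key and IV out of the APK decrypts every user's blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// cbcEncrypt applies PKCS#7 padding then AES-CBC; cbcDecrypt reverses both.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-pad], nil
}

// Weak scheme from the talk: key and IV are both hard-coded in the app, so
// every blob is encrypted under the same (key, IV) pair and carries no IV.
func encryptStaticIV(key, iv, plaintext []byte) (string, error) {
	ct, err := cbcEncrypt(key, iv, plaintext)
	return base64.StdEncoding.EncodeToString(ct), err
}

func decryptStaticIV(key, iv []byte, b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	return cbcDecrypt(key, iv, ct)
}

// Corrected IV handling: a fresh random IV per message, sent as the first
// block. This stops the pattern leak; it adds no integrity and is no
// substitute for server-side authorization of the requested user ID.
func encryptRandomIV(key, plaintext []byte) (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct, err := cbcEncrypt(key, iv, plaintext)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), err
}

func decryptRandomIV(key []byte, b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 2*aes.BlockSize {
		return nil, errors.New("blob is not base64 or too short to hold an IV plus data")
	}
	return cbcDecrypt(key, raw[:aes.BlockSize], raw[aes.BlockSize:])
}

// firstBlocksEqual reports whether two base64 blobs start with the same
// 16 bytes; true across different users' records is a sign of IV reuse.
func firstBlocksEqual(b64a, b64b string) bool {
	a, _ := base64.StdEncoding.DecodeString(b64a)
	b, _ := base64.StdEncoding.DecodeString(b64b)
	return len(a) >= aes.BlockSize && len(b) >= aes.BlockSize && bytes.Equal(a[:aes.BlockSize], b[:aes.BlockSize])
}

func main() {
	// Constructed values; none of them come from the real app.
	key := []byte("NotARealKey-NotARealKey-32bytes!") // 32 bytes: AES-256
	iv := []byte("0123456789abcdef")
	recA := []byte(`{"total_daily_dose":12,"reminders":3}`)
	recB := []byte(`{"total_daily_dose":40,"reminders":0}`)
	sa, _ := encryptStaticIV(key, iv, recA)
	sb, _ := encryptStaticIV(key, iv, recB)
	ra, _ := encryptRandomIV(key, recA)
	rb, _ := encryptRandomIV(key, recB)
	fmt.Println("first block equal, static IV:", firstBlocksEqual(sa, sb), "random IV:", firstBlocksEqual(ra, rb))
	pt, _ := decryptStaticIV(key, iv, sb)
	fmt.Println("decrypted with the key and IV from the app:", string(pt))
}
```

Run it with go run: the static-IV comparison prints true and the second record comes back in clear, the random-IV comparison prints false. Two caveats the talk's own findings imply: a random IV fixes the nonce reuse but CBC without a MAC still lets a blob be altered undetected, so AES-GCM or an HMAC over the ciphertext belongs in a real fix; and no client-side encryption addresses the IDOR, because the key ships inside the app to every user. The check that closes that hole is the server refusing to serve or accept a record whose user ID does not belong to the authenticated session.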