
A Radiography of the InSecurity of PACS and DICOM Systems

BSides SATX · 2019 · 33:17 · 103 views · Published 2019-09
Category: Technical
Style: Talk
About this talk
Title: A Radiography of the InSecurity of PACS and DICOM Systems
Presenter: Carlos Avila
Track: In The Clouds 02
Time: 1100
BSides San Antonio 2019, June 08 at St. Mary's University, San Antonio, Texas

Abstract: At this point, no one is surprised when you visit a doctor and complete your medical history on a computer or on a mobile device, but perhaps not so many of us wonder where and how this information is stored, or what impact it would have if other people obtained it. In this talk I try to analyze and answer these questions from the vulnerabilities found in different medical applications evaluated in web and mobile applications, such as PACS systems, DICOM viewers, and ERM / HRM / RIS systems, which commonly connect through the DICOM / HL7 protocols. During the time that I have been investigating this type of system I have found failures at the code level, mainly of the injection type, server implementation errors, credentials "hardcoded" in applications, and information disclosure; each of these would put at risk the sensitive data of patients and doctors, as well as put a complete health infrastructure at risk. The talk will show the level of exposure of these systems based on analysis I have made and failures found and reported, and includes a demonstration against one of these systems. Hospitals, clinics, patients, doctors and monitoring systems / devices could be affected by these vulnerabilities.

Speaker Bio: Carlos Avila is Chief Security Ambassador at ElevenPaths and also works as an independent consultant in the Information Security industry, fulfilling several mainly technical roles. Carlos is a founding member of ISSA Capitulo Ecuador and is a guest speaker at conferences and events on computer security. He's an instructor of security-related topics such as Pentesting, Code Review, Defense Techniques and Hardening of Platforms.
Transcript [en]


Hello everyone, welcome to BSides San Antonio 2019. We'd like to thank a few sponsors: St. Mary's University, USAA, Trend Micro, Digital Defense, Texas Cyber Summit, San Antonio AFCEA chapter. At the end of the day stick around, there are going to be prizes. Our next speaker is Carlos Avila, and he'll be talking about a radiography of the insecurity of PACS and DICOM systems. Thank you.

Hi everyone, good morning. This is my first time at BSides and in Texas. Yes, okay, this is my first time in Texas. I'm very excited, super excited to be here, and thank you for being here. It's my first presentation in English, so be patient please, I come from far away, okay.

Unfortunately after my talk comes lunch, okay. My name is Carlos Avila, I'm from Guayaquil, Ecuador. You might have heard about my country by places such as the Amazon rainforest, the Middle of the World, or the beautiful Galapagos Islands. And I'm working at ElevenPaths, it's the cyber security unit of Telefónica, it's a company from Spain. Okay, this will be the agenda. We will review a quick introduction about PACS and the interaction with the DICOM protocol; I talk about some key concepts and a basic scheme, an architecture. The idea of the talk is not to see in detail how DICOM or PACS works, but to review in a general way how they work, and above all to focus on the vulnerabilities that I have discovered in different scenarios. After that I talk about some topics for future research, some other ideas in mind that me or you could develop after this talk. Finally, recommendations based on my experience, and conclusions.

On the right side of the presentation we see the first X-ray machine, created by Mr. Röntgen, something like that, around 1895. And we also observe in the second image how this type of exam was in the past: through multiple devices, several people, manual operations and tasks. And to make this scenario more complex, all radiological images were stored in rooms, where usually they deteriorate or get burned, and this way precious information is lost. Today the environment changed: you can see integrated instrumentation, automatic procedures, and digital information stored in PACS servers in most cases. We began to see how this type of platform became vulnerable to attack vectors such as ransomware attacks, IoT device attacks, and data leakage of sensitive information, from daily diseases to, like, HIV for example, it's very dangerous. Like the investigation of malware infection through DICOM files, for example; this last research is very interesting, among others. So why this research? Like this person in that image, for years I experienced this type of exam, where I had several X-ray images taken to monitor my health. At the moment, I think, I asked myself about the functioning of the software behind these devices: for example, what type of protocols do they use, or what kind of software or programs exist, and how are they developed?

But before I start, let me explain a little bit what is PACS, what is DICOM, some key concepts. A PACS server is a system for digital storage, transmission and retrieval of radiological images. Modalities is a type of medical imaging: for example, CT is computed tomography, US is ultrasound, or MRI is, I'm sorry, magnetic resonance imaging. I'm not a doctor, but I learned researching. A DICOM message is an attribute for communication with a PACS server and with the other artifacts in healthcare facilities, and Web Access to DICOM Objects is a standard to expose images and reports over the web. Similar to libraries or code for creating a web application for the healthcare industry, or PACS applications; other stuff is electronic medical records, hospital information systems and radiological information systems. So in real life the PACS server will look like this: it's a computer, it's an IT server with high storage and computing power. And DICOM, on the other hand, is a standard or protocol for the communication with this type of devices, to transmit images and services, etc. All of this through services, executed through different commands: for example, storage, query, print, modalities, etc.

You can see that in the other slide. This is like showing a traditional scheme of how a PACS system works through the DICOM protocol and PACS. Basically, DICOM protocols allow diagnostic devices to interact with PACS servers, with modalities, for example CT scan, MRI or others; these are the artifacts in the healthcare facility. These imaging modalities share information with the PACS server, and at the same time the PACS server allows sharing information with other programs, for example a DICOM viewer on the desktop, or mobile applications, or a PACS workstation, or other external programs or web services, for example. Also, the DICOM protocol is very old; it is still operating in different companies' premises around the world, and for example you can see sites for services on the internet such as Shodan, Censys, hunter.io, etcetera. In this case, in the United States, a little over 530 only in Shodan.

How did this research start? Another way I was able to collect information was through search techniques like dorks. So in other cases, before, you could find shared folders, a lot of shared folders directly connected to the internet sharing information, as you can see in that image on their website: for example, a PACS archive sharing information by shared folder. And the other example is here, in the red line, for example other types of vendors. We can find a lot of applications that are available to hospitals, clinics, the healthcare industry in general. In fact, you can see on the internet today vendors offering trial access, client access, to their mobile applications, for example. This represents another attack vector that I would like to speak about later.

Let's continue. This slide shows my first post, where I explain in a simple way how an attacker, through a DICOM client tool, can get remote information from PACS servers without any authentication and authorization most of the time; it depends on the configuration of the software. You can see in that image the first evidence about that, but let me show a demo of that. As you can see in this video, there is a DICOM tool called Radium viewer; you download it, it's free, and you can configure the IP address and port. The default port of the DICOM service is 104. In this case it's a test on a server exposed to the internet, it's in Japan. An attacker using a DICOM tool could extract this type of information from a server without any security: for example the patient name and date of birth, patient ID, modality, for example the type of exam, study description and other stuff; even the type of tomograph, sorry, and other types of devices. And you can get all the databases, and data leaks appear on the internet.

Other evidence about that in my research; there is a lot of information out there. These are other servers exposing patient information: for example, in this case it's a test on a server in Bolivia, you have 200 studies or records of patients. In these cases in Ecuador you can see the names, for example the study names, date field, type of study, description, etc. In this case it's 5,500 studies or records, this is in Brazil, for example, or the other server exposed on the internet, and our example is in Japan. And due to this type of simple vulnerabilities, in some countries several companies have been indicted with millions of dollars in fines.

So, however, my deep interest in this research led me to find a project called PacsOne Server, and in the project I found some vulnerabilities at the web application level. As you can see on the web page, it's "the most commercially available picture archive, blah blah blah, PACS" and all features. These vulnerabilities were reported to the project sponsor, and the most important thing about this project is that the core of the web application has been used by other healthcare facilities on the internet and by commercial software. For example, you can see on the web page all of the facilities that use PacsOne Server; you can see more details in that link. Here are some results. At the moment I tried to discover where these applications could be installed on the internet; here are some results of my research, looking on the internet. These are samples of PacsOne Server installed on the internet in different healthcare facilities or companies around the world. This is one vulnerability, SQL injection on PacsOne Server, that was used to obtain patient data from facilities that have implemented a specific version of the PACS server. This is the other evidence, but commercial software based on PacsOne with some customization, with the same vulnerabilities, and a potential attacker could extract all patient information on these servers depending on the configuration.

This is the other vulnerability on the same software: it's a local file inclusion, a typical web attack; you could have control of the server. And here's a story about my vulnerabilities: most of the companies quickly fixed the flaws, but it was funny, one of the companies sent me an offer for this software, but I said I don't want to buy it, I want to fix it. I'm sure many of you experienced this. Other types of vulnerabilities that I found, you can see on Exploit-DB. So, access to commercial software in the healthcare industry is difficult; I wanted to turn my research around, so I tried other attack vectors. For example, this time I wanted to test mobile applications which interact with PACS servers and DICOM protocols.

So these are the results. I analyzed mobile applications in iOS and Android; the main features are radiological images, medical results and patient data. As you can see, the results are not good, but you can see where the medical services such as radiological images, medical results, etc. are accessed through these mobile applications; a potential attacker could find flaws that allow escalating privilege on the infrastructure, for example. As you can see, the results are not good: we have found common vulnerabilities, for example obsolete certificates, SQL injection, cross-site scripting, hard-coded passwords, etc. In this case, for this test, I have used a platform called MobSF for static and dynamic analysis, and many manual tests as well. You can see more details about this research in that link.

So some cases about that: for example, hard-coded data in mobile applications. In this case I found hard-coded sensitive data, for example a passcode used to access the application; in this case, in the AndroidManifest.xml of an Android application, you can see the hard-coded passcode for accessing these applications. And for example, in this case the applications save to SQLite without a cipher library, for example. Other cases are insecure traffic: for example, these applications send information over HTTP; you can see all the XML and information with user passwords, etc. You can modify this type of information. Another attack vector may be an API on the server. All these weaknesses shouldn't even exist: for example, certificates hard-coded into the applications, excessive permissions of the application, or for example optional HTTP in this type of applications; you can see in that one, and this one, in different applications I see all those issues.

For example, nowadays developers continue to use Base64 as an encryption method, and other things; obsolete or deprecated features are used, such as WebView, which allowed cross-site scripting within a mobile application, to mention other cases. For example, we found interaction in the mobile application with a REST API or web services, where I found the typical vulnerabilities of web applications, for example SQL injection, cross-site scripting. In this case SQL injection again allows access to the private information on the server; it's commercial software in this case. Other vulnerabilities and attack vectors that appeared on my way: here we can see vulnerabilities that I found, discovered and reported in different commercial software.

Another kind of application that connects with PACS servers is RIS, radiological information systems. In those cases I found cross-site scripting issues, but in the last image I found SQL injection in a demo web application of that vendor, where you manipulate the different DICOM images, for example. As something related to this type of applications, I analyzed other types of applications; in this case the applications manage different content, for example medical results. You can see the hard-coded password again in mobile applications, and patient appointments and exam results. These are not developed in a secure way and show other vulnerabilities: for example, mobile apps without obfuscated code in critical applications and all that stuff; for example, saving information in SQLite in plain text, for example users' passwords and types of exam results, etc.

So the healthcare industry has other issues, and I talked about future research. I'm going to show you other interesting topics for future research: in this case, protocols and hardware. Protocols or standards: you can do more research on DICOM or other stuff, for example HL7, CCDA, FHIR (it's a new one), which are XML structures that you could do all the different tests on. Other stuff, for example hardware: you can do, like, I'm sorry, we will start with the other things. For example, this project is very interesting, it's a mini PACS server; you can install this PACS server on a Raspberry Pi, for example. There are many more applications to investigate, for example other software that interacts with PACS servers: in this case EHR or EMR, electronic medical records, or hospital information systems, or laboratory information management systems. For example, here I have discovered some flaws or vulnerabilities in that software. This software is a LIMS, a basic laboratory information system; this software saves information, for example formulas or secrets of companies in this case, and this type of software is connected with other machines or other artifacts in the healthcare industry or healthcare facility. For example, in this case you can see how to configure an artifact connected via serial RS-232, for example, or including PACS.

Another thing is EMR, electronic medical records. This project is OpenEMR, it's very interesting and it's a lot in use on the internet, similar to LibreHealth. Based on those vectors I have another demo, a vulnerability I found in an EMR project. LibreHealth is open source software, it's a fork from OpenEMR; LibreHealth is used to manage all the information of a healthcare facility or hospitals. For example, you can manage patient data, inventory of pharmacy, or different things, financial, etc. It's similar to ERP software, okay. In this case a user can access the patient portal, authenticate, for example access as a patient, and in this case an attacker or malicious user can send a POST request or payload and read or write an arbitrary file on the server. For example, in this case I sent phpinfo; in that parameter, the content, I try to write this file on the server, in this case a phpinfo. Let me show you: in this case I use Burp and send the request, okay, and I review the written file on the server. This vulnerability and this exploit you can see on Exploit-DB. There are other things, for example in this case the malicious user or attacker could upload a web shell or a nice message like that.

Other things, or conclusions or comments about my research and the demos. At the end, the scenarios of insecurity in this type of software are similar to other industries: for example, insecure programming, in both cases mobile and web applications; default insecure configurations; weak or default credentials; hard-coding private data in mobile applications; obsolete protocols or products; hardening issues, for example nowadays you can implement DICOM over TLS or SSL; and other things, like unsupported or abandoned projects, in most cases forks on GitHub, for example, where you can search for a lot of vulnerabilities. Some recommendations: for example, the first one, developers should develop in a secure way, secure design, implement security controls in all the stages of software development. Analyze your platforms for the industry's HIPAA compliance regulation, where there is a lot of documentation or best practices to implement. After that, audit your applications, internally or out of the box with an independent company, and other things. You have other techniques, for example to share information with other facilities in healthcare you can use data anonymization techniques or tools, and you have a lot of scripts or tools on the internet. Hardening: a secure connection for DICOM or HL7 over SSL or TLS. For end users, enable all security mechanisms offered by the platform, for example 2FA, login lockout, biometric authentication, depending on the application. And community: in the end it's our medical data, and you can contribute when we report a flaw or when we implement a new feature on a program; this way we will help a lot. It has been a pleasure, I have had a nice experience to be able to share this talk with you. Thank you very much, I'm sorry for all mistakes. Okay, if you have questions, you can speak slowly please.

Okay, I'm not a doctor, I'm self-taught. As I said, the story: it's really, one day, staying in the exam, I was staying there and thinking how they're functioning, what's functional in this type of environment. I was hit by a car years ago, it's a long history, but I think about that. I work in typical pen testing and research, and I don't know the technicals in depth, something like that, I don't know, it's okay. My response: I'm not a doctor, I didn't have the opportunity to go to the healthcare facilities, for example; I don't know the artifacts. It's difficult, for example in my country it's difficult to obtain access to the machines, for example. In this case, for this research, it's the software, in this case open-source software. Any other question? Well, thank you very much.
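The demo above turns on one configuration detail: whether the PACS accepts a DICOM association from any caller on port 104. As an added example (not the speaker's code nor any vendor's), here is the server-side check that closes that gap, a parser for the A-ASSOCIATE-RQ PDU plus an AE Title allowlist that answers unknown callers with A-ASSOCIATE-RJ; the AE Titles, the allowlist and the sample requests are constructed values.

```python
import struct

# Added example, not code from the talk or from any PACS product: the association
# screening a DICOM server (SCP) does before answering C-FIND/C-MOVE on port 104.
# AE Titles and the allowlist are constructed sample values.
PDU_ASSOCIATE_RQ, PDU_ASSOCIATE_RJ = 0x01, 0x03
# A-ASSOCIATE-RJ codes (DICOM PS3.8): result, source, reason/diagnostic
RJ_PERMANENT, RJ_SOURCE_SERVICE_USER = 1, 1
RJ_CALLED_AE_NOT_RECOGNIZED, RJ_CALLING_AE_NOT_RECOGNIZED = 3, 7


def pad_ae(title: str) -> bytes:
    """Encode an AE Title as the 16-byte, space-padded ASCII field DICOM uses."""
    raw = title.encode("ascii")
    if not raw or len(raw) > 16:
        raise ValueError("AE Title must be 1-16 ASCII characters")
    return raw.ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str, items: bytes = b"") -> bytes:
    """A-ASSOCIATE-RQ: type, reserved, length, protocol version 1, reserved, called AE,
    calling AE, 32 reserved bytes, then the variable items (contexts, user info)."""
    body = struct.pack(">HH", 1, 0) + pad_ae(called_ae) + pad_ae(calling_ae) + bytes(32) + items
    return struct.pack(">BBI", PDU_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_rq(pdu: bytes) -> dict:
    """Read version and both AE Titles; refuse short, mistyped or mis-sized PDUs."""
    if len(pdu) < 74 or pdu[0] != PDU_ASSOCIATE_RQ:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    (length,) = struct.unpack(">I", pdu[2:6])
    if length != len(pdu) - 6:
        raise ValueError("PDU length field does not match the data received")
    (version,) = struct.unpack(">H", pdu[6:8])
    if not version & 1:
        raise ValueError("unsupported DICOM protocol version")
    return {"version": version,
            "called_ae": pdu[10:26].decode("ascii", errors="replace").strip(),
            "calling_ae": pdu[26:42].decode("ascii", errors="replace").strip()}


def build_associate_rj(result: int, source: int, reason: int) -> bytes:
    """A-ASSOCIATE-RJ is a fixed 10-byte PDU carrying the three rejection codes."""
    return struct.pack(">BBIBBBB", PDU_ASSOCIATE_RJ, 0, 4, 0, result, source, reason)


def screen_association(pdu: bytes, our_ae: str, allowed_calling: set) -> tuple:
    """Return (accepted, reply_pdu_or_None, log_line) for one incoming request.
    An AE Title allowlist is only a first filter: titles are unauthenticated and
    guessable, so the talk's recommendation, DICOM over TLS, is what binds identity."""
    try:
        req = parse_associate_rq(pdu)
    except ValueError as exc:
        return False, None, f"dropped malformed association request: {exc}"
    if req["called_ae"] != our_ae:
        rj = build_associate_rj(RJ_PERMANENT, RJ_SOURCE_SERVICE_USER, RJ_CALLED_AE_NOT_RECOGNIZED)
        return False, rj, f"rejected: called AE {req['called_ae']!r} is not this server"
    if req["calling_ae"] not in allowed_calling:
        rj = build_associate_rj(RJ_PERMANENT, RJ_SOURCE_SERVICE_USER, RJ_CALLING_AE_NOT_RECOGNIZED)
        return False, rj, f"rejected: calling AE {req['calling_ae']!r} not in allowlist"
    return True, None, f"accepted association from {req['calling_ae']!r}"


if __name__ == "__main__":
    allow = {"CT_SCANNER_1", "RIS_GATEWAY"}  # constructed sample allowlist
    for caller in ("CT_SCANNER_1", "RANDOM_VIEWER"):
        rq = build_associate_rq("HOSPITAL_PACS", caller)
        print(screen_association(rq, "HOSPITAL_PACS", allow)[2])
```

The log lines are what a SIEM rule would key on: a burst of calling-AE rejections from one source address is the fingerprint of the blind querying shown in the demo.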
