
Can you hear me now? All right. I hope you don't mind, I don't stand on stage; I'm scared of heights. So my name is Deral Heiland. I work at Rapid7. My job role is doing research in IoT technology, embedded technology. I've been doing that for about eight years; I've been in either IT or security for about 30 years now. The research that I do, the cool thing at Rapid7 is I'm pretty independent. I get a chance to do almost any kind of research associated with embedded technology that I want to do, and the cool thing is I get to share it, so everything I do gets published in some form or fashion: speaking at conferences, papers, things like that.

This research project here, we published a paper at the end of it, which we'll kind of talk about toward the end, because there are some really cool findings. So do we have anyone here who works in the medical industry, hospitals, things like that? Oh yes, you'll like what I'm about ready to say at the end of this talk. Or probably not; the odds are probably not. So let's go ahead. I've already introduced myself. Shout out to a couple of people I worked with over the last several years that kind of helped on this project: Dr. Dameff out of San Diego, Chris, who actually helped me co-write the paper that we put out, and then Baxter Healthcare Corporation, a brilliant organization that I worked with closely as we published four vulnerabilities. They are great to work with. We actually presented the whole disclosure process at a cyber conference in San Diego to really talk about how disclosures should be done right. So I built a really good working relationship with them in the process, which I think is very important for anyone doing research: that we work with the vendors appropriately and help them solve their issues for the products, so we can make the world secure for everyone. That's the ultimate goal. So let's go ahead and get started.
Project scope. So why did I do this project? I'm always doing embedded tech, and up to a couple of years ago I had not really focused on medical technology at all, so I really didn't have that mindset: what does that mean in the real world, from a medical tech? So I reached out to BD. I'm like, hey guys, talked to their team, I'm like, I want to do a research project on medical technology, and we're thinking maybe infusion pumps, medical hospital infusion pumps. What does that mean? And they're like, go away, evil person. No, they didn't do that. So BD actually hooked me up with Christian Dameff, who does cyber security stuff. He is an emergency room doctor, really heavy on cyber security type stuff, and I worked with him and got access to a lot of interesting things and other hospitals and stuff like that. It was kind of cool.

So the research target of the overall project had three products in it: the Baxter, the Alaris, and then also Hospira. Now, medical technology is very much similar to what we think of as OT technology: you don't buy something and three years later replace it. It's around for a while, and when the technology is finished up in larger organizations, often that technology is resold to smaller organizations that are lower cost, so the technology can stay around for 10, 15 years or even longer. So these devices I looked at were basically at end of life, but yet you could probably go into half of the hospitals in the United States or more and find all of these products still in use. So they carry on for a number of years.

So when I'm doing any kind of research, the first thing I want to do is understand how everything works. Before we get into the teardown, I had the opportunity, I wanted this to be more than Deral hacking on hardware, okay? We needed to go a little further. Even though we ended up with Deral hacking on hardware, we also wanted to figure out what does this mean, and I actually got access to several hospitals, and I was able to go into their biomed organizations that manage and control all the biomedical technology in those organizations, and I went through a couple of these different pumps. They showed me how to set them up, how to configure them, how to calibrate them. I talked to their security teams on what are their concerns, what is the risk to them when they think about biomedical technology, and it was a great learning opportunity. And it's a learning opportunity I get a chance to bring back to Rapid7, I bring back to our IoT pen testing team's knowledge, and I also get a chance to share that with the community as a whole, so it makes it for a lot of fun.
So one of the things I like to do is tear things apart. Let's figure out how they work. You know, when you're that kid and you like to take stuff apart and put it back together, the cool thing with this is you just buy enough devices; you don't have to put them back together, you just tear them apart, throw them in the trash when you're done. So we start off doing that. So what am I looking for? We're looking for design and operation: how to get data out of the devices, how to interact with the devices, how do they communicate. And the best way to start with that, besides listening to them or scanning them with nmap and stuff like that, is literally take them apart. How are they constructed? Where are the CPUs, the processors, the memory, the flash, the communication channels going in and out or on the circuit board? So I've done a lot of research on, like, inter-chip communication, so I got in a real habit of looking at devices and how they communicate, maybe communicate to another piece of hardware or something that's attached to it, so I get into listening to those comm lines and see what kind of data is on those.

So we started off with the Alaris pump. So let me step back here, because I have a pointer. So when I had the Alaris pump, one of the things I wanted to do was pull data off of it without breaking it first. I do break them, but it's not up first; I usually try to keep them working for at least a week before I destroy them. In this particular case I ended up getting my hands on the actual maintenance software, a little bird gave it to me, for actually configuring the devices, doing maintenance on the devices and figuring out how they work. So I figured, hey, what better way to pull config data, password data, Wi-Fi pre-shared keys, all that cool stuff off a device without tearing it apart: we can just use the maintenance software. So I used the maintenance software, pulled all the data off, and found out they encrypted all of the passwords. So they encrypted all of it and saved it. I don't know what the key was; I'm too lazy to spend weeks trying to reverse engineer that. So what I did was: the communication to the device from your PC was serial based, so it had a USB-to-serial communication connector. You would connect it into the console on this device, and it gave you the ability to access it. So all I did was tap into all the serial communication lines, and voila, none of that data is encrypted; it's all done within the software. So I was able to pull all the keys, passwords, all that interesting data off of it. So that was one method we did.
So then we got into tearing it apart. Let's figure out what's underneath the hood; let's look at all the pieces of the device. Turns out this thing has this small drive in it, okay, or not a drive, it's a memory card, okay. It's really ancient; if you know anything about these, look at it, it says 64 megabyte. It's like freaking ancient. You plug that in there, and that contains all the configurations, the firmware, the functions, and it also contained, like, pre-shared key passwords and all that stuff for the Wi-Fi. So this product's put out by BD. It was reported as a vulnerability that these passwords exist on here, so what they did is the next firmware upgrade removed it off that and put it internal to the device. Now, it was internal to the device to start with, but it was in both places. We see that on a number of different products; we'll see another example of this on another product where, like, Wi-Fi pre-shared keys are held in two different places.

The interesting thing is this old tech right here does not do wear leveling. If you know anything about flash memory devices, wear leveling is the process where any time you change something on that device, it'll actually put it in a different place and write zeros in the old place, and by doing that wear leveling, the chip inside lasts longer, has a longer shelf life, and can be overwritten and changed more times. So I didn't test this, because I couldn't get BD to actually give me the latest software to test that transition, to see if it worked, but I can almost assure you that unless their software overwrote this data, I could go ahead and do a forensic on this device and pull those keys and passwords that were removed off of it. If they're just deleted, they're still there unless they've been overwritten by something. So it's something to think about, based on the memory device that you may be storing data on: just because you say delete doesn't mean it's deleted. It's like the old hard drive; you can still recover files a lot of times. When you deal with flash memory and things like that, if the particular technology doesn't do wear leveling, the wear leveling process on it, it will still be on that device, and you can use forensics to recover that.

So digging from that, we get into tearing out the device and figuring out where things are at. So here happens to be a flash memory chip, so we can easily put this into an IR oven, heat it up, pull the chip out, drop it into a chip reader, pull all the firmware off there, all the keys, the passwords, anything that may exist on there, if it's not encrypted. It typically
this technology does not encrypt anything where it sits. But there's something else interesting with this board, and this is kind of a, I don't want to say lesson learned, it was an experiment. I knew, or I had an idea, what was going to happen, but I wanted to figure out if it really would. That looks like an old-style capacitor. It is not; it is a lithium battery soldered onto the circuit board. So what happens to lithium batteries when they overheat? They go boom. So before putting them in the oven I removed them all. I tore up two or three of these devices, but I had one left. Curiosity got the best of me, so I put it in an oven, stuck it in the oven, ran it through. It came up to temperature, I opened up the oven, I pulled the chip off, turned the oven off, shut the door, I sat down. Probably two or three minutes later, boom, massive detonation in the oven, and it was so forceful it blew components off the board, and you can see the splash where the whole thing detonated. So now I use safety glasses any time I'm working in an IR oven, because you never know, there's something on there you're not aware of. Thermal runaway; there's a delay there. That thing could easily have exploded when I had the oven open without safety glasses on. So kind of lessons learned: try not to burn your house down. Of course I have fire extinguishers in my lab, because I do set things on fire every once in a while, as you can see.

So then we get into the Hospira, kind of tear it all down. So again, we start pulling the device apart. We didn't see anything externally; I didn't have any software attached to these devices, so we had to get into a more physical thing and look at this. So we came in, and I found this header up here, so I'm like, really curious, what is this header for? Is it a JTAG header? Easy way: tap in the JTAG, pull firmware, do what you need to do to the
devices. Turned out it wasn't JTAG. If we map it down on the circuit board, which is one of the things I like to do before I just start assuming, it turns out that particular chip happens to be an RS-232 transceiver. It's RS-232 serial; it's a little different than standard TTL UART-style serial. So then I went ahead and attached an RS-232 reader on it. Guess what? I had root access to the running operating system. There's no passwords on it. Older device, not uncommon; this type of thing is a common issue when we start looking at technology. Not everyone's thinking, hey, Deral's gonna buy this thing and start tapping into it and doing weird things, and the risk is fairly low in most cases. At the end of this you'll find out where all this eventually led to, which is pretty high risk.

So the next thing is, this is flash memory. This contained a lot of interesting data on it: the firmware, things like passwords, keys, various things like that we were able to get off of it. And there was another flash memory down here; it contained other data. One contained data that drove the servos and stuff for the pumps that are in these devices; the other one actually contained more configuration data. That actually turned out to be a JTAG header, which I was able to tap into and actually use JTAG to connect into the processor and also gain access to the operating system and data. So as you can see, I'm looking at these devices going, okay, what are all the ways to interact with these devices? How do I physically pull firmware off these devices, whether it's serial internally, serial externally, JTAG, or physically removing the chips? And I did all three of them. The goal was to figure out how easy it is to get data off these devices and what that data would possibly be. I was looking for HIPAA-based PII information and also passwords, keys, and stuff like that. The interesting thing on the Hospira, we'll add more of that at the end: the one that I actually got, I bought online, turned out to actually have Active Directory creds stored in it that it was using through EAP to actually connect to the Wi-Fi. So I was actually able to get Active Directory creds off the device that I purchased on the secondary market. So you may see where this is going at the end.

The third device is the Baxter Sigma. This one was a more interesting device; it had an actual footprint on the network. We were able to interact with it in a number of different ways, so we're going to dig into this one also. So the battery unit. So the devices have a, where's that at, the devices have a
separate battery unit. So you have the primary pump and you have the battery unit. So the battery unit actually has an operating system. This is all the Wi-Fi built into the battery unit; it gives the ability to upgrade the pump if new Wi-Fi capabilities come out. So it's kind of a cool feature. The cool feature also, as we discussed some of this, the operating system on here and the operating system on the actual pump for its functionality, because this is protecting human life in some cases, is separated enough that when you attack the device you're basically attacking the battery: vulnerabilities in the battery or exploits in the actual battery. And if you even crash the battery, the battery dies, it does not affect the overall operation of the pump. So kind of a really cool design by Baxter that I actually loved; it was pretty brilliant.

So again, we just started tearing these things apart and looking at them. That happens to be the flash memory in the battery. Easy enough to pull that out, drop it into a reader; you pull the firmware out that way. What we also did was we had to trace out JTAG up here. So we had the primary CPU up there, the flash memory there, and I don't know what that is, okay. So we're able to scrape off these spots, put balls on, and wire it up. So we wired the thing up, and I actually dropped wires out on the outside of the battery, so it gave me a way, any time I did an upgrade or firmware upgrade or alterations to the device, versus trying to take the thing apart, I could actually tap in the JTAG and pull the data out. So it made it easier for further testing down the road. So I usually rig up devices like that if I need to do further testing.

We also have the MCU, the flash here. That one did not contain, well, it actually contained passwords too, but a lot of it was servo-driving firmware stuff to drive the servos for the medical. It contained things like the drug library. The drug library on these devices, the purpose of it isn't to prevent the nurse from, like, killing you, but it's a set of guardrails, okay? So we know if you're going to administer fentanyl or something like that, there is a max/minimum dose type thing, so it'll set guardrails that prevent you from doing that, and we'll discuss this a little later as we show some of the vulnerabilities.

This one happens to be the flash memory chip. So all of these devices, medical devices, have a conformal coating on the circuit boards. This is to prevent moisture damage, shorting out if water or fluid would get inside the pump. It's basically a plastic coating; it goes over everything. So if you want to tap into the board or you want to pull a chip, you have to be able to remove all of this stuff. You can see it's kind of melted there. So in this particular case it was fairly easy; I could just melt it around it and scrape it off, heat it up and remove it. Well, they came out with some new batteries that I ended up getting later on. Turned out that they used a completely different conformal coating. I still have a bunch of chemicals at home; I plan on doing some research into the different conformal coatings. But it turned out when you put it in an oven, all the conformal coating would contract, and when it did, it would literally pull components off the board. So if you ran it through the oven you could never recover the board; you totally destroyed it. It would actually squirt solder out through the holes in the conformal coating, make a total mess out of the thing. And of course I gave Baxter a hard time over doing that to me; they thought it was funny.

So, analyzing the Baxter pump. So like I said, this one had some interesting things. It had a footprint; you could scan it. It had various services open on it and you can connect to it. So in this case we wanted
to break in. We wanted to check TCP, UDP ports, communication, general operations of the device. Turns out these are actually the ports that are available on the device. We have TCP ports that are actually on the device that it's listening on. So you can log in: telnet on 23 was available on these; you can log on to it. It had these other ones that are used for backend communication to and from the electronic medical record system; I was never able to figure out what these are. We also had UDP, so we still had backend communications with UDP, so you could do the same communications, TCP or UDP. By default the pump did most TCP communications, but it would still take similar functionality via UDP if you sent it in. And of course you had the Sigma backend management gateway, which is port 51244, which would be the medical record system, is what you would have in reality on these particular devices.

So we started listening to the traffic from this device. This particular one, we can see this command going from the pump back to the medical record system. So the red is the pump that I had out of the box. It was configured and started communicating back; it still had some settings in it. So this is basically status or updates or config, how the pump is set up, and as you can see it's actually set up for fentanyl. The caregiver, patient IDs, all of this stuff typically took a number, not a name, so it was a medical record system number. So HIPAA-based data was not violated on these devices, which is a good thing. But at the bottom, that's what you should expect coming from the backend medical records: it's just an acknowledgement. So 11 is just an acknowledgement packet. So I had some data given to me up front, because I didn't have a backend medical record system, so somebody gave me some capture data that they had done on a live system. It didn't have much data on it, and the only thing I got from the backend medical record system was that response.

So what I did was, if I want to get this pump to actually start acting somewhat normal for me, I needed some kind of response system. So I actually wrote myself a Python-driven server that any time it received a request from the pump, it would acknowledge back with the right structure and everything, and that way the pump just wasn't pounding noise constantly, but there was some rhyme or reason behind it. It made it a little easier. So we had that data; what do we do from there? So we know that's a 3, we know that's an 11. Is there kind of any other stuff? So we come up here, and this is basically config data, and it would actually give us the config data from the pump. So if I acted like the medical record system and sent a request to it with that 2 in it, it would respond back with this data here, and then the medical record system would send an actual 11 down at the bottom. So it responds back with a 4, the actual data. This contains pump configs, version numbers, software version numbers, dates associated with the configuration and firmware on the actual device, and of course the backend medical record system responds back with the acknowledgement. So we're starting to build an idea of how this pump is communicating and working.

So we went ahead, I went ahead and wrote a script: let's go through all the possible numbers that it would respond to, and this is kind of the data we got from the response messages, which were mostly error messages, because we didn't format them properly other than the identification number. So we get a lot of interesting things: pump config data, net config data, Wi-Fi location, RFID config. The ones in blue were kind of interesting; we ended up playing with those a little more, and we're going to show that here in a minute. So you can see if we send a 2 we got a 4, send a 14 we got a 13.
Those are the ones that responded back with real data versus just some kind of weird acknowledgement. So I can't remember what this is. So we decided to go ahead and actually start sending commands to this thing. So if we go back real quick and we look at 15, that is a set net config. So we didn't know how the configurations worked, how the commands worked; we're going to go through kind of the fuzzing process that we used to build the structure of what a structured command should look like. So we send a 15 and we end up getting this acknowledgement back, which is incomplete. It's basically an error message; that 5 at the end is basically saying it's some kind of error, misconfig, it's incomplete. So it wasn't telling us enough data that way.

So we ended up, after taking the devices apart, digging through the firmware, we found the passwords for telnet, go figure. So we logged onto the device with telnet and we figured out all the commands on there. We found a command called set trace. The goal of this exercise was to try to identify the proper command structure so we could start actually communicating to the device and making it do stuff we wanted it to do. So we set trace on and we start getting tons of real data out of set trace; we start getting error messages. So we go ahead and we send another 15 request and we get this back: net config missing data elements. Okay, so we know 15 is valid; the response tells us we're missing data elements that define what the set config is. So we keep doing this. What's this mean? After some examination and playing back and forth, we find out between the header and the XML is where those data elements go. So you literally start putting zeros in there, that's what I did, and you keep sticking zeros in there until the data element thing fails and you get another error. Now we know how many data elements that'll take. Well, this one was a little easier to figure out, because what we found out was there's a command called get network config. The get network config response had the exact same meaning of data elements, so we figured, hey, we can send network config, or the get network config data elements could be sent back to the device, setting that config.

So then we started looking at this, trying to figure out, are there any vulnerabilities? Can we change anything on these devices? So we're going to go through all the vulnerabilities we actually discovered. We had four of them assigned in '22. The first one: we hooked into the storage, the data, started looking at that, and we're able to pull out of the battery the actual configs. So from the battery we're able to
pull the config. So how's this a risk? Well, I started experimenting. So when we start thinking about this, the battery: that means if I walk into a hospital with one of these and I plug it in and I turn that pump on, count to 30, pull the battery out, stick it in my pocket and walk out, I have the net config data. It's stored on here. Not a good thing. So then we went to the next level: how would you as a medical organization make sure when you get rid of that device that that doesn't go out the door? Because these things get separated; they gave me multiple batteries for this device here. Well, it turns out when the device is plugged in here, there's a procedure that Baxter put out, and the procedure is to flush the device of all critical data. Okay, maybe that problem's solved; maybe this wasn't a vulnerability. Well, it turned out that when you do that purge process, the first step the purge process does is turn off Wi-Fi, and when it turned off Wi-Fi it didn't overwrite the battery. Wi-Fi has to be on during the purge to overwrite the battery. So we're able to work with Baxter, rewrite the procedures, and they changed the code in the devices moving forward so that it would purge the battery before it would turn off Wi-Fi.

Interesting finding also on that; I don't think I actually put it in the slides. Let's find it right here. So we know these devices communicate with each other, and they do it via serial comms. So on the back there's serial comms. I actually built a shim out of a flexible circuit board that you can literally drop in here on a device, carried in your pocket with a Pi device, put that in there, and then you could hook up right here, power it up, and capture all those keys, passwords and data during the power-up of the device. I thought that was a cool little hack. Baxter didn't like it; they didn't think it was as funny as I did. But that is what it is. So let's kind of move on.

Oh, so you can see as we're looking in here, we can find the location; Alliance, that's the SSID, and this here is a pre-shared key. So, interesting thing, you'll see this on a lot of better devices: when WPA communicates, sets up a secure link, it does not actually use the password that you put in there. So if you say that I put in a password, that's my dog's name, it doesn't use that; it converts it into a 64-byte hex string is what it turns it into. So every time you go to communicate, if it doesn't store that hex string, it has to convert it each time, and being it's a hospital device, they automatically converted it. That string is done through basically a hash that is the SSID and your password that you put in there; it converts to that 64-character string. So if you're looking for, like, pre-shared keys in memory, think about this: it may be something like this and not stored straight up.

So the other hack we had was dealing with get Wi-Fi location. So the way the device works, or the way this function works, they built this thing in called get Wi-Fi location. So if you send this 20 request to the actual pump here, it'll respond back by scanning all the access points in proximity, recording the MAC addresses and their actual power levels. It's a rudimentary cross-fix type thing, because these devices move around
the hospital, and the concept was we could send a request to the device and it would actually give us back this data here, and we can use that to get the reasonable proximity of where that device is: what floor it's on, what wing of the building, things like that. So that was the purpose of it, and you can see down here it shows all the SSIDs of all the devices in my lab: test one, net one, net 4, my office jet, all that type of stuff.

So turns out we had a cool vulnerability, a format string flaw. So I actually presented SSID injection at Black Hat in 2013, where you can use SSIDs and inject attacks into embedded devices. Turned out it worked on this thing. So we could technically fire up an SSID with that name in it, fire it up, send it to that device, and it will respond back. So we're going to actually see this run; I've got a video here, let's see if it works. Good. So I wrote the program get Wi-Fi location; that's basically going to send that 20 request to the device. So we're going to log in so you can see it. Now, you don't need to log in to the device to trigger this attack; we're just doing it so we can see the response that's taking place where the format string flaw actually triggers.

So does anyone here not know what a format string vulnerability is? We got one person, okay. Let's let this go for a second; we'll get to some point and I'll explain it so you understand it, because I think it's important to understand how a format string flaw works. So we kicked open the program and we see all this data flowing through here, and we can see some cool stuff taking place. So boom, boom, boom, things are taking place. If we go to the next slide, we see the data that's in there. We see, instead of showing my SSID of %x%x%x, you see a bunch of numbers. So a format string flaw is when, in programming like C, C++, and it hits every programming language, you can define what the output of a function is. You can say I want the output to be hex, I want it to be string data, and you do that by defining the format string in the code. So it takes an argument. Let's say it takes an argument; it says, what's your name, and you put in Deral; it'll respond back Deral. If it's programmed right it'll do Deral; if it's programmed wrong it'll do Deral. The difference is if I put %x in there, as an example, it'll want to return hex data. The problem is it evaluates what you put in there not as string data, like you put Deral in; it defines it as code at that point. It says, oh, I'm supposed to go to the process stack, pull data out of there and share it as hex data, and it will actually return data from the process stack. So all those numbers you see are bytes off the process's running stack. But also in this thing we put in four A's, so if we follow the four A's to the end we can see 414141. So theoretically at this point we would have the ability to read and write arbitrary memory.

So why don't I have a fully functioning exploit? Unfortunately I ran into some anomalies in the code. It turns out to address any of the memory associated within this application, you have to precede it with the first two bytes of zero. Format strings truncate any time they're processing a null byte, so it won't work. The other thing we found out was this would not process anything outside the standard ASCII code area, so if you hit anything that was a non-printable character, it would change the number to a 3F versus what you'd want. But theoretically this will work to let you read and write arbitrary memory using this: a %s would read the arbitrary memory, so whatever you put in where the A's are, it would take that as a location in memory, it would go to that location and it would read until it hit a null byte. If it was a %n, it would go to that location, it would take the count of format string characters processed and write that number into that memory location, being able to write arbitrary memory.

So that was one of the second vulnerabilities. That was a second and a third vulnerability; turns out we had two vulnerabilities that are both format strings, but it was the same vulnerable code construct, it was just accessed from two different places, and it happened to be the debug message. So if you see debug BSS, debug BSS, the debug messaging engine was where the vulnerability existed. So anything entering that device that would trigger a debug
process or debug message in the system would trigger the format string exploit the last one was unauthenticated network configuration as we mentioned earlier we could send a set net config with a 15 signal as in here we'll see how this one runs this may take a little longer so I just want to show the pump running let's go ahead and do it so what we're going to do here is we're going to set the pump up to connect to our our make believe backend uh record me medical record system and then what we're going to do is we're actually going to set up another machine to act like a medical record system and then we're going to send a packet to the
device a UDP packet and we're actually going to reroute all the communication from this device that was supposed to go to the medical record system to our Target system giving us the ability to get and in the middle to all the communications to the backend medical record
system. So I wrote some simple Python scripts to emulate all this type of stuff. So if we look at the pump, oh, get it right, right here: that is Sigma Gateway, it's a medical record system, so it's 4103. So right now the make-believe medical record system is out there, the one that's acting like a real medical record system. So we can see it actually communicating all the stuff, with the elevens coming back from the device, it's acknowledging the device. This weird changing stuff at the end is a CRC, so we had to build CRC calculators into this thing to CRC all the message structure to make sure it stayed legitimate and didn't fail. So as this thing's going, anyone have any questions? Yes sir, what's that?

Any time I look at a device that actually processes form or SSI... oh, he wants to know why did I put percent x's in the SSID. So I did a research project many years ago. Okay, wait a second, we're still thinking about it. Okay. I did a project many years ago where I was looking at any ways to inject data from machine to machine. SSID is overly trusted, so I did a project looking at how do embedded devices handle SSIDs, and we found out that a number had flaws where we could actually inject everything from format strings, buffer overflows (you can do that with format strings), and also cross-site scripting, cross-site request forgeries. We had an Aruba case where we were actually able to fire up a rogue access point within close proximity, within, you know, 300 yards of somebody running an Aruba wireless LAN controller, and we were able to get it to reconfigure the controller and give us an admin account on the Aruba wireless LAN controller, as an example, and we put that out in 2013.

So if you were watching this while I was running my mouth, we sent the command in and the device rerouted the traffic from the primary one to the one that we controlled. Theoretically controlled, meaning if I was in a hospital I could send out a massive sweep of UDP and reroute all the infusion pumps like this through my device and man in the middle. So what can you do with that? Well, if you can get man in the middle of this device, and I didn't really realize this, I thought oh, you could screw with the drug libraries, you could rewrite the drug libraries if they're triggered and pulled down. But it turns out that a gentleman at a medical organization, one of the government medical organizations, goes, Deral, do you realize that instead of setting electronic medical record systems as something you think would harm somebody, you could actually set that drug on all the pumps to be between 0.1 and 0.11,
which is theoretically impossible, bricking all the infusion pumps. They would have to update all of the drug libraries on the pumps and none of them would be usable, which is bad, and I didn't realize how bad that was. Let's kind of move on.

So the systemic issue. So it's like this: I tore these devices apart, devices I bought on the secondary market, and I found out that I could find the wireless LAN or the WPA keys off these devices. I was able to take the SSIDs that were on these and trace it back using WiGLE to the hospital that this pump came from. In this process I bought 13 pumps all together, and I was able to get the wireless access points' or the wireless networks' passwords for five major hospital chains around the country. These weren't little mom-and-pop shops, these were massive hospitals, some of them covering multiple states.

So what does that tell us? It tells us a number of things. You're shipping your data out the door. End of life of technology: you're going, hey, I'm done with this pump, let's get rid of it, and you do not have an end-of-life process, you do not have a process that's cradle to grave. So we're missing that. So no cradle-to-grave processes. This should be planned out before you ever bring a medical device or any embedded device into your organization: what do you do with it at end of life? Are you going to get rid of it, are you going to feed it into a shredder, are you leasing it, do you have contractual agreements to make sure they're not selling your data out there? Because I assure you they are. You could go out to eBay right now and probably buy 10 pumps from 10 different organizations. The best ones are broke, because, you know, they haven't flushed them. So buy 10 pumps and I guarantee you're probably going to have a handful, if not more, of pre-shared keys that are used. One of the pumps actually had Active Directory creds on it; we were able to pull that away.

So what causes this? Often we don't have the resources in the staffing. So, you know, we get the devices in, do we have time to flush these things, do we have time to do what's right? And often that's driven because we don't have processes in place. If you build processes, those whole cradle-to-grave processes, when I purchase a device we know exactly what we're going to do in detail the day we decide to quit using it; either we're going to do it or we're going to have contractual agreements to make sure it happens. And that's the critical nature of protecting your environment. And again, this goes beyond medical devices. I've lost count of the number of consumer goods I bought at home off eBay that were used where I have people's Amazon passwords and pre-shared key passwords for their Wi-Fi and a whole list of things on these devices. So most organizations are completely unaware of this issue. You are now, so by all means don't go back and go, ah, that's work, I'm not going to do it, because eventually these passwords on these devices, if somebody gets them and breaks into your organization, they're actually going to be on your biomed network, your critical care network, where the most critical people are being treated on your network, which is not good, and it's not good for you to be breached with something that's simple.

I also have to point out real quick, you think, well, if I buy this off, I'm going to have to pull the data off it, then I'm going to have to figure out whose it is, and I'm going to have to drive to that location, and I'm going to have to break in. What if I'm in Maine and this place is in California? I did a quick look, and if you go out and look at a lot of devices, once in a while you'll actually find devices that actually have the biomed tags on them from the hospital calibrations, and they'll often have the hospital's name on them. So now I can go buy a device that has the hospital's name, I know exactly where it's at, if it's vulnerable and has data on it.

I'm running out of time quickly, and here is some information: the Baxter research that we published, advisories; deacquisition of medical devices, we put out an entire report on this that goes through why this is critical, how it's critical, and I also give you instructions on how to pull all the firmware off these devices and the keys in detail for all of these pumps, because I'm a technical guy and I do stuff like that; practical exploitation of SSID, I did that at Black Hat Europe in 2013, and it's a fairly good presentation, some cool stuff in it. This attack works. I find this attack every year on devices for injecting attacks via SSIDs, and it's probably never going to go away as long as we've got people writing programs, and I assure you AI writing a program is probably not going to be much better.

So that kind of finishes my presentation. I hope you enjoyed it, and if you have any questions, I don't know if we have time to take questions. Yep, yeah, let's take questions if anyone has any questions,
please. Could any of these attacks ever be used to conduct, like, a ransomware attack from a foreign country? Like, would you have to even be in the United States to exploit an attack like this? Like, if you're on eBay, you buy it and ship it to some country, they find something and then somehow get it through the network, is there anything like that that could be exploited with this?

I mean, any country, anywhere in the world that you're using infusion pumps, this vulnerability exists. The stuff goes to the secondary market, it's going to be vulnerable. The example in the one pump where I actually found Active Directory creds, who knows what they would work on. In reality they could still work, and when we're talking about the WPA pre-shared keys, I don't care how old these devices are, you think the hospital goes and changes the SSID and passwords on every medical device in their entire organization just because they're changing one series of devices? The answer's no. So yeah, this is an entry point to do bad things once you have a foothold in an organization, to be able to ransomware people. Could you ransomware the devices? I gave an example where theoretically it could possibly be done. I have not tested that, but if you had something on the network just screaming and shutting these devices down, or put in a permanent place, and somehow, or the vulnerabilities I found, could actually alter the devices to cause irreversible damage in some cases. And this is just a small handful of devices; there's hundreds and hundreds of different products out there, and I wouldn't be surprised if similar issues exist on a large number of them. Any other questions?

Have you been able to replicate this issue on more critical devices such as perfusion pumps or pacemakers? Want to say that again, speak up again? Have you been able to replicate this issue on anything such as, like, perfusion pumps or pacemakers? Replicate this on perfusion pumps or pacemakers? Yeah, or like something similar. So I'm not familiar. I know there's been interesting things on pacemakers that's been done in the past. I've not had a chance to look at pacemakers. I did have an interesting conversation, slightly off topic, where I had a forensic pathologist out of the UK call me, wanted to talk to me about pulling pacemakers out of dead people, and who owns them, and where should they go, and what kind of data they could have. That was an interesting conversation. But yeah, anything that has electrons and computer programs and chips in it is going to potentially be vulnerable. I'd have to say every device is vulnerable, period. Just because we haven't found it yet doesn't mean it's not vulnerable, it's just a matter of taking time. Often these pumps, current brand pumps, can get quite expensive, like six, seven, 8,000 and up. I did have Baxter share with me one of their newer pumps, purely in a gentleman's agreement, where I actually looked at some features on the device and gave them feedback on how to make improvements, but I don't publish any of that or talk about any of that other than the fact of the working relationship I had with Baxter back when we did that. Any other questions? Speak up when you talk into that thing. We'll have time for one more question, so we'll take him and then one more.

Thank you. I was just wondering if these devices typically support more advanced Wi-Fi authentication, like WPA Enterprise, where you present a certificate instead of a PSK for authentication. I have seen ones that actually had certificate capability set on them. These are a little older, so these are out of production right now, so you're not really seeing WPA3 on them, but I would expect, just like all manufacturers of technology, as the technology changes they keep up with the industry. So I would expect the ones that are in market right now being produced are going to support better security. But then it comes down to, are you going to implement that? So if I'm a hospital and everything's set up for WPA or WPA2, am I going to go through setting up devices for WPA3? Does my infrastructure support it, or am I going to have to wait for some new changes before I can support that? And that's probably where the concern is, because again these devices are on the market 15 plus years in some cases, so a lot of organizations that are still using them, which I wouldn't be surprised there are many out there, may have more infrastructure issues with going to newer, later versions of technology, at least right now, until they get ready to do that upgrade on a larger scale.

Great, one last question and then okay. Sorry, back to the format string vulnerability. I might have missed this, so forgive me if you said it, but was the stack data leaked to the client at all, or was that only available, like you showed it, in the log locally? No, yeah, you cannot see it outside of the device, so you had to log on the device to see that data. Now, you send like percent s's or percent n's, you crashed the device, you knew it was triggering, but yet to build out an actual functioning exploit you would have to have a valid pump in front of you. Right. But once you built that exploit, then you could blindly send it and it would work without actually getting any data back. Again, that attack triggered on the battery, to be aware of that, so even though you take over the battery it doesn't necessarily mean you affect the function of the pump, which is a cool part of their design that I loved. Gotcha, thank you. You're welcome.

All right, I wish I had known you seven years ago. I had a pacemaker put in, it didn't work for me, so they ended up taking it out; could have given it to you. I take free devices, I'll put it in my stack of the other 3,000 devices I've got to crawl over in my office to work on. Thank you very much. Please join us at the BSides after party.

Does John need to take over? All right, we have an announcement. You'll like this. Hi, all right, give me one second, just hang out here, I'll be right back. Also, if you participated in the CTF, especially if you got first, one of the first three places, come to the front. If you were one of the CTF organizers as well, come on to the front. We're going to be closing things up here in a minute, so just hang out while I get like 15 different prizes from this back room. All right, I see one CTF organizer. Do you have friends? That is a very loaded question. They should thank you. We'll see. Did you see the people who won the prize? Yeah, perfect. All right, I'm seeing a couple people load in here. All right, everyone, if you want to head to track two, we're going to do the closing remarks and the CTF prizes in track two in the event center.