It’s been about 3 months since I shared my research at DefCon, surrounded by fellow white hat hackers, representatives from the device manufacturers, the FDA and, yes, the Department of Homeland Security. The presentation was the culmination of research that started months before DefCon and ended with the recent ICS-CERT update detailing the vulnerability. Although numerous articles have been written about it, and a full video recording of the session is available, I still get asked about this presentation often. I wanted to touch on some of the most commonly asked questions in this blog.
How did this research start? And why IV pump?
Why an IV pump? It’s probably the most frequently asked question. It should be no surprise to anyone that the healthcare industry is under attack. Whether it’s hackers attempting to steal PHI without being detected or ransomware broadcasting its control over your data, the healthcare industry is under siege. As I looked at this industry with a hacker’s hat on, the low-hanging fruit became obvious: connected medical devices. Of all the devices, the IV pump caught my attention because it is abundantly available in any hospital. The sheer number of IV pumps means there is a higher chance that organizations do not track or secure these devices. Also, if a hacker can compromise IV pumps, he/she can reuse the same technique over and over again across the industry.
Is it a real hack if you require physical access?
If you have reviewed my presentation in detail, you’ll notice that step one of the hack is to physically open an IV pump and replace the compact flash card with an altered one. Although the whole process takes less than 5 minutes, many comment that this is not a real “hack” since you need physical access to the device. While I understand where they are coming from, the inherent nature of the healthcare industry makes this a “real” hack.
Unlike other industries, healthcare organizations cannot simply lock devices behind closed doors. IV pumps, X-ray machines, heart rate monitors and so on must all be readily accessible. Just imagine the critical minutes wasted if these devices were not easily reachable. For this reason, connected medical devices are physically accessible to almost everyone in the hospital. Can a malicious hacker have 5 minutes alone with one of the many IV pumps at a hospital? I would say yes.
Hacking a single IV pump seems like a plot from a movie. How likely is it?
Despite the larger scope of this vulnerability, many still think this is a hack of a single IV pump. Yes, the pump can be hacked to dispense an incorrect or even lethal dose of medication. It could easily be an assassination plot in a movie. However, compromising the single device revealed credentials that enabled access to the server the pumps connect to, as well as to the WiFi network and the encryption key that protects the data in transit. Not only can hackers now target hundreds or even thousands of devices, they can also steal PHI and other confidential information from the pump server.
What responsibilities do security vendors have in releasing such (potentially dangerous) vulnerability details?
This question is something all white hat hackers and security vendors get asked, so I won’t dwell on it. Suffice it to say that prior to my presentation at DefCon, I shared the details of my findings with the device manufacturer. I also participated in a follow-up call with the device manufacturer, the FDA, ICS-CERT and the Department of Homeland Security to help clarify the device vulnerabilities. I have to say that it has been refreshing to be able to collaborate with the device manufacturer and the various government agencies, who all share a common goal.
I think this research has enabled important collaboration between security vendors and device manufacturers. The ICS-CERT update is just one example of such collaboration. If interested, you can find the recording of my DefCon presentation here.