Slashdot Mirror


Hackers Can Falsify Patient Vitals (bleepingcomputer.com)

Hackers can falsify patients' vitals by emulating data sent from medical equipment clients to central monitoring systems, a McAfee security researcher revealed over the weekend at the DEF CON 26 security conference. BleepingComputer: The research, available here, takes advantage of a weak communications protocol used by some patient monitoring equipment to send data to a central monitoring station. McAfee security researcher Douglas McKee says he was able to reverse engineer this protocol, create a device that emulates patient vitals, and send incorrect information to a central monitoring station. This attack required physical access to the patient, as the attacker needed to disconnect the patient monitoring client and replace it with his own device that feeds incorrect patient vitals to the central station monitored by medical professionals. But McKee also devised another method of feeding central monitoring stations without needing to disconnect the patient monitoring client.

26 comments

  1. in other news by zlives · · Score: 1

    mcfuckee reports an analog hacker can write false data on patient chart.

  2. Really bad by 110010001000 · · Score: 3, Funny

    "This attack required physical access to the patient, as the attacker needed to disconnect the patient monitoring client and replace it with his own device that feeds incorrect patient vitals to the central station monitored by medical professionals"

    How do I get a job as a "Security Researcher"?

    1. Re:Really bad by crashumbc · · Score: 1

      I got your research. I hook the leads up to my OWN ARM... Serious crazy hack right there...

    2. Re:Really bad by Anonymous Coward · · Score: 0

      In other news... hacker brings Glock 19 into hospital, blows patient's brains out. Huge security hole.

    3. Re:Really bad by SlaveToTheGrind · · Score: 1

      Agree that one's lame, but keep reading:

      A variation of the attack requires the attacker to be on the same network as the patient monitoring client in order to ARP spoof the central monitoring station.

      The attacker can pose as the central monitoring station, capture data sent by the actual patient monitoring equipment, and then send falsified patient data to the real central monitoring station.

      This second attack scenario works in real-time and is feasible because of the insecure design of the Rwhat protocol used by some medical equipment to send data from patient monitors to central stations via WiFi or wired connections — the protocol relying on simple unencrypted UDP packets sent between the client and server, packets that can be easily spoofed and modified.
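
As an added example (not part of the comment above, the article, or the McAfee research): a sketch of the per-datagram authentication and replay check whose absence the quoted passage describes. The header layout, payload text, monitor id and key are constructed for illustration and are not the Rwhat format.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                    # HMAC-SHA256 output size
HDR = struct.Struct("!HQ")      # hypothetical header: monitor id, sequence number

def seal(key: bytes, monitor_id: int, seq: int, vitals: bytes) -> bytes:
    """Monitor side: header + payload, followed by an HMAC over both."""
    body = HDR.pack(monitor_id, seq) + vitals
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Station:
    """Central station side: verify the tag, then require an increasing sequence."""
    def __init__(self, keys):
        self.keys = keys        # per-monitor keys, assumed provisioned out of band
        self.last_seq = {}      # highest sequence number accepted per monitor

    def accept(self, datagram: bytes):
        if len(datagram) < HDR.size + TAG_LEN:
            return None, "short"
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        monitor_id, seq = HDR.unpack_from(body)
        key = self.keys.get(monitor_id)
        if key is None:
            return None, "unknown monitor"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None, "bad tag"
        if seq <= self.last_seq.get(monitor_id, -1):
            return None, "replay"
        self.last_seq[monitor_id] = seq
        return body[HDR.size:], "ok"

def demo():
    key = bytes(range(32))                           # constructed sample key
    station = Station({7: key})
    good = seal(key, 7, 1, b"HR=72;SpO2=98")         # constructed sample reading
    results = [station.accept(good)[1]]
    # Same datagram with its payload changed by a host that lacks the key
    altered = good.replace(b"HR=72", b"HR=40")
    results.append(station.accept(altered)[1])
    # Previously accepted datagram delivered a second time
    results.append(station.accept(good)[1])
    # Next genuine reading from the monitor
    results.append(station.accept(seal(key, 7, 2, b"HR=73;SpO2=98"))[1])
    return results

if __name__ == "__main__":
    print(demo())
```

The tag covers the header as well as the payload, so neither the monitor id nor the sequence number can be changed without the key; confidentiality would additionally need encryption, which this sketch does not provide.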

    4. Re:Really bad by RoccamOccam · · Score: 1

      "But McKee also devised another method of feeding central monitoring stations without needing to disconnect the patient monitoring client.
      A variation of the attack requires the attacker to be on the same network as the patient monitoring client in order to ARP spoof the central monitoring station.
      The attacker can pose as the central monitoring station, capture data sent by the actual patient monitoring equipment, and then send falsified patient data to the real central monitoring station."

    5. Re:Really bad by 110010001000 · · Score: 1

      He "devised" ARP spoofing to attack an insecure protocol? Again, how do I get this job? This is like decades old. There are many protocols in use that aren't secured.

    6. Re:Really bad by Anonymous Coward · · Score: 0

      were they also able to hack the coax cables...

    7. Re:Really bad by pnutjam · · Score: 1

      We know this, but demonstrating it for others in a public forum will force it to be addressed. (theoretically)

  3. Seems easier to just..... by pablo_max · · Score: 1

    If you have physical access to the person you want to harm and that person is already in a state where they need life monitoring equipment and can apparently not shout to the nurse or anything... It seems easier to just.. you know... harm them.
    Shoot some Drano on the IV drip or whatever.
    Seems pretty convoluted and slower to rig up some hack.

    1. Re:Seems easier to just..... by Lab Rat Jason · · Score: 1

      I think you're ignoring a whole other angle here. What if you want to break someone out of the hospital: fake BETTER vital signs so they'll let you leave, or fake constant vital signs so you can unhook them, get them dressed and walk out while the nurse still sees a consistent signal from the monitors. What if you want not to kill them, but keep them in the hospital longer: fake only slightly worse vital signs. Lots of room to play here.

      Also, if this can be done with vital signs, then how secure is the other monitoring equipment... morphine drips, etc. I think what they're pointing to is the potential.

      --
      Which has more power: the hammer, or the anvil?
    2. Re:Seems easier to just..... by arth1 · · Score: 1

      It might be beneficial for an assassin to be able to walk out of the hospital, because the monitoring still shows plausible values despite the target being dead.
      Or even abduct the patient.
      Or fake half a dozen emergencies, so staff all mill around and don't notice who walks off with all the morphine.
      Or play mind games with a staff member you hate, causing him or her to rush back and forth to patients all night.

      The possibilities will include many other scenarios - you just have to think of them.

    3. Re: Seems easier to just..... by Anonymous Coward · · Score: 0

      But once they start experiencing the effect, it will be reflected in their vitals, which are remotely monitored, and they may be able to help the patient in time. If it all happened quick enough, they may even be able to catch the assailant before he gets out of the hospital. On the other hand, if you know it will be 30+ minutes before the nurse pops in next, and you can mask the vitals to make the patient appear healthy, that gives plenty of time for the patient to die and for the assailant to get away unnoticed.

      That said, the "hackers" bit is sort of pushing it. Sneaking into the hospital room and hooking up a simulation device for a patient isn't hacking territory. This is more professional hitman territory.

    4. Re:Seems easier to just..... by Anonymous Coward · · Score: 0

      Or fake half a dozen emergencies, so staff all mill around and don't notice who walks off with all the morphine.

      No need for hacking equipment to walk off with morphine. (Those people usually aren't hackers anyway)

      Fake emergencies: just yank some patient sensor cables out from the monitoring equipment. Instant alarms. Or press the room's alarm button. Wear a white coat (or whatever that hospital uses) so they think you're staff. Trigger the fire alarm. Now walk off with the morphine.

  4. Hackers can also dupe stories on /. by mandark1967 · · Score: 1

    But they need editor acce...err...nm

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
  5. I think I'll be able to avoid panic over this by ValentineMSmith · · Score: 2

    And this, kids, is why no network admin with the brains G_d gave your average cockroach allows unauthenticated computers on a network. Granted, some of these older units still use serial connections up to an aggregator, but TFA mentioned ARP spoofing. I accidentally shut down half a basement at a hospital at one point by plugging my laptop into a port in the training room. The ports on that network switch were locked to specific MAC addresses, and would actually shut down if a network adapter with any other MAC address than the designated one were plugged in. It was somewhat embarrassing.

    And it's also one of the reasons why every reasonable EMR requires that human eyes look at the data before adding it to the database. Yes, you could fudge factor vitals readings to a certain extent, but the human body is a collection of systems that have really nice feedback loops to maintain equilibrium. If you see a change in one measurement, there will almost always be a corresponding change in one or more others. So, it's not enough to change an SpO2 reading. You not only need to know what the clinically valid ranges are for an SpO2 reading, but what changing SpO2 will do for respiration and pulse rate. And then you get to add additional factors (like COPD) into the mix.

    So, all in all, this would take someone with some level of medical training, a specific goal in mind, an almost criminally stupid network admin, and active cooperation from the patient to make it work.

    --
    Karma: Chameleon - mostly influenced by bad '80s New Wave music
    1. Re:I think I'll be able to avoid panic over this by Cro Magnon · · Score: 1

      So, all in all, this would take someone with some level of medical training, a specific goal in mind, an almost criminally stupid network admin, and active cooperation from the patient to make it work.

      Well, they probably have a goal or they wouldn't be in there, and the next one is practically a given. That just leaves your first and last conditions.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:I think I'll be able to avoid panic over this by Anonymous Coward · · Score: 0

      Or you could just hook up the patient leads to a simulator (an electronic device that simulates the electrical stimuli to make a monitor see a specific heart rate, SpO2, BP, etc). Or put them on a different patient.

      Some manufacturers are putting encryption into their devices (Draeger, e.g.) but it's not yet clear whether that's worth the hassle. The risk of a rogue patient monitoring device on your network is probably a lot lower than the risk of the thing not working due to an expired cert or key exchange problem!

      dom

  6. Not a real problem by Gravis Zero · · Score: 1

    This attack required physical access to the patient

    If you have physical access to a patient that has one of these machines hooked up to them then you could just as easily inject something into their IV line because they are definitely going to have one. A simple bacteria or viral load would be far easier and make their death look natural. Faking their vitals and hoping they die from their existing injuries is just a stupid plan.

    --
    Anons need not reply. Questions end with a question mark.
  7. Before The Devil Knows You're Dead by Baby Duck · · Score: 1

    "Before The Devil Knows You're Dead" showed you don't need hax0r skillz at all to pull this off.

    --

    "Love heals scars love left." -- Henry Rollins

  8. Misleading article by Anonymous Coward · · Score: 0

    This is an extremely misleading article. There are no facts presented and no proof of any of the claims. As usual with mainstream media these are quick to be funded by Clinton Foundation to spread anti-Russia propaganda to hurt our president.

    1. Re:Misleading article by Anonymous Coward · · Score: 0

      As someone who has personally done something similar (intercept only, no falsification) on in-use hospital equipment, I would be very comfortable in believing their claims based on my experience.

  9. Test leads and cables unshielded by Doomwookie · · Score: 1

    Test leads and a lot of medical cabling are very cheaply made and unshielded. It is very easy to use induction to modify the reading the equipment is getting from the test leads without disconnecting anything. Disconnecting things would trigger alarms on the stuff sending data to the central monitoring station. Of course, you still need access to the patient.

  10. Or, you know. Buy a patient simulator... by Anonymous Coward · · Score: 0

    The kind that is used when developing monitoring equipment...