You probably don’t know Ross Compton, but last fall the 59-year-old claimed that when he noticed his house was on fire, he hurriedly packed some personal belongings, broke a window with his cane, and rushed out of the house. Police, suspicious of his claims, got a warrant for Compton’s pacemaker data. The data showed that he had not been in the state of activity he described at the time of the fire. That data, plus physical evidence collected by fire investigators, was more than enough to charge Compton with arson and insurance fraud.
Cases like this bring to light the importance of issues related to integrity verification. The value of device logs as an objective record of facts only exists if we can be assured that the ability to generate records, and the records themselves, have not been compromised.
Medical devices like pacemakers and drug infusion pumps keep detailed logs of all activity. Because these logs are valuable in monitoring patient care, device operation, and incident investigation, they are at risk of data modification attacks through physical or remote access.
Consider a generic infusion pump that primarily dispenses pain medication and writes logs to battery-backed RAM. These logs record the dose of drugs as requested and delivered, any program changes, and when infusion starts and stops. If a patient suffered a medical emergency that could be linked to the pump, or anything went awry, investigators would depend on the device logs to tell them the story. But what if those logs didn’t have the whole story, or an accurate one?
Security risks associated with infusers have been well documented and are beginning to be addressed. Given these issues, altering this generic infuser’s operation would not be difficult: an attacker could easily tamper with the medication dosage settings. Erasing evidence of any alterations, or planting false evidence, would be equally simple.
Our generic infuser has a BusyBox console that is available over telnet. The terminal provides read-write access to the file system, including the device logs. While the console is protected with a password, most hospitals leave the easily obtained factory-set default password in place because they are not prompted to change it by the manufacturer. Most don’t realize that the telnet interface is there at all, as they have no need to use it during normal operations.
Beyond the threat of raising the dosage levels on certain medications, as has been demonstrated in the past, an attacker could erase their footprints after an improper amount of medication is delivered, either by simply erasing the logs or by modifying the logs to reflect that the proper amount of drugs were delivered instead of an overdose.
Even if precautionary steps were taken to harden against a network-based attack, an attacker could still change logs by obtaining physical access to the device.
Our infuser has a tubular lock that secures the door to the medication storage area. Before the infuser can even be turned on, the door to the medication storage area must be unlocked. The same lock also secures the infuser to the IV pole, preventing removal without the key and preventing access to the Ethernet port, which is blocked by the pole. Not all infusers have this precaution; on many there is no barrier to accessing the Ethernet port or removing the infuser from the pole.
This kind of lock is pickable in seconds with a special lock pick available on Amazon. Once an attacker has used the lock pick to discover the pin pattern and open the lock once, the pick can then be used to close the lock without needing to pick it again. We tried this out ourselves and, with no prior tubular lock picking experience, opened the lock on a popular infuser in less than a minute.
Having opened the lock, an attacker can now remove the infuser from its pole to access the Ethernet port, connect a laptop to the infuser, and access the BusyBox console to change the dosage levels and modify the device logs.
An attack doesn’t have to be all that clever to negatively impact the integrity of a device’s data. If so much as the time is wrong on medical device logs, it throws the integrity of the entire report into question. Imagine if Ross Compton had been able to adjust the time on his pacemaker. When the time change became apparent, the lawyers would not have been able to say for certain what his state was at the time of the fire, and he might never have been caught in his lie.
Updating the time on our generic infuser is easily done, given physical access, through a settings menu available at startup. It’s also available through the BusyBox console over Telnet via the 'date' command, which allows a user to set the system date and time. Someone who wanted to cover up malicious activity need only set the time incorrectly on our generic infuser, and an investigator would no longer have an easy way to verify which doses were given when.
After recognizing the value of device integrity to an attacker, we can take the first steps towards protecting it. Manufacturers often leave doors open, like our infuser’s Telnet interface, to retain the ability to debug a faulty unit. However, they have no need to write to log memory from the Telnet console. By simply enforcing permissions that prevent a Telnet user from editing log files, manufacturers can put up a barrier between attackers and the integrity of their device. To take further steps, the device maker could secure its local storage and implement secure remote logging.
These are simple but only partial solutions. Ideally, in addition to these, infusers would have no external debug interface, not even a well protected console. Manufacturers will need to make compromises to address issues that arise after release. By understanding what aspects of their device are most valuable to attackers, manufacturers can make those compromises more strategically and put layers of security between attackers and what they value.
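As an added illustration of the tamper-evident local storage and remote logging the paragraphs above call for (example code, not from the original article or any device maker), the Python below chains each pump log record to its predecessor with a keyed MAC; the device key, record fields and sample log are constructed assumptions. Verification flags an edited dose, a deleted or reordered record, a clock that was set back before the pump logged again, and, given the head MAC kept by a remote logger, a truncated tail.

```python
import hashlib
import hmac
import json

# Constructed example key: on a real pump it would live in protected storage,
# never on a filesystem that a debug console can read.
DEVICE_KEY = b"constructed-example-key"
GENESIS = "0" * 64

def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()

def append_entry(log, event, dose_mg, ts):
    # The MAC covers the fields, the sequence number and the previous MAC,
    # so an edit, deletion or reordering anywhere breaks the chain.
    body = {"seq": len(log), "ts": ts, "event": event, "dose_mg": dose_mg,
            "prev": log[-1]["mac"] if log else GENESIS}
    log.append({**body, "mac": _mac(body)})
    return log

def verify(log, remote_head=None):
    # Recompute the chain, reject timestamps that go backwards and, given the
    # head MAC from a remote log copy, detect a truncated tail.
    prev, last_ts = GENESIS, 0
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body["seq"] != i or body["prev"] != prev:
            return False, f"chain break at record {i}"
        if not hmac.compare_digest(_mac(body), rec["mac"]):
            return False, f"MAC mismatch at record {i}"
        if body["ts"] < last_ts:
            return False, f"clock went backwards at record {i}"
        prev, last_ts = rec["mac"], body["ts"]
    if remote_head is not None and prev != remote_head:
        return False, "tail truncated: head MAC differs from remote copy"
    return True, "ok"

def build_sample_log():  # constructed sample: program 2 mg, start, deliver, stop
    log = []
    for event, dose, ts in [("program", 2.0, 1000), ("start", 2.0, 1010),
                            ("deliver", 2.0, 1070), ("stop", 0.0, 1075)]:
        append_entry(log, event, dose, ts)
    return log, log[-1]["mac"]  # the head MAC is what a remote logger would keep

def edited_copy(log, index, field, value):  # in-place rewrite by a console user
    t = [dict(r) for r in log]
    t[index][field] = value
    return t
```

Note that without the remotely held head MAC, dropping the newest records leaves a chain that still verifies, which is why the remote copy matters.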
Threats to medical device data integrity have serious implications for both patient safety and fraud. Devices that do not implement measures to protect logs provide malicious actors with multiple avenues of attack. Had our aforementioned arsonist known a little more about the device implanted in his chest, he could have gotten away with a serious crime. The proliferation of such devices is only going to grow, which makes addressing related problems more pressing than ever.