Modern information technology has already entered the field of medical technology. Few hospitals can operate without power and network connectivity. This is why information security has followed the deployment of hardware and software. In addition to the infrastructure itself, there is a multitude of communication protocols that increase the attack surface. Hospitals and other medical facilities have to address this issue. News of compromised systems is bad for the administration and the patients.
Securing systems enters a new dimension once you consider equipment such as medical pumps, diagnostic systems and anaesthesia machines, which directly interact with the patient. Tampering with the dosage of the medication can result in very serious consequences, regardless of whether it happens on purpose or by accident. Dick Cheney had the wireless capabilities of his pacemaker disabled in 2007 for fear of attacks against his life. Of course, proximity is required for this kind of attack, but it’s hard to be completely shielded from wireless data transmissions in our modern society. The late hacker Barnaby Jack did some interesting work with medical devices, so there are bugs to be found.
In his talk at DeepSec 2013, Florian Grunow will explore the attack surface of devices deployed in the real world. The investigated devices are used in hospitals in Germany and in other countries. You will get an overview of what attackers can do, which interfaces and protocols they might abuse, and what the consequences are. Deploying high-tech has benefits, but when it comes to sensitive areas, security has to be a concern. While we do not expect random wardriving with lots of casualties near hospital facilities, the capabilities of medical devices must be addressed and investigated – for the same reasons you go to the doctor for medical checks. It’s good to know what the state of your health is, either physically or digitally, or both.
The talk is recommended for anyone developing or using medical devices, for IT staff of medical facilities, for administrators (both system and in general), and for information security experts who’d like to turn themselves into the infosec edition of “House, M.D.”. Prepare for complications.