Insecure medical equipment protocols let attackers spoof diagnostic information

Douglas McKee of McAffee presented his research into the security of medical diagnostic equipment at last week's Defcon conference in Las Vegas.


McKee presented a variety of techniques for intercepting and altering medical diagnostic information as it was transmitted to the hospital's (Windows XP or Windows 7-based!) central monitoring system. The most difficult attacks required physical access to the bedside equipment in a patient's room, but McKee also presented a devastating man-in-the-middle attack that could by launched by attackers on the same LAN as the patient — say, an attacker who cracked an insecure wifi password or plugged a laptop into a hospital Ethernet port.

The LAN-based attack takes advantage of the insecure Rwhat protocol, which uses unencrypted UDP packets to stream realtime data from diagnostic equipment to monitoring stations. Through well-understood ARP spoofing techniques, an attacker could trick bedside equipment into sending diagnostic information to their own computer, then pass altered information on to the real monitoring station. By subtly and credibly altering these streams, attackers could mislead doctors about a patient's status, causing them to miss symptoms or prescribe potentially harmful substances.


These would likely be targeted attacks, aimed at high-value targets in the hospital; I've recently been told some hair-raising stories about the lax information security at one of the hospitals designated to receive the President should they be injured while in town. This is pretty hair-raising in light of those discussions.

"Any modifications made to patient data would need to be believable to medical professionals for there to be any impact," McKee said, while also clarifying that the actual patient monitoring device near the patient's bed will not be affected by this attack and continue to display actual readings.

But in cases where medical staff take decisions based on the readings received via central monitoring systems —which also provide historical views of past readings— the attack has high chances of fooling medical professionals.

McKee did not reveal the make and model of the medical equipment he used for his tests, as he is still working with the vendor to patch the discovered issues.

Hackers Can Falsify Patient Vitals [Catalin Cimpanu/Bleeping Computer]


(via /.)