Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal intelligence Tools

Brad Bowers [email protected]

Mid-Atlantic CCDC 2012 presentation at Johns Hopkins Applied Physics Laboratory: Wireless Data Exfiltration - Air Intercepted Messaging & Electronic Espionage

Page 1: Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal intelligence Tools

Brad Bowers [email protected]

Page 2

Who am I? Brad - Just a Guy that Likes to Play with Technology!

Page 3

Disclaimer

Everything I say is my personal opinion and not those of my employer!

Some equipment or functionality may be considered “Dual-use munitions” and controlled under ITAR 121.1. Be sure to follow appropriate laws! Education and Entertainment purposes only!

Above all do no harm!

The goal is to make you think!

All examples were taken with permission!

Page 4

Agenda

The adoption of security in Health Care

Hospitals – a target-rich environment

Low cost tools for assessments & data exfiltration

Equipment

Testing / Methodology

Analysis

Apply the hacker mindset

What the future holds

Q&A

Page 5

Adoption of Security in Health Care

Health Care is big business: $2.6 trillion in 2010

Ten times what was spent in 1980 ($256 billion)

Heavily driven by legislation and regulatory requirements: HIPAA, PSQIA, PHI protection rules, etc.

Health Care is complex

Health Care technology has grown complex

Health Care is a highly competitive industry

Health Care Technology Dichotomy

Race to adopt and offer new medical technology

Slow to adopt new information systems technology

Rapid immersion in wireless technology

Large variety of legacy and new wireless technologies in use

Significant challenges for Info Sec professionals

Page 6

Hospitals – A Target-Rich Environment

Let’s take a closer look at wireless

802.11(x) is not the only show in town

We have become blinded by all the background noise

Lots of other RF attack vectors & data to pursue

Legacy technology (POCSAG, FLEX, Mobi, etc.)

Current technology (ZigBee / XBee, proprietary RF links, etc.)

Emerging technology (corporate-grade MASINT)

Hospital environments are unique in many ways

How they use these technologies

How they can be tested and exploited

We can build some low cost, effective tools for testing!

Page 7

Page 8

A revisit to Old School Hacking

Post Office Code Standardisation Advisory Group (POCSAG) – developed by the British Post Office (later British Telecom)

Predecessor of Super POCSAG, FLEX, Mobi and several others

Designed for low speed transmission of data

Morphed over the years as popularity grew

How the technology works: data is transmitted in 32-bit codewords (21 data bits + 10 BCH check bits + 1 even-parity bit)

Simple Frequency Modulation (FM) using Frequency Shift Keying (FSK)

+/- 4.5 kHz deviation on the carrier frequency

Gives about 512 bits per second (roughly 64 characters per second); Super POCSAG runs at 1200 and 2400 bps

Slow by any standard but effective for transmission of plain text

Transmitted on both VHF & UHF (152 MHz – 158 MHz & 420 MHz – 540 MHz)

Most commonly in the 900 MHz range for consumer services

FLEX / Mobi work in a similar fashion though at much higher data rates

FLEX / Mobi use 4-level FSK on the carrier signal

Easily intercepted and modified

Page 9

A revisit to Old School Hacking, continued…

Medical facilities and hospitals heavily rely on this technology*

How it’s being used…

Time-sensitive data sharing between doctors and nurses

Acts as a form of middleware between doctors and nurses

Personnel communication within a facility

Room status, equipment readiness, etc.

Notification of success / failure for tasks

System alerts (disk space, disk failure, CPU utilization)

Some medical data / patient information / patient movement

Patient treatments (YIKES!)

Patient status (prescriptions, diagnosis, events, etc.)

Patient info (address, contacts, age, insurance carrier, etc.)*

Page 10

A revisit to Old School Hacking, continued…

How is this data intercepted? POCSAG / FLEX offer no real security

No encryption and no authentication

The only “protection” is the FSK modulation and framing, which any decoder strips off

Most transmissions are easily intercepted via demodulation

Most organizations do little to “encode” their transmissions

ECPA – 18 U.S.C. § 2510 et seq. (prohibits interception of radio paging messages)

How to intercept (pentester’s tool kit) – It is illegal to intercept messages from national carriers!!!

Simple signal receiver (one with a line out or discriminator tap preferred)

Hardware or software “data slicer” (kits, L0pht, Google is your friend)

Decoding software – PDW (most popular and free)

Frequency range (easily obtained: scanning, signal metering, RDF, etc.)

Signal capture tuning – equal parts luck, tuning & skill

A good directional antenna makes tuning & capture easier for closed systems
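The codeword format on Page 8 (21 data + 10 BCH + 1 parity bits, 512 bps FSK) and the tool-kit list above (receiver with discriminator tap, data slicer, decoder) describe a pipeline that is easy to get wrong at the bit level. The following is an added example, not code from the talk or from PDW: it encodes a constructed page into POCSAG codewords, simulates a discriminator tap, slices the audio into bits, finds SYNC and decodes the batch. The RIC (1200003), the page text, the sample rate and the DC offset are constructed; the BCH generator polynomial, the SYNC/IDLE codewords, the frame-selection rule and the LSB-first 7-bit packing are from the POCSAG (CCIR Radiopaging Code No. 1) specification.

```python
"""POCSAG end to end: codeword format (21 data + 10 BCH + 1 parity bits), batch
framing, and a software data slicer that turns discriminator audio into bits.
Added example, not code from the talk; RIC, text and sample rate are constructed."""
from typing import Dict, List

SYNC = 0x7CD215D8          # frame synchronisation codeword
IDLE = 0x7A89C197          # idle codeword that fills unused slots
BCH_POLY = 0b11101101001   # g(x) = x^10+x^9+x^8+x^6+x^5+x^3+1, BCH(31,21)
FS, BAUD = 51200, 512      # constructed: 100 samples per bit at 512 bps
SPB = FS // BAUD


def bch_remainder(word31: int) -> int:
    """GF(2) remainder of a 31-bit word divided by g(x); zero for a valid codeword."""
    r = word31
    for shift in range(30, 9, -1):
        if r & (1 << shift):
            r ^= BCH_POLY << (shift - 10)
    return r


def encode(data21: int) -> int:
    """21 data bits -> 32-bit codeword: data, 10 BCH check bits, 1 even-parity bit."""
    word31 = (data21 & 0x1FFFFF) << 10
    word31 |= bch_remainder(word31)
    return (word31 << 1) | (bin(word31).count("1") & 1)


def is_valid(cw: int) -> bool:
    """A codeword passes if the BCH remainder is zero and overall parity is even."""
    return bch_remainder(cw >> 1) == 0 and bin(cw).count("1") % 2 == 0


def message_codewords(text: str) -> List[int]:
    """Alphanumeric pages: 7-bit ASCII, each character sent LSB first, 20 bits per word."""
    bits = "".join(format(ord(c) & 0x7F, "07b")[::-1] for c in text)
    bits += "0" * (-len(bits) % 20)       # simplification: zero padding at the end
    return [encode((1 << 20) | int(bits[i:i + 20], 2)) for i in range(0, len(bits), 20)]


def build_batch(ric: int, function: int, text: str) -> List[int]:
    """SYNC + 8 frames x 2 codewords. The low 3 bits of the RIC select the frame,
    so the address codeword carries only the upper 18 bits plus 2 function bits."""
    frame = ric & 7
    payload = [encode(((ric >> 3) & 0x3FFFF) << 2 | (function & 3))]
    payload += message_codewords(text)
    if frame * 2 + len(payload) > 16:
        raise ValueError("message does not fit in one batch (single-batch example)")
    slots = [IDLE] * 16
    slots[frame * 2:frame * 2 + len(payload)] = payload
    return [SYNC] + slots


def _ascii(bits: str) -> str:
    usable = len(bits) - len(bits) % 7     # undo LSB-first packing, drop zero padding
    return "".join(chr(int(bits[i:i + 7][::-1], 2)) for i in range(0, usable, 7)).rstrip("\x00")


def decode_batch(words: List[int]) -> List[Dict]:
    """Pair each address codeword with the message codewords that follow it."""
    if not words or words[0] != SYNC:
        raise ValueError("batch does not start with SYNC")
    pages, current, bits = [], None, ""
    for slot, cw in enumerate(words[1:17]):
        if cw == IDLE or not is_valid(cw):     # idle or corrupted word ends a message
            if current:
                pages.append({**current, "text": _ascii(bits)})
                current = None
            continue
        data = (cw >> 11) & 0xFFFFF
        if cw >> 31 == 0:                       # flag bit 0: address codeword
            if current:
                pages.append({**current, "text": _ascii(bits)})
            current = {"ric": (data >> 2) << 3 | slot // 2, "function": data & 3}
            bits = ""
        elif current:                           # flag bit 1: message codeword
            bits += format(data, "020b")
    if current:
        pages.append({**current, "text": _ascii(bits)})
    return pages


def discriminator_audio(bits: str, dc_offset: float = 0.3) -> List[float]:
    """Constructed stand-in for a discriminator tap: POCSAG sends a 0 as +4.5 kHz and a
    1 as -4.5 kHz, so +1.0 / -1.0 plus the DC offset a real tap has (some radios invert)."""
    return [(1.0 if b == "0" else -1.0) + dc_offset for b in bits for _ in range(SPB)]


def slice_bits(samples: List[float], spb: int = SPB) -> str:
    """Data slicer: threshold at the signal's own midpoint (cancels DC offset) and
    sample once at the centre of each bit period."""
    threshold = (max(samples) + min(samples)) / 2
    return "".join("0" if samples[i] > threshold else "1"
                   for i in range(spb // 2, len(samples), spb))


def frame_words(bits: str) -> List[int]:
    """Bit-align on the SYNC pattern, then cut the stream into 32-bit codewords."""
    start = bits.find(format(SYNC, "032b"))
    if start < 0:
        raise ValueError("no SYNC codeword found")
    return [int(bits[i:i + 32], 2) for i in range(start, len(bits) - 31, 32)]


def demo() -> List[Dict]:
    """Preamble (576 alternating bits) + one batch, through slicer, framer and decoder."""
    batch = build_batch(1200003, 3, "RM 412 READY")   # constructed RIC and page text
    bits = "10" * 288 + "".join(format(w, "032b") for w in batch)
    return decode_batch(frame_words(slice_bits(discriminator_audio(bits))))
```

demo() returns the decoded page. Two things the code makes visible that the slide only states: a single flipped bit in a message codeword fails the BCH check and the decoder drops that word, which is why captures at the edge of coverage come out as garbled fragments; and the slicer only works because the threshold is derived from the signal itself, so a discriminator tap with a DC offset still decodes, while an inverted tap needs the polarity swapped (PDW exposes this as an option).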

Page 11

Page 12

Revisit to Old School Hacking

This is the tip of the iceberg!

Many examples of sensitive information being transmitted: Social Security numbers

Patient policy information

Home addresses

Generally inappropriate conversations (doctors, nurses, patients?)

Not all organizations are transmitting sensitive information

Some organizations protect their material better than others

A general lack of understanding of the risks!

Often overlooked by Information Security

Page 13

Zigbee Radio Devices

The coolest badge you are ever likely to receive!

Page 14

Zigbee Radio Packet Interception

802.15.4 multi-channel packet capturing (cheap!)

IEEE 802.15.4 is an attacker-rich (still) emerging tech…

What is Zigbee (quick primer)

Ratified in 2003-2004 (IEEE 802.15.4 in 2003, ZigBee 1.0 in 2004)

WPAN digital radios

Low power (typically ~1 mW transmit power, up to 100 mW in high-power modules)

Low cost & short range*

DSSS modulation (spread spectrum)

250 kbps (on the high end)

2.4 GHz ISM worldwide, 868 MHz Europe, 915 MHz USA

16 channels (11 – 26) in the 2.4 GHz band

Typically star or mesh topology

Built-in security* (AES-128, if enabled)

Intelligent transmitter – lowers output power

Page 15

Zigbee (XBee) 802.15.4 Wireless

How is it used in Health Care (telemedicine)

Continua Health Alliance – seems to be steering the ship

A standard for Zigbee health devices – the ZigBee Health Care profile carries ISO/IEEE 11073 (Health Device Communication) data

Typical system is made up of low-power sensors communicating back to collection devices (“gateway / access device”)

Most devices rely on pre-shared keys generated and distributed by a trusted server (the Trust Center)

Wide range of uses

Safety sensors, wrist transmitters, fall (movement) detectors

Medical equipment tracking (portable medical devices)

Patient sensor data (BP, ECG, pulse, oximeter, thermometer, etc.)

Building automation (lighting, alarms, intelligent appliances)

New uses are being adopted every day

LOTS of potential attacks possible

Not all devices are encrypted

Page 16

Zigbee Packet Interception – the CCDC badge is an awesome platform to build on!

Provides a robust platform for testing, capturing and analyzing 802.15.4

Our badge has some advantages

Covertly capture 802.15.4 packets without the use of a computer

Easily concealable / practically disposable

Long capture times using simple batteries

Scans through channels (11 – 26) and captures

Data is captured to a microSD card for later analysis

Self contained

Ease of code changes / open protocol stack

Page 17

Zigbee Pentester’s Edition

Page 18

Zigbee Pentester’s Edition

Page 19

Zigbee (XBee) 802.15.4 Wireless

Surprising amount of unencrypted 802.15.4 frames around!

Lots of interesting information can be captured

Currently there is no IDS for Zigbee*

Susceptible to replay attacks

Easy to DoS communication between sensors and receivers

(Headlines… Anonymous stops doctors from receiving patient data, patient croaks! … Story at 11…)

General lack of understanding of the risks associated with the technology

More security research is needed!
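The badge (Page 16) writes raw 802.15.4 frames from channels 11 – 26 to a microSD card; the analysis step that turned up the unencrypted frames above amounts to checking each frame's FCS, parsing its MAC header and reading the Security bit of the ZigBee NWK frame control field. The following is an added example, not the badge firmware or any project's code: it triages a constructed capture of three frames. Every frame byte here is constructed; the frame-control bit layouts, the channel-to-frequency mapping and the CRC-16 polynomial follow the IEEE 802.15.4 and ZigBee specifications.

```python
"""Triage of captured IEEE 802.15.4 frames: verify the FCS, parse the MAC header and
flag frames whose ZigBee network layer is sent in the clear. Added example, not the
badge's firmware or any project code; the frame bytes are constructed, not captured."""
import struct
from typing import Dict, List


def channel_mhz(channel: int) -> int:
    """2.4 GHz band: channel 11 is 2405 MHz, 5 MHz spacing, up to channel 26."""
    if not 11 <= channel <= 26:
        raise ValueError("2.4 GHz 802.15.4 channels are 11..26")
    return 2405 + 5 * (channel - 11)


def crc16_fcs(data: bytes) -> int:
    """802.15.4 FCS: CRC-16 ITU-T, g(x)=x^16+x^12+x^5+1, init 0, bit-reflected
    (same as CRC-16/KERMIT), appended to the frame little-endian."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_mac(frame: bytes) -> Dict:
    """MAC header: frame control (LE), sequence number, then dst/src PAN and addresses
    as dictated by the addressing-mode bits (2 = short 16-bit, 3 = extended 64-bit)."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    hdr = {"type": ("beacon", "data", "ack", "cmd")[fcf & 7],
           "mac_security": bool(fcf & 0x0008),
           "pan_compress": bool(fcf & 0x0040), "seq": seq}
    off = 3
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if dst_mode:
        hdr["dst_pan"] = struct.unpack_from("<H", frame, off)[0]
        n = 8 if dst_mode == 3 else 2
        hdr["dst"] = int.from_bytes(frame[off + 2:off + 2 + n], "little")
        off += 2 + n
    if src_mode:
        if not hdr["pan_compress"]:            # src PAN omitted when compression is set
            hdr["src_pan"] = struct.unpack_from("<H", frame, off)[0]
            off += 2
        n = 8 if src_mode == 3 else 2
        hdr["src"] = int.from_bytes(frame[off:off + n], "little")
        off += n
    hdr["payload"] = frame[off:-2]
    hdr["fcs_ok"] = crc16_fcs(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]
    return hdr


def nwk_secured(payload: bytes) -> bool:
    """ZigBee NWK frame control (2 bytes LE): bit 9 is the Security sub-field. When it
    is clear there is no auxiliary security header and the APS payload is plaintext."""
    return bool(struct.unpack_from("<H", payload, 0)[0] & 0x0200)


def triage(frame: bytes) -> str:
    """Classify one frame the way an analyst would sort a microSD capture."""
    mac = parse_mac(frame)
    if not mac["fcs_ok"]:
        return "bad-fcs"
    if mac["type"] != "data":
        return mac["type"]
    if mac["mac_security"]:
        return "mac-secured"
    if len(mac["payload"]) < 8:               # a NWK header alone is 8 bytes
        return "short-payload"
    return "nwk-secured" if nwk_secured(mac["payload"]) else "CLEARTEXT"


def _frame(mac_hdr: bytes, payload: bytes) -> bytes:
    body = mac_hdr + payload
    return body + struct.pack("<H", crc16_fcs(body))


# Constructed capture (not real traffic): data frame, PAN ID compression, short
# addresses, PAN 0x1A2B, node 0x1234 -> coordinator 0x0000.
MAC_HDR = bytes.fromhex("4188" "05" "2b1a" "0000" "3412")
# NWK header: frame control 0x0008 (data, proto v2, no security) vs 0x0208 (Security
# bit set), dst 0x0000, src 0x1234, radius 30, seq 7, then an arbitrary APS payload.
NWK_CLEAR = bytes.fromhex("0800" "0000" "3412" "1e07") + bytes.fromhex("400201040100")
NWK_SECURED = bytes.fromhex("0802" "0000" "3412" "1e07") + bytes.fromhex("28aa3412000000")
ACK = _frame(bytes.fromhex("0200" "05"), b"")
CAPTURE = [_frame(MAC_HDR, NWK_CLEAR), _frame(MAC_HDR, NWK_SECURED), ACK]


def triage_capture(frames: List[bytes]) -> List[str]:
    return [triage(f) for f in frames]
```

triage_capture(CAPTURE) labels the three constructed frames CLEARTEXT, nwk-secured and ack. The check is deliberately conservative: a frame is only called CLEARTEXT when the FCS verifies, MAC security is off and the NWK Security bit is clear, since a corrupted frame or a MAC-encrypted one would otherwise be misread as plaintext.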

Page 20

MASINT Measurement and Signature Intelligence

Building the assessment and attack tools of tomorrow

Page 21

Emerging Technologies – MASINT

What is MASINT?

Measurement & Signature Intelligence

Collection of unintended emissions or byproducts of devices

All devices generate unique, unintended transmission artifacts

Hospitals use/have lots of unintended emissions!

Quick history lesson on MASINT

Discrete intelligence gathering process

DoD – officially adopted as an intelligence discipline in the 1980s

Often aggregated with other information sources (ELINT, SIGINT, HUMINT, etc.)

Lots of different types of MASINT

Electro / Electronic / Nuclear / Explosives

Geospatial / Materials / Electromagnetic fields*

Page 22

MASINT – For Assessing Security of Devices

MASINT is rapidly growing in the corporate Info Sec space

How does this pertain to Health Care devices?

MASINT provides Info Sec professionals a platform for:

Assessing risks

Reverse engineering

Threat modeling

Troubleshooting

Competitive intelligence

Detection of malicious activity

Health Care’s adoption of wireless devices is helping drive MASINT in the corporate environment.

How about an example…

Page 23

MASINT – work in progress: Collect – Assess – Attack

Implantable Cardioverter Defibrillator (ICD, high energy) – what all the cool kids are getting for Christmas!!!

Guess what! It’s completely controlled wirelessly!

802.15.1 (Bluetooth) & 802.15.4 (Zigbee) models

Page 24

With a focus on hospitals – what does it do?

Provides a framework / roadmap for wireless security testing

Analyze wireless devices when physical access is not an option

Assess functionality / capabilities

Identify Signals of Interest (SOI) – origin and strength

Gather actionable intelligence

How does this work?

Page 25

MASINT – Why Should You Care?

Uniquely identify equipment by its RF artifacts

MASINT is becoming integrated into Info Sec programs

MASINT components are being added to pen testing capabilities

Track people by the electronic devices they carry

Develop Technical Surveillance Counter-Measures (TSCM) capabilities

Identify spurious transmissions / jamming

Cost and complexity of MASINT technology are decreasing

Page 26

RF MASINT – Let’s Build It!

Pipeline (slide diagram): Antenna system → Spectrum analyzer / SDR search receiver → Signal collection, analysis & signature generation → Signature analysis, tracking, intel

Page 27

Let’s build it!!! – Equipment

Spectrum analyzers – lots of choices but… not a good fit! Generally very expensive ($10K-$60K)

Typically not designed to provide MASINT or TSCM functionality

Limited frequency range

Difficult to get data out of in raw form

Restrictive antenna capabilities

Some hacker-friendly models exist (Spectran, Anritsu, Tektronix, etc.)

Device of choice – Signal Hound USB-SA44B: software defined / USB connected / easily interfaced

Decoding capabilities (FM, WFM, NFM, CW, SSB, video, FSK, ASK, etc.)

API available / scripting friendly

Low cost: $300 - $400 used

1 Hz to 4.4 GHz / fast sweep times*

Good sensitivity / built-in preamp / attenuators*

Calibration capabilities

Page 28

Let’s build it!!! – Spectral collection

Premise – low power RF equipment can be uniquely identified

Signature structure: signature taken at a set frequency (446 MHz, 220 MHz, 146 MHz, 900 MHz)

RF signature recorded over 3 seconds with a span of 10 kHz

Unique signature created using amplitude (max & min) per Hz

Approx. distance 10 ft – no Faraday enclosure used

Signature excerpt – Motorola XTS3000 Model 3 (one bin every ~29.5 Hz across the 10 kHz span):

Frequency (MHz)   Amplitude Min (mW)   Amplitude Max (mW)
445.994986        1.51E-09             1.51E-09
445.995015        1.53E-09             1.53E-09
445.995045        1.17E-09             1.17E-09
445.995075        7.27E-10             7.27E-10
445.995104        4.87E-10             4.87E-10
445.995134        1.91E-10             1.91E-10
445.995164        1.66E-10             1.66E-10
445.995193        2.63E-10             2.63E-10
445.995223        4.61E-10             4.61E-10
445.995253        5.80E-10             5.80E-10
445.995282        3.29E-10             3.29E-10
445.995312        1.12E-10             1.12E-10
445.995342        6.12E-10             6.12E-10

Page 29

Let’s build it!!! – SOI Signature Collection

Finding unique RF characteristics: all electronic devices generate unique “artifacts” in the near field

Filtering ambient noise with 10 dB attenuation

Measuring mW at the SDR antenna

Collecting amplitude max/mins

RF span 10 kHz

3+ sec measurement

340 points of interest

Sensitivity down into the E-14 mW range

.CSV file output

User-defined max amplitude

Plot legend: Signal of Interest (SOI); Ambient Noise Floor (ANF); attenuation to reduce ANF; unique artifacts / Points of Interest (POIs)

Page 30

Let’s build it!!! – SOI Signature Creation

Signature creation scripts – Python & .NET: Signature Generator & Signature Compare

Page 31

Let’s build it!!! – SOI Signature Compare

Signature comparing: no two signatures will come back 100% the same

Script provides a configurable tolerance

Tolerance does not sway results significantly because of the amplitude ranges involved

Negative hits increase as you move away from the center frequency
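Pages 28 – 31 describe the signature pipeline: a 10 kHz span around a fixed frequency, 3+ seconds of sweeps, per-bin max/min amplitude, attenuation to push the ambient noise floor out of the picture, then a tolerance-based compare. The block below is an added example of that pipeline, not the author's Python/.NET Signature Generator and Signature Compare scripts. The sweep data is synthetic (a constructed carrier hump with device-specific spurs over a flat noise floor, with per-sweep jitter); the noise-floor margin, the tolerance and the seeds are assumptions, and nothing here talks to a Signal Hound.

```python
"""RF signature generation and comparison for the Collect - Assess - Attack loop.
Added example, not the talk's Python/.NET scripts; the sweep data is synthetic
(a carrier hump plus device-specific spurs over a noise floor), not a Signal Hound
capture. Amplitudes are in mW, as in the slide's CSV excerpt."""
import math
import random
from typing import Dict, List, Tuple

CENTER_MHZ, SPAN_HZ, POINTS = 445.995, 10_000, 340   # 10 kHz span, ~29.4 Hz per bin

Signature = Dict[int, Tuple[float, float]]           # bin index -> (min dBm, max dBm)


def dbm(mw: float) -> float:
    return 10 * math.log10(mw)


def build_signature(sweeps: List[List[float]], noise_floor_dbm: float,
                    margin_db: float = 6.0) -> Signature:
    """Per-bin (min, max) in dBm over all sweeps. Bins whose maximum never clears the
    ambient noise floor by `margin_db` are not points of interest and are dropped,
    which is what the 10 dB attenuation step on the slide achieves in hardware."""
    sig: Signature = {}
    for i in range(len(sweeps[0])):
        lo, hi = min(s[i] for s in sweeps), max(s[i] for s in sweeps)
        if dbm(hi) > noise_floor_dbm + margin_db:
            sig[i] = (dbm(lo), dbm(hi))
    return sig


def compare(a: Signature, b: Signature, tolerance_db: float = 3.0) -> float:
    """Score in [0, 1]: share of bins (from either signature) whose [min, max] ranges
    overlap once widened by the tolerance. A bin present in only one signature is a
    miss, so a device with different spurs scores low even if its carrier looks alike."""
    keys = set(a) | set(b)
    hits = 0
    for k in keys:
        if k in a and k in b:
            (amin, amax), (bmin, bmax) = a[k], b[k]
            if amin - tolerance_db <= bmax and bmin - tolerance_db <= amax:
                hits += 1
    return hits / len(keys) if keys else 0.0


def synth_sweeps(peak_dbm: float, width_bins: float, spur_bins: Tuple[int, ...],
                 noise_floor_dbm: float, seed: int, n_sweeps: int = 30) -> List[List[float]]:
    """Constructed emitter: a parabolic (in dB) carrier hump at the centre bin, spurs
    25 dB down at device-specific bins, a flat noise floor, +/-1.5 dB jitter per sweep."""
    rng = random.Random(seed)
    centre = (POINTS - 1) / 2
    sweeps = []
    for _ in range(n_sweeps):
        row = []
        for i in range(POINTS):
            level = max(noise_floor_dbm, peak_dbm - 0.5 * ((i - centre) / width_bins) ** 2)
            if i in spur_bins:
                level = max(level, peak_dbm - 25)
            row.append(10 ** ((level + rng.uniform(-1.5, 1.5)) / 10))   # back to mW
        sweeps.append(row)
    return sweeps


def demo() -> Tuple[float, float]:
    """Same radio captured twice vs. a different radio on the same frequency."""
    floor = -110.0
    radio_a = build_signature(synth_sweeps(-60, 6, (40, 300), floor, seed=1), floor)
    radio_a_again = build_signature(synth_sweeps(-60, 6, (40, 300), floor, seed=2), floor)
    radio_b = build_signature(synth_sweeps(-70, 4, (120, 220), floor, seed=3), floor)
    return compare(radio_a, radio_a_again), compare(radio_a, radio_b)
```

demo() returns (same-radio score, different-radio score). Because the compare works in dB and counts bins that exist in only one signature as misses, moving the tolerance a few dB changes the result little, matching the observation on the slide; what separates devices is mostly the spur bins well away from the carrier. That is also why near-field collection without a Faraday enclosure needs a clean ambient-noise baseline: a spur that is really a neighbour's emission ends up in the device's signature.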

Page 32

Let’s build it!!! – Signature Compare, continued…

Page 33

MASINT – Wrap up

MASINT is becoming more widely adopted in corporate and industrial environments

It is possible to build a high-functioning MASINT implementation using low cost equipment

MASINT capabilities offer many advantages to Information Security for testing and assessing wireless technologies

MASINT and TSCM capabilities can be obtained and incorporated into an organization’s information security practice

Page 34

To Summarize…

Health Care is big business and has many unique challenges when it comes to Information Security!

Sensitive data can often be accessed in ways that have not been fully considered or understood – security assessments are very important!

It’s just as important to reassess legacy technologies – risk can change over time and as a business/industry matures!

The rate of adoption of new technologies is escalating faster than security professionals can keep up! Business leaders beware!

Page 35

Page 36

Contact information: Brad Bowers [email protected]

THANK YOU!!!