During the 26th DEFCON conference this past week McAfee researchers showed how they have successfully been able to falsify patient vitals that are reported to the central monitoring stations. Two variations of the attack are possible due to weak communication protocols between client devices and the central monitoring station. In the first scenario, the attacker would need direct access to the patient and the equipment, where they would be able to disconnect the patient and plug in their own device that would then transmit false information.
However, McAfee researchers found that it was possible to also use a method called ARP spoofing to feed false information to the monitoring station by capturing data coming from a client device, manipulating it, and sending the data on to the central monitoring station because of a UDP based protocol called RWHAT. RWHAT is used by many medical devices, most of which are wired and wireless capable devices. While this is not a widely known protocol, it is easy to see and manipulate due to the simplicity of the UDP packets. Additionally, these devices often use no authentication or weak authentication.
The doctors that helped the researchers vet the potential threat indicated that it is common practice to make diagnoses based on the data on the central monitoring stations. The method that was used by the McAfee researchers was to acquire a client monitoring station and a central monitoring system from eBay. While the units used are from 2004, they are still commonly used today. McAfee was careful not to mention the manufacturer of the units used as they are still in the process of working with the company to patch the vulnerabilities. Once they had the equipment and were able to crack the networking component, their next step was to acquire an ECG simulator from eBay for about $100. With the ECG simulator available, they determined that the traffic was unencrypted and contained counter and patient information.
Using the emulation as a springboard they successfully were able to modify the data being sent to the monitoring station. Then in real-time they were able to simulate a flatline signal to the central monitoring station as well as manipulate oxygen levels and blood pressure information. This creates the potential to falsify information to staff that might result in unneeded or unwanted procedures or prescriptions. This attack could potentially make staff believe that a patient is resting peacefully when they are not hooked up to their bedside equipment, or worse. While this threat vector might not be subjected to mass exploitation it could be leveraged in cases of high-value patients.