Fingerprinting and Attacking a Healthcare Infrastructure

Date post: 16-Apr-2017
Upload: positive-hack-days
Fingerprinting Healthcare Institutions - Anirudh Duggal Disclaimer: All the views / data presented are my own and do not reflect the opinions of my employer.
Transcript

Fingerprinting Healthcare Institutions


1

#whoAmI
- Work with Philips Healthcare
- Hack anything
- Sustainability enthusiast
- Research on healthcare security protocols, devices, infrastructure
- Play guitar in free time
- Hospitalsecurityproject.com

2

Agenda
- Why healthcare?
- Beyond phishing: targeted attacks
- How to fingerprint?
- EMR fingerprinting
- Fingerprinting beyond servers
- HL7 attacks (if time permits)
- Q&A

3

Why healthcare?
- Easy targets
- High payoff
- Still to mature in terms of security
- Less awareness

4

Posted on 13th Feb 2016

Posted on 13th Feb, 2016

5

Overall
- Healthcare institutions are easy to fingerprint
- They are considerably less protected
- Many entry points
- Quite a few targets

6

What to expect?

Image from: http://healthcorrelator.blogspot.in/2014/09/will-your-wireless-router-give-you.html

7

And

8

Inside a hospital

9

Diagram (healthcare centers and hospitals, ideal situation): two networks (Network 1 / Network 2, Intranet / Internet) joined by a NAT / bridged network with an IDS / IPS. Labelled elements: HVAC system, lighting system, hospital servers, waste management systems, medical devices, monitoring devices, computers, phones, tablets, water controls, other hospitals, vendor servers, service portals. The links are labelled "encrypted communication".

An ideal network infrastructure that we see.

10

But what do we get?

Diagram elements: HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, service portals, security systems, guests, Internet

11

Basics of fingerprinting
- Find unique but common headers
- Be consistent
- Use multiple tools: Shodan, Censys, Maltego
- Verify manually
- Use Google

12

So what can you fingerprint?
- Medical devices
- Routers
- Data center
- EMR software
- HVAC controls
- Lighting controls

13

Finding hospitals
- Generic searches
- Name searches
- Hospital name searches
- Sometimes the name is too generic
- Narrow down search parameters

14

Generic hospital searches
- Hospital
- Hospital*
- Healthcare
- Healthcare*

15

Generic searches

16

Narrowing the searches to regions
- Narrow down searches by:
  - Country
  - Technology (HTTP(S), NetBIOS)
  - Type of infrastructure (VPN, cloud)

17

Healthcare chains

This is a chain of hospitals in India and Indonesia.

18

Narrowing down

Narrow down to FTP servers ;)
Port 80 will show interesting results

One of the hospital names that was too generic

19

But
- Sometimes the names are too generic
- Narrow down technology
- Look at other parameters; don't fall into honeypots
- Use Google: search for the address and verify

20

EMR solutions
- Goldmine for attackers
- Easy to attack
- High point of impact
- Ransomware attacks

21

A typical hospital scenario

Diagram elements: EMR (electronic medical record), patient monitors / healthcare devices, LAN / WiFi / Bluetooth, doctor's PC / secretary PC, doctor's mobile / nurse mobile, other hospitals

This is just a general observation; some hospitals do have sophisticated environments, but a majority of them do not. The focus here is more on the ease of setup and maintenance rather than on having a secure setup in place.

22

Fingerprinting EMR solutions
- Use Shodan / Censys / Maltego
- Searches vary on what you're trying to find
- How I started:
  - Create a list of 200 popular EMR solutions
  - Start searching by name
  - Look for characteristics: deployment scenario, URL constructs, technology
  - Look for manuals
  - Change language: Chinese, Russian
  - Find bugs ;)

23

Shodan
- Can search using name
- Fewer false positives
- Shows ready exploits for the OS

24

An arbitrary search on one of the biggest EMR solution providers.

25

Showing NetBIOS exposed

26

Anonymous login successful

27

28

Search by exploring EMR structures
- Look at unique parameters
- Filter by name

29

30

31

Problem
- Results are not constant
- Need more access to data
- You can't find some systems

32

Thinking beyond Shodan
- Shodan (shodan.io)
  - Easiest of the deep web tools
  - Caches information
  - Due to the paid nature, results may vary
  - Lacks multilingual capabilities
- Censys (censys.io)
  - Provides raw data for research
  - Supports regex and can concatenate different parameters
- Maltego (thick client)
  - For advanced recon
  - Can fingerprint infrastructure

33

Searching by names

34

Multilingual search - Russian

35

Multilingual search - Chinese

36

Multilingual search - Arabic

37

Using censys efficiently

38

Combining searches with Google results

Google gives better results with specific headers

39

Running Maltego

40

When everything fails
- Some systems could not be found at all
- Find the manual!

41

42

Now if you go to Shodan and search for this vendor with the filter set to Windows Server 2003, you get an EMR!

43

Easy way - visit the vendor website ;)

44

Logging on to the PACS system

45

Cloud based EMR
- Easy to find
- Scalable and reliable
- Many entry points: web, mobile, IoT devices
- Google is very effective in searching for such solutions

46

In a nutshell
- Finding EMR is easy
- Your EMR might be secure; other infrastructure might not be
- Attacks go beyond your audits and processes

47

Besides servers

48

Routers and internet access points

49

Cams smile ;)

50

HVAC controls!

51

Insider attacks
- Generic system attacks: MITM, BSOD, network exploits
- HL7 exploits

52

Potential entry points
- Hardware
  - WiFi / LAN
  - Serial ports
  - USB - firmware
  - The sensors
  - Keyboard / mouse
  - FireWire
- Software
  - Protocols and OS

Compared to an IoT device, but with much greater capacity, these RTOS devices run a dedicated program and usually do not run an off-the-shelf OS.

53

What is HL7?
- Health Level Seven standards
- Most popular in healthcare devices (HL7 2.x)
- Quite old: designed in 1989
- FHIR is the next gen

54

HL7 2.x
- Most popular HL7 version
- New messages / fields added

55

HL7 2.x

HL7

56

Things to know
- | is the delimiter / field separator
- MSH: message header segment
- The standards define the messages, not the implementation

57

An HL7 message (one segment per line)

MSH|^~\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1
PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F
PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF
OBR|||||||20110504154300
OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F
OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F
OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F
OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F
OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F
OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F
OBX||NM|0002-f125^pNN50^MDIL|0|0.00|0004-0220^%^MDIL|||||F
OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a16^ABPd^MDIL|0|70|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a17^ABPm^MDIL|0|91|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4261^PVC^MDIL|0|0|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-5012^awRR^MDIL|0|25|0004-0ae0^rpm^MDIL|||||F
OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^C^MDIL|||||F
OBX||NM|0002-4822^Pulse^MDIL|0|60|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-50b0^etCO2^MDIL|0|40|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-50ba^imCO2^MDIL|0|0|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-f0c7^T1^MDIL|0|40.0|0004-17a0^C^MDIL|||||F
OBX||NM|0002-f081^SD NN^MDIL|0|0.00|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-f03d^STindx^MDIL|0|3.5|0004-0512^mm^MDIL|||||F

58


Same message, with callouts on: patient identifier; message type and HL7 identifier; message fields

60


Potential Entry Point

61

MSH|^~\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1
PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F
PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF
OBR|||||||20110504154300
OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F
OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F
OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F
OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F
OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F
OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F
OBX||NM|;;;;;anisdlasdkals
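To make the "things to know" about HL7 2.x concrete, and to show how a receiving system can notice a malformed OBX segment like the one on the last slide, here is an added Python example (not the talk's code). It parses an excerpt of the deck's ORU^R01 message using the delimiters declared in MSH-1/MSH-2, extracts the patient identifiers and observations, and flags NM observations whose value is not numeric or whose result status is missing; the excerpt and the tampered segment are constructed from the slides.

```python
"""HL7 v2.x parser and sanity checks for the ORU^R01 feed in the deck (added example, not the talk's code)."""
import re
# Excerpt of the deck's message. HL7 v2 separates segments with CR; the slide ran them together.
SAMPLE = "\r".join([
    r"MSH|^~\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1",
    "PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F",
    "OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F",
    "OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F",
    "OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F",
])
# Constructed: the same feed with the junk OBX segment from the deck's last slide appended.
TAMPERED = SAMPLE + "\rOBX||NM|;;;;;anisdlasdkals"

def split_message(raw):
    """Return [(name, fields)] per segment plus the component/repetition separators declared in MSH-2."""
    segs = [s for s in re.split(r"\r\n|\r|\n", raw) if s]
    if not segs or not segs[0].startswith("MSH") or len(segs[0]) < 8:
        raise ValueError("missing or truncated MSH segment")
    fsep, csep, rsep = segs[0][3], segs[0][4], segs[0][5]  # MSH-1 and the first two MSH-2 characters
    parsed = [(f[0], f) for f in (seg.split(fsep) for seg in segs)]
    if any(not re.fullmatch(r"[A-Z][A-Z0-9]{2}", name) for name, _ in parsed):
        raise ValueError("unexpected segment name")
    return parsed, csep, rsep

def field(fields, n):
    """SEG-n as text ('' when absent). In MSH the separator itself is MSH-1, so indices shift by one."""
    idx = n - 1 if fields[0] == "MSH" else n
    return fields[idx] if idx < len(fields) else ""

def summarize(raw):
    """Extract routing data, patient identifiers and observations; flag malformed OBX segments."""
    segments, csep, rsep = split_message(raw)
    msh = segments[0][1]
    info = {"type": field(msh, 9), "version": field(msh, 12), "control_id": field(msh, 10),
            "patient_ids": [], "observations": [], "findings": []}
    for name, fields in segments:
        if name == "PID":  # PID-3 repeats (~); identifier is component 1, identifier type is component 5
            for rep in field(fields, 3).split(rsep):
                comps = rep.split(csep)
                info["patient_ids"].append((comps[0], comps[4] if len(comps) > 4 else ""))
        elif name == "OBX":  # OBX-2 value type, OBX-3 identifier, OBX-5 value, OBX-6 units, OBX-11 status
            vtype, ident, value, units, status = (field(fields, i) for i in (2, 3, 5, 6, 11))
            code, unit = ident.split(csep), units.split(csep)
            info["observations"].append({"code": code[0], "name": code[1] if len(code) > 1 else "",
                                         "value": value, "units": unit[1] if len(unit) > 1 else ""})
            if vtype == "NM" and not re.fullmatch(r"-?\d+(\.\d+)?", value):
                info["findings"].append(f"OBX {code[0]!r}: NM value {value!r} is not numeric")
            if not status:
                info["findings"].append(f"OBX {code[0]!r}: result status (OBX-11) missing")
    return info
```

Running summarize(TAMPERED) reports two findings for the junk segment (non-numeric NM value, missing OBX-11), while the untampered excerpt yields none; an HL7 interface engine can reject or quarantine such messages before they reach the EMR.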
