Penetration Testing in Healthcare

In September the deadline for compliance with changes to the HIPAA rules relating to breaches of unsecured electronic Protected Health Information went into effect. At NopSec, we understand security-related processes and the risks associated with electronic protected health information (ePHI). The following post describes a recent penetration testing engagement that helped one of our customers address serious security vulnerabilities in an embedded medical device.

The heart of the matter

The medical device that was the target of our penetration test was a sensitive device used in heart monitoring. There are three components in this medical device:

1. A sensor implanted into the patient’s pulmonary artery that is responsible for gathering patient’s readings and sending it to a hardware device.
2. A hardware device that is responsible for present the graphical user interface (GUI) to the user, initiating readings, tracking readings, storing patient details, etc.
3. A antenna embedded into a special pillow, which is responsible for communicating/interrogating the implanted sensor.

The device sends a burst of radio frequency energy to activate the sensor in the heart. This sensor then measures the required parameters and reports the results.

Penetration testing of an embedded device

Now that we understand the medical components part of this test, let’s dive into into the objective, methodology and execution to understand what we did.

Our objective was to mimic an adversary possessing the medical device and trying to gain root access to the machine in order to identify any sensitive and confidential information.

The first step in our process was to gather publicly available information about the device through the company website, hardware and software manuals, and manuals of similar products. From this we were able to discern that the medical device was running a version of Windows XP Embedded.

Inspecting the physical device we determined that there were USB and Smartcard inputs/outputs. Additionally, by disassembling the device we discovered an Ethernet port and flash storage.

Identifying attack vectors

We prioritized our attack vectors in descending order of priority (Ethernet port, flash storage, and USB port)  and proceeded to build a toolkit. “Ctrl Alt Del” provided a login prompt that exposed usernames so we determined the first objective was to crack the root and patient accounts using the “etc passwd” and “etc shadow” file with the intention of obtaining terminal access to the device.  The operating system did not maintain shadow file and hence we were able to obtain the encrypted passwords from   “etc passwd”. We launched JohnTheRipper(JTR) to crack the passwords for root, patient or service accounts.

Based on the above files, we tried to use the passwords we found on the filesystem for the user patient in the login panel and we were successfully logged in to the operating system.  Before moving on to escalating privileges, we checked if the same password would work for root account. Interestingly, we were able to login as root into the medical device operating system using the same password thereby gaining complete access to the machine. PWNED!

Learn more about NopSec’s approach to penetration testing and the methodology we use to secure applications, infrastructure, and devices from security breaches. Best Practices Guide: Penetration Testing.