backdoor in US medical device calls out to chinese university

  • Published: 2 Feb 2025
  • Science

Comments • 248

  • @LowLevelTV 8 hours ago +19

    come talk with me about hacking @ lowlevel.tv/live

    • @jonapoka7109 7 hours ago +3

      What if I want to code bad 😈😈

    • @Technopath47 7 hours ago

      @jonapoka7109 (links to ChatGPT). xD

    • @shawnsustrich7981 7 hours ago

      @jonapoka7109 "Once you start down the dark path, forever will it dominate your destiny, consume you it will."

    • @rogermsn2001 7 hours ago

      this reminded me about all the o harvesting going on in ch... maybe it was developed in ch so they can find the correct ppl to harvest...

    • @jmanbrosef689 6 hours ago

      It cost money

  • @Coaxalis 8 hours ago +357

    CCP now knows your pulse

    • @Slushee 8 hours ago +38

      They already knew it from all the smart watches and fitness bands people wear lol

    • @Coaxalis 8 hours ago +9

      they take a backdoor, and build electronics around it

    • @Slushee 7 hours ago +2

      @Coaxalis hahahaha yeah

    • @lolilollolilol7773 7 hours ago +7

      it's typical of badly coded test or data sharing code. Nothing to do with spying, it's just terrible code.

    • @dejaesn 7 hours ago +8

      The nefarious part has to do with the dialing to, and receiving configuration updates from. Say... you are a non-BRICS undercover informant. You ended up in the hospital for an attempted unliving. Your pulse is thready, blood pressure steadily decreasing. You have an internal bleed. The embedded mole in the hospital sees you came in, reports back to HQ. HQ takes the device information, configures it to mask your decreasing heart rate and blood pressure, until you've been logged off for 10 minutes. Then it reverts back to normal. Machine signals all of the alerts. Staff come in. It's too late to bring you back. The telemetry data goes into the medical record. Everyone signs off you just crashed. It's a big cover up.

  • @et4493 8 hours ago +260

    AaaS Assassination as a Service lmfao dawg I'm dea

    • @tablettablete186 7 hours ago +24

      "I'm dea..."
      CCP: I know 🤗

    • @CyanRooper 6 hours ago +2

      So that's how the Assassin's Creed works in the modern day.

    • @luuuuuuuuuuuul 6 hours ago +2

      or maybe something like MaaS, Murder as a service, kinda sounds like MaaS murderer :D

    • @subthology 5 hours ago

      😂 Na since when the chinese got aaas? You lying i seen dem

  • @gljames24 7 hours ago +246

    And yet they say that medical devices need to be closed source and irreparable for "security" reasons.

    • @sznikers 7 hours ago +18

      What is this connected to the Internet for?

    • @mrx6555 7 hours ago +5

      @sznikers updates haha

    • @Iswimandrun 5 hours ago

      They need to be closed source so they can be developed on a shoestring budget, held together with glue and sticky tape, and just barely work; the spying and tinkering by state actors is just a bonus

    • @stevegredell1123 5 hours ago +3

      @sznikers Updates and probably for medical reasons such as alerting nurses and inputting data into the EMR.

    • @apaijmans 5 hours ago

      @stevegredell1123 Could still be a network without internet access, and a sms/pager server that alerts nurses.

  • @coder_foo 7 hours ago +127

    "Assassination as a Service" - new phrase I wish I'd never learned.

    • @CyanRooper 6 hours ago +3

      "Well done 47, the money is currently being wired to your account."

    • @ReallyRealBenMills 5 hours ago

      Defo incorporating that into a cyberpunk adventure.

  • @ezgarrth4555 7 hours ago +141

    Oxygenation, not oxidation! Blood oxidation would be quite bad at those levels

    • @stefantkalcic1491 7 hours ago +65

      Rust can run on anything.

    • @eveleynce 6 hours ago +5

      ironically oxygenation works via oxidation (of iron)

    • @eveleynce 6 hours ago +8

      yes, your body runs on rust

  • @isbestlizard 7 hours ago +77

    "Oopsie doopsie just a leftover test function we forgot to remove for the final release teehee!"

    • @LowLevelTV 7 hours ago +19

      saaaaawwwwwyyyyyy

    • @unpaidintern6652 5 hours ago +3

      @LowLevelTV won't happen again, pinky pwomise :3

  • @papakamirneron2514 7 hours ago +107

    For God’s sake, why are devices that do not need the internet to function connected to anything more than a LAN?

    • @ToasterTR 6 hours ago

      @papakamirneron2514 they are usually hooked up to a remote monitoring server so the doctors get an alert when someone's vitals are funny
      why these aren't locked down at the network level is beyond me though

    • @Mavendow 5 hours ago +8

      Because updates. Everyone knows you don't need oxygen monitoring if you haven't paid your monthly subscription fee.

    • @name_my_name 5 hours ago +1

      Good one, but still even with updates, it should be done via a single point of access that will have exceptions only for necessary IP addresses like the ones that allow updates.

    • @susugar3338 5 hours ago +3

      Same reason single-player games require an account and offline mode requires an internet connection. The manufacturer wants to own the devices, not the buyer.

    • @enok7934 5 hours ago

      Well yeah, sure, core functionality. But imagine if we left it up to you to decide what gets more functionality and what makes doctors' lives easier and lets hospitals populate patient files without needing to share hard copies, which have their own privacy and security issues.
      Why doesn't someone just sit there and monitor you, when it doesn't need to beep so damn loud when you're sick, dying and trying to rest in your final moments?
      It's probably close to the same reason why AT&T has thousands of conversations of doctors about people's private medical information. To make lives easier for the medical professionals.
      bUt ItS oKaY ThAt AmErIcA HaS mY dAtA

  • @joehopfield 7 hours ago +30

    I've had friends who worked in IT at hospitals. In no case is a device allowed to update itself. Hospitals know about these risks. But I guess they haven't caught up with reverse back doors yet. 😢
    Hospital ransomware has absolutely killed people already in this country. Delayed medical procedures, etc.

  • @pandicon3 7 hours ago +63

    I'm always wondering why systems in such places are connected to the internet in the first place. I guess one may want firmware updates from time to time, but hospitals should be able to have the manufacturer let them know in case of a critical update and perform automatic updates once in a while. Or they could have a central computer download the update and the devices would download from it. For the rest of the time, these could be connected just to an internal network for the central monitoring to work.

    • @jeong-ilkajokaya3849 7 hours ago +6

      Bro, it's the same. The difference between internet access and local network access is if you have a connection to the outside world. We need better network security.

    • @pandicon3 6 hours ago +5

      @jeong-ilkajokaya3849 But wouldn't "local-only" access prevent the issue from this video? They could communicate with a central computer that would serve very specific purposes (patient XYZ needs help; please give me a firmware update number XYZ) and one would not be able to send patient data to a random place(?)

    • @jeong-ilkajokaya3849 6 hours ago

      You can still get hacked if someone gets into the network with another device on the network or by physically getting into the network.
      I am saying we should focus on better cybersecurity for devices and the network that devices are connected to.

    • @FyerBear 6 hours ago

      @jeong-ilkajokaya3849 yeah but that's one extra layer that would have to be cracked. It's not much better, but definitely not the same.

  • @malvoliosf 8 hours ago +78

    Why is the beacon IP redacted? If I were a hospital IT admin, I would definitely want to block that IP.

    • @LowLevelTV 7 hours ago +45

      I think there's 1.) fear of retribution on the IP or 2.) it's not locked down so there would be a ton of counter-hacking

    • @malvoliosf 7 hours ago +2

      @LowLevelTV On the one hand, there are possible technical consequences for a site that might be guilty only of egregiously bad technical practices; on the other hand, as you point out, there is the possibility of Assassination As A Service, via a government that seems perfectly capable of it.
      For me, it would be an easy call, and not this.

    • @coxtechnical 7 hours ago +12

      @LowLevelTV soooo, we all have the privilege of purchasing a CMS8000 and firing up wireshark to find the IP address? Are you sure this is not a clever sales campaign 😁
      Thanks though, love watching, keep up the good work.

    • @iuse9646 7 hours ago

      @LowLevelTV The IP should be retaliated against. The other point is valid though

    • @ThePapanoob 7 hours ago +23

      If you're hospital IT and you're blocking one IP you're doing it wrong. Those critical devices should only be able to connect to the things they need to

  • @dorinxtg 6 hours ago +13

    So, everyone ignores that it's asking for NFS, which is by default blocked by the hospital's firewall.
    From here it looks like the firmware was actually written by that university and someone there built some "update" which can run internally on the university and it wasn't removed on the final build...

    • @eveleynce 6 hours ago +23

      you have a very optimistic view of some hospitals' IT departments and network configurations

    • @deidyomega 4 hours ago

      You can confirm that every hospital, in every country, has a properly configured firewall that disallows NFS?
      I'm sure major hospitals do, but a small medical center in a small town? Who knows.

    • @Andreas-gh6is 4 hours ago

      @eveleynce For an intentional backdoor this is kind of foolish. At the very least they should have included the MAC address in the NFS credentials so that the server on the other end can tell what machine is pulling the code, so that not every device gets the malicious code (which would make detection more likely). Even better and more reliable would be to use HTTP traffic. Still better, if you must use a public IP that is not also used for something harmless, use a cloud server in a less suspicious country. I think chances are very high that this has been done for debugging convenience.

    • @sternmg 4 hours ago

      Sure, this could be ascribed to incompetence instead of malice (as the saying goes), but (a) you wouldn't want to base a security assessment on such a guess, (b) the feature's existence doesn't speak well of the manufacturer or their software supply chain, and (c) even if it was a naive dev-time feature, it could be misappropriated.

  • @Dosenwerfer 7 hours ago +14

    First of all, no it is not acceptable that such devices automatically phone home "for updates" and even less so to install such updates themselves. With such critical infrastructure, such changes have to be managed by an administrator, who'd better even audit the changes that ought to be made to all their patients' health data. At the very least be informed about the update and maybe roll it out in some rollout strategy. It is absolutely insane such critical devices are allowed to just be altered without supervision.
    Second, why are such devices even connected to the internet at all? General Ethernet connectivity has a use case as you explained, but not internet connectivity. Central nurse desks should be the only thing that's allowed to be connected to them.

  • @TravisBHartwell 7 hours ago +35

    I do peritoneal dialysis at home every night. My dialysis machine has an Ethernet jack and is connected to an external cellular modem so it can send the results of my treatment to my clinic and get updates to my treatment protocol. Knowing what I know about network security, I try really hard not to think about this life-saving device I'm hooked up to for ten hours a day has a network connection.

    • @stephenkolostyak4087 6 hours ago

      //Knowing what I know about network security, I try really hard not to think about this life-saving device I'm hooked up to for ten hours a day has a network connection.//
      I know how to fix that.

    • @Out_of_order 6 hours ago

      @TravisBHartwell I think you can resolve this by simply filtering the packets that go to the clinic and allowing only them to be sent on the network, however I would be cautious with it. Better be safe than sorry. I wouldn't really care that the CCP knows what my pulse is

    • @No-mq5lw 6 hours ago

      If your dialysis machine needs to be cleaned or a PM, how is a patient going to reliably report such a thing by themselves?

    • @stevegredell1123 5 hours ago +3

      @No-mq5lw Also on PD, it's not for cleaning or maintenance, it reports data about the treatment to the dialysis nurses and doctors. There's not really any cleaning of the machine, you use a new cartridge and lines every treatment. It's all self-contained, the fluid never actually enters the machine. It's pretty neat how it works actually.

  • @heroclix0rz 6 hours ago +6

    This would have been so trivial to find if there were any amount of auditing on HIPAA compliance.

  • @alienJIZ1990 7 hours ago +8

    Saw this vulnerability pop up a few days ago, was hoping you'd cover it haha. Love this channel

  • @someonespotatohmm9513 6 hours ago +6

    Two questions: how did this get certified? And how are the companies and ppl responsible not in jail? Our tolerance and the lack of consequences of shit software in critical applications will lead to this being more and more common. The only reason this isn't a widespread issue is because most devices aren't YET connected to the internet, or the lack of proper screening for this kind of crap.

  • @Cohors1316 6 hours ago +4

    I can get PII of every person connected to a machine at my hospital within a minute of walking in, because all the machines broadcast their data over the network in plain text. Medical equipment is notorious for having little to no security.

  • @jalil2985 7 hours ago +25

    RIP when you stole someone's Univ code and claimed it as your own.

    • @JoRoBoYo 6 hours ago

      Right. 😂😂😂😂

  • @joe-skeen 6 hours ago +7

    The fact that my CPAP machine calls home with all my sleep data without my consent makes me lose sleep

  • @SilverFolfy 5 hours ago +1

    I configured firewalls for some hospitals a while back, and you wouldn't believe how utterly janky to outright creepy medical devices are behaving on the network.
    Everything from not following established networking RFCs, not encrypting traffic, connecting to a bunch of non-existent internal IPs and up to creepy stuff like weird outgoing connections to IPs in other countries, sometimes back to the manufacturer (OK), sometimes to completely unknown IPs in Taiwan, China, etc. (NOT OK).
    We completely isolated all medical devices in that project and scrutinized every single connection, the IT people from the hospital then got in touch with the manufacturers to question them about the connections and to explain what is necessary for what purpose. If there wasn't a solid explanation for a connection we kept them blocked for good and sometimes even reset/reflashed the devices, it's wise to not take any chances with these things.
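The isolate-and-scrutinize procedure described in the comment above, as an added example that is not part of the thread or the video: a small Python egress review that reads flow records for devices on a patient-monitor VLAN and flags every connection that is not on an explicit allowlist, adding a reason for destinations outside the hospital's own address space and for the legacy NFS/LPD ports that come up elsewhere in the thread. Everything concrete here is constructed: the 10.40.0.0/16 hospital range, the allowlist entries, the device addresses, the 203.0.113.7 outside host (a documentation-range placeholder) and the flow lines themselves; none of it is the real device, vendor or university infrastructure discussed in the video.

```python
"""Egress review for a medical-device VLAN (added example, not from the video or thread).

Reads flow records (timestamp, src, dst, dport, proto) and returns a Finding for every
connection that is not explicitly allowed. All addresses, ranges and flows below are
constructed for the example.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: the hospital's own address space. Anything outside it is "the internet".
HOSPITAL_NETS = [ipaddress.ip_network("10.40.0.0/16")]

# Constructed allowlist: the only (destination, port) pairs a monitor is expected to reach.
ALLOWED_DESTINATIONS = {
    ("10.40.0.10", 443),  # hypothetical central monitoring / nurse-station server
    ("10.40.0.20", 443),  # hypothetical internal firmware mirror, populated by IT staff
    ("10.40.0.53", 53),   # hypothetical internal DNS resolver
}

# Legacy clear-text services that have no business on a device's egress path.
LEGACY_PORTS = {111: "portmapper", 515: "LPD", 2049: "NFS"}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    port: int
    reasons: tuple


def in_hospital_space(ip):
    """True if the address falls inside one of the hospital's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSPITAL_NETS)


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto


def review_flows(lines, allowed=ALLOWED_DESTINATIONS):
    """Return a Finding for every flow whose (dst, port) is not on the allowlist."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, _proto = parse_flow(line)
        if (dst, port) in allowed:
            continue
        reasons = []
        if not in_hospital_space(dst):
            reasons.append("destination outside hospital address space")
        if port in LEGACY_PORTS:
            reasons.append(f"legacy service {LEGACY_PORTS[port]}/{port}")
        if not reasons:
            reasons.append("destination not on device allowlist")
        findings.append(Finding(ts, src, dst, port, tuple(reasons)))
    return findings


def findings_per_device(findings):
    """Count findings per source device: the list to take to the vendor conversation."""
    return dict(Counter(f.src for f in findings))


# Constructed sample: two monitors on the VLAN, one quietly talking to an outside host.
SAMPLE_FLOWS = """
# ts                   src         dst          dport proto
2025-02-02T03:00:01Z   10.40.12.5  10.40.0.10   443   tcp
2025-02-02T03:00:02Z   10.40.12.5  10.40.0.53   53    udp
2025-02-02T03:00:05Z   10.40.12.5  203.0.113.7  2049  tcp
2025-02-02T03:00:06Z   10.40.12.5  203.0.113.7  515   tcp
2025-02-02T03:00:09Z   10.40.12.6  10.40.99.99  8080  tcp
""".splitlines()

if __name__ == "__main__":
    found = review_flows(SAMPLE_FLOWS)
    for f in found:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port}  {'; '.join(f.reasons)}")
    print(findings_per_device(found))
```

The allowlist is deliberately keyed on destination and port rather than on a blocklist of one bad IP, which is the point several replies make: a monitor has a handful of legitimate peers, so anything else on the VLAN's egress is a question for the manufacturer, whether it goes to a university, a cloud host or an unexplained internal address.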

  • @andya9350 7 hours ago +7

    That AaaS got me rolling 😂
    Pay a monthly subscription to have all your foes removed

  • @tacowaco-t7v 7 hours ago +13

    Wow. I just learned that these devices are connected to internet... like why???

    • @JoRoBoYo 6 hours ago +1

      Do you even watch the video?

    • @No-mq5lw 6 hours ago +1

      Ideally speaking, all pieces of hospital equipment are connected to a network. This allows advanced real time monitoring of a patient and recording of that data directly into a personal health record. If the hospital IT/biomed staff know their stuff, all of the equipment is never accessible directly from the internet.

  • @marklonergan3898 5 hours ago +2

    I'm not sure this could be used for assassination as a service, as the custom instructions are sent (and potentially run) at boot, whereas the patient identifying happens afterwards. I know the custom code could have its own door, but I reckon the article would have mentioned it specifically if there was an ongoing ability to accept ACE (given that ACE after determining the patient is much more concerning than ACE beforehand)

    • @russellhltn1396 5 hours ago

      Just as long as the new software isn't loaded during the patient's stay.

  • @SomnolentFudge 7 hours ago +16

    This seems a little too obvious for a malicious backdoor. Given the hardcoded IP, complete lack of security or obfuscation, it kinda feels like really bad debugging left in the code. I wonder if the IP (for NFS mount or patient info) was still accessible, was there any sign that anyone was on the other end?

    • @Bramble20322 7 hours ago +10

      Yeah an intentional backdoor would be actually hidden/obfuscated. This seems like shit debug code that a bad developer left there. Doesn't change the severity and potential of the vulnerability, though.

    • @SomnolentFudge 7 hours ago +3

      @Bramble20322 True, it's still a crazy vulnerability. It just feels like some shit code I would write to troubleshoot an ESP32 or some other embedded device that was acting up. But that would never leave my house and I'd be too embarrassed to let anyone use the device or see the code.

    • @stefantkalcic1491 7 hours ago +2

      I agree. Totally feels like a QC issue, not a malicious attack.

    • @Am6-9 5 hours ago +1

      Also, NFS and LPD for data transport?? I mean, the 90s called and want their protocols back 😅. In all seriousness, if that is intentional, you must be aware that there is a higher likelihood that those ports will be blocked, as opposed to say HTTP or DNS.

  • @alxk3995 6 hours ago +3

    I understand that these devices are in a local network so that the hospital staff can monitor the patients locally.
    I do not understand why this LAN would need to be connected to the internet though. 😅

  • @eveleynce 6 hours ago +1

    this kind of nonsense is why my hospital still has a closet full of old school hardware-only monitors that only have ports for power and sensors.

    • @eveleynce 6 hours ago

      literally they don't even have power buttons, you just unplug them to turn them off.

  • @eight-double-three 6 hours ago +2

    I'd argue such a critical device should not phone home and install anything at all by itself in the first place - just see the little hiccup that soft-bricked AEG top of the range ovens a few years ago...

  • @GnBst 7 hours ago +6

    I'm going to ask a stupid question, why the hell is a patient monitor connected to the internet?

  • @jaysonrees738 7 hours ago +8

    I swear, security practices in hospitals are a joke. If anyone was going to leak my personal info, I'd bet on that industry first.

  • @chillisout 6 hours ago +1

    just sending patient telemetry for advertisement purposes xD

  • @Xray8906 6 hours ago +1

    And this is why all the med devices should be segmented.

  • @donchaput8278 5 hours ago +1

    I've worked in the medical device industry as an Engineer for several years. These devices should not be calling out to anything off the local network in almost every case. We upload firmware packages to clients' servers and then deploy the packages from there. I don't know of any medical device that auto updates; that is a recipe for disaster.

  • @jjjacer 4 hours ago

    @5:50 and that is usually enough information to possibly have records released/synced from the EMR (like Epic Care Everywhere: you call in with some of the patient info and if the info matches you can get a code to sync/release records for your EMR to import)

  • @Andreas-gh6is 4 hours ago

    It's almost impossible to kill someone using those backdoors. The worst you could do is to have some check for a life-threatening condition and then selectively replay some old data. But that would require quite a bit of foreknowledge about what emergency is going to happen. And if that patient is unattended for long periods, the likelihood of something like that would be low. Another modality may be to fool a physician into thinking the heart rate is too low or too high and giving the wrong medication. But that's even harder to pull off.

  • @orestes_io 7 hours ago +2

    Mr Robot level insanity.

  • @REZSTNCE 8 hours ago +6

    So if someone got their backdoor operated in a hospital, the Chinese can access that info through a backdoor?

    • @redcrafterlppa303 6 hours ago

      Any hospital using this device is automatically sending all health data of every patient connected to this device to the Chinese university.
      Any of them can be targeted and commanded to die due to false feedback by China.
      The only countermeasures possible are to replace the devices or the software, or to block the IP in the hospital's router.

  • @georgecop9538 7 hours ago +3

    7:12 -10000 credit score for real now

  • @VoxelLoop 7 hours ago +4

    I'm not a network admin, but I'd think as part of a security review devices that should not be using the internet, only intranet, would be configured as such. x.x
    I suppose it depends if their monitoring system is local or cloud-based though.

  • @ThirtytwoJ 8 hours ago +1

    Well. That could directly harm but also have people misdiagnosed and treated with dangerous treatments and b deleted

  • @costarich8029 7 hours ago +1

    Since it isn't overwriting the actual firmware, if you did pull the firmware image somehow, you may not see what was running AT THE TIME when something nefarious happened.

  • @Sykale 7 hours ago +2

    From what I could gather it seems that the filesystem mount doesn't require authentication in any way, and that the firmware binaries aren't verified.
    Does that mean that with a phone and the password to the employees' wifi I could impersonate that specific IP address (using ARP spoofing or any other form of spoofing, as I assume hospital networks don't have advanced anti-spoofing measures) and just backdoor the patients' monitors? Doing exactly what you said the CCP could do?

  • @lspcie 6 hours ago

    And here I am worrying whether all my smart devices are on the isolated IoT VLAN

  • @BertRedd 7 hours ago +4

    Is there a possibility that this was a junior programmer that sloppily did this to debug the firmware and never took it out? Either way, not great that they didn't catch this.

    • @ゆめ-u3z 7 hours ago +2

      I agree, looks like a general backdoor should do more (even if we don't consider the hiding part it would be desirable to have some device identification functionality like sending serial numbers before running a backdoor).
      Feels like some private contract work they did with the university and sloppy code leaked into the release firmware.

    • @Bramble20322 7 hours ago +2

      Just makes you wonder what other critical devices we use on our daily lives have such terrible problems/vulnerabilities. Did no one fucking even check anything on that stuff before selling on a critical industry like healthcare?? Why is it even connected to the internet in the first place?
      I guess cutting costs on QA/Testing and paying out lawsuits is just cheaper, lol.

    • @lolilollolilol7773 7 hours ago +1

      yes, that's what it is. Medical industry is full of shit code like that

    • @highdefinist9697 7 hours ago +1

      It is possible that it is a deliberate backdoor pretending to be sloppy code, for the sake of plausible deniability...

  • @SebastianBohn 5 hours ago

    “Welcome to the embedded programming seminar, part 1. Today’s lesson: How do IoT devices work and how you can upgrade them. We have prepared some endpoints for your disposal.“ 💀

  • @МаркБорман-ь7е 6 hours ago

    lowlvl: *snort*; *snort* "What the heck is going on???"
    me: [spraying my morning coffee] lmfao

  • @No-mq5lw 5 hours ago +1

    I'm fairly concerned about the amount of FUD here. Hospital equipment is networked for 2 very specific reasons: 1. on site telemetry and 2. recording to a personal health record. Other than that, a piece of equipment having access to the internet generally depends on hospital IT/biomed staff doing their jobs in regards to general network security. Sometimes there's off site telemetry like a mfr'r needs logs to be able to diagnose how a machine failed or even a subpoena to find out how someone expired on a ventilator.
    Generally, the FDA certification process requires disclosing how the sausage is made so to speak in regards to software, and this depends on the amount of risk tied to a piece of equipment. A ventilator where someone needs it to breathe goes through much more scrutiny than say a pulse oximeter where if it fails, there's a chance to misdiagnose, but otherwise the patient can go on to live another day for another device to catch the misdiagnosis.

  • @williamdrum9899 4 hours ago

    If buildings were built like software, one woodpecker could demolish the Empire State Building

  • @cultoftranquility9616 8 hours ago +1

    Well, sounds like a feature for the support team

    • @redcrafterlppa303 6 hours ago

      No, because the support team would listen on a company-owned domain. Not a static IP address owned by a random university.

  • @eadweard. 8 hours ago +7

    Would it be normal for such a device to have Internet access?

    • @lxn7404 7 hours ago

      Right! I wouldn't be surprised if a lot of them do and the hospital's staff doesn't even know 😅

    • @chazzer5968 7 hours ago +1

      To connect it to the hospital monitoring system? That'd be my guess

    • @iuse9646 7 hours ago +2

      Imo they shouldn't be.

    • @jeong-ilkajokaya3849 7 hours ago

      Internet access is just communication with other devices. Let it be the internet or local network, it's just communication with other devices.

    • @HadTooMuchToDream 7 hours ago

      Depends on the CSO at the hospital. Does the hospital CSO get the same directive as other hospital CSOs or do they have a choice? If the CSO for a hospital has a choice, why has policy not been defined at the topmost level? Managing the IT security policy for something as large as a health organisation in itself isn't particularly difficult. Expecting the CSO at each hospital to verify each and every policy is adhered to is another rabbit hole. A CSO will trust the person HR employed.

  • @mrlten2907 7 hours ago

    I just hope mr/mrs Padre made a full recovery 🙏

  • @hoojks 5 hours ago

    This stuff is scary, sort of makes me think do the walkie talkies, pagers, etc. situation recently type stuff with no fireworks.

  • @AP-ib7rf 8 hours ago

    Good work mister.

  • @nR-kv7xo 6 hours ago +1

    well I guess these things need to be on a VLAN...

  • @OneBiOzZ 6 hours ago

    Automatic firmware updates are normal, but absolutely should not be for medical devices. The IT department should get an email with a change log and shove the firmware on a USB stick that they can upload to not-in-use devices. Imagine just accidentally bricking these devices in the middle of the night.
    Also blown away this was not discovered earlier; I look at outbound traffic coming from my washing machine, you'd think some IT guy somewhere would have noticed outbound traffic coming from the patient monitor subnet.

  • @moetocafe 4 hours ago

    Maybe it's time for all such devices, which are part of critical infrastructure - military, medical, energy sector use etc. - to be checked and their code inspected, before allowing import into the US and EU. Sounds appropriate to me.

  • @macsoyyo 7 hours ago

    Additionally attackers could potentially reveal a pathology with the information shown on the device, and doctors attempting to treat this fake pathology could cause death. But anyway, they have tons of data to be stored on their servers.

  • @ronny332 5 hours ago

    Besides the backdoor itself, why are devices in the hospital network allowed to connect to "any" IP address they want to? Shouldn't happen. Should be monitored much earlier and be present in different logs for administrators to check why a device from "room xyz" is trying to yell out to an IP range that, in this case, is in China. I know, firmware updates, ... but also for firmware updates, they don't have to run alone without being monitored. Especially not for health products with sensitive data. We all saw what happens when Windows systems update early in the morning and nothing works afterwards.
    Great topic, thanks for sharing!

  • @BastianInukChristensen 6 hours ago

    Why:
    a) isn't the data anonymised? The machine shouldn't know who it's tracking, only its own ID, so the central machine can assign it to a room and thus a person can be inferred
    b) isn't vnetting a more common occurrence? My hospital's medical devices should NOT have access to the wider internet, at all, only stuff within the hospital's IT infrastructure, and only the stuff it needs access to.

  • @explodingonc2782
    @explodingonc2782 6 hours ago +1

    I sincerely doubt if a medical device would not have a backdoor of some sort. It's just who controls the backdoor😅

  • @Twikkilol
    @Twikkilol 5 hours ago

    So... We install a device on a network, with full internet access.
    Any IT admins there that care the slightest about security?

  • @galacticminx
    @galacticminx 4 hours ago

    Why does a vital signs monitor need patient information? Surely the only thing the hospital systems need to know is its location, i.e. the data is associated with a room or a bed, and who is in that room or bed would be centralised information not available to the device itself.

  • @ghost_of_you_tube
    @ghost_of_you_tube 6 hours ago

    Imagine if they know the President of every country? This is a true nightmare 😮

  • @anthonycbudd
    @anthonycbudd 6 hours ago +1

    Why are medical devices IoT?

  • @timballam3675
    @timballam3675 5 hours ago

    What is the history of the IP address? One of our IP address ranges got changed and we get loads of odd traffic to one of the IP addresses....

  • @Norman_Fleming
    @Norman_Fleming 7 hours ago

    Well, they have to have some reliable way to track the spread of their new infections.

  • @Patterner
    @Patterner 7 hours ago

    Any device without documentation of how it does "updates" and generally networking is by default suspicious (and lots of other red flags not mentioned here).

  • @rockets4kids
    @rockets4kids 5 hours ago

    So, how long has this device been on the market? Curious how long all that traffic has been going on with nobody noticing until now...

  • @UnCoolDad
    @UnCoolDad 7 hours ago

    NFS is so 1990s. Bit rookie to use a hard-coded IP too.

  • @unmanaged
    @unmanaged 4 hours ago

    If handheld radios can be rigged, someone could possibly kill someone with this... Also, there are standards for medical networks, are there not? And who's running the networks in the hospitals where they're not monitoring for these things and blocking them at the switch level? I get this is really bad, but my concern is, if it was reporting back to China from a hospital in the US, we might need to have a conversation about cybersecurity...

  • @rockets4kids
    @rockets4kids 5 hours ago

    First documented use of "assassination as a service" ???

  • @tomaselke3670
    @tomaselke3670 7 hours ago

    Am I losing my mind, or isn't NFS itself inherently "secure" insofar as it needs explicit IP access to even mount the drive, unless they explicitly allow any IP to access it?
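
    Host-based access control in NFS is only as good as the export table, and the default authentication flavour (sec=sys, i.e. AUTH_SYS) trusts whatever UID the client asserts, so an IP allowlist on the export is the floor, not the ceiling. What follows is an added example, not code from the video or from the device, that audits /etc/exports-style lines for the usual weak settings: wildcard or bare-path exports, broad client networks, no_root_squash, insecure, and the absence of a Kerberos sec= flavour. The export table, paths and subnets are constructed for illustration.

```python
"""Audit /etc/exports-style lines for host-access and option weaknesses.
Added example: the export table below is constructed, not the device's."""
import ipaddress
import re

# One client entry: host-or-network, optionally followed by (opt,opt,...).
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")


def parse_exports(text):
    """Yield (path, client, [options]) for each client of each export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if not rest:
            # A bare path with no client list: exportfs treats it as "*".
            yield path, "*", []
            continue
        for client, opts in CLIENT_RE.findall(rest):
            yield path, client, [o for o in opts.split(",") if o]


def client_findings(client):
    """Problems with the client specification itself."""
    if client in ("*", "0.0.0.0/0", "::/0"):
        return ["export open to any host"]
    if "*" in client or "?" in client:
        return ["wildcard hostname match"]
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return []          # a plain hostname; resolution is the server's business
    if net.version == 4 and net.prefixlen < 24:
        return [f"broad network /{net.prefixlen}"]
    return []


def option_findings(opts):
    """Problems with the per-client option list (defaults applied when absent)."""
    out = []
    if "no_root_squash" in opts:
        out.append("no_root_squash: remote root becomes local root")
    if "insecure" in opts:
        out.append("insecure: mounts accepted from unprivileged source ports")
    sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), "sys")
    if sec == "sys":
        out.append("sec=sys: server trusts client-asserted UIDs (no Kerberos)")
    return out


def audit_exports(text):
    """Return [(path, client, finding)] for every weakness in the table."""
    findings = []
    for path, client, opts in parse_exports(text):
        for msg in client_findings(client) + option_findings(opts):
            findings.append((path, client, msg))
    return findings


# Constructed export table (hypothetical paths and subnets).
SAMPLE_EXPORTS = """\
# first line is the hardened shape; the other two are what gets flagged
/srv/monitor_data 10.20.0.0/24(ro,sync,root_squash,sec=krb5p)
/srv/firmware     *(rw,sync,no_root_squash)
/srv/logs         10.20.0.17(rw,sync,sec=krb5p) 10.0.0.0/8(rw,insecure)
"""

if __name__ == "__main__":
    for path, client, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<18} {client:<14} {msg}")
```

    The first export shows the hardened form (a /24 client, root_squash, sec=krb5p for authenticated and encrypted RPC); the other two show what the audit flags. Run `exportfs -v` on a real server to see the effective options, including the defaults the file does not spell out, before feeding its output to a check like this.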

  • @LordHog
    @LordHog 4 hours ago

    Where does the hard coded IP go to? Is it the vendor of the device?

  • @odindimartino597
    @odindimartino597 4 hours ago

    I think that some devices shouldn't be able to have updatable firmware, or they should have two separate systems for the critical functions and the "smart" functions.

  • @Universal-qt9gs
    @Universal-qt9gs 6 hours ago

    Hacknet had a mission about this 👀

  • @jkobain
    @jkobain 4 hours ago

    …but you still can't own the devices you bought: you're obliged to repair only at certified workshops, install only OS variants the manufacturer wants you to, you can't disagree if they change the terms of sale _after_ the sale, etc.
    But who cares if some random shady dudes in C-na own your medical equipment without you knowing, what could have gone wrong…

  • @kevinshumaker3753
    @kevinshumaker3753 6 hours ago

    _WHY_ aren't these kinds of devices on a separate VLAN or network without internet access?

    • @Wkaelx
      @Wkaelx 5 hours ago

      Hardware requirement

    • @kevinshumaker3753
      @kevinshumaker3753 5 hours ago

      @@Wkaelx They don't need to live on the internet. They need to be accessible by others within the hospital, but hospitals have a department to maintain the devices, so they can be updated when needed.

    • @Wkaelx
      @Wkaelx 5 hours ago +1

      @@kevinshumaker3753 It's just plain incompetence then.

  • @DarkBrandon2024
    @DarkBrandon2024 7 hours ago

    My Eonon Android head unit (basically a car radio plus other things running through it) has "*.xlog" files daily under logging in its menu. I found it after getting a file access code & enabling Dev Mode. Looking it up, it's a WeChat encrypted log file it produces daily. I don't let it connect to anything and use it as a glorified radio.

  • @edwardallenthree
    @edwardallenthree 5 hours ago

    This is criminal.

  • @dgf7451
    @dgf7451 7 hours ago +1

    Do you think brands like Lenovo have hardware or firmware backdoors?

    • @iuse9646
      @iuse9646 7 hours ago +4

      Lenovo? Yeah. OnePlus, Rednote, etc, phones? Yeah

    • @Bramble20322
      @Bramble20322 7 hours ago +4

      Any device will have backdoors, either to foreign countries or three-letter agencies. Gotta remember Snowden, dude.

    • @sznikers
      @sznikers 7 hours ago +1

      Lenovo had 😅, it was ensuring you see ads 😅

    • @Threedogsinatrenchcoat
      @Threedogsinatrenchcoat 7 hours ago

      Lenovo's new ai laptop: advertising intelligence

  • @havenisse2009
    @havenisse2009 7 hours ago

    It's so often and with so many devices. The majority of people just give up and accept the Chinese domination and risk of an all-out online attack as a potential fact. Just like rain, just accept it and hope for the best. Sad.

  • @saviididi6535
    @saviididi6535 7 hours ago

    Do reverse backdoors need sockets to work?

    • @samuelhulme8347
      @samuelhulme8347 6 hours ago

      All forms of networking need packets, and packets are sent through sockets.

  • @iuse9646
    @iuse9646 7 hours ago

    You seriously undersell how important this is, especially at the end. "It's a little weird"? It's outright nefarious, and yes to the assassination part. Should've left it at that if you weren't going to add on to mentioning how bad this actually is.

  • @iloveopensource
    @iloveopensource 5 hours ago

    Solution: cut off the internet wire between the US and China...

  • @Xray8906
    @Xray8906 6 hours ago

    Am I blind, or is there no IoC list for the IPs and URLs this is reaching out to?

  • @RemotHuman
    @RemotHuman 7 hours ago

    All they needed to do to hide it was put their malicious server inside the update server.

  • @3d1e00
    @3d1e00 7 hours ago

    So medical devices don't have to be FIPS compliant?

  • @MegaHarko
    @MegaHarko 5 hours ago

    So... why black out the IP address? Would be helpful to block it, no?

  • @darkspiral7691
    @darkspiral7691 5 hours ago

    Sounds like it must be a subsidiary of Microsoft to me. Damn Chinese, don't they know the US has a monopoly on spyware and nefarious coding practices 🤣

  • @Mrshoujo
    @Mrshoujo 6 hours ago

    Why does this device need to connect to the Internet?

  • @Reiikz
    @Reiikz 6 hours ago

    Why would you allow such a critical device to talk to the internet in the first place?
    IP enabled I get it; however, there's never a good enough reason for these to be able to talk to somewhere outside their own little intranet.
    Simply idiotic.

  • @WaterGame7777
    @WaterGame7777 6 hours ago

    SZA is doing cybersecurity now??? (joke)

  • @mrtechie6810
    @mrtechie6810 7 hours ago +1

    CCP is coming to visit the patient in his room....

  • @jorgeluis4389
    @jorgeluis4389 4 hours ago

    HIPAA violation penalties will break this company

  • @eno88
    @eno88 7 hours ago

    While the reverse engineering itself is fascinating, I'll just call it, nobody's going to do anything about this.

  • @georgesos
    @georgesos 7 hours ago +1

    Yeah, no.
    There probably is an innocent explanation.
    Maybe ask the university.

  • @malTeeYoung
    @malTeeYoung 6 hours ago

    Wi-Fi pacemaker, networked IV pump

  • @binford5000
    @binford5000 5 hours ago

    Don't worry. Tariffs will fix this

  • @kahnfatman
    @kahnfatman 7 hours ago

    Ni yao bu yao? Hao bu hao?
    You want or not? Like it or not?

  • @georgehelyar
    @georgehelyar 7 hours ago

    Get new devices in hospitals 😂 still using Windows CE terminals over here