Hospitals around the globe rely on many types of medical
devices to deliver the most up-to-date patient care. They also spend hundreds
of millions of dollars in backup systems, redundancy, and business continuity to
ensure the 100%-functionality of these systems, which are critical to saving
Doctors and nurses rely on these devices on a daily basis,
as it allows them to focus on the challenges and complexities that require
their human expertise. But there is a scenario that no medical professional is
prepared for during their training, and something that is often overlooked by
hospitals. That is – how safe are medical devices in the face of a
This case study will examine how a major hack on a
hospital’s medical monitoring technology can directly affect patients’ lives.
Patient monitoring devices provide a snapshot of a patient’s
health status, including a full vital signs’ analysis, like heart rate, temperature,
blood oxygen levels, etc. This allows medical staff to quickly evaluate the
Samples can be taken every few hours, or, in cases where patients
are being monitored consistently, a staff member can observe several patients at
once from the nurses’ station. If the monitor detects a deviation from the
normal level of measurement, an alarm goes off at the nurses’ station, prompting
the staff to check on the patient.
Recently, a known monitor manufacturer asked BugSec to
conduct a security product evaluation. We quickly discovered that the
communication channel between the monitoring devices and the reporting unit at
the nurses’ station was based on a simple radio frequency (RF) protocol, which
would allow us to freely receive and transmit data above the channel with the
After sketching an attack surface, we decided to go with
this approach. We connected the monitor to a live person and measured his signs.
We also set up a mock nurses’ station with screens showing data from the demo
During the simulated attack, we used sophisticated tools to
pick up the frequency that the device was transmitting on. After learning how
every sign is interpreted by the system, we started playing around with it a
bit and managed to transmit different messages on the same pattern, causing the
device to relay false patient data to the nurses’ station. This, of course, is
a serious vulnerability, not only due to the impact on patients’ lives, but
also because hospitals are a public space and the ease of access by a malicious
party is so great.
We immediately reported the vulnerability to the manufacturer, including our recommendations on how to mitigate the threat, and they were able to immediately stop the false transmission.