
Your vital signs’ monitor may need critical care

Hospitals around the globe rely on many types of medical devices to deliver the most up-to-date patient care. They also spend hundreds of millions of dollars on backup systems, redundancy, and business continuity to ensure 100% functionality of these systems, which are critical to saving lives.

Doctors and nurses rely on these devices on a daily basis, as they allow staff to focus on the challenges and complexities that require their human expertise. But there is a scenario that no medical professional is prepared for during training, and one that hospitals often overlook: how safe are medical devices in the face of a cyber-attack?

This case study will examine how a major hack on a hospital’s medical monitoring technology can directly affect patients’ lives.

Patient monitoring devices provide a snapshot of a patient’s health status, including a full analysis of vital signs such as heart rate, temperature and blood oxygen levels. This allows medical staff to quickly evaluate the patient’s status.

Samples can be taken every few hours, or, in cases where patients are being monitored consistently, a staff member can observe several patients at once from the nurses’ station. If the monitor detects a deviation from the normal level of measurement, an alarm goes off at the nurses’ station, prompting the staff to check on the patient.

Recently, a known monitor manufacturer asked BugSec to conduct a security product evaluation. We quickly discovered that the communication channel between the monitoring devices and the reporting unit at the nurses’ station was based on a simple radio frequency (RF) protocol, which would allow us to freely receive and transmit data over the channel with the right tools.

After sketching an attack surface, we decided to go with this approach. We connected the monitor to a live person and measured his signs. We also set up a mock nurses’ station with screens showing data from the demo patient.

During the simulated attack, we used sophisticated tools to pick up the frequency that the device was transmitting on. After learning how every sign is interpreted by the system, we started playing around with it a bit and managed to transmit different messages on the same pattern, causing the device to relay false patient data to the nurses’ station. This, of course, is a serious vulnerability, not only due to the impact on patients’ lives, but also because hospitals are a public space and the ease of access by a malicious party is so great.

We immediately reported the vulnerability to the manufacturer, including our recommendations on how to mitigate the threat, and they were able to immediately stop the false transmission.
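The weakness described above is that the nurses’ station accepts any frame that follows the expected pattern. As an added example (not BugSec’s or the manufacturer’s code; the page does not describe the actual fix), the sketch below shows one way a receiving station can reject forged and replayed frames. The frame layout, field names and per-device key provisioning are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption, not the vendor's protocol):
# device_id:u16 | counter:u32 | heart_rate:u16 | temp_c_x10:u16 | spo2:u8 | tag:16B
BODY = struct.Struct(">HIHHB")
TAG_LEN = 16

def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def build_frame(key, device_id, counter, hr, temp_x10, spo2):
    """Monitor side: serialize the vitals and append a truncated HMAC-SHA256 tag."""
    body = BODY.pack(device_id, counter, hr, temp_x10, spo2)
    return body + _tag(key, body)

class Station:
    """Receiver side: verify origin and freshness before displaying a reading."""
    def __init__(self, keys):
        self.keys = keys          # device_id -> key, provisioned out of band
        self.last_counter = {}    # device_id -> highest counter accepted so far

    def accept(self, frame):
        """Return (vitals, None) when accepted, or (None, reason) when rejected."""
        if len(frame) != BODY.size + TAG_LEN:
            return None, "bad-length"
        body, tag = frame[:BODY.size], frame[BODY.size:]
        device_id, counter, hr, temp_x10, spo2 = BODY.unpack(body)
        key = self.keys.get(device_id)
        if key is None:
            return None, "unknown-device"
        if not hmac.compare_digest(tag, _tag(key, body)):
            return None, "bad-tag"      # forged or modified in transit
        if counter <= self.last_counter.get(device_id, -1):
            return None, "replay"       # previously captured frame sent again
        self.last_counter[device_id] = counter
        return {"hr": hr, "temp_c": temp_x10 / 10, "spo2": spo2}, None

def demo():
    key = bytes(range(32))                                   # constructed test key
    station = Station({7: key})
    good = build_frame(key, 7, 1, 72, 368, 98)
    unkeyed = BODY.pack(7, 2, 0, 368, 98) + bytes(TAG_LEN)   # sender without the key
    altered = bytearray(build_frame(key, 7, 3, 72, 368, 98))
    altered[6:8] = b"\x00\x00"                               # heart-rate field changed
    frames = [good, unkeyed, good, bytes(altered)]
    return [station.accept(f)[1] for f in frames]
```

Each rejection reason is also a detection signal: a burst of `bad-tag` or `replay` results for one device is worth alerting on at the nurses’ station rather than silently dropping.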


Somebody’s watching me

Have you ever felt like somebody is listening to your private conversations? Would you believe that this could happen within your own living room?

A recent POC carried out by the BugSec research team exposed vulnerabilities in a smart TV operating system sold by a well-known telecommunications company. The team discovered that hackers were using malicious applications to access the TV operating system and were able to listen to any conversations that took place in the vicinity using built-in microphones designed for voice commands.

This is how we figured it out:

It began with a simple penetration test that BugSec’s Red Team conducted for a smartphone manufacturer. The manufacturer was extremely pleased with our findings, which showed our innovation and outside-of-the-box thinking when it comes to HW/SW manipulation. We were then asked to perform a smart TV penetration test, which, of course, we agreed to right away.

In general, smart TVs operate similarly to smartphones. They have commonly known hardware, use a compiled version of an open source operating system (e.g. Android TV), and have a flexible UI that’s designed and developed by the manufacturer. They also have an application-ready platform that allows developers to gain access to certain hardware components, such as microphones, and to data stored on the TV’s drives. A penetration test for a smart TV is no different from a penetration test for a smartphone as far as the techniques and attack landscape go.

Our smart TV test focused on a very common app that is widely used and installed by many customers. After successfully exploiting a vulnerability, we were able to gain full control of the TV set. Through various manipulation techniques, we were then able to manage the hardware components. From there, it was a short path to opening a built-in microphone for voice tapping.

What are the key takeaways from this? The more a device is connected and behaves like a computer, the more hackable it is. The manufacturer was happy to get the test results, of course, while we continue to search for new vulnerabilities so that we can get to them before the bad guys do.