Fingerprinting Healthcare Institutions
Anirudh Duggal
Disclaimer: All the views / data presented are my own and do not reflect the opinions of my employer.
#whoAmI
- Work with Philips Healthcare
- Hack anything
- Sustainability enthusiast
- Research on healthcare security protocols, devices, infrastructure
- Play guitar in free time
- Hospitalsecurityproject.com
Agenda
- Why healthcare?
- Beyond phishing: targeted attacks
- How to fingerprint?
- EMR fingerprinting
- Fingerprinting beyond servers
- HL7 attacks (if time permits)
- Q&A
Why healthcare?
- Easy targets
- High payoff
- Still to mature in terms of security
- Less awareness
Posted on 13th Feb 2016
Overall
- Healthcare institutions are easy to fingerprint
- They are considerably less protected
- Many entry points
- Quite many targets
What to expect?
Image from: http://healthcorrelator.blogspot.in/2014/09/will-your-wireless-router-give-you.html
And
Inside a hospital
Diagram: healthcare centers and hospitals, the ideal situation. Network 1 (HVAC system, lighting system, hospital servers, waste management systems, medical devices, monitoring devices, computers, phones, tablets, water controls) sits behind a NAT / bridged network with an IDS / IPS; Network 2 (other hospitals, vendor servers, service portals, intranet, Internet, and the computers, phones and tablets on it) is reached only over encrypted communication.
An ideal network infrastructure that we see.
But what do we get?
Diagram: HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, service portals, security systems, guests and the Internet, with none of the segmentation or encrypted links of the ideal picture.
Basics of fingerprinting
- Find unique but common headers
- Be consistent
- Use multiple tools: Shodan, Censys, Maltego
- Verify manually
- Use Google
So what can you fingerprint?
- Medical devices
- Routers
- Data center
- EMR software
- HVAC controls
- Lighting controls
Finding hospitals
- Generic searches
- Name searches
- Hospital name searches
- Sometimes the name is too generic
- Narrow down search parameters
Generic hospital searches
- Hospital
- Hospital*
- Healthcare
- Healthcare*
Generic searches
Narrowing the searches to regions
Narrow down searches by:
- Country
- Technology (HTTP(S), NetBIOS)
- Type of infrastructure (VPN, cloud)
Healthcare chains
This is a chain of hospitals in India and Indonesia.
Narrowing down
- Narrow down to FTP servers ;)
- Port 80 will show interesting results
One of the hospital names that was too generic.
But
- Sometimes the names are too generic
- Narrow down technology
- Look at other parameters
- Don't fall into honeypots
- Use Google: search for the address and verify
EMR solutions
- Goldmine for attackers
- Easy to attack
- High point of impact
- Ransomware attacks
A typical hospital scenario
- EMR (electronic medical record)
- Patient monitors / healthcare devices
- LAN / WiFi / Bluetooth
- Doctor's PC / Secretary's PC
- Doctor's mobile / Nurse's mobile
- Other hospitals
This is just a general observation: some hospitals do have sophisticated environments, but a majority of them do not. The focus here is more on the ease of setup and maintenance than on having a secure setup in place.
Fingerprinting EMR solutions
- Use Shodan / Censys / Maltego
- Searches vary on what you're trying to find
How I started
- Create a list of 200 popular EMR solutions
- Start searching by name
- Look for characteristics: deployment scenario, URL constructs, technology
- Look for manuals
- Change language: Chinese, Russian
- Find bugs ;)
Shodan
- Can search using name
- Fewer false positives
- Shows ready exploits for the OS
An arbitrary search on one of the biggest EMR solution providers.
Showing NetBIOS exposed
Anonymous login successful
Search by exploring EMR structures
- Look at unique parameters
- Filter by name
Problem
- Results not constant
- Need more access to data
- You can't find some systems
Thinking beyond Shodan
Shodan (shodan.io)
- Easiest of the deep web tools
- Caches information
- Due to the paid nature, results may vary
- Lacks multilingual capabilities
Censys (censys.io)
- Provides raw data for research
- Supports regex and can concatenate different parameters
Maltego (thick client)
- For advanced recon
- Can fingerprint infrastructure
Searching by names
Multilingual search: Russian
Multilingual search: Chinese
Multilingual search: Arabic
Using Censys efficiently
Combining searches with Google results
Google gives better results with specific headers.
Running Maltego
When everything fails
- Some systems could not be found at all
- Find the manual!
Now if you go to Shodan and search for this vendor with the filter set to Windows Server 2003, you get an EMR!
Easy way: visit the vendor website ;)
Logging on to the PACS system
Cloud based EMR
- Easy to find
- Scalable and reliable
- Many entry points: web, mobile, IoT devices
- Google is very effective in searching for such solutions
In a nutshell
- Finding EMR is easy
- Your EMR might be secure; other infrastructure might not be
- Attacks go beyond your audits and processes
Besides servers
Routers and internet access points
Cams, smile ;)
HVAC controls!
Insider attacks
- Generic system attacks: MITM, BSOD, network exploits
- HL7 exploits
Potential entry points
Hardware
- WiFi / LAN
- Serial ports
- USB
- Firmware
- The sensors
- Keyboard / mouse
- FireWire
Software
- Protocols and OS
Compared to an IoT device, but with much enhanced capacity, these RTOS devices run a dedicated program and usually do not run an off-the-shelf OS.
What is HL7?
- Health Level Seven standards
- Most popular in healthcare devices (HL7 2.x)
- Quite old: designed in 1989
- FHIR is the next gen
HL7 2.x
- Most popular HL7 version
- New messages / fields added
HL7 2.x
Things to know
- | is a delimiter / field separator
- MSH is the message header segment
- The standards define the messages, not the implementation
An HL7 message
MSH|^~\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1
PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN~AlternatiFF-3M31^^^^U||3M31LastUpdate^Test-FirstUpdate^Middle-Update||19330808|F
PV1||I|OR^^OR9&0&0||||||||||||||||Encounter-3M31FF
OBR|||||||20110504154300
OBX||TX|6^Soft Inop^MDIL-ALERT|1|ALL ARRH ALRMS OFF||||||F
OBX||ST|0002-d006^EctSta^MDIL|0|""||||||F
OBX||ST|0002-d007^RhySta^MDIL|0|SV Rhythm||||||F
OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F
OBX||NM|0002-0302^ST-II^MDIL|0|-1.0|0004-0512^mm^MDIL|||||F
OBX||NM|0002-0304^ST-V2^MDIL|0|0.6|0004-0512^mm^MDIL|||||F
OBX||NM|0002-f125^pNN50^MDIL|0|0.00|0004-0220^%^MDIL|||||F
OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-4a15^ABPs^MDIL|0|120|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a16^ABPd^MDIL|0|70|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4a17^ABPm^MDIL|0|91|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-4261^PVC^MDIL|0|0|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-5012^awRR^MDIL|0|25|0004-0ae0^rpm^MDIL|||||F
OBX||NM|0002-e014^Tblood^MDIL|0|37.0|0004-17a0^C^MDIL|||||F
OBX||NM|0002-4822^Pulse^MDIL|0|60|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-50b0^etCO2^MDIL|0|40|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-50ba^imCO2^MDIL|0|0|0004-0f20^mmHg^MDIL|||||F
OBX||NM|0002-f0c7^T1^MDIL|0|40.0|0004-17a0^C^MDIL|||||F
OBX||NM|0002-f081^SD NN^MDIL|0|0.00|0004-0aa0^bpm^MDIL|||||F
OBX||NM|0002-f03d^STindx^MDIL|0|3.5|0004-0512^mm^MDIL|||||F
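Added example, not from the talk: a small HL7 v2.x parser run over a shortened copy of the message above (constructed here with \r segment separators), pulling out the items the talk annotates (message type, HL7 version, patient identifier, observation fields) and listing reasons a receiver should quarantine a message rather than trust it. The plausibility ranges in RANGES are an assumption for illustration.

```python
# Added example, not from the talk: a minimal HL7 v2.x parser for the ORU^R01
# message on the slide, plus a receiver-side plausibility check. SAMPLE is a
# shortened copy of that message (constructed, \r-separated); RANGES is assumed.
SAMPLE = "\r".join([
    "MSH|^~\\&||STI SQESERV3|||||ORU^R01|HP1304538180456|P|2.3||||||8859/1",
    "PID|||MRN-3M31^^^^MR~Encounter-3M31FF^^^^VN||3M31LastUpdate^Test||19330808|F",
    "OBR|||||||20110504154300",
    "OBX||NM|0002-4182^HR^MDIL|0|80|0004-0aa0^bpm^MDIL|||||F",
    "OBX||NM|0002-4bb8^SpO2^MDIL|0|100|0004-0220^%^MDIL|||||F",
])

def parse_hl7(raw):
    # Segments are \r-separated; fields split on MSH-1 (4th byte, normally '|').
    # The MSH separator is re-inserted so that item i is always field SEG-i.
    segments = [s for s in raw.split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("HL7 message must start with an MSH segment")
    sep = segments[0][3]
    out = [seg.split(sep) for seg in segments]
    out[0].insert(1, sep)
    return out

def summarize(raw):
    # The items the slide annotates: message type (MSH-9), HL7 version (MSH-12),
    # patient identifier (PID-3) and the numeric observation fields (OBX).
    segs = parse_hl7(raw)
    msh = segs[0]
    comp, rep = msh[2][0], msh[2][1]           # '^' and '~' from MSH-2
    pid = next(s for s in segs if s[0] == "PID")
    mrn = pid[3].split(rep)[0].split(comp)[0]  # first identifier in PID-3
    obs = {}
    for s in segs:
        if s[0] == "OBX" and s[2] == "NM":     # OBX-2 == NM: numeric value
            obs[s[3].split(comp)[1]] = (float(s[5]), s[6].split(comp)[1])
    return {"type": msh[9], "version": msh[12], "mrn": mrn, "obs": obs}

# Assumed plausibility ranges: a receiver (interface engine, IDS rule) can use
# them to quarantine spoofed or corrupted vitals instead of trusting the feed.
RANGES = {"HR": (20, 250), "SpO2": (50, 100)}

def anomalies(raw, expected_version="2.3"):
    info = summarize(raw)
    issues = []
    if info["version"] != expected_version:
        issues.append("unexpected HL7 version " + info["version"])
    for name, (val, unit) in info["obs"].items():
        lo, hi = RANGES.get(name, (None, None))
        if lo is not None and not lo <= val <= hi:
            issues.append(f"{name}={val}{unit} outside plausible range")
    return issues
```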
The same message, annotated: patient identifier (PID segment), message type and HL7 identifier (MSH segment), message fields.
The same message, annotated: potential entry point.