Douglas McKee of McAfee presented his research into the security of medical diagnostic equipment at last week’s Defcon conference in Las Vegas.
McKee presented a variety of techniques for intercepting and altering medical diagnostic information as it was transmitted to the hospital’s (Windows XP or Windows 7-based!) central monitoring system. The most difficult attacks required physical access to the bedside equipment in a patient’s room, but McKee also presented a devastating man-in-the-middle attack that could be launched by attackers on the same LAN as the patient — say, an attacker who cracked an insecure wifi password or plugged a laptop into a hospital Ethernet port.
The LAN-based attack takes advantage of the insecure Rwhat protocol, which uses unencrypted UDP packets to stream realtime data from diagnostic equipment to monitoring stations. Through well-understood ARP spoofing techniques, an attacker could trick bedside equipment into sending diagnostic information to their own computer, then pass altered information on to the real monitoring station. By subtly and credibly altering these streams, attackers could mislead doctors about a patient’s status, causing them to miss symptoms or prescribe potentially harmful substances.
These would likely be targeted attacks, aimed at high-value targets in the hospital; I’ve recently been told some hair-raising stories about the lax information security at one of the hospitals designated to receive the President should they be injured while in town. This is pretty hair-raising in light of those discussions.
“Any modifications made to patient data would need to be believable to medical professionals for there to be any impact,” McKee said, while also clarifying that the actual patient monitoring device near the patient’s bed will not be affected by this attack and continue to display actual readings.
But in cases where medical staff take decisions based on the readings received via central monitoring systems —which also provide historical views of past readings— the attack has high chances of fooling medical professionals.
McKee did not reveal the make and model of the medical equipment he used for his tests, as he is still working with the vendor to patch the discovered issues.
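The ARP spoofing step described above is visible on the LAN to anyone watching IP-to-MAC bindings. The following is an added example, not code from McKee's research or from the vendor: a small detector run over constructed ARP reply records, where the addresses, the inventory, and the record format are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory (assumption): expected MAC for each device we care about.
# Addresses come from documentation ranges, not from the research.
KNOWN_BINDINGS = {
    "192.0.2.10": "00:00:5e:00:53:10",  # bedside monitor
    "192.0.2.20": "00:00:5e:00:53:20",  # central monitoring station
}

# Constructed ARP replies, one per line: "<time> <sender_ip> <sender_mac>".
SAMPLE_ARP_REPLIES = """\
10.0 192.0.2.10 00:00:5e:00:53:10
10.5 192.0.2.20 00:00:5e:00:53:20
42.1 192.0.2.20 00:00:5e:00:53:66
42.2 192.0.2.10 00:00:5e:00:53:66
43.0 192.0.2.30 00:00:5e:00:53:30
"""

def parse(text):
    """Yield (time, ip, mac) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield float(parts[0]), parts[1], parts[2].lower()

def detect_arp_spoofing(text, known=KNOWN_BINDINGS):
    """Return alerts for inventory mismatches and for one MAC claiming both ends."""
    alerts = []
    ips_by_mac = defaultdict(set)
    reported = set()
    for ts, ip, mac in parse(text):
        expected = known.get(ip)
        if expected is not None and mac != expected:
            alerts.append((ts, "binding_mismatch", ip, mac))
        ips_by_mac[mac].add(ip)
        # A single MAC answering for several inventoried hosts is the
        # man-in-the-middle position: it sits between monitor and station.
        claimed = ips_by_mac[mac] & set(known)
        if len(claimed) > 1 and mac not in reported:
            reported.add(mac)
            alerts.append((ts, "mac_claims_both_ends", ",".join(sorted(claimed)), mac))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

On managed switches, Dynamic ARP Inspection enforces the same binding check in the network itself rather than only alerting on it.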
Hackers Can Falsify Patient Vitals [Catalin Cimpanu/Bleeping Computer]