Hello everyone, my name is Barak Radad and talking with me today is Gal Kavman. Both of us work as researchers at a company called Armis. Armis is an agentless IoT security company focused on securing IoT devices and unmanaged devices in enterprise, industrial and medical organizations. In the last year we focused our efforts on critical infrastructure used by large health care facilities and its weaknesses.

So, what's on the agenda for today? We will start with a quick overview of the supply chain attack technique. Next, we will detail how we bought old medical equipment and found surprising confidential data in it. After that we will show how one can use that information to connect to medical networks, with some real-life examples, and lastly we will share our takeaways from the entire research and what you can do to mitigate that attack surface. Let's begin.

Our story begins with a customer. As you can see, that customer is very happy. Most of us as customers rarely consider the path that products go through on their way to our homes or offices. We get most of our products from distributors. These vendors rarely know if they're selling what they think they're selling and whether their product was tampered with on the way to the client. But it gets even worse. The distributor gets the product from the manufacturer, trusting the manufacturer that the product fits the product description, that no one was messing with it on the way and that there isn't anything malicious in it. And lastly, most products are made of multiple pieces. Each of those is supplied by a different supplier. Same as any other link in the chain, the manufacturer usually puts full trust in the supplier's hands. All of that means that the customer puts full trust in the entire left zone of the supply chain, meaning that an attacker can leverage access to any of the links in the chain to get full trust in the customer's network.
We can't really talk about supply chain attacks without mentioning the SolarWinds incident. The malware in that incident was deployed as part of an update from SolarWinds' own servers and was signed with a valid signature like any other SolarWinds update. According to SolarWinds, these malicious updates were released between March and June 2020, impacting approximately 18,000 customers. The attackers in this incident showed a very, very rare level of sophistication, going after the supplier instead of the actual target and hiding the malware in plain sight.

Today we are going to talk about a much simpler and probably cheaper attack vector: dumpster diving. Dumpster diving is a type of attack made possible by searching through the victim's trash. You might imagine going through a physical dumpster and getting all dirty, but in reality you can do it from the comfort of your home without any physical interaction with an actual dumpster. So that's our happy and unsuspecting customer now.

Our story starts with the BD Alaris infusion pump. The initial goal was to find identifying characteristics of all Alaris frameworks, so we bought a few on eBay. The Alaris infusion pumps are an extremely common Wi-Fi connected infusion pump. You can find those in many hospitals all over the world; over a million units of the Alaris infusion pump have already been sold worldwide. On a simple eBay search, we found that there are many resellers selling old and used Alaris infusion pumps. For our research, we just picked the most trashed ones, assuming these would have some interesting info in them. For some of the devices, the originating medical facility was apparent in the product pictures. And by the way, the reason these are on eBay is that apparently there is a huge market for used medical equipment, mainly used by hospitals in developing countries and animal hospitals.
When hospitals sell these types of equipment on eBay, the thought process behind these actions goes something like this: hospitals wish to get rid of old medical equipment, but also make some money on the way, so they sell it on eBay with the passwords, the state data and the user data.

We fired up the first Alaris we bought. We navigated through the settings and found a very distinct SSID name that this device was connected to. Furthermore, we can see that the network it was connected to was a WPA-PSK (pre-shared key) network, meaning that an attacker could easily connect to that network once we found out how to extract the pre-shared key. But since there are thousands of hospitals all across the US, we needed to find a way to pinpoint the exact hospital that this infusion pump came from. Luckily, the name of the exact hospital was written on the main screen along with the department that used this device. You can see that this specific device was used in the adult medical surgery department.

So we bought another one. Same as before, this device had a distinctive medical SSID and used a pre-shared key, so we needed a way to extract the key out of the device. Same as before, the hospital name and the specific department were configured and written on the main screen when the device boots. Seems like this one was stationed in the critical care department.

At this point, we needed to find a way to get the internal device configuration so we could extract the full wireless configuration along with the keys or any passwords. As a side project, we checked if some other private health information was left around somewhere else in the device memory. We took the device apart and examined the main board. We identified a 32-bit ARM processor and a Xilinx CPLD (we actually have no idea why they need that in an infusion pump). We also identified the removable external flash card containing the firmware, an internal flash and some RAM.
We found this vulnerability on BD Alaris' website. It says that physical access may lead to wireless credentials and maybe some other confidential data. Mounting the flash card, it contains an autorun script that points to an ELF file named OSE.ELF. Examining the ELF file, we found the device runs the Enea OSE operating system and the IPnet TCP/IP stack, which is vulnerable to a set of vulnerabilities Armis published two years ago named URGENT/11. Even though it was published two years ago, it's still relevant even today. URGENT/11 is a set of 11 vulnerabilities in the IPnet IP stack. It's an extremely common IP stack for IoT and mission critical devices. BD Alaris published a specific advisory about these vulnerabilities. The vulnerabilities allow remote code execution over the network with no user interaction whatsoever. Furthermore, to date there is no patch for the Alaris devices. And even if there was a patch, there is no remote update process, so a customer would need to physically disassemble the device in order to apply it. In the mitigation section of the advisory, it says: consider stronger network controls for wireless authentication, which are harder to replicate. What that actually means is that if an attacker manages to infiltrate the wireless network somehow, and it doesn't even matter how, there is no other protection for the Alaris infusion pumps on the device side. Gaining control over these pumps, an attacker can extract personal records and in some cases even alter the prescriptions.

Back to the Alaris firmware research. Since the main binary is executed from ATA0, we guessed that the external SD card is mounted on ATA0. By modifying autorun.cmd, we can execute arbitrary commands on startup. So we tried the help command, hoping that we would see some information about the other commands, and that's what we got: a short list explaining every available command in the shell. One interesting command is the ps command, known from Linux.
This command just shows the currently running processes. We can already identify the FAT FM process, probably responsible for the FAT file system mounted on ATA0. The next interesting command is the vols command. This command shows the currently mounted volumes. Just looking at the sizes of those volumes, we can tell that ATA0 is indeed the external flash card and FFX is the internal flash. So we copied the internal flash to the external flash using the cpdir command, so we could read it, and examined the data. We found that for every configuration that we configured in the management server, there is a corresponding XML file in the internal flash. One of these files contains the plain text password for the original Wi-Fi network. As you can see, all of the Wi-Fi settings are saved under a tag named Datalink, including the SSID and the password.

But we didn't stop there. As we've said before, the autorun.cmd runs an ELF named OSE.elf. Reversing OSE.elf, we found that it also runs a startup script. But this time the startup script is being run from the context of the ELF file and not from the boot, and it has a different implementation for the shell commands. Here you can see the function; all it does is check if there is a file named PCU15app.cmd, and if there is a file with that name, it just executes it using the internal shell. Running ps again, but this time from the context of the ELF file, there were 80 processes, almost 50 more than the number we had seen during the boot phase. Executing the help command, we saw something interesting: there were also a lot more commands, many new commands that weren't there before. One interesting command that stood out and was added is the log command. And here you can see the extended help for the log command. It seems like the log is split into log stores and uses multiple log volumes. Using the log command, we were able to extract the internal logs of the device.
And here you can see actual internal logs of one of the devices. The screenshot at the top shows the patient's name, and the screenshot at the bottom shows the prescription along with the treatment date. Both of these are confidential personal health information. Analyzing these findings: since the only protection for the Alaris infusion pumps is the Wi-Fi network authentication, getting access to the network opens up the risk of an RCE over the current Alaris devices in the network. I will now give the stage to Gal, who will talk about another interesting device that we bought and that contains some corporate secrets.

After the Alaris success, we went ahead and bought all kinds of medical devices. One of them was the MAC 5500 EKG by GE. The EKG machine is an advanced electrocardiography device used by many medical facilities across the USA. To communicate with the outside world, this device has an onboard printer and a serial port. Since this device should be used in close proximity to patients, it is usually mounted on a medical cart. To enable mobility, a wireless network adapter should be connected to the serial port. The wireless adapter of this device is advertised and sold as a serial-to-Wi-Fi converter that connects to the medical Wi-Fi network on one side and into the serial port of the EKG machine on the other. That wireless module is called MobileLink. MobileLink is actually a device made by Silex named SX-500. It has a custom firmware created by Silex for GE that can be downloaded from the GE website. This is a picture of a second-hand SX-500 that we bought online. It was connected to the medical cart using Velcro. One can only imagine how easy it is to steal this device from an active cart. The SX-500 is used to connect all the equipment that communicates over serial ports to modern Wi-Fi networks. It is used mainly in medical and OT environments. We got this adapter together with an old EKG machine we bought online.
Here are the results of a quick eBay search for this device, showing many retired Silex devices. Some of the eBay sellers even advertise it as part of the GE EKG machine. Although relatively new firmware versions are available for the SX-500, we encountered only old firmware versions with known exploitable CVEs. Other products we bought had sensitive information still configured on them. We will show that this information is enough to geolocate the facility the device came from and to access the hospital's internal Wi-Fi network.

Let's start with a quick examination of the device and then move on to the sensitive data configured on it. The device uses a pretty old Linux kernel with many known vulnerabilities. We ran a port scan using Nmap on the device to find out which open services are available. The Nmap output showed many results. There was a telnet-based administration console, an FTP server and many other unneeded services. There is a vulnerability in the old firmware version, with exploits available online, for the SX-500 that allows anyone to completely take over the device. But we didn't need to exploit anything. All the devices came with the default password still configured on them, allowing us to simply connect and collect the data they had. The most interesting data is the Wi-Fi information. As with the Alaris, the SSID was left on the device along with the keys needed to connect to the Wi-Fi network. As you can see, it's right there in the interface. One of the devices we bought online was configured with a certificate instead of a password. This enables the hospital to revoke live certificates. Further on, we will show that hospital companies use the same SSID for the Wi-Fi network in all of their facilities. Being able to exclude specific devices from the network is critical, since changing the Wi-Fi password over multiple facilities is unrealistic.
The device was also configured with internal IP addresses, giving an attacker basic information about the target network. We can see here the internal DNS server address, the domain name and the internal SMTP server address. The device also contained some hints about the physical location it came from, but this time it didn't contain the hospital name. To locate the hospital, we had to take another approach.

WiGLE.net is a website for collecting information about wireless networks. Anyone can register and upload data, such as a Wi-Fi network's SSID and the location it was seen at. WiGLE also allows users to easily query that information. This project was created to raise awareness of wireless network security. First, we used WiGLE's API to query where the Wi-Fi network was seen worldwide. All of the results were in the USA. Since the real locations are where the SSIDs were seen, most of the results were locations near medical facilities. One of the networks we found was seen on highways. Since it's in the middle of the road, not near any medical facility, we suspected it to be an ambulance wireless network. It means that in some cases attackers don't even need to enter the hospital to attack its network; they can just wait outside until an ambulance parks nearby.

The WiGLE search gave us an unexpected amount of results. Here is an example of only one of the SSIDs found. Apparently, hospital companies use the same Wi-Fi SSID for all their hospitals. It's not very surprising, since having the same SSID and password probably makes moving equipment between facilities much, much easier. Since there were too many results, we had to cluster them into groups so we could see where the results were concentrated. Next, to identify the hospitals automatically, we crossed the clusters' locations with open datasets of medical facilities. There were matches for almost every cluster, and the unmatched clusters were identified by hand.
In the picture, you can see the clusters noted by pins over the heat map of medical facilities in the USA. The next step was to check if our analysis was correct by physically attending the suspected hospitals. We went near one of the hospitals and opened the Wi-Fi page on our phone, looking for the SSID of the network that we had seen in the device configurations. And there it was: we saw the exact SSID that we were looking for. The Silex device is all an attacker needs to hack into the hospital's internal Wi-Fi network.

After talking about the problem, let's talk a bit about the solution. We opened the device manual and looked for a factory reset command. We found that apparently all you need to do is this: first, power up the device. Then, press the reset button for five seconds. And that's it. The device should be wiped of any configuration and ready to be sold online to anyone. For the Alaris PCU, there is a cleanup command available from the management server. Please use it the next time you get rid of an Alaris infusion pump. I will now give the stage back to Barak for some takeaways and some tips.

Thanks, Gal. There are a few general guidelines that apply to all Wi-Fi connected devices and not just the ones we talked about today. The most important mitigation is to avoid the use of pre-shared keys. There is minimal control over these, and when one device is stolen or taken out of the network, you need to change the password on all devices. Using a device-specific certificate is much safer, and making the certificate time-constrained is even better, so that even if you messed up and the device got stolen somehow, you won't need to worry about the certificate for long. Along with the Alaris infusion pumps and the Wi-Fi-to-serial converters, we bought some more Wi-Fi connected medical equipment. That equipment contains pacemeters, glucometers and some medical wearables. We contacted all of the medical facilities we have seen in our research today.
All of them asked to get their equipment back, and none of them gave us our money back. We hope that they worked on better solutions for Wi-Fi security and refreshed their device cleanup practices before selling their internal equipment on eBay.

Just a few takeaways. As customers, it's easy to ignore the full supply chain and only look at the part of the chain that happens before we get the device. We also wish to point out that manufacturers should emphasize the proper disposal process for their devices. Regarding the hospitals and medical facilities, they should have multiple layers of protection, so that one stolen device will not mean that their entire network is now vulnerable. They should use wireless certificates and revoke those certificates when the device leaves the hospital. The wireless password or certificate is just the first gate to the hospital network. Using network monitoring solutions, hospitals can know when someone is probing around the network, even if an attacker got into the network somehow. And lastly, eBay is a great place for buying Wi-Fi passwords for medical facilities.

And that's the end of our talk. Besides this talk, we have also presented a talk at Black Hat about a set of vulnerabilities we found in mission-critical hospital infrastructure. That infrastructure is the pneumatic tube system used by hospitals to deliver samples throughout the hospital. That set of vulnerabilities is called PwnedPiper. Combining the findings in this research and PwnedPiper, an attacker could have easily caused physical chaos in the hospital. Thanks for listening to our talk and goodbye.
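Added example (not part of the talk, and not Armis tooling): the geolocation step Gal describes, where WiGLE sightings of one SSID are clustered by proximity and each cluster is cross-referenced with an open dataset of medical facilities, with unmatched clusters (such as the highway sighting he attributes to an ambulance) left for manual review. The SSID, coordinates and facility names below are constructed; the record shape mimics WiGLE's `trilat`/`trilong` fields but nothing here queries the real WiGLE API.

```python
"""Cluster SSID sightings and match each cluster to a nearby medical facility.

Constructed example: the SSID, coordinates and facility names are invented
for illustration and do not come from WiGLE, the talk, or any real hospital.
"""
from math import asin, cos, radians, sin, sqrt

# Constructed sightings in the shape WiGLE's network search returns
# (trilat/trilong are WiGLE's field names for the trilaterated position).
SIGHTINGS = [
    {"ssid": "HOSP-MED", "trilat": 40.7128, "trilong": -74.0060},
    {"ssid": "HOSP-MED", "trilat": 40.7140, "trilong": -74.0050},
    {"ssid": "HOSP-MED", "trilat": 40.7135, "trilong": -74.0075},
    {"ssid": "HOSP-MED", "trilat": 34.0522, "trilong": -118.2437},
    {"ssid": "HOSP-MED", "trilat": 34.0530, "trilong": -118.2420},
    {"ssid": "HOSP-MED", "trilat": 39.0000, "trilong": -95.5000},  # lone highway sighting
]

# Constructed rows in the shape of an open facility dataset: (name, lat, lon).
FACILITIES = [
    ("Example Medical Center, NY", 40.7132, -74.0065),
    ("Example General Hospital, CA", 34.0525, -118.2430),
    ("Unrelated Clinic, TX", 29.7604, -95.3698),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def cluster_sightings(sightings, radius_km=1.0):
    """Greedy single-pass clustering: a sighting joins the first cluster whose
    centroid lies within radius_km, otherwise it starts a new cluster.
    Returns a list of {"centroid": (lat, lon), "points": [sightings]}."""
    clusters = []
    for s in sightings:
        lat, lon = s["trilat"], s["trilong"]
        for c in clusters:
            clat, clon = c["centroid"]
            if haversine_km(lat, lon, clat, clon) <= radius_km:
                c["points"].append(s)
                n = len(c["points"])
                # Running mean keeps the centroid representative of its members.
                c["centroid"] = (clat + (lat - clat) / n, clon + (lon - clon) / n)
                break
        else:
            clusters.append({"centroid": (lat, lon), "points": [s]})
    return clusters


def match_clusters(clusters, facilities, max_km=2.0):
    """Attach the nearest facility within max_km to each cluster. Clusters with
    no facility nearby are flagged for manual review (a vehicle, a clinic
    missing from the dataset, or a mis-located upload)."""
    results = []
    for c in clusters:
        clat, clon = c["centroid"]
        best = None
        for name, flat, flon in facilities:
            d = haversine_km(clat, clon, flat, flon)
            if d <= max_km and (best is None or d < best[1]):
                best = (name, d)
        results.append({
            "centroid": c["centroid"],
            "sightings": len(c["points"]),
            "facility": best[0] if best else None,
            "needs_manual_review": best is None,
        })
    return results


def locate_ssid(ssid, sightings=SIGHTINGS, facilities=FACILITIES):
    """Full pipeline for one SSID: filter sightings, cluster, match facilities."""
    subset = [s for s in sightings if s["ssid"] == ssid]
    return match_clusters(cluster_sightings(subset), facilities)


if __name__ == "__main__":
    for row in locate_ssid("HOSP-MED"):
        print(row)
```

The greedy pass is order-dependent, which is acceptable for eyeballing where sightings concentrate; for a real run over thousands of WiGLE rows a density-based method such as DBSCAN with a haversine metric gives more stable clusters, and the facility dataset should be filtered to hospital-type rows before matching so that small clinics do not absorb a cluster that belongs to the hospital next door.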