Fingerprinting healthcare institutions
- 2. #whoAmI
• Work with Philips healthcare
• Hack anything
• Sustainability enthusiast
• Research on healthcare security – protocols, devices, infrastructure
• Play guitar in free time
• Speak at conferences
• Hospitalsecurityproject.com
- 3. Agenda
• Why healthcare?
• Beyond phishing – targeted attacks
• How to fingerprint?
• EMR fingerprinting
• Fingerprinting beyond servers
• Q&A
- 10. Healthcare centers and hospitals – ideal situation
[Diagram: Network 1 (intranet) and Network 2 (Internet), separated by a NAT / bridged network with an IDS / IPS. Intranet labels: HVAC system, lighting system, hospital servers, waste management systems, medical devices, monitoring devices, water controls, computers / phones / tablets. Internet-side labels: other hospitals, vendor servers / "service portals", computers / phones / tablets. Each link between the networks is marked "encrypted communication".]
- 11. But what do we get?
[Diagram: HVAC system, lighting system, hospital servers, waste management systems, medical devices, hospital computers, monitoring devices, tablets / phones, water controls, "service portals", security systems, guests and the Internet, with no IDS / IPS or network separation labelled.]
- 12. Basics of fingerprinting
• Find unique but common headers
• Be consistent
• Use multiple tools – Shodan, Censys, Maltego
• Verify manually
• Use Google
- 13. So what can you fingerprint?
• Medical devices
• Routers
• Data center
• EMR software
• HVAC controls
• Lighting controls
- 14. Finding hospitals
• Generic searches
• Name searches
• Hospital name searches
• Sometimes the name is too generic
• Narrow down search parameters
- 15. Generic hospital searches
• Hospital
• Hospital*
• Healthcare
• Healthcare*
• <name of the hospital>
• <name of the software / protocol>
- 17. Narrowing the searches to regions
• Narrow down searches by
• Country
• Technology (HTTP(S), NetBIOS)
• Type of infrastructure (VPN, cloud)
- 20. But…
• Sometimes the names are too generic
• Narrow down technology
• Look at other parameters – don’t fall into honeypots
• Use Google – search for the address and verify
- 22. A typical hospital scenario
[Diagram: EMR (electronic medical record) connected over LAN / WiFi / Bluetooth to patient monitors / healthcare devices, doctor's PC / secretary PC, doctor's mobile / nurse mobile, and other hospitals.]
- 23. Fingerprinting EMR solutions
• Use shodan / censys / maltego
• Searches vary with what you're trying to find
• How I started
• Create a list of 200 popular EMR solutions
• Start searching by name
• Look for characteristics – deployment scenario, URL constructs, technology
• Look for manuals
• Change language – Chinese, Russian
• Find bugs ;)
- 33. Thinking beyond Shodan
• Shodan (Shodan.io)
• Easiest of the deep-web search tools
• Caches information
• Due to its paid nature, results may vary
• Lacks multilingual capabilities
• Censys (censys.io)
• Provides raw data for research
• Supports regex and can combine different parameters
• Maltego (thick client)
• For advanced recon
• Can fingerprint infrastructure
- 46. Cloud based EMR
• Easy to find
• “scalable and reliable”
• Many entry points – web, mobile, IoT devices
• Google is very effective at finding such solutions
- 47. In a nutshell
• Finding EMR is easy
• Your EMR might be secure; other infrastructure might not be
• Attacks go beyond your audits and processes
- 53. Defending hospitals
• Secure networks
• Have Public and Private networks
• Harden routers and firewalls – have a patching policy
• Look out for Shodan and Censys
• Assume the network will be compromised
• Isolate high-value components
• Encrypt and back up
• Know your devices – vendor management
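One way for a hospital to act on "look out for Shodan and Censys" and on the "unique but common headers" idea from the fingerprinting basics: an added Python example (not the deck's code) that triages the kind of records those search engines return for your own address space, flagging the indicators the deck itself points at (version-leaking headers, exposed NetBIOS / SMB, a Windows Server 2003 banner, a generic "hospital" organisation name). The records, addresses and field names below are constructed sample data, not real hosts.

```python
"""Defender-side triage of externally visible services, using the kinds of
fields Shodan/Censys-style results carry. Added example, not the deck's code;
all records are constructed sample data."""
import re
from typing import Dict, List

# Constructed sample records shaped like search-engine results (hypothetical).
SAMPLE_RECORDS: List[Dict] = [
    {"ip": "203.0.113.10", "port": 443, "org": "Example Hospital",
     "headers": {"Server": "Apache/2.2.15", "X-Powered-By": "PHP/5.3.3"},
     "os": ""},
    {"ip": "203.0.113.11", "port": 445, "org": "Example Hospital",
     "headers": {}, "os": "Windows Server 2003"},
    {"ip": "203.0.113.12", "port": 443, "org": "Example Hospital",
     "headers": {"Server": "nginx"}, "os": ""},
]

VERSION_RE = re.compile(r"\d+\.\d+")          # "Apache/2.2.15", "PHP/5.3.3"
NETBIOS_SMB_PORTS = {137, 138, 139, 445}      # NetBIOS / SMB reachable from outside
EOL_OS = ("Windows Server 2003",)             # unsupported OS named in the deck
GENERIC_NAME_RE = re.compile(r"hospital|healthcare", re.I)

def triage_record(rec: Dict) -> List[str]:
    """Return human-readable findings for one exposed service record."""
    findings = []
    for name, value in rec.get("headers", {}).items():
        if VERSION_RE.search(value):
            findings.append(f"version-leaking header {name}: {value}")
    if rec["port"] in NETBIOS_SMB_PORTS:
        findings.append(f"NetBIOS/SMB port {rec['port']} reachable from the Internet")
    if any(eol.lower() in rec.get("os", "").lower() for eol in EOL_OS):
        findings.append(f"end-of-life OS banner: {rec['os']}")
    if GENERIC_NAME_RE.search(rec.get("org", "")):
        findings.append("org name matches generic 'hospital/healthcare' searches")
    return findings

def triage(records: List[Dict]) -> Dict[str, List[str]]:
    """Map 'ip:port' to its findings; services with no findings are omitted."""
    out = {}
    for rec in records:
        found = triage_record(rec)
        if found:
            out[f"{rec['ip']}:{rec['port']}"] = found
    return out

if __name__ == "__main__":
    for key, issues in triage(SAMPLE_RECORDS).items():
        print(key)
        for issue in issues:
            print("  -", issue)
```

Feed it the export of a saved search scoped to your own netblocks and re-run it on a schedule; a new key appearing in the result is a new exposure to explain.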
- 54. Thank you
Minatee Mishra, Michael Mc Neil, Ben Kokx, Jiggyasu Sharma, Sanjog Panda, Pardhiv Reddy, Ajay Pratap Singh, Neelesh Swami, Archita Aparichita, Sagar Popat, Narendra Makkena, Kartik Lalan, Pratap Chandra, Ashish Shroff, Swaroop Yermalkar
Editor's Notes
- Posted on 13th Feb, 2016
- Image from:
http://healthcorrelator.blogspot.in/2014/09/will-your-wireless-router-give-you.html
- An ideal network infrastructure that we see.
- This is a chain of hospitals in India and Indonesia.
- One of the hospital names that was too generic
- This is just a general observation: some hospitals do have sophisticated environments, but a majority of them do not.
The focus here is more on the ease of setup and maintenance than on having a secure setup in place.
- An arbitrary search on one of the biggest EMR solution providers.
- Showing NetBIOS exposed
- Anonymous login successful
- Now if you go to Shodan and search for this vendor with the filter set to Windows Server 2003, you get an EMR!