Breaking Bad - Stealing Patient Data Through Medical Devices

Explore the risks associated with connected healthcare devices in this Black Hat conference talk. Delve into the benefits and challenges of adopting IoT for medical devices, examining current exposure, common communication channels, and interconnectivity approaches with critical components. Gain insights into potential vulnerabilities through case studies of digital pens and IV infusion pumps, including workflow analysis, default account exploitation, and reverse engineering techniques. Learn about the implications of compromised medical data compared to financial information, and understand the importance of securing the healthcare IoT ecosystem. Discover practical examples of attack surfaces, troubleshooting methods, and potential security flaws in medical device networks.

Introduction
Sara Barrett
Agenda
Disclaimer
What are connected medical devices
Categories of connected medical devices
Inhouse medical devices
Information loop
Ecosystem
Why connected medical devices
Challenges of connected medical devices
Serial to Ethernet converters
Attack surface
Metric
Financial vs Medical Data
Case Studies
Digital Pen
Workflow
Default Accounts
Use Case Scenario
Observations
Analysis
Reverse Engineering
Port Scan
Prescriptions
Summary
IV Infusion Pump
Pump Server
Lab Setup
Initial observations
Troubleshooting
eBay
Exporting Network Settings
More Observations
Initial Packet
Master Drug List
Conclusion