July 5, 2011
Coding for Death: Exploits that can Kill
This is the story of how I (probably) could have used an Acrobat bug to kill my Dad.
Word Count: ~890
Please see the correction to this article at the bottom of the page.
Citing prior work is important so let me be clear in stating this idea (killing someone via an exploit) isn’t mine nor is it particularly new. The first time I saw a realistic example of how hacking could be used to kill someone was in one of those Syngress Stealing the Network: * books where a character changed someone’s blood type in a hospital record. I doubt the idea started there either. That being said, what follows are my experiences and observations.
Back in 2005 Dad had his first CABG to do a quad bypass. Every year thereafter until his death in 2009 he would have cardiac incidents that would require an angiogram or angioplasty. In that procedure essentially doctors snake a thin cable with various attachments through the femoral artery in your upper inner thigh up to your heart. From there they can take pictures from the inside of various structures or using different attachments put in stents, laser out plaque, write their initials, etc. To me that kind of technology is amazing and medical science is one of the things I always wish I knew more about.
The machine that was controlling the wire being used for the angioplasty was being controlled in turn by a Windows XP desktop. While the doctor was going over the results I noticed the Adobe Acrobat icon in the system tray. When the doctor was done I asked if I could take a closer look at the results: “Help yourself, just don’t touch anything.” So I looked at the version of Acrobat and saw it was something in the 7.x series. Sorry doc, I couldn’t help myself.
The doctor and I then had this exchange (I’m paraphrasing):
Me: “So I see you’ve got Acrobat on here, do you use this to view patient data?”
Doctor: “Oh yeah, if a case gets referred to us the common practice is that the patient will come with a CD on which there are test results we look at during the procedure.”
Me: “And this machine also controls the catheter?”
Doctor: “To a degree, yes.”
Me: “Tolerances here being very important?”
Doctor: “Yes, very.”
I had packed my CANVAS development laptop. Having something to distract you (and a mild sedative) while waiting for loved ones to get out of surgery is a plan I can’t endorse enough. We had a very reliable exploit for CVE-2007-5659 which I had previously tested to work for the exact version of Acrobat they were using.
With a bit of custom development work, here is your attack scenario:
1) Weaponize a legitimate PDF, repair memory such that Acrobat doesn’t crash out or reexec Acrobat on a benign PDF.
2) Escalate your way to Local System.
3) Surgeons depend on the information provided to them by this machine to be exceedingly accurate; I could distort this data (how they are oriented in space for example) or just add a delay to the displayed image. Direct manipulation of the wire may have been possible.
I am very confident that this would lead to an accident involving a laser drill and the inside of your heart. Which is to say, a bad accident. Here are some other fun things I learned on that visit:
1) Some brands of portable vitals monitors have embedded webservers.
2) To reduce potential tripping hazards, some medical gear uses wireless but only supports things like WEP and WPA1; it is a pain in the ass to type in complex keys on these devices.
3) There are multiple LAN drops near every patient bed for the plugging in of the aforementioned devices.
4) Automated pill dispensers are also typically networked (in my limited experience I have never seen one that wasn’t).
5) VNC is heavily used in a lot of hospitals.
This is the result of what I saw with my eyes and some internet research, not any probing of the hospital network.
So for an investment of say, $250,000 in equipment and maybe $250,000 in exploit development costs (5 devs, 4 months, $50k per) you could have yourself an arsenal of reliable exploits that would allow you to do whatever you wanted on these machines. Your exploits would go a long way: hospitals don’t replace most equipment that often, there is a lot of common equipment between hospitals, and I don’t know of any forensics firm that specializes in medical equipment, though they may exist.
For half a million dollars you can buy yourself an infinitely reusable weapons system that’s hard to detect, hard to defend against, and allows for you to not even be in the same room as your target. People are right to worry about SCADA hacking causing industrial accidents but those sorts of things are always so, messy. Neat to think about.
In closing I’m going to recognize and dedicate this post and this blog to my Dad, who encouraged and helped me become the curious, sneaky and devious character I am today.
Correction: Friendly redditor sqrt7744 pointed out here that my initial idea of an attack vector was probably not viable. I maintain that putting a malicious PDF on a patient’s record CD that’s viewed in the OR is a bad thing, but the vector from PDF -> Death is not as clean cut (if it even exists) as I originally thought, though surely worth looking into. Also, sqrt7744 pointed out that the Syngress plot device about changing a blood type was also not likely viable; I can’t speak to hospital procedures so I don’t know how accurate that is.