It’s not every day that a person would come home from their university class and say, “Today I wirelessly hacked a pacemaker and killed the patient. Tomorrow I’ll hack an insulin pump and kill a patient.” Yet a few select souls from the University of South Alabama (USA) can shout that from a rooftop without worrying about going to prison, because the wireless medical devices were in iStan, the “most advanced wireless patient simulator on the market.”
“The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient,” Mike Jacobs, professor and the director of the human simulation program at the university, told Motherboard. “It's not just a pacemaker, we could do it with an insulin pump, a number of things that would cause life-threatening injuries or death.”
The $100,000 iStan has “internal robotics that mimic human cardiovascular, respiratory and neurological systems. When iStan bleeds, his blood pressure, heart rate and other clinical signs change automatically.” iStan, which is used by USA’s College of Nursing, breathes, bleeds from two locations, cries, secretes bodily fluids, speaks, groans, wheezes, gags, gasps, coughs and mumbles (pdf).
“In other words, the iStan simulates a living or, as the case may be, a dying person.” Jacobs added, “It responds to 300 different types of simulated medications and procedures, and the physiological response is identical to that of a human.” The research included a photo of iStan and the Muse software interface that interacts with the iStan.
While killing a simulated human via hacking is less dramatic than wirelessly murdering a real human via a keyboard, researchers said it can be done by “a student with basic information technology and computer science background;” the medical mannequin attackers had no penetration testing skills, but successfully launched brute force and denial of service attacks as well as attacks on security controls.
Why should anyone care that a simulated human can be hacked? Because of the dreaded ripple effect. According to the researchers, “If medical training environments are breached, the long term ripple effect on the medical profession, potentially, impacts thousands of lives due to incorrect analysis of life threatening critical data by medical personnel.”
The medical mannequin’s network security solution and the network protocol were vulnerable to attack. Although it doesn’t reveal actual PINs and full MAC addresses, the research paper “Compromising a medical mannequin” (pdf) lists the steps the researchers took to hack iStan. “The security solution was breached using an open source brute force attack against the router Personal Identification Number (PIN). The network protocol was attacked through a denial of service attack.”
During the first step of studying iStan’s documentation, the researchers discovered “iStan’s front-end platform utilizes Adobe Flash Player and Muse software, which is a browser based application, to interact with iStan’s profiles. The network protocols used by the iStan consist of TCP and 802.11 wireless transmissions between the controlling laptops and the iStan’s internal access point. The iStan’s direct dependencies consist of either a Windows or OS X machine, iStan mannequin and a properly configured access point.”
The second step included finding known attacks to exploit the security weaknesses. These included a Denial of Service (DoS) attack using hping3 and using Reaver for a “brute force attack against Wi-Fi Protected Setup register PIN numbers.” The third step was to go back over documentation to discover the configuration needed for attacks. Finally, during the fourth step, they launched their attacks.
The paper included steps for the brute force attack using Reaver and BackTrack 5 from a live CD; they tried the same brute force attack on the iStan mannequin using a virtual machine. The first attack took slightly over seven hours, but in the second they were able to crack the passphrase in “9,528 seconds or two hours thirty-eight minutes and forty-eight seconds.” Future research will include customized dictionaries so brute force attacks can crack it even faster.
They monitored the computer controlling the medical mannequin to see if it “provided any indications that there was something wrong.” They also captured the results of the attacks; other future research on hacking other medical training mannequins with implantable devices will determine if the “residual data from the iStan breaches would be helpful in digital forensic investigations.”
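A defender-side sketch of the kind of indication the researchers looked for, added here as an example and not taken from the paper or from iStan's software: it flags a station that fails WPS PIN registration repeatedly within a short window, which is what an hours-long PIN brute force looks like from the access point. The log format, MAC addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any vendor's real output):
#   <ISO timestamp> WPS-FAIL sta=<client MAC>   -> one failed WPS PIN attempt
FAIL_RE = re.compile(r"^(\S+) WPS-FAIL sta=([0-9a-f:]{17})$")


def detect_wps_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {mac: time of first alert} for every station that produced
    at least `threshold` failed WPS PIN attempts within `window`."""
    recent = defaultdict(deque)   # mac -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue              # ignore unrelated log entries
        ts, mac = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and mac not in alerts:
            alerts[mac] = ts
    return alerts


def build_sample_log():
    """Constructed sample: one station hammering the PIN, one user mistyping."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    lines = [
        f"{(start + timedelta(seconds=10 * i)).isoformat()} "
        "WPS-FAIL sta=02:00:00:00:00:aa"
        for i in range(12)        # 12 failures, 10 seconds apart
    ]
    lines.append(f"{start.isoformat()} WPS-FAIL sta=02:00:00:00:00:bb")
    lines.append(f"{(start + timedelta(minutes=30)).isoformat()} "
                 "WPS-FAIL sta=02:00:00:00:00:bb")  # two failures, 30 min apart
    lines.append("2024-01-01T09:05:00 ASSOC sta=02:00:00:00:00:cc")
    return sorted(lines)          # ISO timestamps sort chronologically


if __name__ == "__main__":
    for mac, when in detect_wps_bruteforce(build_sample_log()).items():
        print(f"possible WPS PIN brute force from {mac} at {when.isoformat()}")
```
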
The denial of service attack used the first seven steps from the brute force attack before deviating in steps eight through 11. They successfully conducted brute force attacks and denial of service attacks against two different iStan mannequins before determining that “medical training mannequins are at risk” and those risks could trickle down to others when hacked simulated humans are used for training purposes.
While we've heard about vulnerable medical devices and equipment for years, the researchers believe it's time to integrate cyber-based scenarios into medical training, since when a device fails, it could be due to “malfunction or from byzantine actions of a malicious adversary.” They added, “Future practitioners will be trained to deal with medical device failures, byzantine or otherwise, and will reinforce the use of alternate or traditional techniques that do not rely on technology.”