If you can talk to a device over a network, then the possibility of hacking it exists. Patient monitors, such as those used in hospitals, are no exception, as McAfee's Advanced Threat Research team recently discovered.
It is common in hospitals for patient monitors to be tied into a central "monitoring station", writes McAfee's Douglas McKee, which means with the right hardware and software, a malicious user could sniff out the data packets and modify them, sending nurses and doctors false information.
Rather than use a real patient (or hospital, for that matter), McAfee performed its tests with components purchased from eBay. While the hardware was 14 years old and running Windows XP Embedded, the company confirmed the devices were "still in use" today.
After running some initial tests, McAfee made some interesting discovers:
- The two devices are speaking over unencrypted UDP
- The payload contains counters and patient information
- The broadcast address does not require the devices to know each other’s address beforehand
- When the data is sent distinct packets contain the waveform
With enough time, researchers were able to modify the packets, to the point of sending a flat-line ECG signal to the central monitor.
There are a few caveats. For one, because it's a "man-in-the-middle" attack, the patient's monitor was unaffected, displaying the correct values. The hacker would also need to be on the local network.
And, like many such hacks, the uses are niche. However, McKee spoke with a doctor, Shaun Nordeck, who explained how it could be abused in practise:
"Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalisation, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots. The hospital could also suffer resource consumption."