Explore the vulnerabilities of IoT medical devices and their potential impact on health record security in this Derbycon 2018 conference talk. Delve into connected healthcare devices, medical device classifications, and data flow architectures. Examine real-world horror stories like MEDJACK and MEDJACK2, and follow the speakers' journey as they investigate a purchased PDA. Learn about wireless setting manipulation, telnet observations, and traffic analysis. Discover fuzzing techniques, privilege escalation methods, and how to access encrypted patient data and prescriptions. Gain insights into the importance of built-in security measures for IoT medical devices and understand the potential consequences of inadequate protection for sensitive health information.
Overview
Syllabus
Intro
[-]$ About us
[-]$ Connected Healthcare Devices
[-]$ Medical Devices Classification
[-]$ Data Loop
[-]$ The Architecture
[-]$ The Nightmare Tons of new connected medical devices
[-]$ The Horror Stories - MEDJACK/ MEDJACK2
[-]$ About the Device
[~]$ Workflow Hospital Network
[-]$ Initial Observations
[-]$ We Bought a PDA
[-]$ Overwriting Wireless Settings
[-]$ Additional Observations - Telnet
[-]$ The Initial Traffic
[-]$ Time to Fuzz
[-]$ Winning Packet
[-]$ Master Drug List
[-]$ Workflow
[-]$ Let's Break It Down
[-]$ Privilege Escalation
[-]$ The Encrypted File - Win!!!
[-]$ Access to Patient Data
[-]$ Prescriptions
[-]$ Closing Remarks • Built-in, not bolted on
