Manipulating Medical Devices
The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].
Scope
This blog posts details the security assessment of the HAMILTON-T1 from the Swiss manufacturer Hamilton Medical AG (hereafter referred to as Hamilton). The HAMILTON-T1 ventilator is a portable ventilator approved for use in ambulances, helicopters, and airplanes. A configuration for military use exists. The device possesses a USB and a reserved Ethernet port.
Results
The HAMILTON-T1 uses a default code to enter the configuration menu of the device (CVE-2020-27278). This code can be found in the manual. By entering the configuration menu, it was possible to load a tampered configuration file via a USB flash drive, which resulted in an undefined state of the device (CVE-2020-27282). This configuration file is protected using a checksum. The checksum for tampered configurations is exposed in an error log, which is accessible to attackers (CVE-2020-27290). All attacks require physical access. An ICS Medical Advisory (ICSMA-21-047-01) was published on February 16, 2021 [2].
Impact
The identified vulnerabilities caused the device to be dysfunctional. As a result, the device did not boot. A hardware exchange of the device’s logic board was necessary to recover the device. The manufacturer identified no patient harm and prepared an update for the ventilator, thereby fixing all critical vulnerabilities.
References
[1] Bundesamt für Sicherheit in der Informationstechnik (BSI). Veröffentlichungen. Online (accessed January 12, 2021): https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Veroeffentlichungen/cybermed_node.html
[2] ICS Medical Advisory (ICSMA-21-047-01). Hamilton-T1. February 16, 2021. Online (accessed February 16, 2021): https://us-cert.cisa.gov/ics/advisories/icsma-21-047-01