Jenny Knackmuß, Thomas Möller, Wilfried Pommerien & Reiner Creutzburg Brandenburg University of Applied Sciences, IT- and Media Forensics Lab, P.O.Box.


Security risk of medical devices in IT networks – the case of an infusion pump unit

SPIE Defense, Electronic Imaging, "Mobile Devices and Multimedia: Enabling Technologies, Algorithms, and Applications 2015", Vol. 9411

Jenny Knackmuß, Thomas Möller, Wilfried Pommerien & Reiner Creutzburg

Brandenburg University of Applied Sciences, IT- and Media Forensics Lab, P.O.Box 2132, D-14737 Brandenburg, Germany
Assecor GmbH, Storkower Str. 207, D-10369 Berlin, Germany
Städtisches Klinikum Brandenburg GmbH, Zentrum für Innere Medizin II, Hochstr. 29, D-14770 Brandenburg, Germany
Medizinische Hochschule Brandenburg CAMPUS GmbH, Fehrbelliner Straße 38, D-16816 Neuruppin, Germany

Email: {knackmus|creutzburg}@fh-brandenburg.de, thomas.moeller@assecor.de, w.pommerien@mhb-fontane.de

ABSTRACT

Nowadays, wearable and implantable medical devices are being increasingly deployed to improve diagnosis, monitoring, and therapy for various medical conditions. Compared to other types of electronics and computing systems, security attacks on these medical devices have extreme consequences and must be carefully analyzed and prevented with the strongest efforts. Often, the security vulnerabilities of such systems are not well understood or are underestimated. The aim of this paper is to demonstrate security attacks that can easily be done in the laboratory on a popular infusion pump on the market, and to propose defenses against such attacks.

INTRODUCTION

Medical devices are becoming more and more complex. Many years ago the control of such devices was strictly mechanical. Nowadays, the devices are mechanically, electronically and optically controlled with extensive software. In health care, many different types of systems are capable of communicating with each other. In order to ensure an uninterrupted information flow, these systems need to be integrated and managed in IT networks. A number of standards and laws regulate the manufacturer's responsibility for patient safety. Responsibility for properly carrying out the maintenance or operation of medical devices is often left to the hospital.

With the integration of different medical devices in a hospital network, error sources arise in relation to patient safety (Medical Devices Directive). Therefore, the aim of this paper is to show what risks may arise when medical devices are not adequately protected in an IT network. During the investigation no hardware or software manipulations were carried out. The infusion pump unit is registered to a network and is managed manually through a web server application.

Attack Scenario

In this paper a typical scenario was simulated and analyzed for security risks. The attacks include sniffing, scanning, the "brute force" method and an analysis of web server functionalities in which sensitive data can be read from the infusion and infusion syringe pump.

Sniffing

For sniffing in the test network, Wireshark is used. Wireshark is a tool that analyzes network protocols and presents the captured data packets in its output formats. The infusion pump unit continuously sends traffic without any manipulation. Therefore, the traffic from the pump could be identified. The next figure shows a recording of data streams from the test network. It is possible to see relevant information such as the IP address of the infusion pump unit and the corresponding MAC address with the name of the manufacturer. After completion of the listening process, a result log is created. This log lists the devices that were registered in the test network during the same period. The medical device was found, and its corresponding IP address and MAC address are listed.

Scanning

At the beginning of the investigation, a scan with the Open Vulnerability Assessment System (OpenVAS) is performed for the analysis of vulnerabilities. The evaluation report showed the highest warning level, "10", for security vulnerabilities. It can be assumed that the control protocols of the pump unit are responsible. An additional scan is performed with the network scanner Nmap. Nmap is a tool for scanning and evaluation of hosts. Here, mainly the open ports are of special interest.

In particular, ports 80 and 443 are of interest, because the management and monitoring of the infusion pump unit is controlled by a web server application. The scan showed that the two corresponding ports for opening the web server application are open. In order to test the availability of the pump in the test network, the IP address 10.237.254.22 was read out and verified via broadcast. To use the web server application, the browser must allow JavaScript to run and accept cookies. Entering the URL http://10.237.254.22 was successful without further restrictions. A welcome screen of the device manufacturer opens, and a user name and password must be entered. Furthermore, the type of the operating system and the device is detected by the scan with Nmap.

Brute-Force Method

To ensure that only authorized users can access the web server application, a user name and a password are required. The brute-force method consisted of cracking the password with the help of the Hydra tool. The attack tools it contains are configured accordingly and run against the web server application. Monitoring the process revealed that the web server application allows several attempts to enter user names and passwords without blocking access. This brute-force attack may take up to 3 days. However, this was not necessary for this experiment because the default passwords were found on the web through intensive research. Entering the default passwords for each level was successful on the web server application.

Vulnerability of Web Server Application

Besides the presented attack, several vulnerabilities of the web server application were found. These include:

When a user name or password is entered incorrectly, the application does not simply report that the input is incorrect; it reports in detail where the input is wrong.

If an attacker knows the URLs, no registration is required: a URL can be copied into the web browser, and easy access to the web server application without registration is possible.

CONCLUSION

With the conducted attack scenario we have illustrated that networked medical devices are a major risk to patient safety in insecure IT networks.
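The web server weaknesses reported above (login attempts that are never blocked, error messages that say which part of the input was wrong, and pages reachable by URL without logging in) can each be closed in the application's login layer. The sketch below is an added example, not code from the poster or from the pump's manufacturer; the class `PumpWebAuth`, its method names, the paths and the policy constants are all hypothetical.

```python
import hashlib, hmac, secrets, time

MAX_FAILURES = 5        # assumed policy values, not taken from the poster
LOCKOUT_SECONDS = 900
GENERIC_ERROR = "Invalid user name or password."

class PumpWebAuth:
    """Hypothetical login layer for a device management web application."""

    def __init__(self, clock=time.monotonic):
        self._users = {}       # user -> (salt, PBKDF2 hash)
        self._failures = {}    # (client, user) -> (count, locked_until)
        self._sessions = set()
        self._clock = clock

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, client, user, password):
        """Return (session_token, message); the token is None on failure."""
        key, now = (client, user), self._clock()
        count, locked_until = self._failures.get(key, (0, 0.0))
        if now < locked_until:
            return None, GENERIC_ERROR           # locked: no guess is evaluated
        # Unknown users are checked against a dummy record, so the work done
        # and the message returned match the wrong-password case.
        salt, stored = self._users.get(user, (b"\0" * 16, b"\0" * 32))
        match = hmac.compare_digest(self._hash(password, salt), stored)
        if not (match and user in self._users):
            count += 1
            until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
            self._failures[key] = (count, until)
            return None, GENERIC_ERROR
        self._failures.pop(key, None)
        token = secrets.token_urlsafe(32)
        self._sessions.add(token)
        return token, "OK"

    def handle(self, path, token=None):
        """Serve a management URL only to a valid session, else redirect."""
        if path != "/login" and token not in self._sessions:
            return 302, "/login"
        return 200, path
```

The lockout is keyed on client address and user name together, so a guessing client is blocked without locking clinical staff on other workstations out of the pump's management interface.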

