HF 2021 - Call for Papers

I'm Not A Doctor, I Just Play One On HTTP: Vulnerabilities in HL7 FHIR
2021-11-19, 15:30–16:20, Hackfest - Track 1

In a modern hospital, protocols are required to allow different departments to communicate to each other. HL7's FHIR is the next generation of the most widely used of these protocols. This talk is about the form of the protocol, vulnerabilities and CVEs discovered during research into the protocol that could lead to everything from account compromise to completely disabling a hospital's electronic medical record system (EMRs), as well as design flaws that may lead to significant misconfigurations in deployments.

In the modern healthcare environment, health care is provided by different departments all using various software solutions. Various protocols are used to send information between the departments. These protocols are used for everything from tracking patient admittance, dispensing medication, and transmitting health records between hospitals. They are essential for the delivery of care in the modern healthcare sector, but are largely unknown outside of healthcare IT. The goal of this talk is to cover research into HL7's FHIR, a protocol that's not widely known but is becoming the most broadly deployed interoperability protocol in the United States, a component of healthcare worldwide, and whose implementation is legally mandated is some circumstances. This protocol shows up everywhere from your phone to your local hospital to Google Cloud to the DEF CON Bio-hacking Village CTF, and is supported by an overwhelming majority of EMRs.

This talk will review both the historical and technical aspects FHIR in depth. First, we'll quickly discuss the reason why these protocols were created, and explain the structure of modern healthcare environments like hospitals and doctor's offices. Next, we'll cover the protocol itself, covering its construction, structure, and use. We'll talk about implementations of the protocol, including the most widely used implementation. Then we'll talk about design issues which significantly weaken the protocols such as lack of authentication, and discuss and demonstrate methods to MITM the traffic. We'll also discuss several methods of fingerprinting environments and discovering resources. We'll demonstrate two CVEs discovered as part of this research, CVE-2021-32053 and CVE-2021-32054, which allow attackers to deny service to an entire medical records system and to upload and serve arbitrary resources and webpages or upload malware on critical infrastructure running affected versions. We'll close with a short discussion of FHIR's future, the security of EMRs in general, and best practices that can be used by organizations to securely deploy these protocols.

Are you releasing a tool? – no Have this talk already be given? – no