DEFCON 29 IoT Village - Hadad and Kaufman - Reverse Supply Chain Attack

The supply-chain attack vector has gained a lot of attention in the passing year. Our talk, however, will present a different type of a supply-chain attack vector -- the reverse supply-chain attack. The process of a supply chain attack involves an attacker altering code of software, or the hardware of a device, en route to a potential victim. The reverse supply chain attack starts from the other end of the chain -- when a device is removed from a secure network. While IT departments are aware of the importance of wiping the harddrives of PCs, before they are being thrown away, or sold off, they are not fully aware that certain medical devices also withhold sensitive data, and the process to wipe these devices is also non-trivial. In this talk, we will demonstrate the type of data that can be recovered from the most popular infusion pump -- the BD Alaris Infusion Pump. The recovered data can allow an attacker to infiltrate internal networks of medical facilities and exfiltrate or alter personal patient data. In the process of analyzing this attack vector, we purchased a handful of these used infusion pumps from eBay, which led us to the credentials of internal networks of large hospital facilities all over the US.