GhostExodus, the ETA, and a Control Systems Incident at Carrell Clinic (part 3)
Previous parts (Pre-requisite information. There will be a pop quiz at the end.):
In this post I will be displaying and discussing some screenshots that Jesse “GhostExodus” McGraw posted online. These screenshots were taken on the PC controlling Carrell Clinic’s HVAC system, uploaded to a photobucket account owned by GhostExodus, and linked to in posts on anarchistcookbook.com and warezscene.org (still available there). When XXxxImmortalxxXX initially bragged to me about hacking this HVAC system himself, he linked the same photobucket images directly, which led me to discover the forum posts that linked the same images.
What you’re looking at in these screenshots, if you’re not familiar with control systems, is Human-Machine Interface (HMI) software. HMI software represents what would have once been a physical control panel with switches, dials, gauges, and other similar elements. The software displays the status of various elements of the system, and allows the operator to make changes, either directly (by flipping a switch, for example), or by modifying a parameter that the system automatically tries to maintain or use as a boundary.
Since the HMI for a control system is very specific to that system, HMI software is typically distributed as a combination of IDE (for developing the custom interface) and a runtime (for running the developed system). HMI systems also implement access control and auditing, features that often serve as a last line of defense for a control system. While I cannot speak for BACtalk’s security (I have no experience with it yet), a combination of misconfiguration and vulnerabilities in HMI products’ security features can lead to this layer of defense being weak. Until HMI software security improves, it’s very important to layer defenses around them, with strict control over who can access the systems physically or over a network.
Let’s take a look at the shots (click them to see them at full resolution):
In this shot, you can see what appears to be a “main menu” for the control system, with buttons that take you to other screens that control different sections of the hospital. The most interesting thing here is the dialog box, “BACtalk Alarm”. The “Acknowledge” buttons allow an operator to record that he or she has seen the alarm, which should go in an audit log that can be reviewed if there are problems in the future. An attacker with access to these systems and the associated logs could “acknowledge” alarms that were meant to be seen by operators, and potentially even modify the audit logs. The criminal complaint against GhostExodus made reference to problems with alarms this specific HVAC system was having after being compromised.
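The acknowledgement audit trail described above only helps if an attacker who already controls the HMI cannot quietly re-attribute or delete entries. As an added example (not code from this post or from BACtalk), here is a hash-chained acknowledgement log whose integrity key lives on a separate log collector rather than on the HMI host; the field names, user names and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Hypothetical key held only by an off-host log collector. An attacker on the
# HMI can write new records but cannot produce MACs that the collector accepts.
COLLECTOR_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # link value for the first record in a chain

def _mac(payload: dict, prev: str, key: bytes) -> str:
    # Canonical JSON so the same record always yields the same digest.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"\n" + body, hashlib.sha256).hexdigest()

def append_ack(chain: list, payload: dict, key: bytes = COLLECTOR_KEY) -> dict:
    """Append one acknowledgement record linked to the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    rec = {"payload": payload, "prev": prev, "mac": _mac(payload, prev, key)}
    chain.append(rec)
    return rec

def verify_chain(chain: list, key: bytes = COLLECTOR_KEY):
    """Return the index of the first broken record, or None if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["mac"] != _mac(rec["payload"], prev, key):
            return i
        prev = rec["mac"]
    return None

def build_demo_chain() -> list:
    """Constructed sample acknowledgements (alarm names as seen on the HMI)."""
    chain = []
    append_ack(chain, {"ts": "2009-01-01T02:14:00", "alarm": "AHU 7 OA Alarm", "user": "nightops"})
    append_ack(chain, {"ts": "2009-01-01T02:15:30", "alarm": "AHU 4 OR Alarm", "user": "nightops"})
    append_ack(chain, {"ts": "2009-01-01T07:02:11", "alarm": "AHU 4 OR Alarm", "user": "dayops"})
    return chain

def tampered_chain() -> list:
    """Simulate re-attributing an acknowledgement after the fact."""
    chain = build_demo_chain()
    chain[1]["payload"]["user"] = "dayops"
    return chain

def deleted_entry_chain() -> list:
    """Simulate removing an acknowledgement from the middle of the log."""
    chain = build_demo_chain()
    del chain[1]
    return chain
```

Both the edited and the shortened log fail verification at index 1, so the collector can tell exactly where the trail stops being trustworthy.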
Here, we see a floorplan for an area of the hospital containing some operating rooms (OR 2 through OR 5). Among other things, you can see the open/closed status of the vents in various rooms. The buttons to the right of these statuses could be controls to toggle them. I’m not really sure what the weird gray graphic between/overlapping the status of “AHU 7 OA Alarm” and “AHU 4 OR Alarm” is. If you have a guess, leave a comment. (Nevermind, glitch in GIMP.)
Note that since HMI interfaces are custom-designed in an IDE for the purposes of each control system, the user interfaces are not always self-explanatory. Operators have to be trained to understand the elements of each system. This one’s not really that bad compared to a lot of them, though.
This is the scary one. It’s a list of parameters for systems in a “Surgery Center” or operating room. Here, an operator (or attacker) can modify the temperatures and levels at which pumps kick in, or switch things on and off. I’m not familiar with hospital control systems, and especially not with those involved in surgery, but I imagine that changes made to these systems could wreak some havoc.
These screenshots were posted by GhostExodus on the warezscene and anarchistcookbook forums with the following text:
Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor. Like this you see below. An HVAC server. An HVAC is: HVAC (pronounced either “H-V-A-C” or “H-vak”) is an initialism or acronym that stands for “heating, ventilating, and air conditioning”. HVAC is sometimes referred to as climate control and is particularly important in the design of medium to large industrial and office buildings such as skyscrapers and in marine environments yay for wiki
In reality, GhostExodus compromised the system with physical access as a night security guard. It is not known if this HMI was “legitimately” accessible remotely with RDP or similar protocols. It was revealed in the criminal complaint that malicious software allowing for remote access was confirmed to be installed on the system.
GhostExodus followed up in the same thread on warezscene with this post:
nice. You almost can’t help it ya know. It must be done!
Hopefully this isn’t something many people feel compelled to do.
That’s a very modern hospital system. Nevertheless it’s always the same: I doubt that these surgery controls were monitored by the admin, because the technology exists to automate. What’s the sense of automation if you have to check it. Work is work.
One should assume that humans are wise enough not to touch technology life depends on. But as we see… A sad example of a guy whose intelligence could have been developed.
Nevertheless: why can you make adjustments of that kind without further authentication?
That gray graphic? Looks to me like additional floor plan that is outside of the scope of these particular operating suites. “grayed out” as it were….
No weird overlapping grey graphic on my view!
Thanks Larry, you made me look at it again and the gray thing is not freakin’ there anymore. Must have been some screwy artefact/glitch in GIMP when I was looking at it earlier today.
Gremlins.
Hmmm… interesting I may have missed it in the articles… but was it ever ascertained if the “remote access” software was ever utilized? Or how it was installed? (this one is a long shot I know)
You serve your masters well Mcgrew. Now fall in line for the concentration camp like a good citizen.
Hi Art,
The remote access software was installed onto the Hospital systems with physical access. Only forensic analysis of GhostExodus’ computers that have (almost certainly) been seized can tell for certain if that software was accessed remotely. There really isn’t any reason to install it unless you plan on accessing it remotely, however, and the videos I have posted clearly show him interacting with bots on an IRC channel.
Thanks for the comment!
Hi Hamburgler,
I was told that I could meet Mayor McCheese in this line?
I just don’t understand why this dork felt the need to tell you, of all people, about this little adventure of his. Isn’t that like bragging to a Wendy’s employee about how you ripped off a McDonald’s last week?
I don’t know who’s the bigger attention whore, you or GhostExodus. Most of the so-called “Whitehat Hackers” can’t do shit without metasploit anyways.
McGrew busts McGraw, I had to laugh when I read that!
Hey, you linked the site to the forums that I got to.
just lurking and noticed that. =]
Nigguh fo-shizzle, im free.