Previous parts (Pre-requisite information. There will be a pop quiz at the end.):
- Part 1 – Definitely read the criminal complaint.
- Part 2 – Watch some videos
In this post I will be displaying and discussing some screenshots that Jesse “GhostExodus” McGraw posted online. These screenshots were taken on the PC controlling Carrell Clinic’s HVAC system, uploaded to a photobucket account owned by GhostExodus, and linked to in posts on anarchistcookbook.com and warezscene.org (still available there). When XXxxImmortalxxXX initially bragged to me about hacking this HVAC system himself, he linked the same photobucket images directly, which led me to discover the forum posts that linked the same images.
What you’re looking at in these screenshots, if you’re not familiar with control systems, is Human-Machine Interface (HMI) software. HMI software represents what would have once been a physical control panel with switches, dials, gauges, and other similar elements. The software displays the status of various elements of the system, and allows the operator to make changes, either directly (by flipping a switch, for example), or by modifying a parameter that the system automatically tries to maintain or use as a boundary.
Since the HMI for a control system is very specific to that system, HMI software is typically distributed as a combination of IDE (for developing the custom interface) and a runtime (for running the developed system). HMI systems also implement access control and auditing, features that often serve as a last line of defense for a control system. While I cannot speak for BACtalk’s security (I have no experience with it yet), a combination of misconfiguration and vulnerabilities in HMI products’ security features can lead to this layer of defense being weak. Until HMI software security improves, it’s very important to layer defenses around them, with strict control over who can access the systems physically or over a network.
Let’s take a look at the shots (click them to see them at full resolution):
In this shot, you can see what appears to be a “main menu” for the control system, with buttons that take you to other screens that control different sections of the hospital. The most interesting thing here is the dialog box, “BACtalk Alarm”. The “Acknowledge” buttons allow an operator to record that he or she has seen the alarm, which should go in an audit log that can be reviewed if there are problems in the future. An attacker with access to these systems and the associated logs could “acknowledge” alarms that were meant to be seen by operators, and potentially even modify the audit logs. The criminal complaint against GhostExodus made reference to problems with alarms this specific HVAC system was having after being compromised.
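As an added illustration of the audit-log point above (example code, not BACtalk's own; the record fields, operator names and timestamps are constructed), a hash-chained acknowledgement log in which each entry commits to the one before it, so that a later edit or deletion of an acknowledgement breaks the chain and can be detected when the log is reviewed:

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # chain head before any entry exists


def _entry_hash(prev_hash: str, record: Dict) -> str:
    """Hash the previous link together with a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_ack(log: List[Dict], operator: str, alarm_id: str, timestamp: str) -> Dict:
    """Record that `operator` acknowledged `alarm_id`, chained to the last entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"operator": operator, "alarm_id": alarm_id, "timestamp": timestamp}
    entry = {**record, "prev_hash": prev_hash, "hash": _entry_hash(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact.

    A plain hash chain only proves integrity relative to its head: the most recent
    hash must be copied off the HMI host (e.g. forwarded to a separate log collector)
    so an attacker with write access cannot simply re-chain after editing.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        record = {k: entry[k] for k in ("operator", "alarm_id", "timestamp")}
        if entry["prev_hash"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, record):
            return i
        prev_hash = entry["hash"]
    return -1


# Constructed sample: two acknowledgements of alarms named like those in the screenshots.
SAMPLE_LOG: List[Dict] = []
append_ack(SAMPLE_LOG, "night_operator", "AHU 7 OA Alarm", "2000-01-01T02:14:00")
append_ack(SAMPLE_LOG, "night_operator", "AHU 4 OR Alarm", "2000-01-01T02:15:30")


def tampered_copy(log: List[Dict]) -> List[Dict]:
    """Simulate an after-the-fact edit: rewrite who acknowledged the first alarm."""
    copy = [dict(e) for e in log]
    copy[0]["operator"] = "day_operator"
    return copy
```

Deleting an entry is caught the same way: the following entry's `prev_hash` no longer matches the link before it.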
Here, we see a floorplan for an area of the hospital containing some operating rooms (OR 2 through OR 5). Among other things, you can see the open/closed status of the vents in various rooms. The buttons to the right of these statuses could be controls to toggle them. I’m not really sure what the weird gray graphic between/overlapping the status of “AHU 7 OA Alarm” and “AHU 4 OR Alarm” is. If you have a guess, leave a comment. (Never mind, glitch in GIMP.)
Note that since HMI interfaces are custom-designed in an IDE for each control system, the user interfaces are not always self-explanatory. Operators have to be trained to understand the elements of each system. This one’s not really that bad compared to a lot of them, though.
This is the scary one. It’s a list of parameters for systems in a “Surgery Center” or operating room. Here, an operator (or attacker) can modify the temperatures and levels at which pumps kick in, or switch things on and off. I’m not familiar with hospital control systems, and especially not with those involved in surgery, but I imagine that changes made to these systems could wreak some havoc.
These screenshots were posted by GhostExodus on the warezscene and anarchistcookbook forums with the following text:
Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor. Like this you see below. An HVAC server. An HVAC is: HVAC (pronounced either “H-V-A-C” or “H-vak”) is an initialism or acronym that stands for “heating, ventilating, and air conditioning”. HVAC is sometimes referred to as climate control and is particularly important in the design of medium to large industrial and office buildings such as skyscrapers and in marine environments yay for wiki
In reality, GhostExodus compromised the system with physical access as a night security guard. It is not known if this HMI was “legitimately” accessible remotely with RDP or similar protocols. The criminal complaint did confirm that malicious software allowing remote access had been installed on the system.
GhostExodus followed up in the same thread on warezscene with this post:
nice. You almost can’t help it ya know. It must be done!
Hopefully this isn’t something many people feel compelled to do.