80 to 0 in under 5 seconds: Falsifying a medical patient's vitals

Conference:  Defcon 26



The presentation discusses the vulnerability of medical devices and the RWHAT protocol used in central monitoring stations. The lack of authentication and security mitigations in medical devices pose a risk to patient safety.
  • Medical devices rely on uncommon networking protocols to gather patient data
  • The RWHAT protocol used in central monitoring stations is vulnerable to real-time data modification by attackers
  • Lack of authentication allows rogue devices to mimic patient monitors
  • The presentation includes a technical dissection of the security issues and real-world attack scenarios
  • The impact of potential attacks on patient safety is discussed
  • Mitigation techniques for vendors and facilities are presented
The presentation includes a demonstration of live modification of a patient's critical data using actual medical device hardware. The vulnerability of medical devices and the RWHAT protocol is illustrated through scenarios where false information is provided to medical personnel, potentially leading to incorrect treatment decisions and patient harm.


It seems each day that passes brings new technology and an increasing dependence upon it. The medical field is no exception; medical professionals rely upon technology to provide them with accurate information and base life-changing decisions on this data. In recent years there has been more attention paid to the security of medical devices; however, there has been little research done on the unique protocols used by these devices. In large, health care systems medical personnel take advantage of to make decisions on patient treatment and other critical care, use central monitoring stations. This information is gathered from many devices on the network using uncommon networking protocols. What if this information wasn't accurate when a doctor prescribed medication? What if a patient was thought to be peacefully resting, when in fact they are under cardiac arrest? McAfee's Advanced Threat Research team has discovered a weakness in the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient's condition. This protocol is utilized in some of the most critical systems used in hospitals. This weakness allows the data to be modified by an attacker in real-time to provide false information to medical personnel. Lack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors. This presentation will include a technical dissection of the security issues inherent in this relatively unknown protocol. It will describe real-world attack scenarios and demonstrate the ability to modify the communications in-transit to directly influence the receiving devices. We will also explore the general lack of security mitigations in the medical devices field, the risks they pose, and techniques to address them. The talk will conclude with a demonstration using actual medical device hardware and a live modification of a patient's critical data.