Hacking My Ambulance

by anonymous

For the last three plus years I have worked for a competitor to the nation's largest private ambulance provider, American Medical Response.

Like most people in the industry, I have learned to loathe this monster for its all-too-corporate business strategies and its overwhelming quest for higher profits - often at the expense of reliable quality personnel and equipment.

Recently I completed my paramedic internship with a paramedic preceptor who works for AMR and I was treated to some inside information while interning.  Having a technical background, my ears perked up when things were being discussed and my preceptor had no qualms about letting me poke around here and there.

In this article, I will share what I learned about AMR's field computers during my internship.

In some regions AMR is now utilizing notebook computers for charting purposes.

A field chart is different from an in-hospital chart in that it contains all of the patient's billing information as part of the medical record recorded by medical personnel.

In other words, protected personal information is gathered and recorded by the EMTs and paramedics who operate on the ambulance.  This information is then transmitted electronically to a central database (reached through ODBC) that the company's billing department queries daily to assemble invoices from the data gathered.

Because acceptable levels of security are typically more expensive than lower levels, AMR has, in its corporate wisdom, chosen the latter of the two.  Let's explore.

The computers used in the field as of the time of my internship were all Itronix GoBooks.  The company initially purchased GoBook I's (the first generation), and has purchased whichever model was most current ever since then.  The latest model is the GoBook III, but there are plenty of GoBook IIs still around.

Hardware specs are available at www.itronix.com and www.gobookiii.com/gb3/features.htm.

The interesting hardware components include Bluetooth (left active and unsecured), 802.11b/g (AMR typically orders only 802.11b chipsets), and cellular data PC cards.  These are the PC cards sold by wireless carriers such as Cingular and Verizon; Verizon's run on CDMA, while Cingular's, like the EDGE card discussed later, are GSM.

AMR uses both companies for mobile Internet access in different regions depending on which provider has the best coverage for a given area.  The cards are housed internally and connect to an external antenna mounted on the screen portion of the case.  We'll come back to this device later for a discussion of the security holes it presents.

AMR upgraded these units to Windows XP only over the last year or so.  The official explanation was that they feared Windows XP would somehow not support the Access Database front-end they use for charting.

What I find so amusing about this is that they purchased a Windows XP Professional license with every GoBook III and then relied on their Windows 2000 corporate license for the actual OS licensure.

However, when they switched to Windows XP they actually purchased a corporate license to cover all of the computers that they already had licenses for!  This, of course, means you stand a good chance of being able to use the Windows XP Pro license stuck to the bottom of the GoBooks without getting caught.

Now, Windows XP Pro can join an Active Directory domain, and AD Group Policy offers plenty of settings for limiting what users may do, but on XP you need a Domain Controller supplying the Group Policy Objects in order to have different policies apply to different users.  The local GPO on a stand-alone XP machine applies to everyone who logs on.

With the computers being deployed in the field constantly they could not be part of a domain-based network.  This posed a real problem in that Supervisors and IT staff needed much more access to the machine than AMR was willing to allow their field employees to have.

So someone poked around on the Internet and found that by replacing the actual user GPO file you can implement different security measures for different users.

Basically, you create two different GPO files, one older than the other and having tighter security, and swap them around like this:

Log on as an administrator and put the newer, less restrictive GPO (a registry.pol file) in the C:\Windows\System32\GroupPolicy\User directory.

Next, log on as each of the users you want to give more access to (i.e., supervisors and IT personnel) so that the permissive policy gets applied to their accounts.  Then log on as the admin again, move that registry.pol to a different folder, and replace it with the older registry.pol that carries the tighter settings.

When the supervisor and IT users later log on with the older GPO in place it is ignored, because the policy already applied to their accounts is newer than the one now in the file.  The standard users were never logged on while the newer policy was present, so they pick up the older, more restrictive one.  Keep in mind that this is a trick, not a security boundary: it rests on nothing more than the policy engine comparing versions, and anyone who can write to that directory can undo it.

Of course, these policies are typically very poorly managed and there isn't a whole lot you'd really care to do that a creative mind won't figure out how to accomplish.

Instead of browsing directories to launch programs create shortcuts on the desktop.  And since you can always create a new text file on the desktop you have complete freedom in writing batch and Windows Script files to do your bidding.

Because AMR doesn't like their employees goofing off on the clock they also install ContentWatch to restrict Internet use.

This service works by restricting websites based on their categorization in a database obtained from an Internet server.  A user logs on with a username and password and their restriction list is downloaded.

Each site visited by Internet Explorer is compared against a database that categorizes sites based upon content (e.g., shopping, news, personal, adult, etc.) and users are only allowed to view sites within approved categories.

Sites that have not been categorized can be blocked or viewed based upon the individual user's settings that are applied by their administrator.  Since the restriction lists are downloaded each time a user logs on I have not found a way to get around this particular hurdle.

It's not that I wanted to download porn, I just wanted to use MySpace and "personals" are restricted.

The best way to overcome this would be to snag a supervisor's password since they have free access or to find a way to kill the program.  Thus far I have been unsuccessful in killing it, but I never tried too hard either.

Of course, if you're brave and don't mind leaving a trail, you could always download Firefox over an FTP connection.  Telnet to port 21 gets you the FTP control channel and lets you talk to the server by hand, but the file itself travels over a separate data connection, so in practice the built-in ftp.exe client (or a script driving it) does the actual transfer.

If you intend to do this, I suggest burying the program files deep in the directory structure and launching via an unassuming script in the System32 or some other clogged directory.

You might also want to dig the uninstall data out of the registry (the program's key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) so it doesn't show up in the "Add/Remove Programs" control panel.  See, they'll trace the timestamp on the program directory back to who was using the computer at that date and time, and unfortunately the system clock is fairly well protected.

Moving on to the more interesting section, where we discuss the cellular PC cards and how they reach the Internet.  The region I am most familiar with used Cingular as its wireless provider and Sony Ericsson GC83 EDGE PC cards.

I'm not sure why, but they refuse to use the most recent firmware versions.  Rumor has it someone somewhere had a problem with a firmware version and had to downgrade to fix the problem.

Of course, two or three new versions have come out since then and AMR has yet to upgrade to them.  What I find particularly interesting is that the Cingular network hands the cards addresses that all fall within one small block (a /24, a "Class C" in the old terminology).

Couple this with RealVNC on every AMR computer and you have a gaping security hole.  If someone were to snag the company VNC password (I believe they have only two passwords - one for workstations and one for servers) they could scan the Cingular network, assuming they have a Cingular card and are in the same region, and find a computer with port 5900 open.  This does assume the carrier routes traffic between its own subscribers' devices rather than isolating them, which is worth confirming before counting on it.

The advantage of the addresses coming from a single /24, for those who haven't figured it out, is that there are only 254 candidates to scan to find an AMR computer.  But there is another way you can isolate an AMR computer on this network.

As previously mentioned, AMR uses a Microsoft Access database front-end developed in-house to chart patient data.  They have dubbed the program MEDS.  It stands for Multi-EMS Data System.

The database is unencrypted so any user can poke around in all of the tables, provided they can figure out how to launch MSACCESS.EXE.

This is handy because the configuration data, including the ports the program uses for sending and receiving, lives in those same tables.  Browse around, note which ports are currently in use, and filter your port scan results for addresses with both the MEDS port and port 5900 open.  Any computers you find will most likely be AMR's.
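The host-isolation step just described, as an added example rather than AMR's or the article's own code: enumerate the carrier's block, TCP-connect probe each host, and keep only those with both port 5900 and the MEDS port open.  The MEDS port is whatever you read out of the configuration tables, so it is a parameter here; the loopback listeners exist only so the script runs offline, standing in for a VNC and a MEDS service.

```python
"""Pick hosts that expose both VNC (5900) and the MEDS listener out of a
small address block.  Added example for this article, not AMR's code."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

VNC_PORT = 5900


def hosts_in(cidr):
    """Every host address in the block; a /24 yields 254 candidates."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def port_open(host, port, timeout=0.5):
    """TCP connect probe: a completed handshake means something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def scan(hosts, ports, workers=64):
    """Map each host to the subset of `ports` that accepted a connection."""
    def probe(host):
        return host, {p for p in ports if port_open(host, p)}

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, hosts))


def likely_meds_hosts(results, meds_port, vnc_port=VNC_PORT):
    """Hosts with BOTH the VNC port and the MEDS port open: the fingerprint
    the article describes for spotting AMR notebooks in the carrier's block."""
    wanted = {vnc_port, meds_port}
    return sorted(h for h, open_ports in results.items() if wanted <= open_ports)


def start_listener(port=0):
    """Loopback TCP listener used only so the example runs offline (a stand-in
    for a VNC or MEDS service); port 0 asks the OS for any free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(8)
    return srv


if __name__ == "__main__":
    # Offline demo: two listeners on loopback play VNC and MEDS; port 1 is closed.
    vnc, meds = start_listener(), start_listener()
    vnc_port, meds_port = vnc.getsockname()[1], meds.getsockname()[1]
    found = scan(["127.0.0.1"], [vnc_port, meds_port, 1])
    print(likely_meds_hosts(found, meds_port, vnc_port=vnc_port))  # ['127.0.0.1']
    vnc.close()
    meds.close()
```

Against a real block you would call scan(hosts_in("x.x.x.0/24"), [5900, meds_port]) and feed the result to likely_meds_hosts; the connect probe is noisy and fully logged on the target, which is the point the author makes about traceability.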

Exploring MEDS even more turns up a few other interesting little quirks.

The data entered into MEDS is stored in separate access tables with a Patient Care Reporting (PCR) ID referencing the individual chart each piece of information is associated with.  For instance, there is a table titled MED_C that contains the list of patient medications typed in by a user (medications selected from a drop down list are stored in a separate table).

Each row has three columns.  The first is the default primary key (an autonumber that increases by one per row), the second is the PCR ID (unique only on that computer), and the third is the actual text entered by the user.

So to find a patient's personal information you need only run a query of the appropriate tables and match the patient's name, date of birth, address, phone number, and Social Security number based on the PCR ID.

It should be noted that failure to protect this information from unauthorized users (which includes an EMT or paramedic authorized to use the system but not authorized to view data entered by another user) is a violation of federal law - see the HIPAA Security Rule's information access management standard, 45 CFR §164.308(a)(4), which requires that users be prevented from accessing electronic protected health information they do not need in order to perform their duties.

Basically, you should not be able to view patient data you did not personally enter, but you can.  But to really get at the data it's best to just steal the whole database, something else you should definitely not be able to do.
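The join on the PCR ID described above, and the per-user filter that the minimum-necessary rule calls for, as an added example built on SQLite rather than Access (this is not MEDS code): MED_C and the PCR ID come from the article; the PCR table name, its columns, the entered_by field and the sample rows are assumptions constructed for the demo.

```python
"""Joining MEDS-style tables on the PCR ID, and the row filter that should
have been there.  Added example for this article, not MEDS code; the PCR
table, its columns, entered_by and the sample rows are assumptions."""
import sqlite3


def build_sample_db():
    """In-memory stand-in for the unencrypted MEDS.mdb, with constructed data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PCR (
            pcr_id       INTEGER PRIMARY KEY,   -- unique only on this computer
            entered_by   TEXT NOT NULL,         -- assumed: user who wrote the chart
            patient_name TEXT,
            dob          TEXT,
            ssn          TEXT
        );
        CREATE TABLE MED_C (
            id       INTEGER PRIMARY KEY AUTOINCREMENT,   -- the default key
            pcr_id   INTEGER NOT NULL REFERENCES PCR(pcr_id),
            med_text TEXT                                 -- free-typed medication
        );
        INSERT INTO PCR VALUES (1, 'medic_a', 'Patient One', '1950-01-01', '000-00-0001');
        INSERT INTO PCR VALUES (2, 'medic_b', 'Patient Two', '1962-05-05', '000-00-0002');
        INSERT INTO MED_C (pcr_id, med_text) VALUES
            (1, 'metoprolol 50 mg'), (1, 'lisinopril 10 mg'), (2, 'albuterol inhaler');
    """)
    return con


JOIN = """
    SELECT p.pcr_id, p.patient_name, p.dob, p.ssn, m.med_text
      FROM PCR p JOIN MED_C m ON m.pcr_id = p.pcr_id
"""


def dump_everything(con):
    """What the article describes: anyone who can open the MDB joins every
    table on the PCR ID and reads every patient's identifiers."""
    return con.execute(JOIN + " ORDER BY p.pcr_id, m.id").fetchall()


def charts_for_user(con, user):
    """Minimum-necessary access (45 CFR 164.308(a)(4)): a user sees only the
    charts they entered.  Parameterized, so the user name cannot inject SQL."""
    return con.execute(JOIN + " WHERE p.entered_by = ? ORDER BY p.pcr_id, m.id",
                       (user,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in dump_everything(db):
        print("unrestricted:", row)
    for row in charts_for_user(db, "medic_a"):
        print("medic_a only:", row)
```

The filter in charts_for_user is only meaningful where the user cannot step around it.  On a notebook that hands the whole unencrypted MDB to anyone who can start MSACCESS.EXE, a restricted query is decoration; the data has to live on a server that enforces the check, or be encrypted on the client so the file alone is useless.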

A standard user can run the built-in FTP client (or telnet), open a connection to an FTP server, and upload C:\Program Files\MEDS\MEDS.mdb (sometimes the file name includes a version number).

Older versions of MEDS created a file in the root directory titled PCRDATA with no file extension.  This file held all of the PCR data on the system in plain text, another grievous HIPAA violation.

Today the file is encrypted, a step that took only four or five years to implement.

As you can see, by doing things in-house and under-budgeting their projects AMR has left itself open to some pretty costly lawsuits.  With the private ambulance industry becoming more and more competitive, they have really taken some big chances with this program.

Consider the fact that some states have mandated public reporting of security breaches in publicly traded companies, mix it with the generally very competitive public bidding process that EMS agencies are typically required to go through every few years for their ambulance provider contracts, and throw in a little industrial espionage... see where I'm going?

AMR has opened itself to simple espionage tactics by making it incredibly easy for a corporate spy to get hired on as a field employee, steal protected personal data stored on a field system, and let it be known that the data was stolen.

AMR would then be required to contact every person whose personal information was compromised and inform them of such and make a public announcement reporting the breach.  Something of that nature happening during a contract bid would be devastating to the company, which is already losing bids across the nation.

That's pretty much all of the goodies I picked up regarding the computers, but here are some fun vehicle facts for those of you unfortunate enough to be working for the giant:

1.)  If you're tired of hearing the seat belt reminder ding at you all the time you can disable the Ford BeltMinder feature quite easily.

Simply turn the ambulance off, keep all of the doors closed, set the parking brake, turn off the headlights and do the following:

Insert the key and turn it forward to the first position, but do not start the engine.  After about a minute the little guy wearing his seat belt (the seat belt light) will appear on the cluster panel (dashboard).  You now have 30 seconds to buckle and then unbuckle your seat belt ten times.  After the tenth time the light will flash four times, indicating the function has been disabled.  Now buckle and unbuckle one more time.  Congrats, it will now leave you alone.

Each year is different so play around with it.  I found this information on Google, so you should be able to as well.  Sorry for those who have RoadSafety.  This won't work for you.

2.)  If you don't like being dinged at for having the door open, or having the light on, it's pretty easy to disable this feature too.

First, you should know that when the door is open the circuit is closed by the door pin.  So disconnecting the door pin will make the vehicle computer think the door is always closed.  To do this, just pull really hard (I was able to do it with bare fingers) on the door pin itself.  When it comes out, simply disconnect the wires and then reinsert the pin into the door jamb.  Done.

3.)  Finally, to shut up that lady who blabs at you while you're backing up just take a look at the little speaker behind the driver's head.  On one side is a tiny little switch.  Flip it and she'll be no more.

None of these little workarounds damages or vandalizes the vehicle in any way, so have at it.

And for God's sake, find a company with a soul to work for.  Peace!
