♪ preroll music ♪

Angel: The next talk will start now

and will be 'Unpatchable -

living with a vulnerable
implanted device'

by Dr. Marie Moe and Eireann Leverett.

Give them a warm round
of applause please.

<i>applause</i>

<i>heart monitor beep sounds start</i>

So, we are here today

to talk to you about a subject

that is really close to my heart.

I have a medical implant.

A pacemaker, that is generating

every single beat of my heart.

But how can I trust my own heart,

when it's being controlled by a machine,

running a proprietary code,

and there is no transparency?

So I'm a patient,

but I'm also a security researcher.

I'm a hacker, because I like

to figure out how things work.

That's why I started a project

on breaking my own heart,

together with Eireann

and a couple of friends.

Because I really want to know

what protocols are running

in this machine inside my body.

Is the crypto correctly implemented?

Does it even have crypto?

So I'm here to inspire you today.

I want more people
to hack to save lives.

Because we are all becoming

more and more dependent on machines.

Maybe some of you in the audience

also have medical implants,

maybe you know someone

that's also depending on
medical implants

Imagine that this is your heartbeat

and it's being controlled by a device.

A device, that might fail.

Due to software bugs,

due to hardware failures.

<i>additional background sound:
real heartbeat</i>

Wouldn't you also like to know

if it has security vulnerabilities?

If it can be trusted?

<i>sounds stop</i>
<i>beeeeep</i>

E: Something to think about, right?

M: Yeah.

E: Marie is an incredibly
brave women.

When she asked me to give this talk

it made me nervous, right?

It's such a personal story.

Such a journey as well.

And she's gonna talk to you

about a lot of things, right?

Not just hacking medical devices

from a safety point of view

but also some of the
privacy concerns,

some of the transparency concerns,

some of the consent concerns.

So, there's a lot to get trough

in the next hour.

But I think you're gonna enjoy it

quite a lot.

M: So, let me tell you

the story about my heart.

So, 4 years ago

I got my medical implant.

It was a kind of emergency situation

because my heart was starting to beat

really slow,

so i needed to have the pacemaker.

I had no choice.

After I got the implant,

since I was a security researcher,

of course I started to

look up information about how it worked.

And I googled for information.

I found a technical manual

of my pacemaker

and I started to read it.

And i was quite surprised

when I learned that

my pacemaker has 2 wireless interfaces.

There is one interface, that is really

close field communication,

near field communication

that is being used when I'm at checkups

at the hospital,

where the technician,

the pacemaker technician or doctor

uses a programming device

and places it

really close to my pacemaker.

And it's possible to use that

communication to adjust the settings.

But it also has another

wireless interface,

that I was not aware of,

that I was not informed of
as a patient.

It has a possibility for remote monitoring

or telemetry,

where you can have an
access point in your house

that will communicate

with the pacemaker

at a couple of meters distance.

And it can collect logs from the pacemaker

and send them to a server

at the vendor.

And there is a web interface

where the doctor can log in

and retrieve my information.

And I have no access the data

that is being collected

by my device.

E: So imagine for a moment

that you are buying a new phone

or buying a new laptop.

You would do your homework, right?

You would understand
what interfaces where there.

But in Marie's case she's just

given a device,
and then later she gets

to go and read the manual, right?

So she's the epitome
of a informed consumer

in this space

and we want a lot more
informed consumers

in this space,

which is why we are giving this talk.

Now, I don't know about you,

but I'm used to hacking

industrial systems.

I haven't done as
much medical research

in the past.

So, when I first
started this project

I knew literally nothing

about Marie's heart.

Or even my own.

And she had to teach me
how the heart works

and how her pacemaker works.

So, would you mind explaining

some details to the audience
that will be relevant

through the rest of the presentation?

M: Actually I think
we're going to show you

a video of
how the heart works.

So, it's a little bit of
biology introduction here

before we start
with the technical details.

So, this.. play the video.

Video: A normal heart beat rate

and rhythm is called
'Normal Sinus Rhythm'.

The heart's pumping action

is driven by electrical stimulation

within the heart muscle.

the heart's electrical system

allows it to beat in an

organized, synchronized pattern.

Every normal heart beat

has 4 steps.

Step 1:

As blood flows into the heart

an electrical impulse

from an upper area of the right atrium

also known as the sinus node

causes the atria to contract.

When the atria contract

they squeeze the blood

into the ventricles.

Step 3:

There is a very short pause

only about a fraction of a second.

and Step 4:

The ventricles contract

pumping the blood to the body.

A heart normally beats

between 60-100 times/min.

Electrical signals in your heart

can become blocked or irregular,

causing a disruption

in your hearts normal rhythm.

When the heart's rhythm is too fast,

too slow or out of order,

an arrhythmia,

also called a rhythm disorder occurs.

When your heart beats out of rhythm,

it may not deliver enough blood

to your body.

Rhythm disorders can be caused

by a number of factors

including disease, heredity,

medications or other factors.

E: So for those of you
who are already aware of that,

apologies.

But I needed to learn that.

I needed to learn the basics

before we even got started, right?

So...

M: So this is a diagram of the

electrical system of the heart.

So, as you see,
this is the sinus node

that is generating the pulse.

And in my case

I had a problem with the signal

being generated by the sinus node

not reaching the lower
heart chamber.

It's something called an AV block
or a heart block

So, occasionally this will cause

an arrhythmia that makes
the heart pause.

If you don't have a heart beat

for, like ... 8-10 seconds,

you lose your consciousness.

And that was, what happened to me.

I just suddenly found myself

lying on the floor

and I didn't remember how I got there.

And it turned out that it was my heart

that had taken a break.

So that's how I discovered

that I had this issue.

So, this is where the signal is blocked

on the way down to the lower heart chamber

But there's a backup function

in the heart that can make

a so called backup pulse.

And I had that backup pulse

when I went to the
emergency room.

So I had a pulse
around 30-40 beats/min.

And that's generated by some cells

in the lower heart chamber.

So, after I got the pacemaker

my heart started to become

a little bit more lazy.

So it is not certain,

that I will have this backup pulse

anymore if the pacemaker
stops working.

So currently

my heart is 100% running
on the pacemaker.

So, let's also look at
how the pacemaker works.

I have another video of that.

So, this is my little friend

that is running my heart.

Video: A pacemaker
is a miniaturized computer

that is used to treat
a slow heart beat.

It is about the size

of a couple of stacked silver dollars

and weights approximately 17-25 grams.

It is usually surgically placed

or implanted just under the skin

in the chest area.

The device sends
a tiny electrical pulse

down a thin coated wire,

called a lead, into your heart.

This stimulates the heart to beat.

This impulses are very tiny

and most people
do not feel them.

While the device
helps your heart

maintain its rhythm,

it also stores information

about your heart that can be

retrieved by your doctor

to program the device.

E: Remember that!

M: Yeah... Did you see

the ones and zeros at the end

of the video?

That's what we want
to know more about.

Because this information

that is being collected
by the pacemaker,

how it works,

how the code looks like,

it's all closed source,

it's all proprietary information.

And that's why we need more

security researchers,

we need more 3rd party testing,

to be sure that we can trust this code.

E: And you can imagine that

we're doing some of
this research as well.

But I'm not gonna break
Marie's heart on stage,

I'm not gonna drop 0-day

on some medical devices,

so if you came for that,

it's not worth staying.

The rest of the presentation

will be about some of
the things we found

and how this works and

how you might approach this research.

And some of the people
who did this research before,

because there's plenty of others,

and we like to give a shout-out

to those who've done
great research in advance.

But essentially this point is

very relevant.

That the internet
of medical things

is already here.

And Marie is wired into it.

She's a bit younger than the average

pacemaker patient, but, you know,

she was thrust into this situation

where she had to think about things

in a very different way.

Like, you did a Masters,
breaking crypto,

and also a PHD in Information Security.

Did you imagine, that
things you learned

about SSH and
network security

might one day apply to your
heart and your own body?

M: No, I never
figured out that

my research would eventually
end up inside my own body.

That's something I never
thought about.

And also, there's a lot of

people that don't think about

how the medical devices
actually work.

So, when I asked this question

to health care professionals

they look at me like I'm crazy,

they don't ... they have never
thought about this before.

That there's actually code
inside my body

and someone has
programmed it,

someone has
written this code.

And, did they think
about, that this

would actually control
someone's life,

and be my own personal
critical infrastructure?

E: Yeah, personal
infrastructure, right?

On a physical level.

And also, I think, it's...

You know, the point that you made
is important to reiterate,

that you go and see your doctor

and you ask these questions about

whether anyone can hack into my heart

and they probably look
at you and go like

'Don't you worry your pretty
little head about that', right?

But Marie used to head up

the Norwegian computer
emergency response team

for a couple of years

and knows a lot of hackers

and knows what she's
talking about, right?

So, when she asked her doctor
these questions,

they're very legitimate questions.

And the doctors probably
don't know anything about code,

but they need to move
towards a place

where they can answer
those questions with some

honesty and certainty and
treat them with the dignity

that they deserve.

Should we show them
a little bit more

about the total ecosystem
of devices

that we are talking about,
at least in this particular talk?

M: Yeah.

E: So, this was
all new to me.

I mean I've moved around
in networks and done some

penetration testing and
some stuff in the past,

but I didn't know much about
implantable medical devices.

So, we've got a couple
of them there.

The ICD, which is the
in-cardio-defibrillator,

that's some of the work
that you saw from Barnaby Jack

which we will mention later,

was on those particular devices,

We've got the pacemakers
and of course other devices

could be in this diagram as well.

Like, we could be talking
about insulin pumps

or other things in the future.

The device itself speaks
to box number 2,

which we will tell you a little bit
more about in a moment,

using a protocol, commonly
referred to as 'MICS'.

A number of different
devices use this

Medical Implant
Communication Service.

And Marie shocked me yesterday

when she found
a couple devices

that potentially use Bluetooth. <i>sighing</i>
<i>laughter</i>

So, would you like to tell them
a little bit more about the access point,

and I'll join in?

M: Yeah, so, the access
point is the device

that you can typically have
on your bed stand

and that will, depending
on your configuration,

contact your pacemaker
as regular intervals,

e.g. once during the night.

It will start a communication
with the pacemaker,

couple of meters distance,

and will start
collecting logs.

And this logs will
then be sent,

it can be via SMS
or other means,

to a server.

So, there's a lot of my
personal information

that can end up different
places in this diagram.

So, of course it's
in my own device,

it will be then communicated
via this access point

and also then

via the cellular network.

And then it will also be stored
in the telemetry server.

Potentially when I go
for the checkups

my personal information will
also end up in my

doctor workstation

or in the electronic
patient records.

And there's a lot of things
that can go wrong there.

E: Yeah, you
can see, it's using

famously secure methods
of communication

that have never been backdoored or
compromised by anyone ever before,

even here at this conference,
probably even this time around.

So these are some things
that are concerning.

The data also travels often
to other countries

and so there are questions
about the jurisdiction

in terms of privacy laws
in terms of some of this data.

And some of you can go and
look deeper into that as well.

The telemetry store thing
I think is important,

some of this is a telemetry store,
such as the server at the vendor.

So the vendor owns some
machines somewhere

that collect data
from Marie's heart.

So you can imagine she goes to see her
doctor and the doctor is like:

'Hey, Marie, last weekend, did you, ...
run a half marathon or something?'

And she hasn't told him, right?

Like, he just can look
at the data and see,

that her heart rate was up
for a couple hours.

That's true though, right? You
did actually run a half marathon.

M: Yeah, I did run a half marathon.
<i>laughing</i>

E: So, the telemetry
store is one part,

but there's also the
doctors work station

which contains a lot of
this medical data.

So, from privacy perspective
that's part of the attack surface.

But there's also the programmers, right?

There's the device's programmers.

So that's an interesting point, that
I hope a lot of you are interested in

already, that there
is a programmer

for these devices.

M: So, we actually
went shopping on eBay

and we found some
of these devices.

E: You can buy them on eBay?

M: Yeah.
E: <i>laughing</i>

M: So, I found
a programmer

that can program
my device, on eBay

and I bought it.

And I also found a couple of
these access points.

So, that's what we're
now starting to look at.

E: We just wanna to give
you an overview of this system,

and it's fairly similar across the
different device vendors,

and we're not going to talk
about individual vendors.

But if you're gonna go and
do this kind of research

you can see that some of the research
you've already done in the past

applies to different parts
of this process.

M: And talking about
patient privacy,

when we got the
programmer from ebay

it actually contained
patient information.

So, that's the
really bad thing.

E: So, I found
this very odd.

I had a similar reaction
to yourselves because

I usually do industrial
system stuff.

One of my friends picked up
some PLCs recently and

they had data from the nuclear plant,
that the PLCs had been used in.

So, decommissioning is a problem
in industrial systems

but it turns out also
in medical devices, right?

I guess that's a useful point
to make as well,

about the costs of doing
this kind of research.

It is possible to get some
devices, some implants

from people who have sadly
passed on,

but that comes with a very high
cost of biomedical decontamination.

So that raises the cost
of doing this research

on the implants themselves,
not necessarily on the rest

of the devices.

M: Yeah, so, also want
to say, that in this research

I had not have not tinkered
with my own device.

So, that would not be a good thing ...

E: You're not gonna let me,
like, SSH into your heart and just ...

M: Um.. No.
E: ... just delete some stuff.. No?

M: No.
E: I wouldn't do it anyway,

but it's an interesting point, right?

So, like, there are a lot of
safety percussions

that we and the rest
of the team have to take

when we are doing this research.

And one of them is
not pairing Marie's pacemaker

with any of the devices
that are under test.

Do you wanna say a bit more
about connectivity and vulnerability?

M: Yeah, so...

I was worried
when I discovered that

I had this possible connectivity
to the medical internet of things.

In my case this is switched off
in the configurations

but it's there.

It's possible to turn it on,
it's possible for me to be

hooked up to the,
this internet of medical things.

And for some patients
this is really benefit.

So you always have to make
a risk-based decision

on whether or not to
make use of this

connectivity.

But I think it's really important
that you make an informed decision

about that and that the patient

is informed and has given
his or her consent

to have this feature.

The battery lifetime of my pacemaker
is around 10 years.

So in 6 years time

I will have to have a
replacement surgery

and I'm going to be
a really difficult patient <i>laughing</i>

<i>laughter</i>

So, ...
<i>applause</i>

E: Right on.

M: I really want to know

how the devices work
by then and

I want to make an informed
decision on whether or not

to have this connectivity.

But of course for lot of patients
the benefit of having this

outweighs the risk.

Because people that had other
heart problems than me

they have to go for more
frequent checkups.

I only have to go once a year.

So, for patients that need to go
frequently for checkups,

it's really good for them
to have the possibility

of having telemetry and
having connectivity to

have remote patient monitoring.

E: Yeah, imagine you
have mobility problems or

you even just live far

from a major city.

And making the journey
to the hospital is quite arduous,

then this kind of remote
telemetry allows your doctor

to keep track of
what's going on.

And that's very important,
we don't wanna, like...

have a big scary testosterone
filled talk where we, like,

hack some pacemakers.

We wanna talk about
how there's a dual use thing

going on here.

And that there is a lot of value
in having this devices

but we also want them to be safe
and secure and preserve our privacy

and a lot of other things.

So, these are some
of the issues.

Of course the last one,
the remote assassination scenario,

that' s everyone favorite one
to fantasize about

or talk about, or make
movies about, but

we think there's a lot of
other issues in here

that are more interesting,

some quality issues even, right,

that we'll talk about
in a little bit.

Battery exhaustion,

again something many people
don't think about. But...

I'm very interested in
cyber-physical exploitation

and so some of this elements
were interesting to me

that you might use the device
in a way that wasn't expected.

M: So personally I'm not afraid
of being remotely assassinated.

E: I've actually never known
you to be afraid of anything

M: <i>laughing</i>

I'm more worried about
software bugs in my device,

the things that can malfunction,

E: Is that just theoretical?

M: No, actually software bugs

have killed people.

So, think about that!

People that are not here,

they don't have their voice
and they can't really

give there story.

But there are stories about persons
depending on medical devices

dying because their
device malfunctioned.

E: There's even some
great research

from academics about
how the user interface design

of medical devices can have
an impact on patients safety

and how designing UX

much more clearly
and concisely

specifically for the
medical profession

might improve
the care of patients.

Do you wanna say more
about this slide or should we

go on to the previous work,
should we... go ahead!

M: Yeah, I think it's really
important also to...

the issue of trusting the vendors.

So, as a patient I'm
expected to just, you know,

trust, that my device
is working correctly,

every security vulnerability
has been corrected by the vendor

and it's safe.

But I want to have more
third party testing,

I want to have more security
research on medical implants.

And as a lot things, like ...
history has shown

we can't always trust that
the vendors do the right thing.

E: I think this is a good
opportunity for us to ask

a very fun question, which is:

Any fans of DMCA in the room?

<i>laughter</i>

No? No fans? Alright.

Well, you then you'll really enjoy this.

Marie has some very exciting news
about DMCA exemptions.

M: Yeah, so... October, this year

there was a ruling of
an DMCA exemption for

security research
on medical devices

also for automotive security research.

So, this means, that

as researchers you can

actually do reverse engineering
of medical implants

without infringing copyright laws.

It will take effect
I think October next year.

E: Yeah.
M: That is really a big

step forward in my opinion.

And I hope that this will
encourage more research.

And I also want to mention
that there are

fellow activist patients
like myself

that was behind that proposal
of having this exemptions.

So, Jay Radcliff who hacked
his own insulin pump,

Karen Sandler, who is a free and
open software advocat.

And Hugo Campos, who has
an ICD implant, he is very ...

he wants to have access
to his own data

for quantified self reasons.

So this patients,
they actually

made this happen,
that you're allowed to do

security research
on medical devices.

I think that's really great.

<i>applause</i>

E: Do you wanna say something
about Scott Erven's presentation

that you saw at DEF CON?

M: Yeah, that was a really
interesting presentation about

how medical devices have
really poor security.

And they have, like,
hard coded credentials,

and you can find them
using Shodan on the internet.

This were not pacemakers,
but other types of

different medical devices.

There are, like, hospital networks
that are completely open

and you can access
the medical equipment

using default passwords that
you can find in the manuals.

And the vendors claim that

no, these are not hard coded,
these are default,

but then the manuals say:
Do not change this password...

E: Because they want to
integrate with other stuff, right? So...

I've heard that excuse from SCADA,
so I wasn't having it.

M: They also put up some
medical device honeypots

to see if there were
targeted hacking attempts

but they only picked up regular malware
on them, which is also ...

E: Only!
M: ... of course of a concern <i>laughing</i>

E: Anything else,
about prior art, Kevin?

M: I guess we should mention
that the academic research

on hacking pacemakers,
which was started by

a group led by Kevin Fu

and they had this
first paper in 2008

that they also followed up
with more academic research

and they showed that it's
possible to hack a pacemaker.

They showed that...
this was possible on a, like

a couple of centimeters
distance only,

so, like, the attack scenario
would be, if you have a

device similar to the
programmers device

and you attack me with it
you can <i>laughing</i>

turn off my pacemaker.

That's not really scary,

but then we have the research
by Barnaby Jack

where this range of the attack
is extended to several meters

so you have someone with
an antenna in a room

scanning for pacemakers

and starting to program them.

E: We have a saying
at Cambridge about that.

Some of the other people at the
university have been doing attacks

a lot longer than I have, and
one of the things they say is:

'Attacks only get worse,
they never get better.'

So, the range might be short one year,
then a couple of years later it's worse.

M: The worst case scenario
I think would be remotely,

via the internet being able to
hack pacemakers.

but there's no research so far
indicating that that's possible.

E: And we don't wanna
hype that up. We don't wanna...

M: No.
E: ... get that kind of an angle

on this talk. We wanna make the
point that hacking can save lives,

that hackers are global citizen's
resource to save lives, right? So...

M: Yeah, so, this is the result
of hacking of the drug infusion pumps.

Earlier this year

the FDA actually issued the first ever
recall of a medical device

based on cyber security concerns.

E: I think that's amazing, right?
They've recalled products

because of cyber security concerns. They
used to have to wait until someone died.

In fact, they had to show
something like 500 deaths

before you could recall a product.
So now they can ...

the FDA, at least in the US,
they can recall products

just based on security
considerations.

M: So, this is also,

I guess the first example
of that type of pro-active

security research,
where you can

make a proof of concept
without killing any patients

and then that closes
the security holes.

And that potentially
saves lives.

And no one has been hurt
in the research.

I think that's great.

E: I'm also really excited
because we give a lot of presentations

about security that are filled with
doom and gloom and depression,

so it's nice to have two major victories
in medical device research

in the last few years.
One being the DMCA exemptions

and the other being
actual product recalls.

M: Yeah, and the FDA are starting
to take these issues seriously and

they are really focusing on the cyber
security of medical implants now.

I'm going to go to a workshop
arranged by the FDA in January

and participate on a panel discussing
cyber security of medical implants.

And it's great to have this
type of interaction between

the security committee, medical
device vendors and the regulators.

So, things are happening.

E: Yeah. How do you feel
as an audience,

are you glad that she's going to be
your representative in Washington

for some of these issues?

<i>applause</i>

And we want you to get
involved as well, right?

This is not just about Marie
and myself and the other people

who worked on this
project, it's meant say

you too can do this research.
And you should be.

You have to be a little sensitive,
a little bit precise and articulate

about concerns.

We take some inspiration from the
former research around hygiene.

Imagine the first time some scientist
went to some other scientist and said

'There is this invisible stuff,
and it's on your hands,

and if you don't wash your hands
people get infections!'

And everyone thought
they were crazy.

Well, it's kind of the same with us
talking about industrial systems

or talking about medical devices
or talking about hacking in general.

People just didn't, sort of,
believe it was possible at first.

And so we have to articulate ourselves
very, very carefully.

So, we draw inspiration from
that early hygiene movement

where they had a couple simple rules
that started to save people's lives

while they explained germ theory
to the masses.

M: Yeah, so, this type of research
is kind of low hanging fruits

where you just, so...

what we show here is an example,

where there's a lot of medical
device networks in hospitals

that are open to the internet
and that can get infected

by normal type of malware,
like banking trojans or whatever.

And this is potentially a safety issue.

So, if your MR scanner or some other

more life-critical device
is being unavailable because of

a virus on it,

that's a real concern for patient
security and safety.

So we need to think more about
the hygiene also in terms of

computer viruses, not only
just normal viruses.

E: Yeah. So, you know, some
times people will treat you like

this is an entirely theoretical
concern, but

I think this is one of the best
illustrations that we've found

of how that should
be a concern,

and I think all of you will get it,

but I wanna give you a moment to kind of
read what's about to come up on the slides.

So I'll just let you enjoy
that for a moment.

So if it's not clear or it's not your
first language or something,

this guy basically sharded patient data
across a bunch of amazon clusters.

And then it was unavailable.
And they were very concerned

about the unavailability of their
costumer patient data

sharded across amazon instances.

He was complaining to support, like
'Can I get support to fix this?' <i>laughing</i>

M: So, all the data of the ...

... the monitoring data of the cardiac
patients is unavailable to them

because of the service
being downed.

And, well, do you want to outsource your
patient's safety to the cloud? Really?

I don't want that.
Okay.

E: I wanna get into some other details.
We have sort of 10 min left if we can ...

so we can have a lot of questions,
and I'm sure there will be some.

But I want you to talk to them about
this very personal story.

This is... Remember before, when we
said, is this stuff theoretical?

I want you to pay a lot of
attention to this story.

It really moved me
when she first told me.

M: I know how it feels to have
my body controlled by a device

that is not working correctly.

So, I think it was around 2 or 3
weeks after I had the surgery.

I felt fine.

But I hadn't really done
any exercise yet.

The surgery was pretty easy,
I only had 2 weeks sick leave

and then I came back to work

and I went to London

to participate in a course
in ethical hacking and

I did take the London Underground
together with some of my colleges

and we went of at this station
at Covent Garden

And I don't know if you
have been there but

that particular station is
really low underground.

They have elevators that you
can use to get up,

but usually there are, like,
long queues to the elevators...

E: You always have to do
things the hard way, right?

M: You had to take the stairs, or

they were just heading for the stairs
and I was following them and

we were starting to climb the stairs and
I didn't read this warning sign, which is:

'Those with luggage, pushchairs &amp; heart
conditions, please use the lift' <i>laughing</i>

Because I was feeling fine,

and this was the first time that I
figured out there's something wrong

with my pacemaker or with my heart.

Because I came like
half way up this stairs

and I felt like I was going to die.

It was a really horrible feeling.

I didn't have any more breath left,

I felt like I wasn't able
to complete the stairs.

I didn't know what was
happening to me, but

somehow I managed to
drag myself up the stairs

and my heart was really...

it didn't feel right.

So, first thing when I came
back from this course

I went to my doctor

and we started to try
debug me, tried to find out

what was wrong with my pacemaker.

And this is how that looks like.
E: <i>laughing</i>

M: So, there's a stack
of different programmers

- this is not me by the way, but it's
a very similar situation.

E: And we'll come back to those
programmers in a moment.

M: Yeah.
E: But the bit I want you

to focus on is, like, they're
debugging your pacemaker?

Inside you?
M: Yeah, I didn't know

what was happening
at the time.

We were just trying to
get the settings right

and it took like 2 or 3 months before
we figured out what was wrong.

And what happened was, that my
operate limit was set to low for me,

for my age. So, the normal pacemaker
patient is maybe around 80 years old

and the default operate
limit was 160 beats/min.

And that's pretty low for
a young person.

E: So, imagine, like, you're younger
and you're really fit and you know

how to do something really well,
like swimming or skiing or skateboarding

or whatever. You're fantastic at it.
And then a couple years go past

and you know, you gain some weight
and you're not as good at it, right?

But now imagine that
happens in 3 seconds.

While you're walking
up a set of stairs.

M: So, what happens is that
the pacemaker detects

'Oh, you have a really high pulse'.
And there's a safety mechanism

that will cut your pulse in half ...
E: In half!

<i>laughter</i>
M: <i>laughing</i> So in my case it went

from 160 beats/min to 80 beats/min.
In a second, or less than a second,

and that felt really, really horrible.

And it took a long time
to figure out what was wrong.

It wasn't until they put me on
an exercise bike and

had me on monitoring that they
figured out what was wrong, because

the thing was, that what was displayed
on the pacemaker technician's view

was not the same settings that
my pacemaker actually had.

There was a software bug in the
programmer, that caused this problem.

E: So they thought they had updated
her settings to be that of a young person.

They were like
'Oh, we've already changed it'.

But they lost the view. They couldn't
see the actual state of the pacemaker.

And the only way to figure that out
was to put her on a bike

and let her cycle until her
heart rate was high enough.

You know, literally physically
debugging her to figure out

what was wrong.

Now stop and think about whether or not
you would trust your doctor

to debug software.

<i>laughter</i>

So, say a little bit more about those
programmers and then we'll move on

towards the future.

M: Yeah, so, we got hold of one of these
programmers, as mentioned

and looked inside it.

And, well, we named this talk
'Unpatchable', because

originally my hypothesis was that,
if you find a bug in a pacemaker

it will be hard to patch it.

Maybe it would require surgery.

But then when we looked
inside the programmer

and we saw that it contained firmware
for pacemakers we realized that

it's possible to actually patch the
pacemaker via this programmer.

E: One of the other researchers
finds these firmware blobs inside

the programmer code and, like,
my heart stopped at that point, right?

I was just going 'Really, you can just
update the code on someones pacemaker?'

We also wanna say something
about standardization.

Look at all those
different programmers.

Someone goes into a hospital
with one of these devices

they have may different programmers
so they have to make an estimation

of which... you know, which
programmer for which device.

Like, which one are you running.

And, so, some standardization
would be an option <i>laughing</i>

perhaps, in this case.
M: Yeah.

E: Alright. So, we gonna need
to move quickly through

the next few slides to talk
to you about the future,

but I hope that drives home that
this is a very real issue for real people.

M: So, pacemakers are evolving and
they are getting smaller

and this is the type of pacemaker
that you can actually implant

inside the heart.

So, the pacemaker I have today
is outside the heart and it has

leads that are wired to my heart.

But in future they are getting
smaller and more sophisticated and

I think this is exciting!

I think that a lot of you,
also in the audience will

benefit from having this type of
technology when you grow older

and we can have longer lives and
we can live more healthier lives

because of the technology
E: And keep in mind, right?

Some of you may already have devices
and already have this issues,

but others of you will think 'Ah, that
won't happen to me for quite a long time'

But it can be a sudden thing, that,
you know, you don't necessarily

have a choice to run code
inside your body.

Which OS do you wanna implant?
<i>laughing</i>

You wanna tell them about the..

M: This is also a quite exciting

maybe future type of implants
that you can have.

So, this is actually a cardiac sock,
it's 3D-printed and it's making

a rabbit's heart beat outside
the body of the rabbit.

So, there's a lot of technology
and sensors and things that

are going to be implanted
in our bodies

and I think more of you will become
cyborgs like me in the future

E: And there's a lot of work
that you could be doing.

You know, 3D-printing
this devices,

and open sourcing as much
of this as possible.

There's a lot to say here, right?

I think it's time to address
the really scary issue.

The informed consent issue
around patching, right?

Remember earlier we were
talking about the programmers

and we pointed out that there
were firmware blobs in there

and that these people,
you know, your doctor or nurse

could upgrade the code
running on your medical implant.

Now, is there a legal requirement
for them to inform you,

before they alter the code
that's running inside your body?

As far as we can tell

- and we need to look at a lot of
different countries at the same time,

so we gonna ask you to help us -

as far as we can tell there are not
laws requiring your doctor

to tell you that they are upgrading
the firmware in your device.

M: Yeah, think about that <i> laughs</i>

It's a quite scary thing.

I want to know what's happening
to my implant, the code,

if someone wants to alter the code
inside my body, I would like to know

and I would like to make
an informed decision on that

and give my consent
before it happens.

E: You might even choose a device
where that's possible or not possible

because you're making a risk-based
decision and you're an informed consumer

but how do we help people,
who don't wanna understand

software and firmware and upgrades
make those decisions in the future as well.

Alright.

M: So now, if we're going to go through

all this, but there's a lot of reasons
why we're in the situations of having

insecure medical devices.

There's a lot of legacy technology because
there's a long lifetime of this devices

and it takes a long time
to get them on the market.

And they can be patched,
but in some cases

they are not patched or there are
no software updates applied to them.

We don't have any third party
security testing of the devices,

and that's really needed in my opinion.

E: Right, an underwriters laboratory

or consumer laboratory that's there
to check some of these details.

And I don't think that's unreasonable,
right? That sort of approach.

M: And there's a lack of regulations,
also. So there's a lot of things

that should be worked on.

E: So, there's a lot of
ways to solve this

and we're not gonna give you
<i>the</i> answer, because we're not

geniuses, so we're
gonna say that

these are some different
approaches that we see all

playing in a solution space.

So, vendor awareness is
obviously important, but

that's not the only thing.
A lot of the vendors have been

very supportive and
very open to discussion,

of transparency, that needs to
happen more in the future, right?

Security risk monitoring,
I've been working in the field

of cyber insurance, which I'm sure
sounds like insanity to the rest of you,

and it is, there are bad days.
But that could play a part

in this risk equation in the future.

What about medical incidence response,
right? Or medical device forensics.

M: If I suddenly drop dead
I really would like to have

a forensic analysis
of my pacemaker, to ...

E: Please remember that, all of you!
Like, if anything is going to happen

to Marie... everyone asked that, right?
Like, 'Aren't you afraid of giving this talk?'

And we thought about it,
we talked about it a lot and

she's got a lot of support
from her husband and her son

and her family and a bunch of us.
If anything happens to this woman

I hope that we will all be doing
forensic analysis

of everything.

<i>applause</i>

Cool. So, we'll say a little bit about
'I Am The Cavalry' and social contract

and then we'll wrap it up, okay?

So, 'I Am The Cavalry' does
a lot of grassroots research

and support and lobbying and
tries to articulate these messages.

They have a medical implant
arm that has a bunch of

different researchers doing
this kind of stuff.

Do you wanna say more about them?

M: Yeah, so we are both
part of the Cavalry,

because no one is coming
to save us from the future

of being more depended on
trusting our lives on machines

so, that's why we need to step up
and do the research and

encourage and inspire the research.

So, that's why I joined
'I Am The Cavalry'

and I think it's a
good thing to have

a collaboration effort between
researchers, between the vendors

and the regulators, as they are,
or we are working with.

E: We also think that even if you
don't do reverse engineering

or you're not interested in
security details or the opcodes

that are inside the firmwares
or whatever,

this question is a question that
any of you here can talk about

for the rest of the congress and
going forward into the future.

Right?

This is Marie's, so go ahead.

M: Yeah, so, I really want to know
what code is running inside my body.

And I want to know ...

or I want to have a social contract
with my medical doctors and

my physician that is giving me
this implants.

It needs to be based on a
patient-to-doctor trust relationship.

And also between
me and the vendors.

So I really want to know that
I can trust this machine inside...

E: And we think many of you will
be facing similar questions

to these in the future.

I have questions.
Some of my questions are serious,

some of my questions are
not serious, like this one:

Is the code on your dress
from your pacemaker?

M: No, actually it's from the
computer game 'Doom'.

But ...
<i>laughter</i>

once I have the <i>laughing</i>
code of my pacemaker

I'm going to make a custom-
ordered dress and get it...

E: Which is pretty cool, right?
M: ... get it with my own code.

<i>applause</i>

So, let's wrap up with... what we
want to have of future research.

So, we encourage more research,
and these are some things that

could be looked into.

Like open source medical devices,
that doesn't really exist,

at least not for pacemakers.

But I think that's one way
of going forward.

E: I think it's also an opportunity
for us to mention a really scary idea,

which is, you know, should anyone
have a golden key to Marie's heart,

should there be backdoored
encryption inside of her heart?

We think no <i>laughing</i>
but that...

M: I don't see any reason why
the NSA should be able to

have a back door to my heart,
do you?

E: You would be an extremist,
that's why you don't want them

to have a back door to your heart.
But this is a serious question, right?

If you start backdooring
any kind of crypto anywhere,

how do you know,
where it's gonna end up.

It might end up in medical devices
and we think that's unacceptable.

<i>applause</i>

M: And we should also mention
that we're not doing this alone,

we have other researchers
helping us forward doing this.

Angel: So, thank you very much
for this thrilling talk,

we're now doing a little
Q&amp;A for 10 min,

and for the Q&amp;A please keep in mind
to respect Marie's privacy, so

don't ask for details about

the implant or
something like that.

E: Yeah, the brands and stuff.

We're gonna tell you, what OS
she's running.

Angel: People, who are now leaving
the room, they will not be able

to come back in, because

of measures <i>laughing</i>
<i>laughter</i>

So, let's start with the Q&amp;A!
Let's start with this microphone there.

Q: Hi, first of all thank you very much
for a very fascinating talk.

I'm not going to ask you
about specific vendors.

However, I thought it was very
interesting what you said, that

most vendors were really supportive
I would like to know whether

there have been
exceptions to that rule,

not who it was or anything like that
but what kind of arguments

you may have heard from vendors
e. g. have they referred to anything

such as trade secrets or copyright
or any other legal reasons

why not to give you,
or not to give public access

to information about devices?
Thank you.

E: So, we haven't had any legal
issues so far in this research.

And in general they haven't been
concerned about copyright.

I think they're more concerned
about press, bad press,

and a hype, you know, what
they would see as hype.

they don't wanna see us scaring
people away from these things

with, you know, these stories.

M: Yeah, that's also something
I'm concerned of, of course,

as a patient. I don't want to
scare my fellow patients

from having life-critical
implants in their body.

Because a lot of people need
them, like me, to survive.

So, the benefit clearly
outweighs the risk in my case.

E: But that seems to be their
main concern, like, you know,

'Don't give us too
much bad press'

Angel: Ok, next question
from over there.

Q: Hello. I wanted to ask you, if you
know about any existing initiatives

on open sourcing
the medical devices,

on mandating the open sourcing
of the software and firmware

through the legal system,
in European Union, in United States

because I think I've read
about such initiatives

about 1 year ago or so,
but it was just a glimpse.

M: So, there are some patients
that have reverse engineered their

<i>no audio</i>

(insu)lin pumps. I know, that
there are groups of patients

like the parents of children
with insulin pumps.

They have created
software to be able...

to have an app on their
mobile phone to be able

to monitor their child's
blood sugar levels.

So that's one way of
doing this open source

and I think that's great.

Q: But nothing
in the legal systems,

no initiatives to mandate this,
e.g. on European level?

E: Not so far that we've seen,

but that's something that
can be discussed now, right?

M: I think it's really interesting,
you could look into the legal

aspects and the regulations
around this, yeah.

Q: Thank you.

Angel: Ok, can we have
a question from the internet?

Q: Yes, from the IRC someone asks:

'Does your pacemaker
have a biofeedback,

so in case something bad
happens it starts to defibrillate?

M: No, I don't have an ICD,
so in my case I'm not getting a shock

in case my heart stops.
Because I have a different condition

I only need to have
my rhythm corrected.

But there are other
types of conditions,

that require pacemakers
that can deliver shocks.

Angel: Ok, one question
from that microphone there.

Q: Thank you very much.
At one point you mentioned

that the connectivity in you
pacemaker is off. For now.

And, is that something, that patients
are asked during the process,

or is that something,
patients have to require?

And generally: What role
do you see for the choice

not to have any connectivity
or any security for that matter,

that technology would
make available to you?

So, how do you see the possibility
to choose a more risky life

in terms of trading in
for privacy, whatever?

M: Yeah, I think that's
really a relevant question.

As we mentioned
in the social contract,

I really would like, that the doctors
informed patients about

their different wireless interfaces
and that there's an informed decision

whether or not to switch it on.

So, in my case, I don't
have it switched on and ...

I don't need it, so there's no reason
why I need to have it switched on.

But then, again, why did I get
an implant that has this capability?

I should have had the option of
opting out of it, but I didn't get that.

They didn't ask me, or they
didn't inform me of that,

before I got the implant.
It was chosen for me.

And at that time I hadn't looked
into the security of medical devices,

and I needed to
have the implant,

so I couldn't really make
an informed decision.

A lot of patients that are,
like, older and not so...

that don't really understand
the technology,

they can't make that
informed decision, like I can.

So, it's really a
complex issue

and something that we
need to discuss more.

Angel: Ok, another
question from there.

Q: Yeah, thanks.

As a hacker, connected personally

and professionally
to the medical world:

How can I educate doctors,
nurses, medical people

about the security risks presented
by connected medical devices?

What can I tell them?
Do you have something

from your own experience
I could somehow ...

M: Yeah, so, the issue of
software bugs in the devices

I think is a real scenario
that can happen and ...

E: Yeah, if you can repeat
that story of debugging her,

like, I think, that makes the point.
And then try in adopt that

hygiene-metaphor that we
had before, where, you know,

people didn't believe in germs,
and these problems before,

we're in that sort of era,
and we're still figuring out

what the scope of potential
security and privacy problems are

for medical devices.
In the meantime

please be open to new research
on this subject, right?

And that story is
a fantastic illustration,

that we don't need evil hacker
typer, you know, bond villain,

we just need failure to debug
programming station, properly, right?

Q: Thank you very much.

Angel: Ok, another question
from the internet.

Q: Yes, from the IRC:

'20 years ago it was common,
that a magnet had to be placed

on the patients chest to activate the
pacemakers remote configuration interface.

Is that no longer the case today?'

E: It's still the case with some devices,
but not with all of them I think.

M: Yeah, it varies between the devices,
how they are programmed and

how long distance you
can be from the device.

Q: Thank you for the talk.
I've some medical devices

in myself to, an insulin pump and
sensors to measure the blood sugar levels,

I'm busy with hacking that and
to write the software for myself,

because the *** doesn't
have the software.

Have you ever think about it, to write
your own software for your pacemaker?

E: <i>laughing</i>
M: <i>laughing</i>

M: No, I haven't thought about
that until now. No. <i>laughing</i>

E: Fantastic, I think that deserves
a round of applause, though,

because that's exactly
what we're talking about.

<i>applause</i>

Angel: Another question
from there.

Q: First off, I want to say thank you
that you gave this talk, because

once it's quite interesting,
but it's not that talk,

anyone of that is effected could hold,

so, it takes quiet some courage and

I want to say thank you. So

<i>applause</i>

Secondly, thank you for giving me the

update. I started medical technology but

I finished ten years ago and I didn't work

in the area and it's quiet interesting to

see what happened in the meantime, but

now for my actual question:

You said you got devices on ebay, is it

possible to get the hole

communication chain?

So you can make a sandbox test or ..

M: Yes it's possible to get devices,

it's not so easy to get the pacemaker

itself , it's quite expensive.

E: And even when we get one,

we have some paring issues and like

Marie can't be in the same room , when

we were doing a curtain types of testing

and right, so that last piece is difficult

but the rest of the chain is pretty

available for the research.

Q: Ok, thank you.

Angel: So, time is running out, so we,

only time left for one question and from

there please.

Q: Thank you. I'm also involved in

software quality checks and software qs

here in Germany also
with medical developments

and as far as I know, it is the most

restricted area of developing products

I think in the world,

it's just easier to manipulate software

in a car X-source system or breaking guard

or something like this, where you don't

have to show any testing certificate or

something like this, the FDA is a very

high regulation part there.

Do you have the feeling that it's a

general issue that patients do not have

access to these FDA compliant tests and

software q-a-systems?

M: Yeah, I think that we should have

more openness and more transparency

about, around this issues , really.

E: I mean, it's fantastic you do quality

assurance, i used to be in quality assurance

at a large cooperation and I got tiered

and landed in strategy and pen testing and

then I just thought of myself as paramilitary

quality assurence , ..

now I just do it on ever I wanne test, so

thank you for doing q-a and keep doing it

and hopefull you don't have to many regulations

but companies sharing more of this

information, its really the transparency

and the discussion, the open dialogue

with patients and doctor and a vendor is

really what we wanna focus on and make

our final note ?
M: Yeah.

M: We see some problems already

the last year, the MI Undercover Group has

had some great progress on having good

discussions with the FDA and also involving

the medical device vendors in the discussions

about cyber security of medical devices

and implants. so thats great and I hope

that this will be even better the next year.

E: And I think you wanne to say

one more thing to congress before we leave

which is:

M: Hack to save lives!

<i>applaus</i>

♪ postroll music ♪

subtitles created by c3subtitles.de
Join, and help us!