Marie Moe, Eireann Leverett: Unpatchable

  • Not Synced
    Angel: The next talk will start now
  • Not Synced
    and will be "Unpatchable -
  • Not Synced
    living with a vulnerable
    implanted device"
  • Not Synced
    by Dr. Marie Moe and Eireann Leverett.
  • Not Synced
    Give them a warm round
    of applause please.
  • Not Synced
    applause
  • Not Synced
    Heart Monitor Beep starts
  • Not Synced
    So, we are here today
  • Not Synced
    to talk to you about a subject
  • Not Synced
    that is really close to my heart.
  • Not Synced
    I have a medical implant.
  • Not Synced
    A pacemaker, that is generating
  • Not Synced
    every single beat of my heart.
  • Not Synced
    But how can I trust my own heart,
  • Not Synced
    when it's being controlled by a machine,
  • Not Synced
    running a proprietary code,
  • Not Synced
    and there is no transparency?
  • Not Synced
    So I'm a patient,
  • Not Synced
    but I'm also a security researcher.
  • Not Synced
    I'm a hacker, because I like
  • Not Synced
    to figure out how things work.
  • Not Synced
    That's why I started a project
  • Not Synced
    on breaking my own heart,
  • Not Synced
    together with Eireann
  • Not Synced
    and a couple of friends.
  • Not Synced
    Because I really want to know
  • Not Synced
    what protocols are running
  • Not Synced
    in this machine inside my body.
  • Not Synced
    Is the crypto correctly implemented?
  • Not Synced
    Does it even have crypto?
  • Not Synced
    So I'm here to inspire you today.
  • Not Synced
    I want more people
    to hack to save lives.
  • Not Synced
    Because we are all becoming
  • Not Synced
    more and more dependent on machines.
  • Not Synced
    Maybe some of you in the audience
  • Not Synced
    also have medical implants,
  • Not Synced
    maybe you know someone
  • Not Synced
    that's also depending on
    medical implants
  • Not Synced
    Imagine that this is your heartbeat
  • Not Synced
    and it's being controlled by a device.
  • Not Synced
    A device, that might fail.
  • Not Synced
    Due to software bugs,
  • Not Synced
    due to hardware failures.
  • Not Synced
    Additional background sound:
    real heartbeat
  • Not Synced
    Wouldn't you also like to know
  • Not Synced
    if it has security vulnerabilities?
  • Not Synced
    If it can be trusted?
  • Not Synced
    Sounds stop
  • Not Synced
    beeeeep
  • Not Synced
    Eireann: Something to think about, right?
  • Not Synced
    Marie: Yeah.
  • Not Synced
    Eireann: Marie is an incredibly
    brave women.
  • Not Synced
    When she asked me to give this talk
  • Not Synced
    it made me nervous, right?
  • Not Synced
    It's such a personal story.
  • Not Synced
    Such a journey as well.
  • Not Synced
    And she's gonna talk to you
  • Not Synced
    about a lot of things, right?
  • Not Synced
    Not just hacking medical devices
  • Not Synced
    from a safety point of view
  • Not Synced
    but also some of the
    privacy concerns,
  • Not Synced
    some of the transparency concerns,
  • Not Synced
    some of the consent concerns.
  • Not Synced
    So, there's a lot to get trough
  • Not Synced
    in the next hour.
  • Not Synced
    But I think you're gonna enjoy it
  • Not Synced
    quite a lot.
  • Not Synced
    Marie: So, let me tell you
  • Not Synced
    the story about my heart.
  • Not Synced
    So, 4 years ago
  • Not Synced
    I got my medical implant.
  • Not Synced
    It was a kind of emergency situation
  • Not Synced
    because my heart was starting to beat
  • Not Synced
    really slow,
  • Not Synced
    so i needed to have the pacemaker.
  • Not Synced
    I had no choice.
  • Not Synced
    After I got the implant,
  • Not Synced
    since I was a security researcher,
  • Not Synced
    of course I started to
  • Not Synced
    look up information about how it worked.
  • Not Synced
    And I googled for information.
  • Not Synced
    I found a technical manual
  • Not Synced
    of my pacemaker
  • Not Synced
    and I started to read it.
  • Not Synced
    And i was quite surprised
  • Not Synced
    when I learned that
  • Not Synced
    my pacemaker has 2 wireless interfaces.
  • Not Synced
    There is one interface, that is really
  • Not Synced
    close field communication,
  • Not Synced
    near field communication
  • Not Synced
    that is being used when I'm at checkups
  • Not Synced
    at the hospital,
  • Not Synced
    where the technician,
  • Not Synced
    the pacemaker technician or doctor
  • Not Synced
    uses a programming device
  • Not Synced
    and places it
  • Not Synced
    really close to my pacemaker.
  • Not Synced
    And it's possible to use that
  • Not Synced
    communication to adjust the settings.
  • Not Synced
    But it also has another
  • Not Synced
    wireless interface,
  • Not Synced
    that I was not aware of,
  • Not Synced
    that I was not informed of
    as a patient.
  • Not Synced
    It has a possibility for remote monitoring
  • Not Synced
    or telemetry,
  • Not Synced
    where you can have an
    access point in your house
  • Not Synced
    that will communicate
  • Not Synced
    with the pacemaker
  • Not Synced
    at a couple of meters distance.
  • Not Synced
    And it can collect logs from the pacemaker
  • Not Synced
    and send them to a server
  • Not Synced
    at the vendor.
  • Not Synced
    And there is a web interface
  • Not Synced
    where the doctor can log in
  • Not Synced
    and retrieve my information.
  • Not Synced
    And I have no access the data
  • Not Synced
    that is being collected
  • Not Synced
    by my device.
  • Not Synced
    Eireann: So imagine for a moment
  • Not Synced
    that you are buying a new phone
  • Not Synced
    or buying a new laptop.
  • Not Synced
    You would do your homework, right?
  • Not Synced
    You would understand
    what interfaces where there.
  • Not Synced
    But in Marie's case she's just
  • Not Synced
    given a device,
    and then later she gets
  • Not Synced
    to go and read the manual, right?
  • Not Synced
    So she's the epitome
    of a informed consumer
  • Not Synced
    in the space
  • Not Synced
    and we want a lot more informed consumers
  • Not Synced
    in the space,
  • Not Synced
    which is why we are giving this talk.
  • Not Synced
    Now, I don't know about you,
  • Not Synced
    but I'm used to hacking
  • Not Synced
    industrial systems.
  • Not Synced
    I haven't done as much medical research
  • Not Synced
    in the past.
  • Not Synced
    So, when I first started this project
  • Not Synced
    I knew literally nothing
  • Not Synced
    about Marie's heart.
  • Not Synced
    Or even my own.
  • Not Synced
    And she had to teach me
    how the heart works
  • Not Synced
    and how her pacemaker works.
  • Not Synced
    So, would you mind explaining
  • Not Synced
    some details to the audience
    that will be relevant
  • Not Synced
    through the rest of the presentation?
  • Not Synced
    Marie: Actually I think we're going to
  • Not Synced
    show you a video of
    how the heart works.
  • Not Synced
    So, it's a little bit of
    biology introduction here
  • Not Synced
    before we start
    with the technical details.
  • Not Synced
    So, this.. play the video.
  • Not Synced
    Video: A normal heart beat rate
  • Not Synced
    and rhythm is called
    "Normal Sinus Rhythm".
  • Not Synced
    The heart's pumping action
  • Not Synced
    is driven by electrical stimulation
  • Not Synced
    within the heart muscle.
  • Not Synced
    the heart's electrical system
  • Not Synced
    allows it to beat in an
  • Not Synced
    organized, synchronized pattern.
  • Not Synced
    Every normal heart beat
  • Not Synced
    has 4 steps.
  • Not Synced
    Step 1:
  • Not Synced
    As blood flows into the heart
  • Not Synced
    an electrical impulse
  • Not Synced
    from an upper area of the right atrium
  • Not Synced
    also known as the sinus node
  • Not Synced
    causes the atria to contract.
  • Not Synced
    When the atria contract
  • Not Synced
    they squeeze the blood
  • Not Synced
    into the ventricles.
  • Not Synced
    Step 3:
  • Not Synced
    There is a very short pause
  • Not Synced
    only about a fraction of a second.
  • Not Synced
    and Step 4:
  • Not Synced
    The ventricles contract
  • Not Synced
    pumping the blood to the body.
  • Not Synced
    A heart normally beats
  • Not Synced
    between 60-100 times/min.
  • Not Synced
    Electrical signals in your heart
  • Not Synced
    can become blocked or irregular,
  • Not Synced
    causing a disruption
  • Not Synced
    in your hearts normal rhythm.
  • Not Synced
    When the heart's rhythm is too fast,
  • Not Synced
    too slow or out of order,
  • Not Synced
    an arrhythmia,
  • Not Synced
    also called a rhythm disorder occurs.
  • Not Synced
    When your heart beats out of rhythm,
  • Not Synced
    it may not deliver enough blood
  • Not Synced
    to your body.
  • Not Synced
    Rhythm disorders can be caused
  • Not Synced
    by a number of factors
  • Not Synced
    including disease, heredity,
  • Not Synced
    medications or other factors.
  • Not Synced
    Eireann: So for those of you
    who are already aware of that,
  • Not Synced
    apologies.
  • Not Synced
    But I needed to learn that.
  • Not Synced
    I needed to learn the basics
  • Not Synced
    before we even got started, right?
  • Not Synced
    So...
  • Not Synced
    Marie: So this is a diagram of the
  • Not Synced
    electrical system of the heart.
  • Not Synced
    So, as you see,
    this is the sinus node
  • Not Synced
    that is generating the pulse.
  • Not Synced
    And in my case
  • Not Synced
    I had a problem with the signal
  • Not Synced
    being generated by the sinus node
  • Not Synced
    not reaching the lower
    heart chamber.
  • Not Synced
    It's something called an AV block
    or a heart block
  • Not Synced
    So, occasionally this will cause
  • Not Synced
    an arrhythmia that makes
    the heart pause.
  • Not Synced
    If you don't have a heart beat
  • Not Synced
    for, like ... 8-10 seconds,
  • Not Synced
    you lose your consciousness.
  • Not Synced
    And that was, what happened to me.
  • Not Synced
    I just suddenly found myself
  • Not Synced
    lying on the floor
  • Not Synced
    and I didn't remember how I got there.
  • Not Synced
    And it turned out that it was my heart
  • Not Synced
    that had taken a break.
  • Not Synced
    So that's how I discovered
  • Not Synced
    that I had this issue.
  • Not Synced
    So, this is where the signal is blocked
  • Not Synced
    on the way down to the lower heart chamber
  • Not Synced
    But there's a backup function
  • Not Synced
    in the heart that can make
  • Not Synced
    a so called backup pulse.
  • Not Synced
    And I had that backup pulse
  • Not Synced
    when I went to the emergency room.
  • Not Synced
    So I had a pulse around 30-40 beats/min.
  • Not Synced
    And that's generated by some cells
  • Not Synced
    in the lower heart chamber.
  • Not Synced
    So, after I got the pacemaker
  • Not Synced
    my heart started to become
  • Not Synced
    a little bit more lazy.
  • Not Synced
    So it is not certain,
  • Not Synced
    that I will have this backup pulse
  • Not Synced
    anymore if the pacemaker stops working.
  • Not Synced
    So currently
  • Not Synced
    my heart is 100% running
    on the pacemaker.
  • Not Synced
    So, let's also look at
    how the pacemaker works.
  • Not Synced
    I have another video of that.
  • Not Synced
    So, this is my little friend
  • Not Synced
    that is running my heart.
  • Not Synced
    Video: A pacemaker
    is a miniaturized computer
  • Not Synced
    that is used to treat a slow heart beat.
  • Not Synced
    It is about the size
  • Not Synced
    of a couple of stacked silver dollars
  • Not Synced
    and weights approximately 17-25 grams.
  • Not Synced
    It is usually surgically placed
  • Not Synced
    or implanted just under the skin
  • Not Synced
    in the chest area.
  • Not Synced
    The device sends a tiny electrical pulse
  • Not Synced
    down a thin coated wire,
  • Not Synced
    called a lead, into your heart.
  • Not Synced
    This stimulates the heart to beat.
  • Not Synced
    This impulses are very tiny
  • Not Synced
    and most people do not feel them.
  • Not Synced
    While the device helps your heart
  • Not Synced
    maintain its rhythm,
  • Not Synced
    it also stores information
  • Not Synced
    about your heart that can be
  • Not Synced
    retrieved by your doctor
  • Not Synced
    to program the device.
  • Not Synced
    Eireann: Remember that!
  • Not Synced
    Marie: Yeah... Did you see
  • Not Synced
    the ones and zeros at the end
  • Not Synced
    of the video?
  • Not Synced
    That's what we want to know
    more about.
  • Not Synced
    Because this information
  • Not Synced
    that is being collected
    by the pacemaker,
  • Not Synced
    how it works,
  • Not Synced
    how the code looks like,
  • Not Synced
    it's all closed source,
  • Not Synced
    it's all proprietary information.
  • Not Synced
    And that's why we need more
  • Not Synced
    security researchers,
  • Not Synced
    we need more 3rd party testing,
  • Not Synced
    to be sure that we can trust this code.
  • Not Synced
    Eireann: And you can imagine that
  • Not Synced
    we're doing some of this research as well.
  • Not Synced
    But I'm not gonna break
    Marie's heart on stage,
  • Not Synced
    I'm not gonna drop (???)
  • Not Synced
    on some medical devices,
  • Not Synced
    so if you came for that,
  • Not Synced
    it's not worth staying.
  • Not Synced
    The rest of the presentation
  • Not Synced
    will be about some of the things we found
  • Not Synced
    and how this works and
  • Not Synced
    how you might approach this research.
  • Not Synced
    And some of the people
    who did this research before,
  • Not Synced
    because there's plenty of others,
  • Not Synced
    and we like to give a shout-out
  • Not Synced
    to those who've done
    great research in advance.
  • Not Synced
    But essentially this point is
  • Not Synced
    very relevant.
  • Not Synced
    That the internet of medical things
  • Not Synced
    is already here.
  • Not Synced
    And Marie is wired into it.
  • Not Synced
    She's a bit younger than the average
  • Not Synced
    pacemaker patient, but, you know,
  • Not Synced
    she was thrust into this situation
  • Not Synced
    where she had to think about things
  • Not Synced
    in a very different way.
  • Not Synced
    Like, you did a Masters,
    breaking crypto,
  • Not Synced
    and also a PHD in Information Security.
  • Not Synced
    Did you imagine, that things you learned
  • Not Synced
    about SSH and network security
  • Not Synced
    might one day apply to your
    heart and your own body?
  • Not Synced
    Marie: No, I never
    figured out that
  • Not Synced
    my research would eventually
    end up inside my own body.
  • Not Synced
    That's something I never
    thought about.
  • Not Synced
    And also, there's a lot of
  • Not Synced
    people that don't think about
  • Not Synced
    how the medical devices
    actually work.
  • Not Synced
    So, when I asked this question
  • Not Synced
    to health care professionals
  • Not Synced
    they look at me like I'm crazy,
  • Not Synced
    they don't ... they have never
    thought about this before.
  • Not Synced
    That there's actually code
    inside my body
  • Not Synced
    and someone has programmed it,
  • Not Synced
    someone has written this code.
  • Not Synced
    And, did they think about,
    that this
  • Not Synced
    would actually control
    someone's life,
  • Not Synced
    and be my own personal
    critical infrastructure?
  • Not Synced
    Eireann: Yeah, personal
    infrastructure, right?
  • Not Synced
    On a physical level.
  • Not Synced
    And also, I think, it's...
  • Not Synced
    You know, the point that you made
    is important to reiterate,
  • Not Synced
    that you go and see your doctor
  • Not Synced
    and you ask these questions about
  • Not Synced
    whether anyone can hack into my heart
  • Not Synced
    and they probably look at you
    and go like
  • Not Synced
    'Don't you worry your pretty
    little head about that', right?
  • Not Synced
    But Marie used to head up
  • Not Synced
    the Norwegian computer
    emergency response team
  • Not Synced
    for a couple of years
  • Not Synced
    and knows a lot of hackers
  • Not Synced
    and knows what she's
    talking about, right?
  • Not Synced
    So, when she asked her doctor
    these questions,
  • Not Synced
    they're very legitimate questions.
  • Not Synced
    And the doctors probably
    don't know anything about code,
  • Not Synced
    but they need to move
    towards a place
  • Not Synced
    where they can answer
    those questions with some
  • Not Synced
    honesty and certainty and
    treat them with the dignity
  • Not Synced
    that they deserve.
  • Not Synced
    Should we show them
    a little bit more
  • Not Synced
    about the total ecosystem
    of devices
  • Not Synced
    that we are talking about,
    at least in this particular talk?
  • Not Synced
    Marie: Yeah.
  • Not Synced
    Eireann: So, this was
    all new to me.
  • Not Synced
    I mean I've moved around
    in networks and done some
  • Not Synced
    penetration testing and
    some stuff in the past,
  • Not Synced
    but I didn't know much about
    implantable medical devices.
  • Not Synced
    So, we've got a couple
    of them there.
  • Not Synced
    The ICD, which is the
    in-cardio-defibrillator,
  • Not Synced
    that's some of the work
    that you saw from Barnaby Jack
  • Not Synced
    which we will mention later,
  • Not Synced
    was on those particular devices,
  • Not Synced
    We've got the pacemakers
    and of course other devices
  • Not Synced
    could be in this diagram as well.
  • Not Synced
    Like, we could be talking
    about insulin pumps
  • Not Synced
    or other things in the future.
  • Not Synced
    The device itself speaks
    to box number 2,
  • Not Synced
    which we will tell you a little bit
    more about in a moment,
  • Not Synced
    using a protocol, commonly
    referred to as 'MICS".
  • Not Synced
    A number of different
    devices use this
  • Not Synced
    Medical Implant Communication Service.
  • Not Synced
    And Marie shocked me yesterday
  • Not Synced
    when she found
    a couple devices
  • Not Synced
    that potentially use Bluetooth.
  • Not Synced
    sigh
    laughing
  • Not Synced
    So, would you like to tell them
    a little bit more about the access point,
  • Not Synced
    and I'll join in?
  • Not Synced
    Marie: Yeah, so, the access
    point is the device
  • Not Synced
    that you can typically have
    on your bed stand
  • Not Synced
    and that will, depending
    on your configuration,
  • Not Synced
    contact your pacemaker
    as regular intervals,
  • Not Synced
    e.g. once during the night.
  • Not Synced
    It will start a communication
    with the pacemaker,
  • Not Synced
    couple of meters distance,
  • Not Synced
    and will start
    collecting logs.
  • Not Synced
    And this logs will
    then be sent,
  • Not Synced
    it can be via SMS
    or other means,
  • Not Synced
    to a server.
  • Not Synced
    So, there's a lot of my
    personal information
  • Not Synced
    that can end up different
    places in this diagram.
  • Not Synced
    So, of course it's
    in my own device,
  • Not Synced
    it will be then communicated
    via this access point
  • Not Synced
    and also then
  • Not Synced
    via the cellular network.
  • Not Synced
    And then it will also be stored
    in the telemetry server.
  • Not Synced
    Potentially when I go
    for the checkups
  • Not Synced
    my personal information will
    also end up in my
  • Not Synced
    doctor workstation
  • Not Synced
    or in the electronic
    patient records.
  • Not Synced
    And there's a lot of things
    that can go wrong there.
  • Not Synced
    Eireann: Yeah, you
    can see, it's using
  • Not Synced
    famously secure methods
    of communication
  • Not Synced
    that have never been backdoored
    or compromised by anyone ever before,
  • Not Synced
    even here at this conference,
    probably even this time around.
  • Not Synced
    So these are some things
    that are concerning.
  • Not Synced
    The data also travels often
    to other countries
  • Not Synced
    and so there are questions
    about the jurisdiction
  • Not Synced
    in terms of privacy laws
    in terms of some of this data.
  • Not Synced
    And some of you can go and
    look deeper into that as well.
  • Not Synced
    The telemetry store thing
    I think is important,
  • Not Synced
    some of this is a telemetry store,
    such as the server at the vendor.
  • Not Synced
    So the vendor owns some
    machines somewhere
  • Not Synced
    that collect data
    from Marie's heart.
  • Not Synced
    So you can imagine she goes to see her
    doctor and the doctor is like:
  • Not Synced
    'Hey, Marie, last weekend, did you, ...
    run a half marathon or something?'
  • Not Synced
    And she hasn't told him, right?
  • Not Synced
    Like, he just can look
    at the data and see,
  • Not Synced
    that her heart rate was up
    for a couple hours.
  • Not Synced
    That's true though, right? You
    did actually run a half marathon.
  • Not Synced
    Marie: Yeah, I did run a half marathon.
    laugh
  • Not Synced
    Eireann: So, the telemetry
    store is one part,
  • Not Synced
    but there's also the
    doctors work station
  • Not Synced
    which contains a lot of
    this medical data.
  • Not Synced
    So, from privacy perspective
    that's part of the attack surface.
  • Not Synced
    But there's also the programmers, right?
  • Not Synced
    There's the device's programmers.
  • Not Synced
    So that's an interesting point, that
    I hope a lot of you are interested in
  • Not Synced
    already, that there
    is a programmer
  • Not Synced
    for these devices.
  • Not Synced
    Marie: So, we actually
    went shopping on eBay
  • Not Synced
    and we found some
    of these devices.
  • Not Synced
    Eireann: You can buy them on eBay?
  • Not Synced
    Marie: Yeah.
    Eireann: laugh
  • Not Synced
    Marie: So, I found
    a programmer
  • Not Synced
    that can program
    my device, on eBay
  • Not Synced
    and I bought it.
  • Not Synced
    And I also found a couple of
    these access points.
  • Not Synced
    So, that's what we're
    now starting to look at.
  • Not Synced
    Eireann: We just wanna to give
    you an overview of this system,
  • Not Synced
    and it's fairly similar across the
    different device vendors,
  • Not Synced
    and we're not going to talk
    about individual vendors.
  • Not Synced
    But if you're gonna go and
    do this kind of research
  • Not Synced
    you can see that some of the research
    you've already done in the past
  • Not Synced
    applies to different parts
    of this process.
  • Not Synced
    Marie: And talking about
    patient privacy,
  • Not Synced
    when we got the
    programmer from ebay
  • Not Synced
    it actually contained
    patient information.
  • Not Synced
    So, that's the
    really bad thing.
  • Not Synced
    Eireann: So, I found
    this very odd.
  • Not Synced
    I had a similar reaction
    to yourselves because
  • Not Synced
    I usually do industrial
    system stuff.
  • Not Synced
    One of my friends picked up
    some PLCs recently and
  • Not Synced
    they had data from the nuclear plant,
    that the PLCs had been used in.
  • Not Synced
    So, decommissioning is a problem
    in industrial systems
  • Not Synced
    but it turns out also
    in medical devices, right?
  • Not Synced
    I guess that's a useful point
    to make as well,
  • Not Synced
    about the costs of doing
    this kind of research.
  • Not Synced
    It is possible to get some
    devices, some implants
  • Not Synced
    from people who have sadly
    passed on,
  • Not Synced
    but that comes with a very high
    cost of biomedical decontamination.
  • Not Synced
    So that raises the cost
    of doing this research
  • Not Synced
    on the implants themselves,
    not necessarily on the rest
  • Not Synced
    of the devices.
  • Not Synced
    Marie: Yeah, so, also want
    to say, that in this research
  • Not Synced
    I had not *** with my own device.
  • Not Synced
    So, that would not be a good thing ...
  • Not Synced
    Eireann: You're not gonna let me,
    like, SSH in your heart and just ...
  • Not Synced
    Marie: Um.. No.
    Eireann: ... just delete some stuff.. No?
  • Not Synced
    Marie: No.
    Eireann: I wouldn't do it anyway,
  • Not Synced
    but it's an interesting point, right?
  • Not Synced
    So, like, there are a lot of
    safety percussions
  • Not Synced
    that we and the rest
    of the team have to take
  • Not Synced
    when we are doing this research.
  • Not Synced
    And one of them is
    not pairing Marie's pacemaker
  • Not Synced
    with any of the devices
    that are under test.
  • Not Synced
    Do you wanna say a bit more
    about connectivity and vulnerability?
  • Not Synced
    Marie: Yeah, so...
  • Not Synced
    I was worried
    when I discovered that
  • Not Synced
    I had this possible connectivity
    to the medical internet of things.
  • Not Synced
    In my case this is switched off
    in the configurations
  • Not Synced
    but it's there.
  • Not Synced
    It's possible to turn it on,
    it's possible for me to be
  • Not Synced
    hooked up to the,
    this internet of medical things.
  • Not Synced
    And for some patients
    this is really benefit.
  • Not Synced
    So you always have to make
    a *** decision
  • Not Synced
    on whether or not to
    make use of this
  • Not Synced
    connectivity.
  • Not Synced
    But I think it's really important
    that you make an informed decision
  • Not Synced
    about that and that the patient
  • Not Synced
    is informed and has given
    his or her consent
  • Not Synced
    to have this feature.
  • Not Synced
    The battery lifetime of my pacemaker
    is around 10 years.
  • Not Synced
    So in 6 years time
  • Not Synced
    I will have to have a
    replacement surgery
  • Not Synced
    and I'm going to be
    a really difficult patient.
  • Not Synced
    laughs
    audience laughing
  • Not Synced
    So, ...
    applause
  • Not Synced
    Eireann: Right on
  • Not Synced
    Marie: I really want to know
  • Not Synced
    how the devices work
    by then and
  • Not Synced
    I want to make an informed
    decision on whether or not
  • Not Synced
    to have this connectivity.
  • Not Synced
    But of course for lot of patients
    the benefit of having this
  • Not Synced
    outweighs the risk.
  • Not Synced
    Because people that had other
    heart problems than me
  • Not Synced
    they have to go for more
    frequent checkups.
  • Not Synced
    I only have to go once a year.
  • Not Synced
    So, for patients that need to go
    frequently for checkups,
  • Not Synced
    it's really good for them
    to have the possibility
  • Not Synced
    of having telemetry and
    having connectivity to
  • Not Synced
    have remote patient monitoring.
  • Not Synced
    Eireann: Yeah, imagine you
    have mobility problems or
  • Not Synced
    you even just live far
  • Not Synced
    from a major city.
  • Not Synced
    And making the journey
    to the hospital is quite arduous,
  • Not Synced
    then this kind of remote
    telemetry allows your doctor
  • Not Synced
    to keep track of
    what's going on.
  • Not Synced
    And that's very important,
    we don't wanna, like...
  • Not Synced
    have a big scary testosterone
    filled talk where we, like,
  • Not Synced
    hack some pacemakers.
  • Not Synced
    We wanna talk about
    how there's a dual use thing
  • Not Synced
    going on here.
  • Not Synced
    And that there is a lot of value
    in having this devices
  • Not Synced
    but we also want them to be save
    and secure and preserve our privacy
  • Not Synced
    and a lot of other things.
  • Not Synced
    So, these are some
    of the issues.
  • Not Synced
    Of course the last one,
    the remote assassination scenario,
  • Not Synced
    that' s everyone favorite one
    to fantasize about
  • Not Synced
    or talk about, or make
    movies about, but
  • Not Synced
    we think there's a lot of
    other issues in here
  • Not Synced
    that are more interesting,
  • Not Synced
    some quality issues even, right,
  • Not Synced
    that we'll talk about
    in a little bit.
  • Not Synced
    Battery exhaustion,
  • Not Synced
    again something many people
    don't think about. But...
  • Not Synced
    I'm very interested in
    cyber-physical exploitation
  • Not Synced
    and so some of this elements
    were interesting to me
  • Not Synced
    that you might use the device
    in a way that wasn't expected.
  • Not Synced
    Marie: So personally I'm not afraid
    of being remotely assassinated.
  • Not Synced
    Eireann: I've actually never known
    you to be afraid of anything
  • Not Synced
    Marie: laughs
  • Not Synced
    I'm more worried about
    software bugs in my device,
  • Not Synced
    the things that can malfunction,
  • Not Synced
    Eireann: Is that just theoretical?
  • Not Synced
    Marie: No, actually software bugs
  • Not Synced
    have killed people.
  • Not Synced
    So, think about that!
  • Not Synced
    People that are not here,
  • Not Synced
    they don't have their voice
    and they can't really
  • Not Synced
    give there story.
  • Not Synced
    But there are stories about persons
    depending on medical devices
  • Not Synced
    dying because their
    device malfunctioned.
  • Not Synced
    Eireann: There's even some
    great research
  • Not Synced
    from academics about
    how the user interface design
  • Not Synced
    of medical devices can have
    an impact on patients safety
  • Not Synced
    and how designing UX
  • Not Synced
    much more clearly
    and concisely
  • Not Synced
    specifically for the
    medical profession
  • Not Synced
    might improve
    the care of patients.
  • Not Synced
    Do you wanna say more
    about this slide or should we
  • Not Synced
    go on to the previous work,
    should we... go ahead!
  • Not Synced
    Marie: Yeah, I think it's really
    important also to...
  • Not Synced
    the issue of trusting the vendors.
  • Not Synced
    So, as a patient I'm
    expected to just, you know,
  • Not Synced
    trust, that my device
    is working correctly,
  • Not Synced
    every security vulnerability
    has been corrected by the vendor
  • Not Synced
    and it's safe.
  • Not Synced
    But I want to have more
    third party testing,
  • Not Synced
    I want to have more security
    research on medical implants.
  • Not Synced
    And as a lot things, like ...
    history has shown
  • Not Synced
    we can't always trust that
    the vendors do the right thing.
  • Not Synced
    Eireann: I think this is a good
    opportunity for us to ask
  • Not Synced
    a very fun question, which is:
  • Not Synced
    Any fans of DMCA in the room?
  • Not Synced
    laughter from the audience
  • Not Synced
    No? No fans? Alright.
  • Not Synced
    Well, then you'll really enjoy this.
  • Not Synced
    Marie has some very exciting news
    about DMCA exceptions.
  • Not Synced
    Marie: Yeah, so... October, this year
  • Not Synced
    there was a ruling of
    a DMCA exemption for
  • Not Synced
    security research
    on medical devices
  • Not Synced
    also for *** security research.
  • Not Synced
    So, this means, that
  • Not Synced
    as researchers you can
  • Not Synced
    actually do reverse engineering
    of medical implants
  • Not Synced
    without infringing copyright laws.
  • Not Synced
    It will take effect
    I think October next year.
  • Not Synced
    Eireann: Yeah.
    Marie: That is really a big
  • Not Synced
    step forward in my opinion.
  • Not Synced
    And I hope that this will
    encourage more research.
  • Not Synced
    And I also want to mention
    that there are
  • Not Synced
    fellow activist patients
    like myself
  • Not Synced
    that were behind that proposal
    of having these exemptions.
  • Not Synced
    So, Jay Radcliff who hacked
    his own insulin pump,
  • Not Synced
    Karen Sandler, who is a free and
    open software advocate.
  • Not Synced
    And Hugo Campos, who has
    an ICD implant, he is very ...
  • Not Synced
    he wants to have access
    to his own data
  • Not Synced
    for quantified self reasons.
  • Not Synced
    So these patients,
    they actually
  • Not Synced
    made this happen,
    that you're allowed to do
  • Not Synced
    security research
    on medical devices.
  • Not Synced
    I think that's really great.
  • Not Synced
    applause
  • Not Synced
    Eireann: Do you wanna say something
    about Scott Erven's presentation
  • Not Synced
    that you saw at DEF CON?
  • Not Synced
    Marie: Yeah, that was a really
    interesting presentation about
  • Not Synced
    how medical devices have
    really poor security.
  • Not Synced
    And they have, like,
    hard coded credentials,
  • Not Synced
    and you can find them
    using *** on the internet.
  • Not Synced
    These were not pacemakers,
    but other types of
  • Not Synced
    different medical devices.
  • Not Synced
    There are, like, hospital networks
    that are completely open
  • Not Synced
    and you can access
    the medical equipment
  • Not Synced
    using default passwords that
    you can find in the manuals.
  • Not Synced
    And the vendors claim that
  • Not Synced
    no, these are not hard coded,
    these are default,
  • Not Synced
    but then the manuals say:
    Do not change this password...
  • Not Synced
    Eireann: Because they want to
    integrate with other stuff, right? So...
  • Not Synced
    I've heard that excuse from SCADA,
    so I wasn't having it.
  • Not Synced
    Marie: They also put up some
    medical device honeypots
  • Not Synced
    to see if they were *** targeted(?)
    hacking attempts
  • Not Synced
    but they only picked up malware
    on them, which is also ...
  • Not Synced
    Eireann: Only!
    Marie: ... of course of a concern laughs
  • Not Synced
    Eireann: Anything else,
    about prior(?), Kevin?
  • Not Synced
    Marie: I guess we should mention
    that the academic research
  • Not Synced
    on hacking pacemakers,
    which was started by
  • Not Synced
    a group led by Kevin Fu
  • Not Synced
    and they had this
    first paper in 2008
  • Not Synced
    that they also followed up
    with more academic research
  • Not Synced
    and they showed that it's
    possible to hack a pacemaker.
  • Not Synced
    They showed that...
    this was possible on a, like
  • Not Synced
    a couple of centimeters
    distance only,
  • Not Synced
    so, like, the attack scenario
    would be, if you have a
  • Not Synced
    device similar to the
    programmers device
  • Not Synced
    and you attack me with it
    you can laughs
  • Not Synced
    turn off my pacemaker.
  • Not Synced
    That's not really scary,
  • Not Synced
    but then we have the research
    by Barnaby Jack
  • Not Synced
    where this range of the attack
    is extended to several meters
  • Not Synced
    so you have someone with
    an antenna in a room
  • Not Synced
    scanning for pacemakers
  • Not Synced
    and starting to program them.
  • Not Synced
    Eireann: We have a saying
    at Cambridge about that.
  • Not Synced
    Some of the other people at the
    university have been doing attacks
  • Not Synced
    a lot longer than I have, and
    one of the things they say is:
  • Not Synced
    'Attacks only get worse,
    they never get better.'
  • Not Synced
    So, the range might be short one year,
    then a couple of years later it's worse.
  • Not Synced
    Marie: The worst case scenario
    I think would be remotely,
  • Not Synced
    via the internet being able to
    hack pacemakers.
  • Not Synced
    but there's no research so far
    indicating that that's possible.
  • Not Synced
    Eireann: And we don't wanna
    hype that up. We don't wanna...
  • Not Synced
    Marie: No.
    Eireann: ... get that kind of an angle
  • Not Synced
    on this talk. We wanna make the
    point that hacking can save lives,
  • Not Synced
    that hackers are a global citizens'
    resource to save lives, right? So...
  • Not Synced
    Marie: Yeah, so, this is the result
    of hacking of the drug infusion pumps.
  • Not Synced
    Earlier this year
  • Not Synced
    the FDA actually issued the first ever
    recall of a medical device
  • Not Synced
    based on cyber security concerns.
  • Not Synced
    Eireann: I think that's amazing, right?
    They've recalled products
  • Not Synced
    because of cyber security concerns. They
    used to have to wait until someone died.
  • Not Synced
    In fact, they had to show
    something like 500 deaths
  • Not Synced
    before you could recall a product.
    So now they can ...
  • Not Synced
    the FDA, at least in the US,
    they can recall products
  • Not Synced
    just based on security
    considerations.
  • Not Synced
    Marie: So, this is also,
  • Not Synced
    I guess the first example
    of that type of pro-active
  • Not Synced
    security research,
    where you can
  • Not Synced
    make a proof of concept
    without killing any patients
  • Not Synced
    and then that closes
    the security holes.
  • Not Synced
    And that potentially
    saves lives.
  • Not Synced
    And no one has been hurt
    in the research.
  • Not Synced
    I think that's great.
  • Not Synced
    Eireann: I'm also really excited
    because we give a lot of presentations
  • Not Synced
    about security that are filled with
    *** and depression,
  • Not Synced
    so it's nice to have two major victories
    in medical device research
  • Not Synced
    in the last few years.
    One being the DMCA exemptions
  • Not Synced
    and the other being
    actual product recalls.
  • Not Synced
    Marie: Yeah, and the FDA are starting
    to take these issues seriously and
  • Not Synced
    they are really focusing on the cyber
    security of medical implants now.
  • Not Synced
    I'm going to go to a workshop
    arranged by the FDA in January
  • Not Synced
    and participate on a panel discussing
    cyber security of medical implants.
  • Not Synced
    And it's great to have this
    type of interaction between
  • Not Synced
    the security committee, medical
    device vendors and the regulators.
  • Not Synced
    So, things are happening.
  • Not Synced
    Eireann: Yeah. How do you feel
    as an audience,
  • Not Synced
    are you glad that she's going to be
    your representative in Washington
  • Not Synced
    for some of these issues?
  • Not Synced
    applause
  • Not Synced
    And we want you to get
    involved as well, right?
  • Not Synced
    This is not just about Marie
    and myself and the other people
  • Not Synced
    who worked on this
    project, it's meant to say
  • Not Synced
    you too can do this research.
    And you should be.
  • Not Synced
    You have to be a little sensitive,
    a little bit precise and articulate
  • Not Synced
    about concerns.
  • Not Synced
    We take some inspiration from the
    former research around hygiene.
  • Not Synced
    Imagine the first time some scientist
    went to some other scientist and said
  • Not Synced
    'There is this invisible stuff,
    and it's on your hands,
  • Not Synced
    and if you don't wash your hands
    people get infections!'
  • Not Synced
    And everyone thought
    they were crazy.
  • Not Synced
    Well, it's kind of the same with us
    talking about industrial systems
  • Not Synced
    or talking about medical devices
    or talking about hacking in general.
  • Not Synced
    People just didn't, sort of,
    believe it was possible at first.
  • Not Synced
    And so we have to articulate ourselves
    very, very carefully.
  • Not Synced
    So, we draw inspiration from
    that early hygiene movement
  • Not Synced
    where they had a couple simple rules
    that started to save people's lives
  • Not Synced
    while they explained germ theory
    to the masses.
  • Not Synced
    M: Yeah, so, this type of research
    is kind of low hanging fruits
  • Not Synced
    where you just, so...
  • Not Synced
    *** is an example, where
  • Not Synced
    there's a lot of medical
    device networks in hospitals
  • Not Synced
    that are open to the internet
    and that can get infected
  • Not Synced
    by normal type of malware,
    like *** trojans or whatever.
  • Not Synced
    And this is potentially a safety issue.
  • Not Synced
    So, if your MR scanner or some other
  • Not Synced
    more life-critical device
    is being unavailable because of
  • Not Synced
    a virus on it,
  • Not Synced
    that's a real concern for patient
    security and safety.
  • Not Synced
    So we need to think more about
    the hygiene also in terms of
  • Not Synced
    computer viruses, not only
    just normal viruses.
  • Not Synced
    E: Yeah. So, you know, some
    times people will treat you like
  • Not Synced
    this is an entirely theoretical
    concern, but
  • Not Synced
    I think this is one of the best
    illustrations that we've found
  • Not Synced
    of how that should
    be a concern,
  • Not Synced
    and I think all of you will get it,
  • Not Synced
    but I wanna give you a moment to kind of
    read what's about to come up on the slides.
  • Not Synced
    So I'll just let you enjoy
    that for a moment.
  • Not Synced
    So if it's not clear or it's not your
    first language or something,
  • Not Synced
    this guy basically *** patient data
    across a bunch of amazon clusters.
  • Not Synced
    And then it was unavailable.
    And they were very concerned
  • Not Synced
    about the unavailability of their
    customer patient data
  • Not Synced
    *** across amazon instances.
  • Not Synced
    He was complaining to support, like
    'Can I get support to fix this?' laughs
  • Not Synced
    M: So, all the data of the ...
  • Not Synced
    ... the monitoring data of the cardiac
    patients is unavailable to them
  • Not Synced
    because of the service
    being downed.
  • Not Synced
    And, well, do you want to outsource your
    patient's safety to the cloud? Really?
  • Not Synced
    I don't want that.
    Okay.
  • Not Synced
    E: I wanna get into some other details.
    We have sort of 10 min left if we can ...
  • Not Synced
    so we can have a lot of questions,
    and I'm sure there will be some.
  • Not Synced
    But I want you to talk to them about
    this very personal story.
  • Not Synced
    This is... Remember before, when we
    said, is this stuff theoretical?
  • Not Synced
    I want you to pay a lot of
    attention to this story.
  • Not Synced
    It really moved me
    when she first told me.
  • Not Synced
    M: I know how it feels to have
    my body controlled by a device
  • Not Synced
    that is not working correctly.
  • Not Synced
    So, I think it was around 2 or 3
    weeks after I had the surgery.
  • Not Synced
    I felt fine.
  • Not Synced
    But I hadn't really done
    any exercise yet.
  • Not Synced
    The surgery was pretty easy,
    I only had 2 sick leave
  • Not Synced
    and then I came back to work
  • Not Synced
    and I went to London
  • Not Synced
    to participate in a course
    in ethical hacking and
  • Not Synced
    I did take the London Underground
    together with some of my colleagues
  • Not Synced
    and we got off at this station
    at Covent Garden
  • Not Synced
    And I don't know if you
    have been there but
  • Not Synced
    that particular station is
    really low underground.
  • Not Synced
    They have elevators that you
    can use to get up,
  • Not Synced
    but usually there are, like,
    long queues to the elevators...
  • Not Synced
    E: You always have to do
    things the hard way, right?
  • Not Synced
    You had to take the stairs, or
  • Not Synced
    they were just heading for the stairs
    and I was following them and
  • Not Synced
    we're starting to climb the stairs and
    I didn't read this warning sign, which is:
  • Not Synced
    'Those with luggage, pushchairs & heart
    conditions, please use the lift' laughs
  • Not Synced
    Because I was feeling fine,
  • Not Synced
    and this was the first time that I
    figured out there's something wrong
  • Not Synced
    with my pacemaker or with my heart.
  • Not Synced
    Because I came like
    halfway up these stairs
  • Not Synced
    and I felt like I was going to die.
  • Not Synced
    It was a really horrible feeling.
  • Not Synced
    I didn't have any more breath left,
  • Not Synced
    I felt like I wasn't able
    to complete the stairs.
  • Not Synced
    I didn't know what was
    happening to me, but
  • Not Synced
    somehow I managed to
    drag myself up the stairs
  • Not Synced
    and my heart was really...
  • Not Synced
    it didn't feel right.
  • Not Synced
    So, first thing when I came
    back from this course
  • Not Synced
    I went to my doctor
  • Not Synced
    and we started to try
    to debug me, tried to find out
  • Not Synced
    what was wrong with my pacemaker.
  • Not Synced
    And this is what that looks like.
    E: laughs
  • Not Synced
    M: So, there's a stack
    of different programmers
  • Not Synced
    - this is not me by the way, but it's
    a very similar situation.
  • Not Synced
    E: And we'll come back to those
    programmers in a moment.
  • Not Synced
    M: Yeah.
    E: But the bit I want you
  • Not Synced
    to focus on is, like, they're
    debugging your pacemaker?
  • Not Synced
    Inside you?
    M: Yeah, I didn't know
  • Not Synced
    what was happening
    at the time.
  • Not Synced
    We were just trying to
    get the settings right
  • Not Synced
    and it took like 2 or 3 months before
    we figured out what was wrong.
  • Not Synced
    And what happened was, that my
    operate limit was set too low for me,
  • Not Synced
    for my age. So, the normal pacemaker
    patient is maybe around 80 years old
  • Not Synced
    and the default operate
    limit was 160 beats/min.
  • Not Synced
    And that's pretty low for
    a young person.
  • Not Synced
    E: So, imagine, like, you're younger
    and you're really fit and you know
  • Not Synced
    how to do something really well,
    like swimming or skiing or skateboarding
  • Not Synced
    or whatever. You're fantastic at it.
    And then a couple years go past
  • Not Synced
    and you know, you gain some weight
    and you're not as good at it, right?
  • Not Synced
    But now imagine that
    happens in 3 seconds.
  • Not Synced
    While you're walking
    up a set of stairs.
  • Not Synced
    M: So, what happens is that
    the pacemaker detects
  • Not Synced
    'Oh, you have a really high pulse'.
    And there's a safety mechanism
  • Not Synced
    that will cut your pulse in half ...
    E: In half!
  • Not Synced
    laughing
    M: laughs So in my case it went
  • Not Synced
    from 160 beats/min to 80 beats/min.
    In a second, or less than a second,
  • Not Synced
    and that felt really, really horrible.
  • Not Synced
    And it took a long time
    to figure out what was wrong.
  • Not Synced
    It wasn't until they put me on
    an exercise bike and
  • Not Synced
    had me on monitoring that they
    figured out what was wrong, because
  • Not Synced
    the thing was, that what was displayed
    on the pacemaker technician's view
  • Not Synced
    was not the same settings that
    my pacemaker actually had.
  • Not Synced
    There was a software bug in the
    programmer, that caused this problem.
  • Not Synced
    E: So they thought they had updated
    her settings to be that of a young person.
  • Not Synced
    They were like
    'Oh, we've already changed it'.
  • Not Synced
    But they lost the view. They couldn't
    see the actual state of the pacemaker.
  • Not Synced
    And the only way to figure that out
    was to put her on a bike
  • Not Synced
    and let her cycle until her
    heart rate was high enough.
  • Not Synced
    You know, literally physically
    debugging her to figure out
  • Not Synced
    what was wrong.
  • Not Synced
    Now stop and think about whether or not
    you would trust your doctor
  • Not Synced
    to debug software.
  • Not Synced
    laughing
  • Not Synced
    So, say a little bit more about those
    programmers and then we'll move on
  • Not Synced
    towards the future.
  • Not Synced
    M: Yeah, so, we got one of these
    programmers, as mentioned
  • Not Synced
    and looked inside it.
  • Not Synced
    And, well, we named this talk
    'Unpatchable', because
  • Not Synced
    originally my hypothesis was that,
    if you find a bug in a pacemaker
  • Not Synced
    it will be hard to patch it.
  • Not Synced
    Maybe it would require surgery.
  • Not Synced
    But then when we looked
    inside the programmer
  • Not Synced
    and we saw that it contained firmware
    for pacemakers we realized that
  • Not Synced
    it's possible to actually patch the
    pacemaker via this programmer.
  • Not Synced
    E: One of the other researchers
    finds these firmware blobs inside
  • Not Synced
    the programmer code and, like,
    my heart stopped at that point, right?
  • Not Synced
    I was just going 'Really, you can just
    update the code on someone's pacemaker?'
  • Not Synced
    We also wanna say something
    about standardization.
  • Not Synced
    Look at all those
    different programmers.
  • Not Synced
    Someone goes into a hospital
    with one of these devices
  • Not Synced
    they have many different programmers
    so they have to make an estimation
  • Not Synced
    of which... you know, which
    programmer for which device.
  • Not Synced
    Like, which one are you running.
  • Not Synced
    And, so, some standardization
    would be an option laughs
  • Not Synced
    perhaps, in this case.
    M: Yeah.
  • Not Synced
    E: Alright. So, we gonna need
    to move quickly through
  • Not Synced
    the next few slides to talk
    to you about the future,
  • Not Synced
    but I hope that drives home that
    this is a very real issue for real people.
  • Not Synced
    M: So, pacemakers are evolving and
    they are getting smaller
  • Not Synced
    and this is the type of pacemaker
    that you can actually implant
  • Not Synced
    inside the heart.
  • Not Synced
    So, the pacemaker I have today
    is outside the heart and it has
  • Not Synced
    leads that are wired to my heart.
  • Not Synced
    But in future they are getting
    smaller and more sophisticated and
  • Not Synced
    I think this is exciting!
  • Not Synced
    I think that a lot of you,
    also in the audience will
  • Not Synced
    benefit from having this type of
    technology when you grow older
  • Not Synced
    and we can have longer lives and
    we can live healthier lives
  • Not Synced
    because of the technology
    E: And keep in mind, right?
  • Not Synced
    Some of you may already have devices
    and already have these issues,
  • Not Synced
    but others of you will think 'Ah, that
    won't happen to me for quite a long time'
  • Not Synced
    But it can be a sudden thing, that,
    you know, you don't necessarily
  • Not Synced
    have a choice to run code
    inside your body.
  • Not Synced
    Which OS do you wanna implant?
    laughing
  • Not Synced
    E: You wanna tell them about the..
    M: This is also a quite exciting
  • Not Synced
    maybe future type of implants
    that you can have.
  • Not Synced
    So, this is actually a cardiac sock,
    it's 3D-printed and it's making
  • Not Synced
    a rabbit's heart beat outside
    the body of the rabbit.
  • Not Synced
    So, there's a lot of technology
    and sensors and things that
  • Not Synced
    are going to be implanted ***
    and I think more of you
  • Not Synced
    will become cyborgs like me
    in the future
  • Not Synced
    E: And there's a lot of work
    that you could be doing.
  • Not Synced
    You know, 3D-printing
    these devices,
  • Not Synced
    and open sourcing as much
    of this as possible.
  • Not Synced
    There's a lot to say here, right?
  • Not Synced
    I think it's time to address
    the really scary issue.
  • Not Synced
    The informed consent issue
    around patching, right?
  • Not Synced
    Remember earlier we were
    talking about the programmers
  • Not Synced
    and we pointed out that there
    were firmware blobs in there
  • Not Synced
    and that these people,
    you know, your doctor or nurse
  • Not Synced
    could upgrade the code
    running on your medical implant.
  • Not Synced
    Now, is there a legal requirement
    for them to inform you,
  • Not Synced
    before they alter the code
    that's running inside your body?
  • Not Synced
    As far as we can tell
  • Not Synced
    - and we need to look at a lot of
    different countries at the same time,
  • Not Synced
    so we gonna ask you to help us -
  • Not Synced
    as far as we can tell there are not
    laws requiring your doctor
  • Not Synced
    to tell you that they are upgrading
    the firmware in your device.
  • Not Synced
    M: Yeah, think about that laughs
  • Not Synced
    It's a quite scary thing.
  • Not Synced
    I want to know what's happening
    to my implant, the code,
  • Not Synced
    if someone wants to alter the code
    inside my body, I would like to know
  • Not Synced
    and I would like to make
    an informed decision on that
  • Not Synced
    and give my consent
    before it happens.
  • Not Synced
    E: You might even choose a device
    where that's possible or not possible
  • Not Synced
    because you're making a risk-based
    decision and you're an informed consumer
  • Not Synced
    but how do we help people,
    who don't wanna understand
  • Not Synced
    software and firmware and upgrades
    make those decisions in the future as well.
  • Not Synced
    Alright.
    M: So now, if we're going to go through
  • Not Synced
    all this, but there's a lot of reasons
    why we're in the situations of having
  • Not Synced
    insecure medical devices.
  • Not Synced
    There's a lot of legacy technology because
    there's a long lifetime of these devices
  • Not Synced
    and it takes a long time
    to get them on the market.
  • Not Synced
    And they can be patched,
    but in some cases
  • Not Synced
    they are not patched or there are
    no software updates applied to them.
  • Not Synced
    We don't have any third party
    security testing of the devices,
  • Not Synced
    and that's really needed in my opinion.
    E: Right, an underwriters laboratory
  • Not Synced
    or consumer laboratory that's there
    to check some of these details.
  • Not Synced
    And I don't think that's unreasonable,
    right? That sort of approach.
  • Not Synced
    M: And there's a lack of regulations,
    also. So there's a lot of things
  • Not Synced
    that should be worked on.
  • Not Synced
    E: So, there's a lot of
    ways to solve this
  • Not Synced
    and we're not gonna give you
    the answer, because we're not
  • Not Synced
    geniuses, so we're
    gonna say that
  • Not Synced
    these are some different
    approaches that we see all
  • Not Synced
    playing in a solution space.
  • Not Synced
    So, vendor awareness is
    obviously important, but
  • Not Synced
    that's not the only thing.
    A lot of the vendors have been
  • Not Synced
    very supportive and
    very open to discussion,
  • Not Synced
    of transparency, that needs to
    happen more in the future, right?
  • Not Synced
    Security risk monitoring,
    I've been working in the field
  • Not Synced
    of cyber insurance, which I'm sure
    sounds like insanity to the rest of you,
  • Not Synced
    and it is, there are bad days.
    But that could play a part
  • Not Synced
    in this risk *** in the future.
  • Not Synced
    What about medical incidence response,
    right? Or medical device forensics.
Video Language:
English
Duration:
01:00:16