Marie Moe, Eireann Leverett: Unpatchable

Not Synced

Angel: The next talk will start now
Not Synced

and will be "Unpatchable -
Not Synced

living with a vulnerable
implanted device"
Not Synced

by Dr. Marie Moe and Eireann Leverett.
Not Synced

Give them a warm round
of applause please.
Not Synced

applause
Not Synced

Heart Monitor Beep starts
Not Synced

So, we are here today
Not Synced

to talk to you about a subject
Not Synced

that is really close to my heart.
Not Synced

I have a medical implant.
Not Synced

A pacemaker, that is generating
Not Synced

every single beat of my heart.
Not Synced

But how can I trust my own heart,
Not Synced

when it's being controlled by a machine,
Not Synced

running a proprietary code,
Not Synced

and there is no transparency?
Not Synced

So I'm a patient,
Not Synced

but I'm also a security researcher.
Not Synced

I'm a hacker, because I like
Not Synced

to figure out how things work.
Not Synced

That's why I started a project
Not Synced

on breaking my own heart,
Not Synced

together with Eireann
Not Synced

and a couple of friends.
Not Synced

Because I really want to know
Not Synced

what protocols are running
Not Synced

in this machine inside my body.
Not Synced

Is the crypto correctly implemented?
Not Synced

Does it even have crypto?
Not Synced

So I'm here to inspire you today.
Not Synced

I want more people
to hack to save lives.
Not Synced

Because we are all becoming
Not Synced

more and more dependent on machines.
Not Synced

Maybe some of you in the audience
Not Synced

also have medical implants,
Not Synced

maybe you know someone
Not Synced

that's also depending on
medical implants
Not Synced

Imagine that this is your heartbeat
Not Synced

and it's being controlled by a device.
Not Synced

A device, that might fail.
Not Synced

Due to software bugs,
Not Synced

due to hardware failures.
Not Synced

Additional background sound:
real heartbeat
Not Synced

Wouldn't you also like to know
Not Synced

if it has security vulnerabilities?
Not Synced

If it can be trusted?
Not Synced

Sounds stop
Not Synced

beeeeep
Not Synced

Eireann: Something to think about, right?
Not Synced

Marie: Yeah.
Not Synced

Eireann: Marie is an incredibly
brave women.
Not Synced

When she asked me to give this talk
Not Synced

it made me nervous, right?
Not Synced

It's such a personal story.
Not Synced

Such a journey as well.
Not Synced

And she's gonna talk to you
Not Synced

about a lot of things, right?
Not Synced

Not just hacking medical devices
Not Synced

from a safety point of view
Not Synced

but also some of the
privacy concerns,
Not Synced

some of the transparency concerns,
Not Synced

some of the consent concerns.
Not Synced

So, there's a lot to get trough
Not Synced

in the next hour.
Not Synced

But I think you're gonna enjoy it
Not Synced

quite a lot.
Not Synced

Marie: So, let me tell you
Not Synced

the story about my heart.
Not Synced

So, 4 years ago
Not Synced

I got my medical implant.
Not Synced

It was a kind of emergency situation
Not Synced

because my heart was starting to beat
Not Synced

really slow,
Not Synced

so i needed to have the pacemaker.
Not Synced

I had no choice.
Not Synced

After I got the implant,
Not Synced

since I was a security researcher,
Not Synced

of course I started to
Not Synced

look up information about how it worked.
Not Synced

And I googled for information.
Not Synced

I found a technical manual
Not Synced

of my pacemaker
Not Synced

and I started to read it.
Not Synced

And i was quite surprised
Not Synced

when I learned that
Not Synced

my pacemaker has 2 wireless interfaces.
Not Synced

There is one interface, that is really
Not Synced

close field communication,
Not Synced

near field communication
Not Synced

that is being used when I'm at checkups
Not Synced

at the hospital,
Not Synced

where the technician,
Not Synced

the pacemaker technician or doctor
Not Synced

uses a programming device
Not Synced

and places it
Not Synced

really close to my pacemaker.
Not Synced

And it's possible to use that
Not Synced

communication to adjust the settings.
Not Synced

But it also has another
Not Synced

wireless interface,
Not Synced

that I was not aware of,
Not Synced

that I was not informed of
as a patient.
Not Synced

It has a possibility for remote monitoring
Not Synced

or telemetry,
Not Synced

where you can have an
access point in your house
Not Synced

that will communicate
Not Synced

with the pacemaker
Not Synced

at a couple of meters distance.
Not Synced

And it can collect logs from the pacemaker
Not Synced

and send them to a server
Not Synced

at the vendor.
Not Synced

And there is a web interface
Not Synced

where the doctor can log in
Not Synced

and retrieve my information.
Not Synced

And I have no access the data
Not Synced

that is being collected
Not Synced

by my device.
Not Synced

Eireann: So imagine for a moment
Not Synced

that you are buying a new phone
Not Synced

or buying a new laptop.
Not Synced

You would do your homework, right?
Not Synced

You would understand
what interfaces where there.
Not Synced

But in Marie's case she's just
Not Synced

given a device,
and then later she gets
Not Synced

to go and read the manual, right?
Not Synced

So she's the epitome
of a informed consumer
Not Synced

in the space
Not Synced

and we want a lot more informed consumers
Not Synced

in the space,
Not Synced

which is why we are giving this talk.
Not Synced

Now, I don't know about you,
Not Synced

but I'm used to hacking
Not Synced

industrial systems.
Not Synced

I haven't done as much medical research
Not Synced

in the past.
Not Synced

So, when I first started this project
Not Synced

I knew literally nothing
Not Synced

about Marie's heart.
Not Synced

Or even my own.
Not Synced

And she had to teach me
how the heart works
Not Synced

and how her pacemaker works.
Not Synced

So, would you mind explaining
Not Synced

some details to the audience
that will be relevant
Not Synced

through the rest of the presentation?
Not Synced

Marie: Actually I think we're going to
Not Synced

show you a video of
how the heart works.
Not Synced

So, it's a little bit of
biology introduction here
Not Synced

before we start
with the technical details.
Not Synced

So, this.. play the video.
Not Synced

Video: A normal heart beat rate
Not Synced

and rhythm is called
"Normal Sinus Rhythm".
Not Synced

The heart's pumping action
Not Synced

is driven by electrical stimulation
Not Synced

within the heart muscle.
Not Synced

the heart's electrical system
Not Synced

allows it to beat in an
Not Synced

organized, synchronized pattern.
Not Synced

Every normal heart beat
Not Synced

has 4 steps.
Not Synced

Step 1:
Not Synced

As blood flows into the heart
Not Synced

an electrical impulse
Not Synced

from an upper area of the right atrium
Not Synced

also known as the sinus node
Not Synced

causes the atria to contract.
Not Synced

When the atria contract
Not Synced

they squeeze the blood
Not Synced

into the ventricles.
Not Synced

Step 3:
Not Synced

There is a very short pause
Not Synced

only about a fraction of a second.
Not Synced

and Step 4:
Not Synced

The ventricles contract
Not Synced

pumping the blood to the body.
Not Synced

A heart normally beats
Not Synced

between 60-100 times/min.
Not Synced

Electrical signals in your heart
Not Synced

can become blocked or irregular,
Not Synced

causing a disruption
Not Synced

in your hearts normal rhythm.
Not Synced

When the heart's rhythm is too fast,
Not Synced

too slow or out of order,
Not Synced

an arrhythmia,
Not Synced

also called a rhythm disorder occurs.
Not Synced

When your heart beats out of rhythm,
Not Synced

it may not deliver enough blood
Not Synced

to your body.
Not Synced

Rhythm disorders can be caused
Not Synced

by a number of factors
Not Synced

including disease, heredity,
Not Synced

medications or other factors.
Not Synced

Eireann: So for those of you
who are already aware of that,
Not Synced

apologies.
Not Synced

But I needed to learn that.
Not Synced

I needed to learn the basics
Not Synced

before we even got started, right?
Not Synced

So...
Not Synced

Marie: So this is a diagram of the
Not Synced

electrical system of the heart.
Not Synced

So, as you see,
this is the sinus node
Not Synced

that is generating the pulse.
Not Synced

And in my case
Not Synced

I had a problem with the signal
Not Synced

being generated by the sinus node
Not Synced

not reaching the lower
heart chamber.
Not Synced

It's something called an AV block
or a heart block
Not Synced

So, occasionally this will cause
Not Synced

an arrhythmia that makes
the heart pause.
Not Synced

If you don't have a heart beat
Not Synced

for, like ... 8-10 seconds,
Not Synced

you lose your consciousness.
Not Synced

And that was, what happened to me.
Not Synced

I just suddenly found myself
Not Synced

lying on the floor
Not Synced

and I didn't remember how I got there.
Not Synced

And it turned out that it was my heart
Not Synced

that had taken a break.
Not Synced

So that's how I discovered
Not Synced

that I had this issue.
Not Synced

So, this is where the signal is blocked
Not Synced

on the way down to the lower heart chamber
Not Synced

But there's a backup function
Not Synced

in the heart that can make
Not Synced

a so called backup pulse.
Not Synced

And I had that backup pulse
Not Synced

when I went to the emergency room.
Not Synced

So I had a pulse around 30-40 beats/min.
Not Synced

And that's generated by some cells
Not Synced

in the lower heart chamber.
Not Synced

So, after I got the pacemaker
Not Synced

my heart started to become
Not Synced

a little bit more lazy.
Not Synced

So it is not certain,
Not Synced

that I will have this backup pulse
Not Synced

anymore if the pacemaker stops working.
Not Synced

So currently
Not Synced

my heart is 100% running
on the pacemaker.
Not Synced

So, let's also look at
how the pacemaker works.
Not Synced

I have another video of that.
Not Synced

So, this is my little friend
Not Synced

that is running my heart.
Not Synced

Video: A pacemaker
is a miniaturized computer
Not Synced

that is used to treat a slow heart beat.
Not Synced

It is about the size
Not Synced

of a couple of stacked silver dollars
Not Synced

and weights approximately 17-25 grams.
Not Synced

It is usually surgically placed
Not Synced

or implanted just under the skin
Not Synced

in the chest area.
Not Synced

The device sends a tiny electrical pulse
Not Synced

down a thin coated wire,
Not Synced

called a lead, into your heart.
Not Synced

This stimulates the heart to beat.
Not Synced

This impulses are very tiny
Not Synced

and most people do not feel them.
Not Synced

While the device helps your heart
Not Synced

maintain its rhythm,
Not Synced

it also stores information
Not Synced

about your heart that can be
Not Synced

retrieved by your doctor
Not Synced

to program the device.
Not Synced

Eireann: Remember that!
Not Synced

Marie: Yeah... Did you see
Not Synced

the ones and zeros at the end
Not Synced

of the video?
Not Synced

That's what we want to know
more about.
Not Synced

Because this information
Not Synced

that is being collected
by the pacemaker,
Not Synced

how it works,
Not Synced

how the code looks like,
Not Synced

it's all closed source,
Not Synced

it's all proprietary information.
Not Synced

And that's why we need more
Not Synced

security researchers,
Not Synced

we need more 3rd party testing,
Not Synced

to be sure that we can trust this code.
Not Synced

Eireann: And you can imagine that
Not Synced

we're doing some of this research as well.
Not Synced

But I'm not gonna break
Marie's heart on stage,
Not Synced

I'm not gonna drop (???)
Not Synced

on some medical devices,
Not Synced

so if you came for that,
Not Synced

it's not worth staying.
Not Synced

The rest of the presentation
Not Synced

will be about some of the things we found
Not Synced

and how this works and
Not Synced

how you might approach this research.
Not Synced

And some of the people
who did this research before,
Not Synced

because there's plenty of others,
Not Synced

and we like to give a shout-out
Not Synced

to those who've done
great research in advance.
Not Synced

But essentially this point is
Not Synced

very relevant.
Not Synced

That the internet of medical things
Not Synced

is already here.
Not Synced

And Marie is wired into it.
Not Synced

She's a bit younger than the average
Not Synced

pacemaker patient, but, you know,
Not Synced

she was thrust into this situation
Not Synced

where she had to think about things
Not Synced

in a very different way.
Not Synced

Like, you did a Masters,
breaking crypto,
Not Synced

and also a PHD in Information Security.
Not Synced

Did you imagine, that things you learned
Not Synced

about SSH and network security
Not Synced

might one day apply to your
heart and your own body?
Not Synced

Marie: No, I never
figured out that
Not Synced

my research would eventually
end up inside my own body.
Not Synced

That's something I never
thought about.
Not Synced

And also, there's a lot of
Not Synced

people that don't think about
Not Synced

how the medical devices
actually work.
Not Synced

So, when I asked this question
Not Synced

to health care professionals
Not Synced

they look at me like I'm crazy,
Not Synced

they don't ... they have never
thought about this before.
Not Synced

That there's actually code
inside my body
Not Synced

and someone has programmed it,
Not Synced

someone has written this code.
Not Synced

And, did they think about,
that this
Not Synced

would actually control
someone's life,
Not Synced

and be my own personal
critical infrastructure?
Not Synced

Eireann: Yeah, personal
infrastructure, right?
Not Synced

On a physical level.
Not Synced

And also, I think, it's...
Not Synced

You know, the point that you made
is important to reiterate,
Not Synced

that you go and see your doctor
Not Synced

and you ask these questions about
Not Synced

whether anyone can hack into my heart
Not Synced

and they probably look at you
and go like
Not Synced

'Don't you worry your pretty
little head about that', right?
Not Synced

But Marie used to head up
Not Synced

the Norwegian computer
emergency response team
Not Synced

for a couple of years
Not Synced

and knows a lot of hackers
Not Synced

and knows what she's
talking about, right?
Not Synced

So, when she asked her doctor
these questions,
Not Synced

they're very legitimate questions.
Not Synced

And the doctors probably
don't know anything about code,
Not Synced

but they need to move
towards a place
Not Synced

where they can answer
those questions with some
Not Synced

honesty and certainty and
treat them with the dignity
Not Synced

that they deserve.
Not Synced

Should we show them
a little bit more
Not Synced

about the total ecosystem
of devices
Not Synced

that we are talking about,
at least in this particular talk?
Not Synced

Marie: Yeah.
Not Synced

Eireann: So, this was
all new to me.
Not Synced

I mean I've moved around
in networks and done some
Not Synced

penetration testing and
some stuff in the past,
Not Synced

but I didn't know much about
implantable medical devices.
Not Synced

So, we've got a couple
of them there.
Not Synced

The ICD, which is the
in-cardio-defibrillator,
Not Synced

that's some of the work
that you saw from Barnaby Jack
Not Synced

which we will mention later,
Not Synced

was on those particular devices,
Not Synced

We've got the pacemakers
and of course other devices
Not Synced

could be in this diagram as well.
Not Synced

Like, we could be talking
about insulin pumps
Not Synced

or other things in the future.
Not Synced

The device itself speaks
to box number 2,
Not Synced

which we will tell you a little bit
more about in a moment,
Not Synced

using a protocol, commonly
referred to as 'MICS".
Not Synced

A number of different
devices use this
Not Synced

Medical Implant Communication Service.
Not Synced

And Marie shocked me yesterday
Not Synced

when she found
a couple devices
Not Synced

that potentially use Bluetooth.
Not Synced

sigh
laughing
Not Synced

So, would you like to tell them
a little bit more about the access point,
Not Synced

and I'll join in?
Not Synced

Marie: Yeah, so, the access
point is the device
Not Synced

that you can typically have
on your bed stand
Not Synced

and that will, depending
on your configuration,
Not Synced

contact your pacemaker
as regular intervals,
Not Synced

e.g. once during the night.
Not Synced

It will start a communication
with the pacemaker,
Not Synced

couple of meters distance,
Not Synced

and will start
collecting logs.
Not Synced

And this logs will
then be sent,
Not Synced

it can be via SMS
or other means,
Not Synced

to a server.
Not Synced

So, there's a lot of my
personal information
Not Synced

that can end up different
places in this diagram.
Not Synced

So, of course it's
in my own device,
Not Synced

it will be then communicated
via this access point
Not Synced

and also then
Not Synced

via the cellular network.
Not Synced

And then it will also be stored
in the telemetry server.
Not Synced

Potentially when I go
for the checkups
Not Synced

my personal information will
also end up in my
Not Synced

doctor workstation
Not Synced

or in the electronic
patient records.
Not Synced

And there's a lot of things
that can go wrong there.
Not Synced

Eireann: Yeah, you
can see, it's using
Not Synced

famously secure methods
of communication
Not Synced

that have never been backdoored
or compromised by anyone ever before,
Not Synced

even here at this conference,
probably even this time around.
Not Synced

So these are some things
that are concerning.
Not Synced

The data also travels often
to other countries
Not Synced

and so there are questions
about the jurisdiction
Not Synced

in terms of privacy laws
in terms of some of this data.
Not Synced

And some of you can go and
look deeper into that as well.
Not Synced

The telemetry store thing
I think is important,
Not Synced

some of this is a telemetry store,
such as the server at the vendor.
Not Synced

So the vendor owns some
machines somewhere
Not Synced

that collect data
from Marie's heart.
Not Synced

So you can imagine she goes to see her
doctor and the doctor is like:
Not Synced

'Hey, Marie, last weekend, did you, ...
run a half marathon or something?'
Not Synced

And she hasn't told him, right?
Not Synced

Like, he just can look
at the data and see,
Not Synced

that her heart rate was up
for a couple hours.
Not Synced

That's true though, right? You
did actually run a half marathon.
Not Synced

Marie: Yeah, I did run a half marathon.
laugh
Not Synced

Eireann: So, the telemetry
store is one part,
Not Synced

but there's also the
doctors work station
Not Synced

which contains a lot of
this medical data.
Not Synced

So, from privacy perspective
that's part of the attack surface.
Not Synced

But there's also the programmers, right?
Not Synced

There's the device's programmers.
Not Synced

So that's an interesting point, that
I hope a lot of you are interested in
Not Synced

already, that there
is a programmer
Not Synced

for these devices.
Not Synced

Marie: So, we actually
went shopping on eBay
Not Synced

and we found some
of these devices.
Not Synced

Eireann: You can buy them on eBay?
Not Synced

Marie: Yeah.
Eireann: laugh
Not Synced

Marie: So, I found
a programmer
Not Synced

that can program
my device, on eBay
Not Synced

and I bought it.
Not Synced

And I also found a couple of
these access points.
Not Synced

So, that's what we're
now starting to look at.
Not Synced

Eireann: We just wanna to give
you an overview of this system,
Not Synced

and it's fairly similar across the
different device vendors,
Not Synced

and we're not going to talk
about individual vendors.
Not Synced

But if you're gonna go and
do this kind of research
Not Synced

you can see that some of the research
you've already done in the past
Not Synced

applies to different parts
of this process.
Not Synced

Marie: And talking about
patient privacy,
Not Synced

when we got the
programmer from ebay
Not Synced

it actually contained
patient information.
Not Synced

So, that's the
really bad thing.
Not Synced

Eireann: So, I found
this very odd.
Not Synced

I had a similar reaction
to yourselves because
Not Synced

I usually do industrial
system stuff.
Not Synced

One of my friends picked up
some PLCs recently and
Not Synced

they had data from the nuclear plant,
that the PLCs had been used in.
Not Synced

So, decommissioning is a problem
in industrial systems
Not Synced

but it turns out also
in medical devices, right?
Not Synced

I guess that's a useful point
to make as well,
Not Synced

about the costs of doing
this kind of research.
Not Synced

It is possible to get some
devices, some implants
Not Synced

from people who have sadly
passed on,
Not Synced

but that comes with a very high
cost of biomedical decontamination.
Not Synced

So that raises the cost
of doing this research
Not Synced

on the implants themselves,
not necessarily on the rest
Not Synced

of the devices.
Not Synced

Marie: Yeah, so, also want
to say, that in this research
Not Synced

I had not *** with my own device.
Not Synced

So, that would not be a good thing ...
Not Synced

Eireann: You're not gonna let me,
like, SSH in your heart and just ...
Not Synced

Marie: Um.. No.
Eireann: ... just delete some stuff.. No?
Not Synced

Marie: No.
Eireann: I wouldn't do it anyway,
Not Synced

but it's an interesting point, right?
Not Synced

So, like, there are a lot of
safety percussions
Not Synced

that we and the rest
of the team have to take
Not Synced

when we are doing this research.
Not Synced

And one of them is
not pairing Marie's pacemaker
Not Synced

with any of the devices
that are under test.
Not Synced

Do you wanna say a bit more
about connectivity and vulnerability?
Not Synced

Marie: Yeah, so...
Not Synced

I was worried
when I discovered that
Not Synced

I had this possible connectivity
to the medical internet of things.
Not Synced

In my case this is switched off
in the configurations
Not Synced

but it's there.
Not Synced

It's possible to turn it on,
it's possible for me to be
Not Synced

hooked up to the,
this internet of medical things.
Not Synced

And for some patients
this is really benefit.
Not Synced

So you always have to make
a *** decision
Not Synced

on whether or not to
make use of this
Not Synced

connectivity.
Not Synced

But I think it's really important
that you make an informed decision
Not Synced

about that and that the patient
Not Synced

is informed and has given
his or her consent
Not Synced

to have this feature.
Not Synced

The battery lifetime of my pacemaker
is around 10 years.
Not Synced

So in 6 years time
Not Synced

I will have to have a
replacement surgery
Not Synced

and I'm going to be
a really difficult patient.
Not Synced

laughs
audience laughing
Not Synced

So, ...
applause
Not Synced

Eireann: Right on
Not Synced

Marie: I really want to know
Not Synced

how the devices work
by then and
Not Synced

I want to make an informed
decision on whether or not
Not Synced

to have this connectivity.
Not Synced

But of course for lot of patients
the benefit of having this
Not Synced

outweighs the risk.
Not Synced

Because people that had other
heart problems than me
Not Synced

they have to go for more
frequent checkups.
Not Synced

I only have to go once a year.
Not Synced

So, for patients that need to go
frequently for checkups,
Not Synced

it's really good for them
to have the possibility
Not Synced

of having telemetry and
having connectivity to
Not Synced

have remote patient monitoring.
Not Synced

Eireann: Yeah, imagine you
have mobility problems or
Not Synced

you even just live far
Not Synced

from a major city.
Not Synced

And making the journey
to the hospital is quite arduous,
Not Synced

then this kind of remote
telemetry allows your doctor
Not Synced

to keep track of
what's going on.
Not Synced

And that's very important,
we don't wanna, like...
Not Synced

have a big scary testosterone
filled talk where we, like,
Not Synced

hack some pacemakers.
Not Synced

We wanna talk about
how there's a dual use thing
Not Synced

going on here.
Not Synced

And that there is a lot of value
in having this devices
Not Synced

but we also want them to be save
and secure and preserve our privacy
Not Synced

and a lot of other things.
Not Synced

So, these are some
of the issues.
Not Synced

Of course the last one,
the remote assassination scenario,
Not Synced

that' s everyone favorite one
to fantasize about
Not Synced

or talk about, or make
movies about, but
Not Synced

we think there's a lot of
other issues in here
Not Synced

that are more interesting,
Not Synced

some quality issues even, right,
Not Synced

that we'll talk about
in a little bit.
Not Synced

Battery exhaustion,
Not Synced

again something many people
don't think about. But...
Not Synced

I'm very interested in
cyber-physical exploitation
Not Synced

and so some of this elements
were interesting to me
Not Synced

that you might use the device
in a way that wasn't expected.
Not Synced

Marie: So personally I'm not afraid
of being remotely assassinated.
Not Synced

Eireann: I've actually never known
you to be afraid of anything
Not Synced

Marie: laughs
Not Synced

I'm more worried about
software bugs in my device,
Not Synced

the things that can malfunction,
Not Synced

Eireann: Is that just theoretical?
Not Synced

Marie: No, actually software bugs
Not Synced

have killed people.
Not Synced

So, think about that!
Not Synced

People that are not here,
Not Synced

they don't have their voice
and they can't really
Not Synced

give there story.
Not Synced

But there are stories about persons
depending on medical devices
Not Synced

dying because their
device malfunctioned.
Not Synced

Eireann: There's even some
great research
Not Synced

from academics about
how the user interface design
Not Synced

of medical devices can have
an impact on patients safety
Not Synced

and how designing UX
Not Synced

much more clearly
and concisely
Not Synced

specifically for the
medical profession
Not Synced

might improve
the care of patients.
Not Synced

Do you wanna say more
about this slide or should we
Not Synced

go on to the previous work,
should we... go ahead!
Not Synced

Marie: Yeah, I think it's really
important also to...
Not Synced

the issue of trusting the vendors.
Not Synced

So, as a patient I'm
expected to just, you know,
Not Synced

trust, that my device
is working correctly,
Not Synced

every security vulnerability
has been corrected by the vendor
Not Synced

and it's safe.
Not Synced

But I want to have more
third party testing,
Not Synced

I want to have more security
research on medical implants.
Not Synced

And as a lot things, like ...
history has shown
Not Synced

we can't always trust that
the vendors do the right thing.
Not Synced

Eireann: I think this is a good
opportunity for us to ask
Not Synced

a very fun question, which is:
Not Synced

Any fans of DMCA in the room?
Not Synced

laughter from the audience
Not Synced

No? No fans? Alright.
Not Synced

Well, you then you'll really enjoy this.
Not Synced

Marie has some very exiting news
about DMCA exceptions.
Not Synced

Maire: Yeah, so... October, this year
Not Synced

there was a ruling of
an DMCA exemption for
Not Synced

security research
on medical devices
Not Synced

also for *** security research.
Not Synced

So, this means, that
Not Synced

as researchers you can
Not Synced

actually do reverse engineering
of medical implants
Not Synced

without infringing copyright laws.
Not Synced

It will take effect
I think October next year.
Not Synced

Eireann: Yeah.
Marie: That is really a big
Not Synced

step forward in my opinion.
Not Synced

And I hope that this will
encourage more research.
Not Synced

And I also want to mention
that there are
Not Synced

fellow activist patients
like myself
Not Synced

that was behind that proposal
of having this exemptions.
Not Synced

So, Jay Radcliff who hacked
his own insulin pump,
Not Synced

Karen Sandler, who is a free and
open software advocat.
Not Synced

And Hugo Campos, who has
an ICD implant, he is very ...
Not Synced

he wants to have access
to his own data
Not Synced

for quantified self reasons.
Not Synced

So this patients,
they actually
Not Synced

made this happen,
that you're allowed to do
Not Synced

security research
on medical devices.
Not Synced

I think that's really great.
Not Synced

applause
Not Synced

Eireann: Do you wanna say something
about Scott Erven's presentation
Not Synced

that you saw at DEF CON?
Not Synced

Marie: Yeah, that was a really
interesting presentation about
Not Synced

how medical devices have
really poor security.
Not Synced

And they have, like,
hard coded credentials,
Not Synced

and you can find them
using *** on the internet.
Not Synced

This were not pacemakers,
but other types of
Not Synced

different medical devices.
Not Synced

There are, like, hospital networks
that are completely open
Not Synced

and you can access
the medical equipment
Not Synced

using default passwords that
you can find in the manuals.
Not Synced

And the vendors claim that
Not Synced

no, these are not hard coded,
these are default,
Not Synced

but then the manuals say:
Do not change this password...
Not Synced

Eireann: Because they want to
integrate with other stuff, right? So...
Not Synced

I've heard that excuse from SCADA,
so I wasn't having it.
Not Synced

Marie: They also put up some
medical device honeypots
Not Synced

to see if they were *** targeted(?)
hacking attempts
Not Synced

but they only picked up malware
on them, which is also ...
Not Synced

Eireann: Only!
Marie: ... of course of a concern laughs
Not Synced

Eireann: Anything else,
about prior(?), Kevin?
Not Synced

Marie: I guess we should mention
that the academic research
Not Synced

on hacking pacemakers,
which was started by
Not Synced

a group led by Kevin Fu
Not Synced

and they had this
first paper in 2008
Not Synced

that they also followed up
with more academic research
Not Synced

and they showed that it's
possible to hack a pacemaker.
Not Synced

They showed that...
this was possible on a, like
Not Synced

a couple of centimeters
distance only,
Not Synced

so, like, the attack scenario
would be, if you have a
Not Synced

device similar to the
programmers device
Not Synced

and you attack me with it
you can laughs
Not Synced

turn off my pacemaker.
Not Synced

That's not really scary,
Not Synced

but then we have the research
by Barnaby Jack
Not Synced

where this range of the attack
is extended to several meters
Not Synced

so you have someone with
an antenna in a room
Not Synced

scanning for pacemakers
Not Synced

and starting to program them.
Not Synced

Eireann: We have a saying
at Cambridge about that.
Not Synced

Some of the other people at the
university have been doing attacks
Not Synced

a lot longer than I have, and
one of the things they say is:
Not Synced

'Attacks only get worse,
they never get better.'
Not Synced

So, the range might be short one year,
then a couple of years later it's worse.
Not Synced

Marie: The worst case scenario
I think would be remotely,
Not Synced

via the internet being able to
hack pacemakers.
Not Synced

but there's no research so far
indicating that that's possible.
Not Synced

Eireann: And we don't wanna
hype that up. We don't wanna...
Not Synced

Marie: No.
Eireann: ... get that kind of an angle
Not Synced

on this talk. We wanna make the
point that hacking can save lives,
Not Synced

that hackers are global citizen's
resource to save lives, right? So...
Not Synced

Marie: Yeah, so, this is the result
of hacking of the drug infusion pumps.
Not Synced

Earlier this year
Not Synced

the FDA actually issued the first ever
recall of a medical device
Not Synced

based on cyber security concerns.
Not Synced

Eireann: I think that's amazing, right?
They've recalled products
Not Synced

because of cyber security concerns. They
used to have to wait until someone died.
Not Synced

In fact, they had to show
something like 500 deaths
Not Synced

before you could recall a product.
So now they can ...
Not Synced

the FDA, at least in the US,
they can recall products
Not Synced

just based on security
considerations.
Not Synced

Marie: So, this is also,
Not Synced

I guess the first example
of that type of pro-active
Not Synced

security research,
where you can
Not Synced

make a proof of concept
without killing any patients
Not Synced

and then that closes
the security holes.
Not Synced

And that potentially
saves lives.
Not Synced

And no one has been hurt
in the research.
Not Synced

I think that's great.
Not Synced

Eireann: I'm also really excited
because we give a lot of presentations
Not Synced

about security that are filled with
*** and depression,
Not Synced

so it's nice to have two major victories
in medical device research
Not Synced

in the last few years.
One being the DMCA exemptions
Not Synced

and the other being
actual product recalls.
Not Synced

Marie: Yeah, and the FDA are starting
to take these issues seriously and
Not Synced

they are really focusing on the cyber
security of medical implants now.
Not Synced

I'm going to go to a workshop
arranged by the FDA in January
Not Synced

and participate on a panel discussing
cyber security of medical implants.
Not Synced

And it's great to have this
type of interaction between
Not Synced

the security committee, medical
device vendors and the regulators.
Not Synced

So, things are happening.
Not Synced

Eireann: Yeah. How do you feel
as an audience,
Not Synced

are you glad that she's going to be
your representative in Washington
Not Synced

for some of these issues?
Not Synced

applause
Not Synced

And we want you to get
involved as well, right?
Not Synced

This is not just about Marie
and myself and the other people
Not Synced

who worked on this
project, it's meant say
Not Synced

you too can do this research.
And you should be.
Not Synced

You have to be a little sensitive,
a little bit precise and articulate
Not Synced

about concerns.
Not Synced

We take some inspiration from the
former research around hygiene.
Not Synced

Imagine the first time some scientist
went to some other scientist and said
Not Synced

'There is this invisible stuff,
and it's on your hands,
Not Synced

and if you don't wash your hands
people get infections!"
Not Synced

And everyone thought
they were crazy.
Not Synced

Well, it's kind of the same with us
talking about industrial systems
Not Synced

or talking about medical devices
or talking about hacking in general.
Not Synced

People just didn't, sort of,
believe it was possible at first.
Not Synced

And so we have to articulate ourselves
very, very carefully.
Not Synced

So, we draw inspiration from
that early hygiene movement
Not Synced

where they had a couple simple rules
that started to save people's lives
Not Synced

while they explained germ theory
to the masses.
Not Synced

M: Yeah, so, this type of research
is kind of low hanging fruits
Not Synced

where you just, so...
Not Synced

*** is an example, where
Not Synced

there's a lot of medical
device networks in hospitals
Not Synced

that are open to the internet
and that can get infected
Not Synced

by normal type of malware,
like *** trojans or whatever.
Not Synced

And this is potentially a safety issue.
Not Synced

So, if your MR scanner or some other
Not Synced

more life-critical device
is being unavailable because of
Not Synced

a virus on it,
Not Synced

that's a real concern for patient
security and safety.
Not Synced

So we need to think more about
the hygiene also in terms of
Not Synced

computer viruses, not only
just normal viruses.
Not Synced

E: Yeah. So, you know, some
times people will treat you like
Not Synced

this is an entirely theoretical
concern, but
Not Synced

I think this is one of the best
illustrations that we've found
Not Synced

of how that should
be a concern,
Not Synced

and I think all of you will get it,
Not Synced

but I wanna give you a moment to kind of
read what's about to come up on the slides.
Not Synced

So I'll just let you enjoy
that for a moment.
Not Synced

So if it's not clear or it's not your
first language or something,
Not Synced

this guy basically *** patient data
across a bunch of amazon clusters.
Not Synced

And then it was unavailable.
And they were very concerned
Not Synced

about the unavailability of their
costumer patient data
Not Synced

*** across amazon instances.
Not Synced

He was complaining to support, like
'Can I get support to fix this?' laughs
Not Synced

M: So, all the data of the ...
Not Synced

... the monitoring data of the cardiac
patients is unavailable to them
Not Synced

because of the service
being downed.
Not Synced

And, well, do you want to outsource your
patient's safety to the cloud? Really?
Not Synced

I don't want that.
Okay.
Not Synced

E: I wanna get into some other details.
We have sort of 10 min left if we can ...
Not Synced

so we can have a lot of questions,
and I'm sure there will be some.
Not Synced

But I want you to talk to them about
this very personal story.
Not Synced

This is... Remember before, when we
said, is this stuff theoretical?
Not Synced

I want you to pay a lot of
attention to this story.
Not Synced

It really moved me
when she first told me.
Not Synced

M: I know how it feels to have
my body controlled by a device
Not Synced

that is not working correctly.
Not Synced

So, I think it was around 2 or 3
weeks after I had the surgery.
Not Synced

I felt fine.
Not Synced

But I hadn't really done
any exercise yet.
Not Synced

The surgery was pretty easy,
I only had 2 sick leave
Not Synced

and then I came back to work
Not Synced

and I went to London
Not Synced

to participate in a course
in ethical hacking and
Not Synced

I did take the London Underground
together with some of my colleges
Not Synced

and we went of at this station
at Covent Garden
Not Synced

And I don't know if you
have been there but
Not Synced

that particular station is
really low underground.
Not Synced

They have elevators that you
can use to get up,
Not Synced

but usually there are, like,
long queues to the elevators...
Not Synced

E: You always have to do
things the hard way, right?
Not Synced

You had to take the stairs, or
Not Synced

they were just heading for the stairs
and I was following them and
Not Synced

we're starting to climb the stairs and
I didn't read this warning sign, which is:
Not Synced

'Those with luggage, pushchairs & heart
conditions, please use the lift' laughs
Not Synced

Because I was feeling fine,
Not Synced

and this was the first time that I
figured out there's something wrong
Not Synced

with my pacemaker or with my heart.
Not Synced

Because I came like
half way up this stairs
Not Synced

and I felt like I was going to die.
Not Synced

It was a really horrible feeling.
Not Synced

I didn't have any more breath left,
Not Synced

I felt like I wasn't able
to complete the stairs.
Not Synced

I didn't know what was
happening to me, but
Not Synced

somehow I managed to
drag myself up the stairs
Not Synced

and my heart was really...
Not Synced

it didn't feel right.
Not Synced

So, first thing when I came
back from this course
Not Synced

I went to my doctor
Not Synced

and we started to try
debug me, tried to find out
Not Synced

what was wrong with my pacemaker.
Not Synced

And this is how that looks like.
E: laughs
Not Synced

M: So, there's a stack
of different programmers
Not Synced

- this is not me by the way, but it's
a very similar situation.
Not Synced

E: And we'll come back to those
programmers in a moment.
Not Synced

M: Yeah.
E: But the bit I want you
Not Synced

to focus on is, like, they're
debugging your pacemaker?
Not Synced

Inside you?
M: Yeah, I didn't know
Not Synced

what was happening
at the time.
Not Synced

We were just trying to
get the settings right
Not Synced

and it took like 2 or 3 months before
we figured out what was wrong.
Not Synced

And what happened was, that my
operate limit was set to low for me,
Not Synced

for my age. So, the normal pacemaker
patient is maybe around 80 years old
Not Synced

and the default operate
limit was 160 beats/min.
Not Synced

And that's pretty low for
a young person.
Not Synced

E: So, imagine, like, you're younger
and you're really fit and you know
Not Synced

how to do something really well,
like swimming or skiing or skateboarding
Not Synced

or whatever. You're fantastic at it.
And then a couple years go past
Not Synced

and you know, you gain some weight
and you're not as good at it, right?
Not Synced

But now imagine that
happens in 3 seconds.
Not Synced

While you're walking
up a set of stairs.
Not Synced

M: So, what happens is that
the pacemaker detects
Not Synced

'Oh, you have a really high pulse'.
And there's a safety mechanism
Not Synced

that will cut your pulse in half ...
E: In half!
Not Synced

laughing
M: laughs So in my case it went
Not Synced

from 160 beats/min to 80 beats/min.
In a second, or less than a second,
Not Synced

and that felt really, really horrible.
Not Synced

And it took a long time
to figure out what was wrong.
Not Synced

It wasn't until they put me on
an exercise bike and
Not Synced

had me on monitoring that they
figured out what was wrong, because
Not Synced

the thing was, that what was displayed
on the pacemaker technician's view
Not Synced

was not the same settings that
my pacemaker actually had.
Not Synced

There was a software bug in the
programmer, that caused this problem.
Not Synced

E: So they thought they had updated
her settings to be that of a young person.
Not Synced

They were like
'Oh, we've already changed it'.
Not Synced

But they lost the view. They couldn't
see the actual state of the pacemaker.
Not Synced

And the only way to figure that out
was to put her on a bike
Not Synced

and let her cycle until her
heart rate was high enough.
Not Synced

You know, literally physically
debugging her to figure out
Not Synced

what was wrong.
Not Synced

Now stop and think about whether or not
you would trust your doctor
Not Synced

to debug software.
Not Synced

laughing
Not Synced

So, say a little bit more about those
programmers and then we'll move on
Not Synced

towards the future.
Not Synced

M: Yeah, so, we got one of these
programmers, as mentioned
Not Synced

and looked inside it.
Not Synced

And, well, we named this talk
'Unpatchable', because
Not Synced

originally my hypothesis was that,
if you find a bug in a pacemaker
Not Synced

it will be hard to patch it.
Not Synced

Maybe it would require surgery.
Not Synced

But then when we looked
inside the programmer
Not Synced

and we saw that it contained firmware
for pacemakers we realized that
Not Synced

it's possible to actually patch the
pacemaker via this programmer.
Not Synced

E: One of the other researchers
finds these firmware blobs inside
Not Synced

the programmer code and, like,
my heart stopped at that point, right?
Not Synced

I was just going 'Really, you can just
update the code on someones pacemaker?'
Not Synced

We also wanna say something
about standardization.
Not Synced

Look at all those
different programmers.
Not Synced

Someone goes into a hospital
with one of these devices
Not Synced

they have may different programmers
so they have to make an estimation
Not Synced

of which... you know, which
programmer for which device.
Not Synced

Like, which one are you running.
Not Synced

And, so, some standardization
would be an option laughs
Not Synced

perhaps, in this case.
M: Yeah.
Not Synced

E: Alright. So, we gonna need
to move quickly through
Not Synced

the next few slides to talk
to you about the future,
Not Synced

but I hope that drives home that
this is a very real issue for real people.
Not Synced

M: So, pacemakers are evolving and
they are getting smaller
Not Synced

and this is the type of pacemaker
that you can actually implant
Not Synced

inside the heart.
Not Synced

So, the pacemaker I have today
is outside the heart and it has
Not Synced

leads that are wired to my heart.
Not Synced

But in future they are getting
smaller and more sophisticated and
Not Synced

I think this is exiting!
Not Synced

I think that a lot of you,
also in the audience will
Not Synced

benefit from having this type of
technology when you grow older
Not Synced

and we can have longer lives and
we can live more healthier lives
Not Synced

because of the technology
E: And keep in mind, right?
Not Synced

Some of you may already have devices
and already have this issues,
Not Synced

but others of you will think 'Ah, that
won't happen to me for quite a long time"
Not Synced

But it can be a sudden thing, that,
you know, you don't necessarily
Not Synced

have a choice to run code
inside your body.
Not Synced

Which OS do you wanna implant?
laughing
Not Synced

E: You wanna tell them about the..
M: This is also a quite exciting
Not Synced

maybe future type of implants
that you can have.
Not Synced

So, this is actually a cardiac sock,
it's 3D-printed and it's making
Not Synced

a rabbit's heart beat outside
the body of the rabbit.
Not Synced

So, there's a lot of technology
and sensors and things that
Not Synced

are going to be implanted ***
and I think more of you
Not Synced

will become cyborgs like me
in the future
Not Synced

E: And there's a lot of work
that you could be doing.
Not Synced

You know, 3D-printing
this devices,
Not Synced

and open sourcing as much
of this as possible.
Not Synced

There's a lot to say here, right?
Not Synced

I think it's time to address
the really scary issue.
Not Synced

The informed consent issue
around patching, right?
Not Synced

Remember earlier we were
talking about the programmers
Not Synced

and we pointed out that there
were firmware blobs in there
Not Synced

and that these people,
you know, your doctor or nurse
Not Synced

could upgrade the code
running on your medical implant.
Not Synced

Now, is there a legal requirement
for them to inform you,
Not Synced

before they alter the code
that's running inside your body?
Not Synced

As far as we can tell
Not Synced

- and we need to look at a lot of
different countries at the same time,
Not Synced

so we gonna ask you to help us -
Not Synced

as far as we can tell there are not
laws requiring your doctor
Not Synced

to tell you that they are upgrading
the firmware in your device.
Not Synced

M: Yeah, think about that laughs
Not Synced

It's a quite scary thing.
Not Synced

I want to know what's happening
to my implant, the code,
Not Synced

if someone wants to alter the code
inside my body, I would like to know
Not Synced

and I would like to make
an informed decision on that
Not Synced

and give my consent
before it happens.
Not Synced

E: You might even choose a device
where that's possible or not possible
Not Synced

because you're making a risk-based
decision and you're an informed consumer
Not Synced

but how do we help people,
who don't wanna understand
Not Synced

software and firmware and upgrades
make those decisions in the future as well.
Not Synced

Alright.
M: So now, if we're going to go through
Not Synced

all this, but there's a lot of reasons
why we're in the situations of having
Not Synced

insecure medical devices.
Not Synced

There's a lot of legacy technology because
there's a long lifetime of this devices
Not Synced

and it takes a long time
to get them on the market.
Not Synced

And they can be patched,
but in some cases
Not Synced

they are not patched or there are
no software updates applied to them.
Not Synced

We don't have any third party
security testing of the devices,
Not Synced

and that's really needed in my opinion.
E: Right, an underwriters laboratory
Not Synced

or consumer laboratory that's there
to check some of these details.
Not Synced

And I don't think that's unreasonable,
right? That sort of approach.
Not Synced

M: And there's a lack of regulations,
also. So there's a lot of things
Not Synced

that should be worked on.
Not Synced

E: So, there's a lot of
ways to solve this
Not Synced

and we're not gonna give you
the answer, because we're not
Not Synced

geniuses, so we're
gonna say that
Not Synced

these are some different
approaches that we see all
Not Synced

playing in a solution space.
Not Synced

So, vendor awareness is
obviously important, but
Not Synced

that's not the only thing.
A lot of the vendors have been
Not Synced

very supportive and
very open to discussion,
Not Synced

of transparency, that needs to
happen more in the future, right?
Not Synced

Security risk monitoring,
I've been working in the field
Not Synced

of cyber insurance, which I'm sure
sounds like insanity to the rest of you,
Not Synced

and it is, there are bad days.
But that could play a part
Not Synced

in this risk *** in the future.
Not Synced

What about medical incidence response,
right? Or medical device forensics.

Title:: Marie Moe, Eireann Leverett: Unpatchable
Description:: more » « less
Video Language:: English
Duration:: 01:00:16

	C3Subtitles edited English subtitles for Marie Moe, Eireann Leverett: Unpatchable
	Bar Sch edited English subtitles for Marie Moe, Eireann Leverett: Unpatchable
	Bar Sch edited English subtitles for Marie Moe, Eireann Leverett: Unpatchable
	Bar Sch edited English subtitles for Marie Moe, Eireann Leverett: Unpatchable
	Bar Sch edited English subtitles for Marie Moe, Eireann Leverett: Unpatchable
	Bar Sch edited English subtitles for Marie Moe, Eireann Leverett: Unpatchable
	Anna Sternchen edited English subtitles for Marie Moe, Eireann Leverett: Unpatchable
	Anna Sternchen edited English subtitles for Marie Moe, Eireann Leverett: Unpatchable

Show all

English subtitles

Revisions Compare revisions

Revision 27 Edited

C3Subtitles
Revision 26 Edited

Bar Sch
Revision 25 Edited

Bar Sch
Revision 24 Edited

Bar Sch
Revision 23 Edited

Bar Sch
Revision 22 Edited

Bar Sch
Revision 21 Edited

Anna Sternchen
Revision 20 Edited

Anna Sternchen
Revision 19 Edited

Anna Sternchen
Revision 18 Edited

Anna Sternchen
Revision 17 Edited

-pika-
Revision 16 Uploaded

C3Subtitles
Revision 15 Edited

Sciencekompass
Revision 14 Edited

-pika-
Revision 13 Edited

-pika-
Revision 12 Edited

-pika-
Revision 11 Edited

-pika-
Revision 10 Edited

-pika-
Revision 9 Edited

-pika-
Revision 8 Edited

-pika-
Revision 7 Edited

-pika-
Revision 6 Edited

-pika-
Revision 5 Edited

-pika-
Revision 4 Edited

-pika-
Revision 3 Edited

-pika-
Revision 2 Edited

-pika-
Revision 1 Edited

-pika-

	Revision Number	Author	Created
	27	C3Subtitles
	26	Bar Sch
	25	Bar Sch
	24	Bar Sch
	23	Bar Sch
	22	Bar Sch
	21	Anna Sternchen
	20	Anna Sternchen
	19	Anna Sternchen
	18	Anna Sternchen
	17	-pika-
	16	C3Subtitles
	15	Sciencekompass
	14	-pika-
	13	-pika-
	12	-pika-
	11	-pika-
	10	-pika-
	9	-pika-
	8	-pika-
	7	-pika-
	6	-pika-
	5	-pika-
	4	-pika-
	3	-pika-
	2	-pika-
	1	-pika-