[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:23.18,0:00:26.47,Default,,0000,0000,0000,,{\i1}Preroll music{\i0} Dialogue: 0,0:00:26.47,0:00:30.59,Default,,0000,0000,0000,,Herald: Good evening, everybody. The\Nupcoming talk is titled "Listen to Your Dialogue: 0,0:00:30.59,0:00:36.15,Default,,0000,0000,0000,,Heart: Security and Privacy of Implantable\NCardio Foo" and will be delivered by e7p, Dialogue: 0,0:00:36.15,0:00:42.49,Default,,0000,0000,0000,,who is a Ph.D. student at the Max Planck\NInstitute, and Christoph Saatjohann who is Dialogue: 0,0:00:42.49,0:00:47.19,Default,,0000,0000,0000,,also a Ph.D. student at the University of\NApplied Sciences Münster where he also Dialogue: 0,0:00:47.19,0:00:53.54,Default,,0000,0000,0000,,teaches security in medical devices. This\Ntalk will also be translated into German. Dialogue: 0,0:00:53.54,0:01:00.66,Default,,0000,0000,0000,,Dieser Vortrag wird auch simultan\Nübersetzt in Deutsch. And that is also the Dialogue: 0,0:01:00.66,0:01:05.03,Default,,0000,0000,0000,,extent of my German. I would say, e7p over\Nto you. Dialogue: 0,0:01:05.03,0:01:09.56,Default,,0000,0000,0000,,e7p: Yeah, thanks a lot for the nice\Nintroduction. I hope you can all hear and Dialogue: 0,0:01:09.56,0:01:15.33,Default,,0000,0000,0000,,see us. OK, so yeah, welcome to the talk\N"Listen to Your Heart: Security and Dialogue: 0,0:01:15.33,0:01:22.89,Default,,0000,0000,0000,,Privacy of Implantable Cardio Foo". I'm\NEndres and as said I'm a Ph.D. student at Dialogue: 0,0:01:22.89,0:01:27.28,Default,,0000,0000,0000,,the Max Planck Institute for Security and\NPrivacy. My main topic is embedded Dialogue: 0,0:01:27.28,0:01:33.90,Default,,0000,0000,0000,,security. This topic is a funded project,\Nwhich is called MediSec.
It's a Dialogue: 0,0:01:33.90,0:01:37.86,Default,,0000,0000,0000,,cooperation between cyber security\Nresearchers in Bochum and Münster, as well Dialogue: 0,0:01:37.86,0:01:42.63,Default,,0000,0000,0000,,as medical technology researchers and\Nstaff of the University Hospital in Dialogue: 0,0:01:42.63,0:01:49.65,Default,,0000,0000,0000,,Münster. And this is funded research. So\Nto start off, we want to give a quick Dialogue: 0,0:01:49.65,0:01:58.63,Default,,0000,0000,0000,,motivation what our topic is about. So we\Nchose these implantable cardiac Dialogue: 0,0:01:58.63,0:02:05.14,Default,,0000,0000,0000,,defibrillators or other heart related\Nimplantable devices. And there are Dialogue: 0,0:02:05.14,0:02:11.65,Default,,0000,0000,0000,,different kinds of these, so there's lots\Nof other classical heart pacemakers, which Dialogue: 0,0:02:11.65,0:02:16.05,Default,,0000,0000,0000,,every one of you should already heard\Nabout. Then there's also implantable Dialogue: 0,0:02:16.05,0:02:25.08,Default,,0000,0000,0000,,defibrillators, which have other\Napplications actually, and there are also Dialogue: 0,0:02:25.08,0:02:31.00,Default,,0000,0000,0000,,heart monitors just for diagnosis. And\Nyeah, as these implants are inside your Dialogue: 0,0:02:31.00,0:02:37.25,Default,,0000,0000,0000,,body, they pose a high risk for threats\Nand also they have communication Dialogue: 0,0:02:37.25,0:02:44.55,Default,,0000,0000,0000,,interfaces that are similar to these of\Nthe Internet of Things. Also, we want to Dialogue: 0,0:02:44.55,0:02:51.17,Default,,0000,0000,0000,,talk a bit about the ethical arguments. So\Nwhen asking: Why hacking medical devices? 
Dialogue: 0,0:02:51.17,0:02:56.58,Default,,0000,0000,0000,,Well, first, the obvious thing is, yeah,\Nthere's a long device lifecycle in the Dialogue: 0,0:02:56.58,0:03:02.52,Default,,0000,0000,0000,,medical sector, presumably because of the\Nstrong regulations and required Dialogue: 0,0:03:02.52,0:03:11.78,Default,,0000,0000,0000,,certifications for medical products. So\Nit's more optimal to keep these devices as Dialogue: 0,0:03:11.78,0:03:23.77,Default,,0000,0000,0000,,long as possible on the market. And for\Nthis reason, it's also sure that the, that Dialogue: 0,0:03:23.77,0:03:38.57,Default,,0000,0000,0000,,the, that there are open bugs from old\Nhardware or software and, but the Dialogue: 0,0:03:38.57,0:03:43.45,Default,,0000,0000,0000,,manufacturers need to know about the\Nissues to be able to do something about Dialogue: 0,0:03:43.45,0:03:50.84,Default,,0000,0000,0000,,it. That's a disclaimer for affected\Npatients. It's independent to the decision Dialogue: 0,0:03:50.84,0:03:58.09,Default,,0000,0000,0000,,for or against such a device what we talk\Nabout. Because after all, these devices Dialogue: 0,0:03:58.09,0:04:09.06,Default,,0000,0000,0000,,can save your life. OK, let's get a bit\Nmore to the details. Also we want to talk Dialogue: 0,0:04:09.06,0:04:15.31,Default,,0000,0000,0000,,shortly about the responsible disclosure\Nprocess. When we found out some bugs and Dialogue: 0,0:04:15.31,0:04:22.89,Default,,0000,0000,0000,,vulnerabilities, we informed all the, the\Ninvolved companies at least six months Dialogue: 0,0:04:22.89,0:04:32.93,Default,,0000,0000,0000,,ago. So from now on, it's maybe a year or.\NSo the companies took us serious. They Dialogue: 0,0:04:32.93,0:04:39.13,Default,,0000,0000,0000,,acknowledged our results and ours and\Ntheir goal is not to worry any affected Dialogue: 0,0:04:39.13,0:04:46.29,Default,,0000,0000,0000,,people but to improve the product\Nsecurity. 
Vulnerable devices are or will Dialogue: 0,0:04:46.29,0:04:53.10,Default,,0000,0000,0000,,soon be replaced, or at least the firmware\Ngets updated. And yeah, whenever we do Dialogue: 0,0:04:53.10,0:04:58.31,Default,,0000,0000,0000,,independent security research, it helps to\Nkeep the quality of the products higher, Dialogue: 0,0:04:58.31,0:05:06.71,Default,,0000,0000,0000,,which is in both ours and their interests.\NAnd one note is, if you ever find out any Dialogue: 0,0:05:06.71,0:05:12.52,Default,,0000,0000,0000,,bugs or vulnerabilities in some product\Nplease inform the companies first before Dialogue: 0,0:05:12.52,0:05:19.56,Default,,0000,0000,0000,,publishing anything of it online or\Nanywhere else. OK, let's get started into Dialogue: 0,0:05:19.56,0:05:27.08,Default,,0000,0000,0000,,the topic. First of all, I want to talk\Nabout all the devices in the environment Dialogue: 0,0:05:27.08,0:05:34.58,Default,,0000,0000,0000,,around the implantable devices. First of\Nall, we have the implants himself. These Dialogue: 0,0:05:34.58,0:05:40.92,Default,,0000,0000,0000,,little devices, they are not so heavy.\NThey are placed, I think, under the skin Dialogue: 0,0:05:40.92,0:05:47.15,Default,,0000,0000,0000,,near the heart. I don't know. I'm not from\Nthe medical sector, but yeah, inside the Dialogue: 0,0:05:47.15,0:05:57.92,Default,,0000,0000,0000,,body and they have one or multiple\Ncontacts which electrodes connect to. And Dialogue: 0,0:05:57.92,0:06:04.60,Default,,0000,0000,0000,,these connect them to muscles or the\Norgans, and to their thing. But as there Dialogue: 0,0:06:04.60,0:06:10.95,Default,,0000,0000,0000,,is no outside connection for configuring\Nor receiving test data or something like Dialogue: 0,0:06:10.95,0:06:17.48,Default,,0000,0000,0000,,this or events. There is a programing\Ndevice which is usually located in the Dialogue: 0,0:06:17.48,0:06:25.79,Default,,0000,0000,0000,,hospital or in the heart clinics. 
Then\Nthere's also a home monitoring station, Dialogue: 0,0:06:25.79,0:06:32.23,Default,,0000,0000,0000,,which the patient takes home and puts at\Nthe bed table, for instance, so it can Dialogue: 0,0:06:32.23,0:06:37.54,Default,,0000,0000,0000,,receive all the relevant data from the\Nimplant every day and transmit relevant Dialogue: 0,0:06:37.54,0:06:44.57,Default,,0000,0000,0000,,data then to the doctor. This does not\Nhappen directly, but over the Dialogue: 0,0:06:44.57,0:06:49.89,Default,,0000,0000,0000,,manufacturer's infrastructure, the\Nstructure and the transmission here is Dialogue: 0,0:06:49.89,0:06:57.86,Default,,0000,0000,0000,,over the internet usually. But then the\Ndoctor can receive all the data over the Dialogue: 0,0:06:57.86,0:07:06.41,Default,,0000,0000,0000,,internet again, and yeah, so that's all\Nthe four big spots where data is Dialogue: 0,0:07:06.41,0:07:14.01,Default,,0000,0000,0000,,transmitted to and from. And if we have an\Nattacker here, he could try to attack or Dialogue: 0,0:07:14.01,0:07:19.34,Default,,0000,0000,0000,,find vulnerabilities in any of these four\Ndevices, as well as their communication Dialogue: 0,0:07:19.34,0:07:26.77,Default,,0000,0000,0000,,interfaces and protocols. OK, coming a bit\Nmore concrete. So in total, there are Dialogue: 0,0:07:26.77,0:07:34.84,Default,,0000,0000,0000,,around five major vendors worldwide that\Ndevelop these implants and other devices Dialogue: 0,0:07:34.84,0:07:46.45,Default,,0000,0000,0000,,around them, and we look. We try to\Nanalyze these three on top here, and yeah. Dialogue: 0,0:07:46.45,0:07:53.05,Default,,0000,0000,0000,,So we go a bit more in detail what we\Nfound out and what we try to analyze here. Dialogue: 0,0:07:53.05,0:08:01.41,Default,,0000,0000,0000,,So going back to the implants, I already\Nshowed it to you. That's maybe how it Dialogue: 0,0:08:01.41,0:08:08.10,Default,,0000,0000,0000,,looks like from the inside. 
Not very good\Nto see, I think, with the camera, but Dialogue: 0,0:08:08.10,0:08:15.49,Default,,0000,0000,0000,,there's also some picture in the slides.\NAnd yeah, first of all, these implants Dialogue: 0,0:08:15.49,0:08:20.75,Default,,0000,0000,0000,,contain the desired functionality. For\Ninstance, defibrillator, pacemaker, heart Dialogue: 0,0:08:20.75,0:08:26.40,Default,,0000,0000,0000,,recorder. And these features have\Ndifferent requirements. For instance, a Dialogue: 0,0:08:26.40,0:08:34.19,Default,,0000,0000,0000,,defibrillator probably needs more power,\Nand so needs a larger battery or a huge Dialogue: 0,0:08:34.19,0:08:40.91,Default,,0000,0000,0000,,capacitor, for instance. And a heart\Nmonitor doesn't need anything of these. Dialogue: 0,0:08:40.91,0:08:45.40,Default,,0000,0000,0000,,And of course, all of these need this\Ncommunication interface, which is realized Dialogue: 0,0:08:45.40,0:08:54.73,Default,,0000,0000,0000,,over radio frequency. But sometimes it's\Nalso only over the inductive coupling, Dialogue: 0,0:08:54.73,0:09:03.03,Default,,0000,0000,0000,,which is maybe known from RFID. And when\Nlooking inside these devices, we see there Dialogue: 0,0:09:03.03,0:09:09.79,Default,,0000,0000,0000,,are highly customized parts inside, which\Nmeans there are unlabeled chips, even Dialogue: 0,0:09:09.79,0:09:16.15,Default,,0000,0000,0000,,unpackaged chips that are directly bonded\Nonto the PCBs. So analysis is quite hard Dialogue: 0,0:09:16.15,0:09:21.99,Default,,0000,0000,0000,,and difficult. But all of these have in\Ncommon that there's a small microcomputer Dialogue: 0,0:09:21.99,0:09:30.88,Default,,0000,0000,0000,,inside that handles everything and also\Nthe communication. Yeah. 
Then there are Dialogue: 0,0:09:30.88,0:09:38.61,Default,,0000,0000,0000,,these home monitoring units, I just get\None here, looks like these, and as I said, Dialogue: 0,0:09:38.61,0:09:48.31,Default,,0000,0000,0000,,they sit on the bed table and transmit the\Ndata on a daily basis to the doctors. They Dialogue: 0,0:09:48.31,0:09:54.71,Default,,0000,0000,0000,,also need some wireless communication\Ninterface to the implant. And when they Dialogue: 0,0:09:54.71,0:09:59.69,Default,,0000,0000,0000,,got the data, they need to transmit them\Nto the doctor. And this is usually done Dialogue: 0,0:09:59.69,0:10:08.76,Default,,0000,0000,0000,,over a mobile to mobile GSM or UMTS\Nnetwork. And then the data is sent to the Dialogue: 0,0:10:08.76,0:10:14.46,Default,,0000,0000,0000,,manufacturer server. And compared to the\Nimplants these are based on standard Dialogue: 0,0:10:14.46,0:10:19.85,Default,,0000,0000,0000,,multipurpose hardware. That means often we\Nwill find there are Linux operating Dialogue: 0,0:10:19.85,0:10:28.35,Default,,0000,0000,0000,,systems and lots of debug ports of serial\Ninterfaces or USB. So they are easily Dialogue: 0,0:10:28.35,0:10:34.98,Default,,0000,0000,0000,,accessible for us. OK. And then we have\Nthis hospital programmer. They are used in Dialogue: 0,0:10:34.98,0:10:41.31,Default,,0000,0000,0000,,the cardiology clinics, are able to\Nconfigure the implants and also use test Dialogue: 0,0:10:41.31,0:10:47.46,Default,,0000,0000,0000,,modes in the implants. But also, like the\Nhome monitoring, they can read out the Dialogue: 0,0:10:47.46,0:10:53.93,Default,,0000,0000,0000,,stored events or live data and. Yeah. So\Nthey are in the heart clinic and operated Dialogue: 0,0:10:53.93,0:10:59.58,Default,,0000,0000,0000,,by doctors. And usually these are rented\Nto the hospitals or leased from the Dialogue: 0,0:10:59.58,0:11:05.55,Default,,0000,0000,0000,,manufacturer. 
But, however, we could find\Nout that individuals could buy these Dialogue: 0,0:11:05.55,0:11:13.65,Default,,0000,0000,0000,,second hand on specialized, yeah,\Nspecialized platforms similar to eBay, I Dialogue: 0,0:11:13.65,0:11:21.55,Default,,0000,0000,0000,,would say, for medical devices. And now on\Nto our methodology when analyzing the Dialogue: 0,0:11:21.55,0:11:28.79,Default,,0000,0000,0000,,devices. So first of all, we thought about\Ngoals of a potential attacker. First of Dialogue: 0,0:11:28.79,0:11:39.60,Default,,0000,0000,0000,,all he mainly would like to influence the\Nimplantable device itself. And this can be Dialogue: 0,0:11:39.60,0:11:45.86,Default,,0000,0000,0000,,done either. This can be mostly done over\Nthe interface that the programming device Dialogue: 0,0:11:45.86,0:11:54.14,Default,,0000,0000,0000,,uses, so to inject malicious firmware in\Nthe implant could be one goal of the Dialogue: 0,0:11:54.14,0:11:59.84,Default,,0000,0000,0000,,potential attacker. Another goal could be\Nto GSM spoof the connection of the home Dialogue: 0,0:11:59.84,0:12:08.17,Default,,0000,0000,0000,,monitoring box and then dump some some\Nmedical data or also privacy related data. Dialogue: 0,0:12:08.17,0:12:15.01,Default,,0000,0000,0000,,And yeah, when looking at the programing\Ndevice, one could also think about direct Dialogue: 0,0:12:15.01,0:12:25.19,Default,,0000,0000,0000,,misuse to use, for example, the test modes\Nalready included in the device. So what Dialogue: 0,0:12:25.19,0:12:34.26,Default,,0000,0000,0000,,research questions do result in this? So\Nthe first question is: What is possible Dialogue: 0,0:12:34.26,0:12:40.12,Default,,0000,0000,0000,,only with the direct interaction with\Ngenuine devices, which means that is non- Dialogue: 0,0:12:40.12,0:12:48.98,Default,,0000,0000,0000,,invasive? And the second question is: How\Nsecure are these in general? Like, when Dialogue: 0,0:12:48.98,0:12:54.60,Default,,0000,0000,0000,,also invasive attacks are allowed. 
And the\Nthird question is: Can we finally Dialogue: 0,0:12:54.60,0:13:03.00,Default,,0000,0000,0000,,understand all communication protocols or\Nis this rather difficult to do? OK. So now Dialogue: 0,0:13:03.00,0:13:10.43,Default,,0000,0000,0000,,we look more concretely on these attack\Nvectors, and we do this with the devices Dialogue: 0,0:13:10.43,0:13:17.20,Default,,0000,0000,0000,,which we got from our partner hospital.\NAnd yeah, to start off, we looked at the Dialogue: 0,0:13:17.20,0:13:24.37,Default,,0000,0000,0000,,Biotronik home monitoring unit. And what\Nwe did there was to run a rogue GSM cell. Dialogue: 0,0:13:24.37,0:13:38.02,Default,,0000,0000,0000,,So we did GSM spoofing with OpenBTS. And\Nthis allowed us to intercept data. So this Dialogue: 0,0:13:38.02,0:13:42.89,Default,,0000,0000,0000,,data, which we got then, was not\Nencrypted, so we could reveal the access Dialogue: 0,0:13:42.89,0:13:50.48,Default,,0000,0000,0000,,credentials. And the same credentials you\Ncould also find out when dumping the Dialogue: 0,0:13:50.48,0:13:57.28,Default,,0000,0000,0000,,firmware from the microcontroller. And\Nthis was then done over the JTAG Dialogue: 0,0:13:57.28,0:14:03.42,Default,,0000,0000,0000,,interface. This firmware, which we got\Nthere, could be reverse engineered with Dialogue: 0,0:14:03.42,0:14:10.11,Default,,0000,0000,0000,,Ghidra, which is an open source tool for\Nreverse engineering. And what we found Dialogue: 0,0:14:10.11,0:14:16.00,Default,,0000,0000,0000,,there was also an AES cypher\Nimplementation, which is mainly used for Dialogue: 0,0:14:16.00,0:14:23.41,Default,,0000,0000,0000,,authentication steps. Also, the firmware\Ncontained the credentials and thus the Dialogue: 0,0:14:23.41,0:14:31.12,Default,,0000,0000,0000,,internet domain cm3-homemonitoring.de. 
But\Naccording to the manufacturer, this domain Dialogue: 0,0:14:31.12,0:14:37.67,Default,,0000,0000,0000,,is only used as an authentication realm.\NHowever, they were kind of surprised when Dialogue: 0,0:14:37.67,0:14:44.98,Default,,0000,0000,0000,,we told them that actually they are using\Nthe same domain for other services. But I Dialogue: 0,0:14:44.98,0:14:54.13,Default,,0000,0000,0000,,hope they won't do this anymore. So, yeah,\Nthis should be fine. OK. Next up is the Dialogue: 0,0:14:54.13,0:14:58.24,Default,,0000,0000,0000,,Medtronic home monitoring unit, the\Napproach there was similar to the Dialogue: 0,0:14:58.24,0:15:05.40,Default,,0000,0000,0000,,Biotronik home monitoring unit. What we\Nfound there was that a spoofing attack was Dialogue: 0,0:15:05.40,0:15:13.00,Default,,0000,0000,0000,,not quite possible because this Medtronic\Nhome monitoring unit uses a mobile to Dialogue: 0,0:15:13.00,0:15:21.83,Default,,0000,0000,0000,,mobile SIM card, which is on a intranet,\Nnot done on an internet or a VPN, could Dialogue: 0,0:15:21.83,0:15:30.50,Default,,0000,0000,0000,,think about this. And so we couldn't get a\Nconnection to the original service. And Dialogue: 0,0:15:30.50,0:15:39.59,Default,,0000,0000,0000,,however, we found also on a web blog post\Na documented method to find out about the Dialogue: 0,0:15:39.59,0:15:45.69,Default,,0000,0000,0000,,encryption password because the firmware\Nof the device is encrypted. And, yeah, Dialogue: 0,0:15:45.69,0:15:51.67,Default,,0000,0000,0000,,turned out that it was a Linux embedded\NLinux system, which we could also Dialogue: 0,0:15:51.67,0:15:58.39,Default,,0000,0000,0000,,influence when opening up and tearing down\Nthe device. Taking out, I think it was an Dialogue: 0,0:15:58.39,0:16:04.28,Default,,0000,0000,0000,,SD card and then overwriting some, some\Nfiles. 
And here in the picture, you can Dialogue: 0,0:16:04.28,0:16:12.20,Default,,0000,0000,0000,,also see where we could display an image\Non the screen of the device. This was done Dialogue: 0,0:16:12.20,0:16:20.72,Default,,0000,0000,0000,,using some DBus messages because it was an\Nembedded Linux really. So here we've got Dialogue: 0,0:16:20.72,0:16:28.83,Default,,0000,0000,0000,,also the server backend addresses also in\Nthe firmware. But more to that later. The Dialogue: 0,0:16:28.83,0:16:34.56,Default,,0000,0000,0000,,third device which we analyzed was this\NBoston Scientific programing device. You Dialogue: 0,0:16:34.56,0:16:43.09,Default,,0000,0000,0000,,can switch the camera so we can see it\Nmore clearly here. Yeah. So this rather Dialogue: 0,0:16:43.09,0:16:53.80,Default,,0000,0000,0000,,huge device we could buy for around 2.000\NU.S. dollars from this auction platform. Dialogue: 0,0:16:53.80,0:17:00.00,Default,,0000,0000,0000,,And we could also tear this down because\Nit's never used any more for real Dialogue: 0,0:17:00.00,0:17:09.83,Default,,0000,0000,0000,,productive cases. And there we found a\Nhard disk inside. And there is also a Dialogue: 0,0:17:09.83,0:17:17.64,Default,,0000,0000,0000,,Linux system on it, which I think is from\N2002, in the slides. And the device itself Dialogue: 0,0:17:17.64,0:17:24.36,Default,,0000,0000,0000,,is an Intel Pentium based device, which is\Ndesigned in 2004, and the software is from Dialogue: 0,0:17:24.36,0:17:34.06,Default,,0000,0000,0000,,2011. So quite old, right? But yeah. So\Nthat's I think the thing about this Dialogue: 0,0:17:34.06,0:17:41.44,Default,,0000,0000,0000,,device.
The Linux kernel, sorry, the Linux\Nsystem in the device also contained a Dialogue: 0,0:17:41.44,0:17:51.94,Default,,0000,0000,0000,,window manager, the tiling window manager\Nand using the modifying files or shell Dialogue: 0,0:17:51.94,0:17:59.08,Default,,0000,0000,0000,,scripts on the hard disk allowed us to\Nalso start the twm, the tiling window Dialogue: 0,0:17:59.08,0:18:05.93,Default,,0000,0000,0000,,manager on certain actions. So from there\Non, we could simply open up an xterm shell Dialogue: 0,0:18:05.93,0:18:15.71,Default,,0000,0000,0000,,and then have root rights. OK. So maybe I\Nwill show it in the live demonstration Dialogue: 0,0:18:15.71,0:18:23.37,Default,,0000,0000,0000,,later. Also, we found some region lock\Nconfiguration file, which we could also Dialogue: 0,0:18:23.37,0:18:33.14,Default,,0000,0000,0000,,alter to allow to connect to the radio\Nfrequency, which implants used around the Dialogue: 0,0:18:33.14,0:18:39.92,Default,,0000,0000,0000,,world. And as the Linux kernel is so old,\Nprobably further exploits are likely Dialogue: 0,0:18:39.92,0:18:47.87,Default,,0000,0000,0000,,possible. But the device is luckily being\Nreplaced right now. That's what Boston Dialogue: 0,0:18:47.87,0:18:57.45,Default,,0000,0000,0000,,Scientific told us. One nice thing about\Nthis device is that we found also a x86 Dialogue: 0,0:18:57.45,0:19:04.62,Default,,0000,0000,0000,,binary, which is called "checkDongle" on\Nthe hard disk and this checkDongle is more Dialogue: 0,0:19:04.62,0:19:10.88,Default,,0000,0000,0000,,binary. It just looks for direct\Nconnections on the printer port. And when Dialogue: 0,0:19:10.88,0:19:15.13,Default,,0000,0000,0000,,reverse engineering the direct\Nconnections, we could rebuild a genuine Dialogue: 0,0:19:15.13,0:19:24.26,Default,,0000,0000,0000,,dongle. OK. 
So with this dongle we were\Nthen able to also change this RF region Dialogue: 0,0:19:24.26,0:19:34.03,Default,,0000,0000,0000,,setting inside the general menu of the\Ndevice, but we could also boot into either Dialogue: 0,0:19:34.03,0:19:41.01,Default,,0000,0000,0000,,the integrated firmware upgrade utility\Nover some special USB drive additionally, Dialogue: 0,0:19:41.01,0:19:51.42,Default,,0000,0000,0000,,or we could access the BIOS configuration\Nand boot from different devices. This, of Dialogue: 0,0:19:51.42,0:19:56.77,Default,,0000,0000,0000,,course, could leak stored treatment data\Nand personal data of the patients that are Dialogue: 0,0:19:56.77,0:20:05.45,Default,,0000,0000,0000,,stored, maybe on the hard disk itself or\Nlater on when something is modified. OK, Dialogue: 0,0:20:05.45,0:20:11.59,Default,,0000,0000,0000,,so now I have prepared a little live\Ndemonstration with this programing device. Dialogue: 0,0:20:11.59,0:20:18.95,Default,,0000,0000,0000,,Maybe the guys from the camera operation\Ncan switch to the live feed from the Dialogue: 0,0:20:18.95,0:20:26.21,Default,,0000,0000,0000,,device itself. We will see what I see\Nhere. And first of all, I will quickly Dialogue: 0,0:20:26.21,0:20:37.25,Default,,0000,0000,0000,,show how the device itself works and I\Njust put this antenna on one implant and Dialogue: 0,0:20:37.25,0:20:44.39,Default,,0000,0000,0000,,then the interrogate button leads to\Nstarting the specific software for the Dialogue: 0,0:20:44.39,0:20:50.99,Default,,0000,0000,0000,,implant. As you already see the tiling\Nwindow manager also started, so when we Dialogue: 0,0:20:50.99,0:20:56.58,Default,,0000,0000,0000,,want to, we can start a xterm terminal and\Nwhen connected to a keyboard, we can also Dialogue: 0,0:20:56.58,0:21:08.37,Default,,0000,0000,0000,,type in something and we are root. 
Also in\Nthis standard interface now we can access Dialogue: 0,0:21:08.37,0:21:13.52,Default,,0000,0000,0000,,some test modes or settings of the\Nimplant, but I'm not really into it, so Dialogue: 0,0:21:13.52,0:21:22.06,Default,,0000,0000,0000,,let's skip this part when setting or doing\Nsome stuff here. But what else we could do Dialogue: 0,0:21:22.06,0:21:31.79,Default,,0000,0000,0000,,now is this security dongle. I just plug\Nit in and then started again with an Dialogue: 0,0:21:31.79,0:21:44.71,Default,,0000,0000,0000,,attached flash drive. Then it starts this\Nnormal BIOS post. And when this is done it Dialogue: 0,0:21:44.71,0:21:50.12,Default,,0000,0000,0000,,simply boots from this USB flash drive.\NOne special thing about this flash drive Dialogue: 0,0:21:50.12,0:21:58.31,Default,,0000,0000,0000,,is I had to find one which supports USB\N1.1 because the hardware is so old. But Dialogue: 0,0:21:58.31,0:22:06.85,Default,,0000,0000,0000,,finally, I got it working to boot from\Nthis USB drive. And after some while, when Dialogue: 0,0:22:06.85,0:22:13.99,Default,,0000,0000,0000,,loading all the data, you see, it simply\Nstarts a FreeDOS operating system and then Dialogue: 0,0:22:13.99,0:22:22.60,Default,,0000,0000,0000,,starts Doom. Now we can simply play doom\Non this programing device from a hospital, Dialogue: 0,0:22:22.60,0:22:31.13,Default,,0000,0000,0000,,so. Quite interesting, right? OK, I think\Nyou can switch back to the slides, please. Dialogue: 0,0:22:31.13,0:22:41.68,Default,,0000,0000,0000,,OK. So now that was this programming\Ncomputer. What else is missing, is the Dialogue: 0,0:22:41.68,0:22:48.64,Default,,0000,0000,0000,,server infrastructure between the home\Nmonitoring and the doctor. 
First of all, Dialogue: 0,0:22:48.64,0:22:55.83,Default,,0000,0000,0000,,we looked at the home monitoring access to\Nthe manufacturer and when looking at the Dialogue: 0,0:22:55.83,0:23:03.14,Default,,0000,0000,0000,,credentials or rather the HTTP domain or\NIP address, I don't know, in the home Dialogue: 0,0:23:03.14,0:23:09.92,Default,,0000,0000,0000,,monitoring system of Medtronic, we were\Nable to access the HTTP web server, which Dialogue: 0,0:23:09.92,0:23:16.36,Default,,0000,0000,0000,,the data is, I think, using a POST request\Nis transmitted to the server. However, Dialogue: 0,0:23:16.36,0:23:25.51,Default,,0000,0000,0000,,whatever we sent to the server resulted in\Na blank page with the status code 200. So Dialogue: 0,0:23:25.51,0:23:29.71,Default,,0000,0000,0000,,no matter what we sent, right? We could\Nalso send some really, really incorrect Dialogue: 0,0:23:29.71,0:23:38.03,Default,,0000,0000,0000,,data. But it doesn't matter. It just keeps\Nthis blank page. So this seems to be a Dialogue: 0,0:23:38.03,0:23:46.20,Default,,0000,0000,0000,,measure against this misuse. And maybe\Nit's not so bad it like this. However, I Dialogue: 0,0:23:46.20,0:23:52.95,Default,,0000,0000,0000,,don't know if we looked for any encrypted\Nstuff there. Probably it's only TLS Dialogue: 0,0:23:52.95,0:24:01.34,Default,,0000,0000,0000,,encrypted or something. OK, and then the\Ndoctor also gets the data from the Dialogue: 0,0:24:01.34,0:24:07.43,Default,,0000,0000,0000,,manufacturer server. So this is also\Nusually done over a Web interface, which Dialogue: 0,0:24:07.43,0:24:13.89,Default,,0000,0000,0000,,we learned from our partnering hospital.\NAnd when looking around there, we thought Dialogue: 0,0:24:13.89,0:24:19.98,Default,,0000,0000,0000,,it's not that bad because there's a\Ntypical login username password Dialogue: 0,0:24:19.98,0:24:27.61,Default,,0000,0000,0000,,authentication included. 
And then we\Nstopped there because these are productive Dialogue: 0,0:24:27.61,0:24:32.76,Default,,0000,0000,0000,,systems and we wouldn't want to do some\NSQL injections or something like this Dialogue: 0,0:24:32.76,0:24:39.47,Default,,0000,0000,0000,,because it's a really productive system\Nand probably life-depending monitoring is Dialogue: 0,0:24:39.47,0:24:45.39,Default,,0000,0000,0000,,running there. So we didn't want to risk\Nanything. Right. So better stop there and Dialogue: 0,0:24:45.39,0:24:56.05,Default,,0000,0000,0000,,let it be. OK. So but from the first look,\Nit looked quite okayish. OK, so a quick Dialogue: 0,0:24:56.05,0:25:02.41,Default,,0000,0000,0000,,summary about all these findings on the\Ntechnical aspect. There are several Dialogue: 0,0:25:02.41,0:25:10.09,Default,,0000,0000,0000,,security vulnerabilities in different\Ndevices. Yeah, sure, patients could be Dialogue: 0,0:25:10.09,0:25:16.11,Default,,0000,0000,0000,,harmed, when therapy relevant data was\Nmanipulated. However, usually there is a Dialogue: 0,0:25:16.11,0:25:21.99,Default,,0000,0000,0000,,doctor in between. So whenever the doctor\Ngets some information that something's Dialogue: 0,0:25:21.99,0:25:29.42,Default,,0000,0000,0000,,wrong or something like this, and probably\Nhe would look and find out what is wrong. Dialogue: 0,0:25:29.42,0:25:37.30,Default,,0000,0000,0000,,And yeah, we also found out that it's\Npossible to access medical devices. So, Dialogue: 0,0:25:37.30,0:25:43.11,Default,,0000,0000,0000,,yeah, we got this programing computer for\N2.000 U.S. dollars, which clearly shows Dialogue: 0,0:25:43.11,0:25:51.54,Default,,0000,0000,0000,,that maybe not a good practice to simply\Nrent or lease these devices, but maybe Dialogue: 0,0:25:51.54,0:26:00.49,Default,,0000,0000,0000,,design these at most secure as possible.\NAnd maybe some countermeasures, what can Dialogue: 0,0:26:00.49,0:26:08.65,Default,,0000,0000,0000,,be done to make it better? 
First of all,\Nregular software update maintenance could Dialogue: 0,0:26:08.65,0:26:14.39,Default,,0000,0000,0000,,resolve most of these issues. Also, it\Nwould be nice to include some medical Dialogue: 0,0:26:14.39,0:26:19.01,Default,,0000,0000,0000,,professionals in a product engineering\Nphase, because some test modes maybe Dialogue: 0,0:26:19.01,0:26:25.04,Default,,0000,0000,0000,,aren't that relevant when the implant is\Nfinally inserted in the body after Dialogue: 0,0:26:25.04,0:26:33.80,Default,,0000,0000,0000,,surgery, so then nobody needs these test\Nmodes anymore, for example. And last of Dialogue: 0,0:26:33.80,0:26:42.13,Default,,0000,0000,0000,,all, but not least. Please make use of\Nstate of the art cryptography and PKIs and Dialogue: 0,0:26:42.13,0:26:49.12,Default,,0000,0000,0000,,maybe also open protocols to improve the\Nsecurity and develop something that is as Dialogue: 0,0:26:49.12,0:26:55.03,Default,,0000,0000,0000,,secure as it gets. OK, so this is, I\Nthink, the technical part, and I would Dialogue: 0,0:26:55.03,0:27:00.75,Default,,0000,0000,0000,,like to hand over to Christoph, who will\Ntell us something about the GDPR request Dialogue: 0,0:27:00.75,0:27:07.91,Default,,0000,0000,0000,,and responses and nightmares.\NChristoph Saatjohann: Yeah, thank you. So Dialogue: 0,0:27:07.91,0:27:11.03,Default,,0000,0000,0000,,my name is Christoph Saatjohann from\NMünster University of Applied Sciences, Dialogue: 0,0:27:11.03,0:27:16.03,Default,,0000,0000,0000,,and I will tell you something about the\Nprivacy part, so privacy stuff, because Dialogue: 0,0:27:16.03,0:27:20.13,Default,,0000,0000,0000,,as you already heard, there is a lot of\Ndata included in this complete ecosystem.
Dialogue: 0,0:27:20.13,0:27:24.13,Default,,0000,0000,0000,,So there is some data flowing from the\Nimplantable device to the home monitoring Dialogue: 0,0:27:24.13,0:27:28.92,Default,,0000,0000,0000,,service and then going farther to the\Ninternet to the company of devices here. Dialogue: 0,0:27:28.92,0:27:35.52,Default,,0000,0000,0000,,Now my question was, OK, what can we do\Nhere? How can we take a look into the data Dialogue: 0,0:27:35.52,0:27:39.11,Default,,0000,0000,0000,,processing here? How can we look into the\Nprocesses of the company? What would they Dialogue: 0,0:27:39.11,0:27:44.59,Default,,0000,0000,0000,,do with our data or with the patient data?\NAnd we used the GDPR for this, so the GDPR Dialogue: 0,0:27:44.59,0:27:49.54,Default,,0000,0000,0000,,is the General Data Protection Regulation,\Nit was put in force in 2018. So it's not Dialogue: 0,0:27:49.54,0:27:54.46,Default,,0000,0000,0000,,so new. During our study it was two or\Nthree years old. So we thought the Dialogue: 0,0:27:54.46,0:28:02.63,Default,,0000,0000,0000,,companies are still, are already prepared\Nfor such stuff. Mrs. GDPR, the user in our Dialogue: 0,0:28:02.63,0:28:07.38,Default,,0000,0000,0000,,case, or the patient, can obtain some\Ninformation about the processed data and Dialogue: 0,0:28:07.38,0:28:12.78,Default,,0000,0000,0000,,with the Article 15 of the GDPR the\Npatient can ask about the purpose of the Dialogue: 0,0:28:12.78,0:28:17.63,Default,,0000,0000,0000,,processing, the categories of the data and\Nthe recipients. So, for example, some Dialogue: 0,0:28:17.63,0:28:23.58,Default,,0000,0000,0000,,subcontracts who will get the data from\Nthe patient and compute something that Dialogue: 0,0:28:23.58,0:28:29.42,Default,,0000,0000,0000,,just to convert it to some PDF or put it\Non the web interface for the doctors. 
So Dialogue: 0,0:28:29.42,0:28:35.28,Default,,0000,0000,0000,,that's some typical part, typical tasks\Nfor some subcontractors, so some other Dialogue: 0,0:28:35.28,0:28:41.27,Default,,0000,0000,0000,,recipients who will get the data. With\NArticle 20, it is possible to get a copy Dialogue: 0,0:28:41.27,0:28:46.32,Default,,0000,0000,0000,,of the data itself. The patient could ask\Nthe company: Yeah, please give me a copy Dialogue: 0,0:28:46.32,0:28:50.29,Default,,0000,0000,0000,,of all my own data. I want to look into it\Nor I want to move it to a different Dialogue: 0,0:28:50.29,0:28:57.14,Default,,0000,0000,0000,,company. And for this moving from one\Ncompany to a different company, it's Dialogue: 0,0:28:57.14,0:29:03.86,Default,,0000,0000,0000,,called data portability, the data must be\Nprovided in a commonly used, machine Dialogue: 0,0:29:03.86,0:29:08.95,Default,,0000,0000,0000,,readable format and machine readable\Nformat does not mean PDF, for example. For Dialogue: 0,0:29:08.95,0:29:17.49,Default,,0000,0000,0000,,our topic here, for the measurable things,\Ncommonly used formats may be DICOM or HL7 Dialogue: 0,0:29:17.49,0:29:24.35,Default,,0000,0000,0000,,and not PDF. The GDPR also defines the\Nmaximum answer time. So every request from Dialogue: 0,0:29:24.35,0:29:29.92,Default,,0000,0000,0000,,a customer should be answered in a maximum\Nof four weeks. If it's a real complex Dialogue: 0,0:29:29.92,0:29:34.42,Default,,0000,0000,0000,,thing, a complex request or something like\Nthis, it might be extended up to three Dialogue: 0,0:29:34.42,0:29:39.67,Default,,0000,0000,0000,,months in total, but the customer has to\Nbe informed about the extension and also Dialogue: 0,0:29:39.67,0:29:46.15,Default,,0000,0000,0000,,the reasons for the extension. The last\Npoint is said, so GDPR defines two Dialogue: 0,0:29:46.15,0:29:50.46,Default,,0000,0000,0000,,important roles for the following parts.\NAlso talk here. 
First is the data Dialogue: 0,0:29:50.46,0:29:55.09,Default,,0000,0000,0000,,controller. That means the data controller\Nis responsible for the complete data Dialogue: 0,0:29:55.09,0:29:59.86,Default,,0000,0000,0000,,process. He might want to share this data\Nwith some other recipients or Dialogue: 0,0:29:59.86,0:30:05.59,Default,,0000,0000,0000,,subcontractors or subsidiaries of the\Ncompany. And then the other recipient is Dialogue: 0,0:30:05.59,0:30:11.69,Default,,0000,0000,0000,,called the data processor and he processes\Nthe data. But responsible for this process Dialogue: 0,0:30:11.69,0:30:15.66,Default,,0000,0000,0000,,is the data controller. So the important\Nthing here, the data controller is Dialogue: 0,0:30:15.66,0:30:22.18,Default,,0000,0000,0000,,responsible. Whatever happens, he will,\Nyeah, he has to answer the request. So Dialogue: 0,0:30:22.18,0:30:31.17,Default,,0000,0000,0000,,with these GDPR, yeah, methods here, we\Nthought about: What can we do? And our Dialogue: 0,0:30:31.17,0:30:35.73,Default,,0000,0000,0000,,thing was that we acquired some patients\Nwith some implanted devices and we sent Dialogue: 0,0:30:35.73,0:30:41.66,Default,,0000,0000,0000,,some GDPR inquiries in their names. It was\Na company, so we told the company: OK, we Dialogue: 0,0:30:41.66,0:30:46.27,Default,,0000,0000,0000,,are patient xy and we want to know\Nsomething about our data and we want to Dialogue: 0,0:30:46.27,0:30:51.38,Default,,0000,0000,0000,,have a copy of our own data. And of\Ncourse, now you can argue, OK, now we are Dialogue: 0,0:30:51.38,0:30:57.33,Default,,0000,0000,0000,,handing some very sensitive medical data\Nhere, so we have to keep our study here, Dialogue: 0,0:30:57.33,0:31:02.08,Default,,0000,0000,0000,,our case study itself GDPR compliant. So\Nwe talked to our data protection officer, Dialogue: 0,0:31:02.08,0:31:07.37,Default,,0000,0000,0000,,told our study design here. 
We set up some\Ncontracts with the patients so that we are Dialogue: 0,0:31:07.37,0:31:15.04,Default,,0000,0000,0000,,self GDPR compliant. Hopefully, it works\Nout. So no one, so we haven't got sued. So Dialogue: 0,0:31:15.04,0:31:20.63,Default,,0000,0000,0000,,I think that worked out. At the end we\Nwere waiting for the answers of the Dialogue: 0,0:31:20.63,0:31:24.41,Default,,0000,0000,0000,,companies and the hospitals and of course,\Nanalyze the results. So we looked on the Dialogue: 0,0:31:24.41,0:31:29.80,Default,,0000,0000,0000,,completeness, we thought about: This\Ndataset, is it complete? Or have the Dialogue: 0,0:31:29.80,0:31:33.61,Default,,0000,0000,0000,,companies some other data which were not\Nprovided? We also looked on the data Dialogue: 0,0:31:33.61,0:31:40.18,Default,,0000,0000,0000,,security, especially: How is the data\Ntransmitted? Do we get this via plain text Dialogue: 0,0:31:40.18,0:31:46.59,Default,,0000,0000,0000,,email, perhaps like ZIP files or some CD-\NROMs? So we looked on this process here, Dialogue: 0,0:31:46.59,0:31:50.34,Default,,0000,0000,0000,,and of course, we look on the time of the\Nanswer. So remember, four weeks is the Dialogue: 0,0:31:50.34,0:31:55.22,Default,,0000,0000,0000,,maximum time. In some cases, perhaps three\Nmonths, but standard would be four weeks. Dialogue: 0,0:31:55.22,0:32:01.85,Default,,0000,0000,0000,,And of course, if required, we sent some\Nfollow up queries. Yes. And, as already Dialogue: 0,0:32:01.85,0:32:06.54,Default,,0000,0000,0000,,said, we are some responsible researchers\Nhere, so we also do this responsible Dialogue: 0,0:32:06.54,0:32:10.83,Default,,0000,0000,0000,,disclosure stuff. So we talked to the\Ncompanies and discussed some methods, some Dialogue: 0,0:32:10.83,0:32:16.58,Default,,0000,0000,0000,,process improvements, what can they do or\Nat least what should they do or must do to Dialogue: 0,0:32:16.58,0:32:23.76,Default,,0000,0000,0000,,be GDPR compliant. 
So let's take a look at\Nthe results here, what we get from our Dialogue: 0,0:32:23.76,0:32:29.67,Default,,0000,0000,0000,,case study. First vendor was the Biotronik\Nand we sent the first inquiry to the Dialogue: 0,0:32:29.67,0:32:35.57,Default,,0000,0000,0000,,Biotronik subsidiary, but we learned that\Nwe have a wrong contact. So we just took a Dialogue: 0,0:32:35.57,0:32:39.83,Default,,0000,0000,0000,,data privacy contact from some documents\Nfrom the hospital. But they wrote back: Dialogue: 0,0:32:39.83,0:32:43.27,Default,,0000,0000,0000,,Ah, sorry, we are the wrong company, we're\Njust the sales company from Biotronik. Dialogue: 0,0:32:43.27,0:32:47.69,Default,,0000,0000,0000,,Please refer to the different company.\NThen we wrote a second letter to the Dialogue: 0,0:32:47.69,0:32:51.40,Default,,0000,0000,0000,,different company. And we got an answer\Nafter two months and, now remember, four Dialogue: 0,0:32:51.40,0:32:56.46,Default,,0000,0000,0000,,weeks, it's not two months, so it was\Ndelayed. Sure. But the answer itself was Dialogue: 0,0:32:56.46,0:33:02.20,Default,,0000,0000,0000,,also a bit unsatisfying for us because\NBiotronik told us: The device was never Dialogue: 0,0:33:02.20,0:33:06.60,Default,,0000,0000,0000,,connected to any home monitoring system\Nhere, so no personal data is stored at Dialogue: 0,0:33:06.60,0:33:11.71,Default,,0000,0000,0000,,Biotronik. We asked the patient: Do you\Never have some of these home monitoring Dialogue: 0,0:33:11.71,0:33:17.20,Default,,0000,0000,0000,,devices? And he told us: No, never got\Nthis device. So this is a classic example Dialogue: 0,0:33:17.20,0:33:22.34,Default,,0000,0000,0000,,of a good study design or, in this case, a\Nbad study design. So first of all, get Dialogue: 0,0:33:22.34,0:33:29.28,Default,,0000,0000,0000,,your context right. And secondly, choose\Ngood participants of your study. So this Dialogue: 0,0:33:29.28,0:33:36.01,Default,,0000,0000,0000,,might be a future work item here. 
Perhaps\Nchoose another different patient, perhaps. Dialogue: 0,0:33:36.01,0:33:41.12,Default,,0000,0000,0000,,Next company, we wrote to, was Medtronic.\NYou already know it from the other devices Dialogue: 0,0:33:41.12,0:33:47.45,Default,,0000,0000,0000,,here. And the answer was that we have to\Nsend a copy of the ID card, so they wanted Dialogue: 0,0:33:47.45,0:33:54.61,Default,,0000,0000,0000,,to have an identification verification.\NThe GDPR does not define a really strict Dialogue: 0,0:33:54.61,0:33:59.35,Default,,0000,0000,0000,,method for the verification or when it is\Nrequired, when it's mandatory or when not Dialogue: 0,0:33:59.35,0:34:06.23,Default,,0000,0000,0000,,but in the GDPR it says, it is possible in\Nsome cases and we think here we are Dialogue: 0,0:34:06.23,0:34:10.00,Default,,0000,0000,0000,,dealing here with very sensitive medical\Npersonal data. We think this is totally Dialogue: 0,0:34:10.00,0:34:14.25,Default,,0000,0000,0000,,fine. So identification verification is\Nfine for us, and we think this is a good Dialogue: 0,0:34:14.25,0:34:20.00,Default,,0000,0000,0000,,thing here that they really check it, that\Nwe are the person who is telling the Dialogue: 0,0:34:20.00,0:34:27.11,Default,,0000,0000,0000,,person. They also recommend us to use the\NMedtronic secure email system, and first Dialogue: 0,0:34:27.11,0:34:32.03,Default,,0000,0000,0000,,of all, we had a good impression because\Nit's much better than have some plain text Dialogue: 0,0:34:32.03,0:34:36.17,Default,,0000,0000,0000,,email and if they are hosting some secure\Nemail system on their servers, we said: Dialogue: 0,0:34:36.17,0:34:39.78,Default,,0000,0000,0000,,OK, that's a good idea, right? We have a\NTLS secure connection here. Looks Dialogue: 0,0:34:39.78,0:34:44.54,Default,,0000,0000,0000,,perfectly fine. 
Let me send some tests\Nemails, but we saw on the email headers Dialogue: 0,0:34:44.54,0:34:50.78,Default,,0000,0000,0000,,that email is routed to some US servers\Nfrom the Proofpoint company in the USA. Dialogue: 0,0:34:50.78,0:34:55.40,Default,,0000,0000,0000,,And here we would say, OK, that's not\Nreally good because normally if I'm a Dialogue: 0,0:34:55.40,0:35:00.54,Default,,0000,0000,0000,,German customer or a European customer and\Nsending some GDPR request to the Dialogue: 0,0:35:00.54,0:35:07.88,Default,,0000,0000,0000,,Medtronic, Germany or any other EU\NMedtronic subsidiary, I'm not sure about Dialogue: 0,0:35:07.88,0:35:13.29,Default,,0000,0000,0000,,or I have no knowledge about that email is\Nrouted through the US. And also for the Dialogue: 0,0:35:13.29,0:35:19.56,Default,,0000,0000,0000,,GDPR compliance we are not sure if this is\Nactually allowed because there are some Dialogue: 0,0:35:19.56,0:35:23.51,Default,,0000,0000,0000,,discussions about the Safe Harbor thing.\NSo that might be not really GDPR Dialogue: 0,0:35:23.51,0:35:28.71,Default,,0000,0000,0000,,compliant. In the least it's not good for\Nthe user. It's a bad user experience here. Dialogue: 0,0:35:28.71,0:35:36.52,Default,,0000,0000,0000,,But OK, we will use this anyway, because\Nwe think such a device, such a platform is Dialogue: 0,0:35:36.52,0:35:40.70,Default,,0000,0000,0000,,better than plaintext email, so we sent\Nour inquiry about the system. And the next Dialogue: 0,0:35:40.70,0:35:45.09,Default,,0000,0000,0000,,point was really surprising to us. So we\Nwere waiting for the results. And I looked Dialogue: 0,0:35:45.09,0:35:50.90,Default,,0000,0000,0000,,into my yeah, we created a GMX free web\Nemail service account for this Dialogue: 0,0:35:50.90,0:35:56.38,Default,,0000,0000,0000,,communication and suddenly I got an email\Nin this system in the GMX email. 
So the Dialogue: 0,0:35:56.38,0:36:00.67,Default,,0000,0000,0000,,response from Medtronic was not sent via\Nthe secure channel. It was just sending in Dialogue: 0,0:36:00.67,0:36:05.88,Default,,0000,0000,0000,,plaintext email and we said: OK, what's\Nthe point here? So you recommend us to use Dialogue: 0,0:36:05.88,0:36:10.01,Default,,0000,0000,0000,,the secure system, but they use plaintext\Nemail. So this is a thing they really have Dialogue: 0,0:36:10.01,0:36:17.39,Default,,0000,0000,0000,,to change, sure. Then it goes a bit back\Nand forth, we wrote some emails and they Dialogue: 0,0:36:17.39,0:36:21.63,Default,,0000,0000,0000,,wanted to have some more information about\Nus. What device do we have, what serial Dialogue: 0,0:36:21.63,0:36:28.11,Default,,0000,0000,0000,,number and what services we use. And in\Nthe end, we got a doc file. So a standard Dialogue: 0,0:36:28.11,0:36:32.81,Default,,0000,0000,0000,,Word file as attachment of an email and we\Nshould write some information in it and Dialogue: 0,0:36:32.81,0:36:38.02,Default,,0000,0000,0000,,send it back. And from a security point of\Nview, so from our security researcher site Dialogue: 0,0:36:38.02,0:36:43.25,Default,,0000,0000,0000,,here, we would say that's not the best way\Nto do it because Doc files in the email Dialogue: 0,0:36:43.25,0:36:48.39,Default,,0000,0000,0000,,attachment, this is a classical use for\Nransomware or phishing email. So we did Dialogue: 0,0:36:48.39,0:36:53.67,Default,,0000,0000,0000,,this to get the final data as a final\Nanswer, but we would propose to change the Dialogue: 0,0:36:53.67,0:36:59.32,Default,,0000,0000,0000,,system here. Where we got now the final\Ndata. And so we thought, OK, now we really Dialogue: 0,0:36:59.32,0:37:04.43,Default,,0000,0000,0000,,got some data now. So that's the point\Nwhere we got some really good stuff here. 
Dialogue: 0,0:37:04.43,0:37:09.10,Default,,0000,0000,0000,,But in the end, after this forth and back\Nand creating some accounts on some Dialogue: 0,0:37:09.10,0:37:13.00,Default,,0000,0000,0000,,systems, they just stated: Oh, so we were\Nthe wrong contact. The hospital is Dialogue: 0,0:37:13.00,0:37:17.98,Default,,0000,0000,0000,,responsible. We are just a data controller\Nin this case. And of course, this was a Dialogue: 0,0:37:17.98,0:37:23.01,Default,,0000,0000,0000,,bit unsatisfying because we thought: OK,\Nwe are now close to the to get the data. Dialogue: 0,0:37:23.01,0:37:30.87,Default,,0000,0000,0000,,But never got happened. Yeah, so\Nanalyzing, so in the end, in GDPR Dialogue: 0,0:37:30.87,0:37:36.32,Default,,0000,0000,0000,,compliant might be OK. So we are not into\Nthis relationship between Medtronic and Dialogue: 0,0:37:36.32,0:37:41.07,Default,,0000,0000,0000,,the hospital. So it might be that they\Nhave an agreement: Who is the controller, Dialogue: 0,0:37:41.07,0:37:45.26,Default,,0000,0000,0000,,who was responsible? We couldn't check it\Nas a patient, but of course, the user Dialogue: 0,0:37:45.26,0:37:49.49,Default,,0000,0000,0000,,experience is not good because you have so\Nmany emails and at the end you will get Dialogue: 0,0:37:49.49,0:37:56.84,Default,,0000,0000,0000,,nothing. But the third one is Boston\NScientific. You know Boston Scientific Dialogue: 0,0:37:56.84,0:38:05.62,Default,,0000,0000,0000,,from the nice Doom device here. And we\Nsent an inquiry to BSC, and we got a Dialogue: 0,0:38:05.62,0:38:09.57,Default,,0000,0000,0000,,response that they want to have an\Nidentification verification, so the same Dialogue: 0,0:38:09.57,0:38:15.40,Default,,0000,0000,0000,,as Medtronic. So we said, yeah, that's\Nfine, sounds legit. They said also, yeah, Dialogue: 0,0:38:15.40,0:38:19.78,Default,,0000,0000,0000,,you can use plaintext email. 
Just send an\Nemail to this email address or you can use Dialogue: 0,0:38:19.78,0:38:25.53,Default,,0000,0000,0000,,our online tool and our patient chooses\Nthe email. So from security side, we would Dialogue: 0,0:38:25.53,0:38:31.98,Default,,0000,0000,0000,,use a platform or a secure platform now.\NBut I can totally understand the patient Dialogue: 0,0:38:31.98,0:38:37.64,Default,,0000,0000,0000,,because it was a hard copy letter, so a\Nreal letter by snake postal mail. And he Dialogue: 0,0:38:37.64,0:38:43.34,Default,,0000,0000,0000,,should type this really long link, the\Nlong URL with some random data. And if you Dialogue: 0,0:38:43.34,0:38:47.92,Default,,0000,0000,0000,,type one character wrong, you have to do\Nit again and so on. And from the customer Dialogue: 0,0:38:47.92,0:38:52.30,Default,,0000,0000,0000,,point of view, so the user experience is\Nalso very bad here. So no one wants to Dialogue: 0,0:38:52.30,0:38:57.46,Default,,0000,0000,0000,,really type this in your browser and see\Nif it's correct or not. So Boston Dialogue: 0,0:38:57.46,0:39:02.46,Default,,0000,0000,0000,,Scientific should use a different system\Nhere, some short link system or just have Dialogue: 0,0:39:02.46,0:39:11.26,Default,,0000,0000,0000,,a short domain and a very short access\Ncode, but something better like this one Dialogue: 0,0:39:11.26,0:39:16.35,Default,,0000,0000,0000,,here. But then we got an email. So it was\Na plain text email, so not good, of Dialogue: 0,0:39:16.35,0:39:21.09,Default,,0000,0000,0000,,course, medical data via plain text email\Nnot good. So some can now argue: OK, but Dialogue: 0,0:39:21.09,0:39:27.75,Default,,0000,0000,0000,,our patient started to do it. Our patient\Nstarted to wrote a plaintext email. 
But Dialogue: 0,0:39:27.75,0:39:32.59,Default,,0000,0000,0000,,the common understanding for the GDPR is\Nthat even if the customer is asking via Dialogue: 0,0:39:32.59,0:39:37.57,Default,,0000,0000,0000,,plain text email, the company cannot\Nrespond in plain text email. You have to Dialogue: 0,0:39:37.57,0:39:42.52,Default,,0000,0000,0000,,do something special, something secure. So\Nthis is also a thing Boston Scientific Dialogue: 0,0:39:42.52,0:39:47.01,Default,,0000,0000,0000,,sure changed. But hey, we got seven PDF\Nreports. So our first data now in this Dialogue: 0,0:39:47.01,0:39:52.28,Default,,0000,0000,0000,,case study after I don't know how many\Nemails and letters, but we got some data. Dialogue: 0,0:39:52.28,0:39:57.12,Default,,0000,0000,0000,,Then we thought, OK, seven PDF reports and\Nthe device is active for three years. That Dialogue: 0,0:39:57.12,0:40:02.95,Default,,0000,0000,0000,,sounds not OK, that sounds a bit, a bit\Nless for seven, for three years. So we Dialogue: 0,0:40:02.95,0:40:08.45,Default,,0000,0000,0000,,contacted the doctor, of course, with the\Nconsent of the patient, and the doctor Dialogue: 0,0:40:08.45,0:40:12.66,Default,,0000,0000,0000,,looked into this online portal and saw a\Nlot of data, there were a lot of raw data, Dialogue: 0,0:40:12.66,0:40:18.07,Default,,0000,0000,0000,,a lot of PDF reports and graphs and full\Nof information. And so we thought: OK, Dialogue: 0,0:40:18.07,0:40:22.44,Default,,0000,0000,0000,,that's not enough. We got seven reports\Nbut the system is full of any other data. Dialogue: 0,0:40:22.44,0:40:27.96,Default,,0000,0000,0000,,Of course, we go to BSC and tell us: OK,\Nwe want to have all the data. BSC Dialogue: 0,0:40:27.96,0:40:35.02,Default,,0000,0000,0000,,apologized: OK, so we didn't look it up\Ninto the home monitoring thing, but you Dialogue: 0,0:40:35.02,0:40:41.12,Default,,0000,0000,0000,,can have the data, but we need two extra\Nmonths. 
So, as I said in the interruption, Dialogue: 0,0:40:41.12,0:40:47.39,Default,,0000,0000,0000,,that might be OK if it's a really complex\Nthing and then it might be OK. For my, my Dialogue: 0,0:40:47.39,0:40:53.02,Default,,0000,0000,0000,,understanding is or I have a feeling that\Nthey have to implement some export Dialogue: 0,0:40:53.02,0:40:57.31,Default,,0000,0000,0000,,mechanism to fulfill our request. But OK,\Nif they want to have two months and we got Dialogue: 0,0:40:57.31,0:41:04.05,Default,,0000,0000,0000,,the data, we were fine with this. Yeah,\Nand now final data. Within this extended Dialogue: 0,0:41:04.05,0:41:08.98,Default,,0000,0000,0000,,deadline, so they did this in the\Ndeadline, in the three months, we got all Dialogue: 0,0:41:08.98,0:41:13.18,Default,,0000,0000,0000,,the data. And all the data, I mean,\Nreally, we got a ton of it. It was a large Dialogue: 0,0:41:13.18,0:41:19.17,Default,,0000,0000,0000,,zip file with a lot of HL7 data. So it's a\Nraw, digital, machine readable format. And Dialogue: 0,0:41:19.17,0:41:23.45,Default,,0000,0000,0000,,we got some episode data, also digital as\Nan excel sheet. And we were now really Dialogue: 0,0:41:23.45,0:41:28.96,Default,,0000,0000,0000,,happy because this was really satisfying.\NThe patient, or in this case, we got all Dialogue: 0,0:41:28.96,0:41:35.56,Default,,0000,0000,0000,,the data which are really GDPR compliant.\NSo that was the first and only vendor Dialogue: 0,0:41:35.56,0:41:41.59,Default,,0000,0000,0000,,where we got really our GDPR request\Nfulfilled. Yeah, but last point, we have Dialogue: 0,0:41:41.59,0:41:48.24,Default,,0000,0000,0000,,to mention now the security. It was not\Nsent directly by email, but we just got Dialogue: 0,0:41:48.24,0:41:52.37,Default,,0000,0000,0000,,the download link via email. And from the\Nsecurity perspective, that's more or less Dialogue: 0,0:41:52.37,0:41:56.89,Default,,0000,0000,0000,,the same. 
So if you have a man in the\Nmiddle who can read plaintext email, you Dialogue: 0,0:41:56.89,0:42:02.19,Default,,0000,0000,0000,,can also click on the link in the download\Nemail. So, OK, we got the data but the Dialogue: 0,0:42:02.19,0:42:10.06,Default,,0000,0000,0000,,process here with the security must be\Nimproved. We also got one hospital patient Dialogue: 0,0:42:10.06,0:42:17.67,Default,,0000,0000,0000,,and we send one inquiry to a hospital.\NThere's also some things which we were not Dialogue: 0,0:42:17.67,0:42:22.10,Default,,0000,0000,0000,,informed of, which we're not aware of it.\NThe hospital was doing the implantation of Dialogue: 0,0:42:22.10,0:42:28.06,Default,,0000,0000,0000,,the device in our inquiry was five years,\Nthe hospital was bankrupt and we were told Dialogue: 0,0:42:28.06,0:42:33.29,Default,,0000,0000,0000,,that we have to contact a different person\Nof the old owner of the hospital. So the Dialogue: 0,0:42:33.29,0:42:38.39,Default,,0000,0000,0000,,bankrupt company. We also think that this\Nis in the, yeah, we also think that this Dialogue: 0,0:42:38.39,0:42:42.75,Default,,0000,0000,0000,,might not be correct because the\Nexplantation of the device was done during Dialogue: 0,0:42:42.75,0:42:49.05,Default,,0000,0000,0000,,the time where the hospital was under the\Ncontrol of the new owner, which we Dialogue: 0,0:42:49.05,0:42:54.01,Default,,0000,0000,0000,,contacted. So there might be some data for\Nthe explantation. But we also write a Dialogue: 0,0:42:54.01,0:43:00.24,Default,,0000,0000,0000,,letter to the old company, and we got an\Nanswer, but also after two months, so Dialogue: 0,0:43:00.24,0:43:08.20,Default,,0000,0000,0000,,again, here we have to wait two months. A\Ndelay GDPR time frame was not fulfilled. 
Dialogue: 0,0:43:08.20,0:43:12.22,Default,,0000,0000,0000,,And also the final answer, so we get some,\Nwe really got some data, as we can see Dialogue: 0,0:43:12.22,0:43:16.75,Default,,0000,0000,0000,,here, this handwritten stuff here, but we\Nwere missing, for example, the surgery Dialogue: 0,0:43:16.75,0:43:24.31,Default,,0000,0000,0000,,report. Normally a hospital has to do a\Nlot of documentation for surgery, but we Dialogue: 0,0:43:24.31,0:43:31.17,Default,,0000,0000,0000,,didn't get this information here, so we\Njust get a part of it. But in summary, I Dialogue: 0,0:43:31.17,0:43:35.17,Default,,0000,0000,0000,,won't go into all at this point, but you\Ncan see a lot of red here, so we had some Dialogue: 0,0:43:35.17,0:43:40.37,Default,,0000,0000,0000,,plaintext data via email, which is not\Ncorrect and also not legally, not GDPR Dialogue: 0,0:43:40.37,0:43:45.39,Default,,0000,0000,0000,,compliant. We have some deadline missed.\NWe have some incomplete data or at the end Dialogue: 0,0:43:45.39,0:43:49.93,Default,,0000,0000,0000,,it was complete data, but we have to ask a\Nlot and have to ask a doctor who will Dialogue: 0,0:43:49.93,0:43:55.72,Default,,0000,0000,0000,,double check if the data is correct and we\Nneeded often more than one request. And Dialogue: 0,0:43:55.72,0:44:00.30,Default,,0000,0000,0000,,finally, for the patient, if you want to\Nhave your data, if you want to execute Dialogue: 0,0:44:00.30,0:44:03.96,Default,,0000,0000,0000,,your right, it's a really hard way, as you\Ncan see here. And you need a lot of Dialogue: 0,0:44:03.96,0:44:08.98,Default,,0000,0000,0000,,emails, a lot of time for this. And\Nsometimes it's not really possible because Dialogue: 0,0:44:08.98,0:44:12.94,Default,,0000,0000,0000,,they say: OK, just go to the hospital, go\Nto a different thing here. We are not Dialogue: 0,0:44:12.94,0:44:20.32,Default,,0000,0000,0000,,responsible for this. So it's not a good\Nuser experience here. 
And our Dialogue: 0,0:44:20.32,0:44:23.59,Default,,0000,0000,0000,,recommendation for the companies is and\Nalso for the hospitals, they should be Dialogue: 0,0:44:23.59,0:44:30.39,Default,,0000,0000,0000,,prepared for such stuff because GDPR is\Nnow active for more than three years. And Dialogue: 0,0:44:30.39,0:44:36.78,Default,,0000,0000,0000,,in the next time or some time, they will\Nget some requests and perhaps not from the Dialogue: 0,0:44:36.78,0:44:40.42,Default,,0000,0000,0000,,friendly researchers but from real\Npatients. And they can, yeah, if they Dialogue: 0,0:44:40.42,0:44:44.62,Default,,0000,0000,0000,,won't get the answer, they can go to the\Nlocal authorities and the local Dialogue: 0,0:44:44.62,0:44:49.88,Default,,0000,0000,0000,,authorities can really, can sue them so\Nthey can punish the company with a large Dialogue: 0,0:44:49.88,0:44:57.33,Default,,0000,0000,0000,,fine. So our recommendations: Be prepared\Nfor such stuff. And with this slide, I Dialogue: 0,0:44:57.33,0:45:01.08,Default,,0000,0000,0000,,want to thank you for your attention and\Nwant to close the talk, and we are happy Dialogue: 0,0:45:01.08,0:45:08.08,Default,,0000,0000,0000,,to answer some questions in the Q&A\Nsession. Thanks. Dialogue: 0,0:45:08.08,0:45:13.80,Default,,0000,0000,0000,,Herald: Thank you very much. I have a\Nbunch of questions from the internet. Dialogue: 0,0:45:13.80,0:45:22.49,Default,,0000,0000,0000,,First one is, did you analyze binaries\Nonly or did you have any access to source Dialogue: 0,0:45:22.49,0:45:26.26,Default,,0000,0000,0000,,codes? And did you ask any\Nmanufacturers... Dialogue: 0,0:45:26.26,0:45:35.14,Default,,0000,0000,0000,,e7p: Please repeat the question. I didn't\Nget it because of... Dialogue: 0,0:45:35.14,0:45:42.74,Default,,0000,0000,0000,,Herald: Some technician, please mute the\Nroom. 
I can also (inaudible) Ah, the Dialogue: 0,0:45:42.74,0:45:50.19,Default,,0000,0000,0000,,question is: Did you analyze binaries only\Nor did you obtain a degree of access to Dialogue: 0,0:45:50.19,0:46:00.48,Default,,0000,0000,0000,,the source codes?\Ne7p: I'm not sure if the check dongle is Dialogue: 0,0:46:00.48,0:46:06.18,Default,,0000,0000,0000,,meant but for this one, it was very small\Nand we could analyze it easily using Dialogue: 0,0:46:06.18,0:46:13.25,Default,,0000,0000,0000,,Ghidra to decompile it and then just see\Nwhich data needs to be which position in Dialogue: 0,0:46:13.25,0:46:17.76,Default,,0000,0000,0000,,the parallel port. If that was the\Nquestion. I think the other binaries from Dialogue: 0,0:46:17.76,0:46:27.11,Default,,0000,0000,0000,,the home monitoring system or, if you\Ncould concretize... From the home Dialogue: 0,0:46:27.11,0:46:32.56,Default,,0000,0000,0000,,monitoring systems, we first had just a\Nlook for strings mainly, for some access Dialogue: 0,0:46:32.56,0:46:41.61,Default,,0000,0000,0000,,credentials or domain names. And I think\Nwe did not that much the decompilation in Dialogue: 0,0:46:41.61,0:46:49.19,Default,,0000,0000,0000,,the other stuff, but the whole software of\Nthe programing computer is in obfuscated Dialogue: 0,0:46:49.19,0:46:57.96,Default,,0000,0000,0000,,Java. And this is, I don't know, it's a\Njust in time compiled obfuscated Java, and Dialogue: 0,0:46:57.96,0:47:04.34,Default,,0000,0000,0000,,I didn't find a good way how to do with\Nthis. Other questions? Dialogue: 0,0:47:04.34,0:47:15.76,Default,,0000,0000,0000,,Herald: Thank you. 
Another question was:\NHow many CVEs did you file from this Dialogue: 0,0:47:15.76,0:47:24.41,Default,,0000,0000,0000,,research?\Ne7p: So I'm not sure, but some of these Dialogue: 0,0:47:24.41,0:47:30.08,Default,,0000,0000,0000,,findings were already found by others, and\Nwe just didn't get that they were already Dialogue: 0,0:47:30.08,0:47:37.20,Default,,0000,0000,0000,,reported as CVE or as CISA reports. But I\Nthink one or two or three. Dialogue: 0,0:47:37.20,0:47:43.80,Default,,0000,0000,0000,,Christoph: Yes, there were some CVEs and\Nalso our results were linked to some other Dialogue: 0,0:47:43.80,0:47:49.85,Default,,0000,0000,0000,,CVEs which were already published. The\Ncompany did some other internal research Dialogue: 0,0:47:49.85,0:47:55.07,Default,,0000,0000,0000,,thing and internal research got some CVEs.\NBut if you look into the CVE, you cannot Dialogue: 0,0:47:55.07,0:48:01.32,Default,,0000,0000,0000,,always make it back to the actual\Nvulnerability. But at least for the Dialogue: 0,0:48:01.32,0:48:05.97,Default,,0000,0000,0000,,programmer here, for the Boston scientific\Nprogrammer there was the CISA advisory and Dialogue: 0,0:48:05.97,0:48:11.44,Default,,0000,0000,0000,,a few months back, I think in September or\Njust end of August, there was a CISA Dialogue: 0,0:48:11.44,0:48:16.63,Default,,0000,0000,0000,,advisory for this programmer and it\Nstated, I don't know, four or five CVEs. Dialogue: 0,0:48:16.63,0:48:21.66,Default,,0000,0000,0000,,Yeah, and it will be replaced in the next,\Nyeah, hopefully months, because it's also Dialogue: 0,0:48:21.66,0:48:27.24,Default,,0000,0000,0000,,pretty old. 
And it's the old generation\Nand the hospitals have to use the newer Dialogue: 0,0:48:27.24,0:48:38.92,Default,,0000,0000,0000,,generation in the next months.\NHerald: You mentioned the cooperativeness Dialogue: 0,0:48:38.92,0:48:47.55,Default,,0000,0000,0000,,of the manufacturers on the subject access\Nrequest but how cooperative were they on Dialogue: 0,0:48:47.55,0:48:51.94,Default,,0000,0000,0000,,the technical side, when you tried to\Nreport and disclose? Dialogue: 0,0:48:51.94,0:48:59.29,Default,,0000,0000,0000,,e7p: Yeah, actually, they were quite\Ncooperative when we simply wrote: Hey, we Dialogue: 0,0:48:59.29,0:49:04.94,Default,,0000,0000,0000,,found this and that. We wrote it to them,\NI think, first at the press address or Dialogue: 0,0:49:04.94,0:49:13.29,Default,,0000,0000,0000,,something. And then we were redirected to\Nthe internal security group, or, would you Dialogue: 0,0:49:13.29,0:49:20.12,Default,,0000,0000,0000,,say, the experts. And then we had, I\Nthink, Zoom meetings with them and it was Dialogue: 0,0:49:20.12,0:49:25.66,Default,,0000,0000,0000,,a good cooperation, I would say.\NChristoph: Really, I think it was a good Dialogue: 0,0:49:25.66,0:49:31.22,Default,,0000,0000,0000,,communication on the same level here, so\Nit was really the goal from all that we, Dialogue: 0,0:49:31.22,0:49:36.75,Default,,0000,0000,0000,,of course, don't threaten the patients,\Nbut get the product more secure. I think Dialogue: 0,0:49:36.75,0:49:41.42,Default,,0000,0000,0000,,it is also some point of regulation like\Nthe CISA in the US. If they have Dialogue: 0,0:49:41.42,0:49:45.90,Default,,0000,0000,0000,,vulnerabilities they have to change it so\Nthey also get some pressure from the Dialogue: 0,0:49:45.90,0:49:51.80,Default,,0000,0000,0000,,regulations and they really want to change\Nsome things. 
So that's my impression and Dialogue: 0,0:49:51.80,0:49:56.15,Default,,0000,0000,0000,,the discussions were really well\Norganized, well structured with a lot of Dialogue: 0,0:49:56.15,0:49:59.73,Default,,0000,0000,0000,,people who were really deep into the\Ntopic. So we asked some questions and we Dialogue: 0,0:49:59.73,0:50:04.02,Default,,0000,0000,0000,,got really deep insights into the products\Nhere. They were very helpful. Dialogue: 0,0:50:04.02,0:50:08.66,Default,,0000,0000,0000,,e7p: So I think all of the companies\Noffered some jobs for security analysts. Dialogue: 0,0:50:08.66,0:50:12.16,Default,,0000,0000,0000,,Christoph: Oh yeah!\Ne7p: So anyone who's interested in jobs at Dialogue: 0,0:50:12.16,0:50:14.68,Default,,0000,0000,0000,,Boston Scientific or Medtronic or\NBiotronik must... Dialogue: 0,0:50:14.68,0:50:24.59,Default,,0000,0000,0000,,Christoph: Just hack a device and you will\Nget a job for it. I don't know. Dialogue: 0,0:50:24.59,0:50:33.08,Default,,0000,0000,0000,,Herald: And the last question I have for\Nyou is how difficult this was in terms of Dialogue: 0,0:50:33.08,0:50:39.54,Default,,0000,0000,0000,,technical skills needed. Was this, did it\Nrequire really high tech exploits or was Dialogue: 0,0:50:39.54,0:50:45.03,Default,,0000,0000,0000,,this just unbelievably easy? How, where in\Nthe spectrum was it? 
Dialogue: 0,0:50:45.03,0:50:53.06,Default,,0000,0000,0000,,e7p: So with the programming device it was,\Nfor me, rather difficult because I'm not Dialogue: 0,0:50:53.06,0:51:00.27,Default,,0000,0000,0000,,so much into 90s or 2000s PC architecture,\Nso I did have to learn something and I Dialogue: 0,0:51:00.27,0:51:07.84,Default,,0000,0000,0000,,found out about old custom hardware which\Nis interacting over PCI and also with the Dialogue: 0,0:51:07.84,0:51:15.65,Default,,0000,0000,0000,,home monitoring I had to learn some stuff\Nfor embedded Linux and find out where the Dialogue: 0,0:51:15.65,0:51:23.76,Default,,0000,0000,0000,,network stack is and how it all works, but\Nall in all, I think in maybe one month or Dialogue: 0,0:51:23.76,0:51:29.57,Default,,0000,0000,0000,,something like this, I could have done it\Nall in all. And to find out. Dialogue: 0,0:51:29.57,0:51:35.79,Default,,0000,0000,0000,,Christoph: I mean, it actually depends on\Nyour knowledge already. So some stuff were Dialogue: 0,0:51:35.79,0:51:39.37,Default,,0000,0000,0000,,pretty standard like sniffing on some\Nbuses on the hardware with a logic Dialogue: 0,0:51:39.37,0:51:43.66,Default,,0000,0000,0000,,analyzer. If you did this in past, you can\Nalso do this on these devices, for Dialogue: 0,0:51:43.66,0:51:47.61,Default,,0000,0000,0000,,example. But if you never did this, then\Nyou have to figure out which pins are for Dialogue: 0,0:51:47.61,0:51:51.58,Default,,0000,0000,0000,,which bus, how can I identify which bus is\Nused here? How can I read out the EPROM? Dialogue: 0,0:51:51.58,0:51:57.41,Default,,0000,0000,0000,,How can I read out the memory chips? It\Nhighly depends on your previous work and Dialogue: 0,0:51:57.41,0:52:05.82,Default,,0000,0000,0000,,previous knowledge. For Endres here it's\Neasy. {\i1}laughs{\i0} Dialogue: 0,0:52:05.82,0:52:17.33,Default,,0000,0000,0000,,e7p: {\i1}laughs{\i0} Maybe not.\NHerald: OK, thank you. 
I think this Dialogue: 0,0:52:17.33,0:52:24.22,Default,,0000,0000,0000,,concludes the session. Thank you both for\Nthis interesting presentation. So we'll Dialogue: 0,0:52:24.22,0:52:28.12,Default,,0000,0000,0000,,see how your research will be further\Napproved. Dialogue: 0,0:52:28.12,0:52:33.57,Default,,0000,0000,0000,,e7p: Thank you. Thanks for being here.\NChristoph: For being remote there. And Dialogue: 0,0:52:33.57,0:52:39.38,Default,,0000,0000,0000,,next time, hopefully in life and presence,\Nhopefully. Dialogue: 0,0:52:39.38,0:52:42.17,Default,,0000,0000,0000,,Herald: Yes, that would be so much better\Nthan this. Bye bye. Dialogue: 0,0:52:42.17,0:53:03.05,Default,,0000,0000,0000,,{\i1}postroll music{\i0} Dialogue: 0,0:53:03.05,0:53:06.00,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2021. Join, and help us!