WEBVTT 00:00:00.350 --> 00:00:03.999 ♪ preroll music ♪ 00:00:03.999 --> 00:00:10.940 Angel: The next talk will start now 00:00:10.940 --> 00:00:12.830 and will be 'Unpatchable - 00:00:12.830 --> 00:00:15.250 living with a vulnerable implanted device' 00:00:15.250 --> 00:00:18.240 by Dr. Marie Moe and Eireann Leverett. 00:00:18.240 --> 00:00:22.180 Give them a warm round of applause please. 00:00:22.180 --> 00:00:29.040 applause 00:00:33.300 --> 00:00:38.799 heart monitor beep sounds start 00:00:38.799 --> 00:00:40.489 So, we are here today 00:00:40.489 --> 00:00:41.760 to talk to you about a subject 00:00:41.760 --> 00:00:44.530 that is really close to my heart. 00:00:44.530 --> 00:00:46.350 I have a medical implant. 00:00:46.350 --> 00:00:48.969 A pacemaker, that is generating 00:00:48.969 --> 00:00:51.690 every single beat of my heart. 00:00:51.690 --> 00:00:56.079 But how can I trust my own heart, 00:00:56.079 --> 00:00:58.350 when it's being controlled by a machine, 00:00:58.350 --> 00:01:00.329 running a proprietary code, 00:01:00.329 --> 00:01:03.530 and there is no transparency? 00:01:03.530 --> 00:01:05.570 So I'm a patient, 00:01:05.570 --> 00:01:08.630 but I'm also a security researcher. 00:01:08.630 --> 00:01:10.860 I'm a hacker, because I like 00:01:10.860 --> 00:01:13.390 to figure out how things work. 00:01:13.390 --> 00:01:15.009 That's why I started a project 00:01:15.009 --> 00:01:16.340 on breaking my own heart, 00:01:16.340 --> 00:01:17.299 together with Eireann 00:01:17.299 --> 00:01:19.799 and a couple of friends. 00:01:19.799 --> 00:01:22.719 Because I really want to know 00:01:22.719 --> 00:01:24.270 what protocols are running 00:01:24.270 --> 00:01:27.259 in this machine inside my body. 00:01:27.259 --> 00:01:29.429 Is the crypto correctly implemented? 00:01:29.429 --> 00:01:32.979 Does it even have crypto? 00:01:34.939 --> 00:01:38.140 So I'm here to inspire you today. 00:01:38.140 --> 00:01:40.880 I want more people to hack to save lives. 
00:01:40.880 --> 00:01:44.049 Because we are all becoming 00:01:44.049 --> 00:01:47.990 more and more dependent on machines. 00:01:47.990 --> 00:01:49.999 Maybe some of you in the audience 00:01:49.999 --> 00:01:51.929 also have medical implants, 00:01:51.929 --> 00:01:52.840 maybe you know someone 00:01:52.840 --> 00:01:57.839 that's also depending on medical implants 00:01:57.839 --> 00:02:00.119 Imagine that this is your heartbeat 00:02:00.119 --> 00:02:04.380 and it's being controlled by a device. 00:02:04.380 --> 00:02:06.350 A device, that might fail. 00:02:06.350 --> 00:02:09.680 Due to software bugs, 00:02:09.680 --> 00:02:11.820 due to hardware failures. 00:02:11.820 --> 00:02:14.490 additional background sound: real heartbeat 00:02:14.490 --> 00:02:17.690 Wouldn't you also like to know 00:02:17.690 --> 00:02:21.390 if it has security vulnerabilities? 00:02:21.390 --> 00:02:23.680 If it can be trusted? 00:02:26.950 --> 00:02:32.110 sounds stop beeeeep 00:02:32.110 --> 00:02:35.940 E: Something to think about, right? 00:02:35.940 --> 00:02:37.230 M: Yeah. 00:02:37.230 --> 00:02:40.140 E: Marie is an incredibly brave woman. 00:02:40.140 --> 00:02:42.940 When she asked me to give this talk 00:02:42.940 --> 00:02:44.640 it made me nervous, right? 00:02:44.640 --> 00:02:46.760 It's such a personal story. 00:02:46.760 --> 00:02:48.860 Such a journey as well. 00:02:48.860 --> 00:02:49.880 And she's gonna talk to you 00:02:49.880 --> 00:02:51.460 about a lot of things, right? 00:02:51.460 --> 00:02:53.640 Not just hacking medical devices 00:02:53.640 --> 00:02:54.950 from a safety point of view 00:02:54.950 --> 00:02:57.510 but also some of the privacy concerns, 00:02:57.510 --> 00:02:59.050 some of the transparency concerns, 00:02:59.050 --> 00:03:01.280 some of the consent concerns. 00:03:01.280 --> 00:03:03.420 So, there's a lot to get through 00:03:03.420 --> 00:03:05.140 in the next hour. 
00:03:05.140 --> 00:03:07.200 But I think you're gonna enjoy it 00:03:07.200 --> 00:03:08.110 quite a lot. 00:03:08.110 --> 00:03:10.890 M: So, let me tell you 00:03:10.890 --> 00:03:13.110 the story about my heart. 00:03:13.110 --> 00:03:14.730 So, 4 years ago 00:03:14.730 --> 00:03:17.590 I got my medical implant. 00:03:17.590 --> 00:03:21.010 It was a kind of emergency situation 00:03:21.010 --> 00:03:22.950 because my heart was starting to beat 00:03:22.950 --> 00:03:24.200 really slow, 00:03:24.200 --> 00:03:26.110 so I needed to have the pacemaker. 00:03:26.110 --> 00:03:28.580 I had no choice. 00:03:28.580 --> 00:03:31.180 After I got the implant, 00:03:31.180 --> 00:03:32.690 since I was a security researcher, 00:03:32.690 --> 00:03:33.630 of course I started to 00:03:33.630 --> 00:03:36.520 look up information about how it worked. 00:03:36.520 --> 00:03:38.000 And I googled for information. 00:03:38.000 --> 00:03:40.440 I found a technical manual 00:03:40.440 --> 00:03:41.290 of my pacemaker 00:03:41.290 --> 00:03:43.750 and I started to read it. 00:03:43.750 --> 00:03:45.930 And I was quite surprised 00:03:45.930 --> 00:03:47.520 when I learned that 00:03:47.520 --> 00:03:51.580 my pacemaker has 2 wireless interfaces. 00:03:51.580 --> 00:03:54.870 There is one interface, that is really 00:03:54.870 --> 00:03:56.490 close field communication, 00:03:56.490 --> 00:03:58.730 near field communication 00:03:58.730 --> 00:04:01.180 that is being used when I'm at checkups 00:04:01.180 --> 00:04:03.150 at the hospital, 00:04:03.150 --> 00:04:05.550 where the technician, 00:04:05.550 --> 00:04:07.510 the pacemaker technician or doctor 00:04:07.510 --> 00:04:10.030 uses a programming device 00:04:10.030 --> 00:04:11.820 and places it 00:04:11.820 --> 00:04:14.410 really close to my pacemaker. 00:04:14.410 --> 00:04:16.620 And it's possible to use that 00:04:16.620 --> 00:04:19.608 communication to adjust the settings. 
00:04:19.608 --> 00:04:21.560 But it also has another 00:04:21.560 --> 00:04:22.530 wireless interface, 00:04:22.530 --> 00:04:24.940 that I was not aware of, 00:04:24.940 --> 00:04:28.390 that I was not informed of as a patient. 00:04:28.390 --> 00:04:30.810 It has a possibility for remote monitoring 00:04:30.810 --> 00:04:31.970 or telemetry, 00:04:31.970 --> 00:04:35.880 where you can have an access point in your house 00:04:35.880 --> 00:04:37.010 that will communicate 00:04:37.010 --> 00:04:39.430 with the pacemaker 00:04:39.430 --> 00:04:41.940 at a couple of meters distance. 00:04:41.940 --> 00:04:44.320 And it can collect logs from the pacemaker 00:04:44.320 --> 00:04:46.160 and send them to a server 00:04:46.160 --> 00:04:47.880 at the vendor. 00:04:47.880 --> 00:04:48.870 And there is a web interface 00:04:48.870 --> 00:04:50.150 where the doctor can log in 00:04:50.150 --> 00:04:52.880 and retrieve my information. 00:04:52.880 --> 00:04:54.790 And I have no access to the data 00:04:54.790 --> 00:04:56.260 that is being collected 00:04:56.260 --> 00:04:57.970 by my device. 00:04:57.970 --> 00:04:59.860 E: So imagine for a moment 00:04:59.860 --> 00:05:02.240 that you are buying a new phone 00:05:02.240 --> 00:05:03.600 or buying a new laptop. 00:05:03.600 --> 00:05:04.860 You would do your homework, right? 00:05:04.860 --> 00:05:07.000 You would understand what interfaces were there. 00:05:07.000 --> 00:05:09.830 But in Marie's case she's just 00:05:09.830 --> 00:05:12.040 given a device, and then later she gets 00:05:12.040 --> 00:05:13.950 to go and read the manual, right? 00:05:13.950 --> 00:05:16.790 So she's the epitome of an informed consumer 00:05:16.790 --> 00:05:17.850 in this space 00:05:17.850 --> 00:05:20.070 and we want a lot more informed consumers 00:05:20.070 --> 00:05:20.780 in this space, 00:05:20.780 --> 00:05:22.360 which is why we are giving this talk. 
00:05:22.360 --> 00:05:23.830 Now, I don't know about you, 00:05:23.830 --> 00:05:25.750 but I'm used to hacking 00:05:25.750 --> 00:05:26.790 industrial systems. 00:05:26.790 --> 00:05:29.200 I haven't done as much medical research 00:05:29.200 --> 00:05:30.060 in the past. 00:05:30.060 --> 00:05:31.940 So, when I first started this project 00:05:31.940 --> 00:05:33.270 I knew literally nothing 00:05:33.270 --> 00:05:35.020 about Marie's heart. 00:05:35.020 --> 00:05:35.980 Or even my own. 00:05:35.980 --> 00:05:38.750 And she had to teach me how the heart works 00:05:38.750 --> 00:05:40.290 and how her pacemaker works. 00:05:40.290 --> 00:05:42.660 So, would you mind explaining 00:05:42.660 --> 00:05:44.550 some details to the audience that will be relevant 00:05:44.550 --> 00:05:45.930 through the rest of the presentation? 00:05:45.930 --> 00:05:48.290 M: Actually I think we're going to show you 00:05:48.290 --> 00:05:50.100 a video of how the heart works. 00:05:50.100 --> 00:05:53.250 So, it's a little bit of biology introduction here 00:05:53.250 --> 00:05:57.630 before we start with the technical details. 00:05:57.630 --> 00:06:01.070 So, this.. play the video. 00:06:01.070 --> 00:06:03.480 Video: A normal heart beat rate 00:06:03.480 --> 00:06:07.470 and rhythm is called 'Normal Sinus Rhythm'. 00:06:07.470 --> 00:06:09.010 The heart's pumping action 00:06:09.010 --> 00:06:11.240 is driven by electrical stimulation 00:06:11.240 --> 00:06:13.570 within the heart muscle. 00:06:13.570 --> 00:06:15.139 The heart's electrical system 00:06:15.139 --> 00:06:17.120 allows it to beat in an 00:06:17.120 --> 00:06:20.230 organized, synchronized pattern. 00:06:20.230 --> 00:06:21.360 Every normal heart beat 00:06:21.360 --> 00:06:23.400 has 4 steps. 
00:06:23.400 --> 00:06:24.810 Step 1: 00:06:24.810 --> 00:06:27.150 As blood flows into the heart 00:06:27.150 --> 00:06:28.360 an electrical impulse 00:06:28.360 --> 00:06:31.240 from an upper area of the right atrium 00:06:31.240 --> 00:06:33.700 also known as the sinus node 00:06:33.700 --> 00:06:35.900 causes the atria to contract. 00:06:35.900 --> 00:06:38.139 When the atria contract 00:06:38.139 --> 00:06:39.460 they squeeze the blood 00:06:39.460 --> 00:06:41.930 into the ventricles. 00:06:41.930 --> 00:06:43.020 Step 3: 00:06:43.020 --> 00:06:45.020 There is a very short pause 00:06:45.020 --> 00:06:48.060 only about a fraction of a second. 00:06:48.060 --> 00:06:49.200 and Step 4: 00:06:49.200 --> 00:06:51.020 The ventricles contract 00:06:51.020 --> 00:06:55.590 pumping the blood to the body. 00:06:55.590 --> 00:06:56.860 A heart normally beats 00:06:56.860 --> 00:07:00.930 between 60-100 times/min. 00:07:00.930 --> 00:07:02.120 Electrical signals in your heart 00:07:02.120 --> 00:07:04.830 can become blocked or irregular, 00:07:04.830 --> 00:07:05.610 causing a disruption 00:07:05.610 --> 00:07:08.120 in your heart's normal rhythm. 00:07:08.120 --> 00:07:10.070 When the heart's rhythm is too fast, 00:07:10.070 --> 00:07:12.900 too slow or out of order, 00:07:12.900 --> 00:07:14.490 an arrhythmia, 00:07:14.490 --> 00:07:18.520 also called a rhythm disorder occurs. 00:07:18.520 --> 00:07:20.639 When your heart beats out of rhythm, 00:07:20.639 --> 00:07:22.180 it may not deliver enough blood 00:07:22.180 --> 00:07:24.790 to your body. 00:07:24.790 --> 00:07:26.180 Rhythm disorders can be caused 00:07:26.180 --> 00:07:27.800 by a number of factors 00:07:27.800 --> 00:07:30.710 including disease, heredity, 00:07:30.710 --> 00:07:33.590 medications or other factors. 00:07:33.590 --> 00:07:37.390 E: So for those of you who are already aware of that, 00:07:37.390 --> 00:07:38.130 apologies. 00:07:38.130 --> 00:07:39.380 But I needed to learn that. 
00:07:39.380 --> 00:07:40.280 I needed to learn the basics 00:07:40.280 --> 00:07:41.980 before we even got started, right? 00:07:41.980 --> 00:07:43.940 So... 00:07:43.940 --> 00:07:47.199 M: So this is a diagram of the 00:07:47.199 --> 00:07:50.169 electrical system of the heart. 00:07:50.169 --> 00:07:52.310 So, as you see, this is the sinus node 00:07:52.310 --> 00:07:54.169 that is generating the pulse. 00:07:54.169 --> 00:07:56.290 And in my case 00:07:56.290 --> 00:07:58.850 I had a problem with the signal 00:07:58.850 --> 00:08:01.520 being generated by the sinus node 00:08:01.520 --> 00:08:05.090 not reaching the lower heart chamber. 00:08:05.090 --> 00:08:10.640 It's something called an AV block or a heart block 00:08:10.640 --> 00:08:13.580 So, occasionally this will cause 00:08:13.580 --> 00:08:17.080 an arrhythmia that makes the heart pause. 00:08:17.080 --> 00:08:18.320 If you don't have a heart beat 00:08:18.320 --> 00:08:20.180 for, like ... 8-10 seconds, 00:08:20.180 --> 00:08:22.000 you lose your consciousness. 00:08:22.000 --> 00:08:24.260 And that was, what happened to me. 00:08:24.260 --> 00:08:25.620 I just suddenly found myself 00:08:25.620 --> 00:08:27.010 lying on the floor 00:08:27.010 --> 00:08:28.910 and I didn't remember how I got there. 00:08:28.910 --> 00:08:31.180 And it turned out that it was my heart 00:08:31.180 --> 00:08:34.009 that had taken a break. 00:08:34.009 --> 00:08:36.899 So that's how I discovered 00:08:36.899 --> 00:08:38.519 that I had this issue. 00:08:38.519 --> 00:08:40.899 So, this is where the signal is blocked 00:08:40.899 --> 00:08:44.279 on the way down to the lower heart chamber 00:08:44.279 --> 00:08:45.639 But there's a backup function 00:08:45.639 --> 00:08:50.600 in the heart that can make 00:08:50.600 --> 00:08:52.110 a so called backup pulse. 00:08:52.110 --> 00:08:54.759 And I had that backup pulse 00:08:54.759 --> 00:08:57.209 when I went to the emergency room. 
00:08:57.209 --> 00:08:59.579 So I had a pulse around 30-40 beats/min. 00:08:59.579 --> 00:09:03.100 And that's generated by some cells 00:09:03.100 --> 00:09:05.449 in the lower heart chamber. 00:09:05.449 --> 00:09:08.259 So, after I got the pacemaker 00:09:08.259 --> 00:09:09.329 my heart started to become 00:09:09.329 --> 00:09:10.449 a little bit more lazy. 00:09:10.449 --> 00:09:12.220 So it is not certain, 00:09:12.220 --> 00:09:14.040 that I will have this backup pulse 00:09:14.040 --> 00:09:16.959 anymore if the pacemaker stops working. 00:09:16.959 --> 00:09:17.990 So currently 00:09:17.990 --> 00:09:22.490 my heart is 100% running on the pacemaker. 00:09:22.490 --> 00:09:27.079 So, let's also look at how the pacemaker works. 00:09:27.079 --> 00:09:29.899 I have another video of that. 00:09:29.899 --> 00:09:31.670 So, this is my little friend 00:09:31.670 --> 00:09:34.449 that is running my heart. 00:09:34.449 --> 00:09:38.279 Video: A pacemaker is a miniaturized computer 00:09:38.279 --> 00:09:40.990 that is used to treat a slow heart beat. 00:09:40.990 --> 00:09:42.699 It is about the size 00:09:42.699 --> 00:09:45.449 of a couple of stacked silver dollars 00:09:45.449 --> 00:09:49.110 and weighs approximately 17-25 grams. 00:09:49.110 --> 00:09:52.050 It is usually surgically placed 00:09:52.050 --> 00:09:54.449 or implanted just under the skin 00:09:54.449 --> 00:09:57.119 in the chest area. 00:09:57.119 --> 00:09:59.720 The device sends a tiny electrical pulse 00:09:59.720 --> 00:10:01.730 down a thin coated wire, 00:10:01.730 --> 00:10:04.699 called a lead, into your heart. 00:10:04.699 --> 00:10:07.209 This stimulates the heart to beat. 00:10:07.209 --> 00:10:09.490 These impulses are very tiny 00:10:09.490 --> 00:10:12.499 and most people do not feel them. 
00:10:12.499 --> 00:10:13.929 While the device helps your heart 00:10:13.929 --> 00:10:15.529 maintain its rhythm, 00:10:15.529 --> 00:10:17.009 it also stores information 00:10:17.009 --> 00:10:18.369 about your heart that can be 00:10:18.369 --> 00:10:20.209 retrieved by your doctor 00:10:20.209 --> 00:10:21.990 to program the device. 00:10:21.990 --> 00:10:23.629 E: Remember that! 00:10:23.629 --> 00:10:26.309 M: Yeah... Did you see 00:10:26.309 --> 00:10:28.509 the ones and zeros at the end 00:10:28.509 --> 00:10:29.459 of the video? 00:10:29.459 --> 00:10:31.240 That's what we want to know more about. 00:10:31.240 --> 00:10:33.179 Because this information 00:10:33.179 --> 00:10:35.230 that is being collected by the pacemaker, 00:10:35.230 --> 00:10:36.629 how it works, 00:10:36.629 --> 00:10:38.749 how the code looks like, 00:10:38.749 --> 00:10:40.119 it's all closed source, 00:10:40.119 --> 00:10:42.119 it's all proprietary information. 00:10:42.119 --> 00:10:44.540 And that's why we need more 00:10:44.540 --> 00:10:45.579 security researchers, 00:10:45.579 --> 00:10:48.579 we need more 3rd party testing, 00:10:48.579 --> 00:10:52.209 to be sure that we can trust this code. 00:10:52.209 --> 00:10:53.689 E: And you can imagine that 00:10:53.689 --> 00:10:56.029 we're doing some of this research as well. 00:10:56.029 --> 00:10:58.209 But I'm not gonna break Marie's heart on stage, 00:10:58.209 --> 00:10:59.189 I'm not gonna drop 0-day 00:10:59.189 --> 00:11:00.600 on some medical devices, 00:11:00.600 --> 00:11:02.999 so if you came for that, 00:11:02.999 --> 00:11:04.300 it's not worth staying. 00:11:04.300 --> 00:11:05.379 The rest of the presentation 00:11:05.379 --> 00:11:06.990 will be about some of the things we found 00:11:06.990 --> 00:11:07.779 and how this works and 00:11:07.779 --> 00:11:09.529 how you might approach this research. 
00:11:09.529 --> 00:11:11.629 And some of the people who did this research before, 00:11:11.629 --> 00:11:12.279 because there's plenty of others, 00:11:12.279 --> 00:11:13.429 and we like to give a shout-out 00:11:13.429 --> 00:11:16.319 to those who've done great research in advance. 00:11:16.319 --> 00:11:18.730 But essentially this point is 00:11:18.730 --> 00:11:19.589 very relevant. 00:11:19.589 --> 00:11:21.179 That the internet of medical things 00:11:21.179 --> 00:11:22.850 is already here. 00:11:22.850 --> 00:11:24.899 And Marie is wired into it. 00:11:24.899 --> 00:11:27.059 She's a bit younger than the average 00:11:27.059 --> 00:11:30.339 pacemaker patient, but, you know, 00:11:30.339 --> 00:11:31.759 she was thrust into this situation 00:11:31.759 --> 00:11:33.249 where she had to think about things 00:11:33.249 --> 00:11:34.269 in a very different way. 00:11:34.269 --> 00:11:36.449 Like, you did a Masters, breaking crypto, 00:11:36.449 --> 00:11:39.059 and also a PhD in Information Security. 00:11:39.059 --> 00:11:40.899 Did you imagine, that things you learned 00:11:40.899 --> 00:11:42.709 about SSH and network security 00:11:42.709 --> 00:11:46.689 might one day apply to your heart and your own body? 00:11:46.689 --> 00:11:49.579 M: No, I never figured out that 00:11:49.579 --> 00:11:52.910 my research would eventually end up inside my own body. 00:11:52.910 --> 00:11:55.269 That's something I never thought about. 00:11:55.269 --> 00:11:57.649 And also, there's a lot of 00:11:57.649 --> 00:12:00.110 people that don't think about 00:12:00.110 --> 00:12:02.610 how the medical devices actually work. 00:12:02.610 --> 00:12:04.860 So, when I asked this question 00:12:04.860 --> 00:12:06.470 to health care professionals 00:12:06.470 --> 00:12:08.529 they look at me like I'm crazy, 00:12:08.529 --> 00:12:11.189 they don't ... they have never thought about this before. 
00:12:11.189 --> 00:12:14.699 That there's actually code inside my body 00:12:14.699 --> 00:12:16.360 and someone has programmed it, 00:12:16.360 --> 00:12:18.259 someone has written this code. 00:12:18.259 --> 00:12:20.350 And, did they think about, that this 00:12:20.350 --> 00:12:23.290 would actually control someone's life, 00:12:23.290 --> 00:12:27.389 and be my own personal critical infrastructure? 00:12:28.719 --> 00:12:31.009 E: Yeah, personal infrastructure, right? 00:12:31.009 --> 00:12:33.189 On a physical level. 00:12:33.189 --> 00:12:35.220 And also, I think, it's... 00:12:35.220 --> 00:12:37.679 You know, the point that you made is important to reiterate, 00:12:37.679 --> 00:12:38.629 that you go and see your doctor 00:12:38.629 --> 00:12:40.360 and you ask these questions about 00:12:40.360 --> 00:12:42.040 whether anyone can hack into my heart 00:12:42.040 --> 00:12:44.050 and they probably look at you and go like 00:12:44.050 --> 00:12:46.600 'Don't you worry your pretty little head about that', right? 00:12:46.600 --> 00:12:47.589 But Marie used to head up 00:12:47.589 --> 00:12:49.949 the Norwegian computer emergency response team 00:12:49.949 --> 00:12:50.720 for a couple of years 00:12:50.720 --> 00:12:52.610 and knows a lot of hackers 00:12:52.610 --> 00:12:54.790 and knows what she's talking about, right? 00:12:54.790 --> 00:12:57.199 So, when she asked her doctor these questions, 00:12:57.199 --> 00:12:58.819 they're very legitimate questions. 00:12:58.819 --> 00:13:01.449 And the doctors probably don't know anything about code, 00:13:01.449 --> 00:13:02.970 but they need to move towards a place 00:13:02.970 --> 00:13:05.459 where they can answer those questions with some 00:13:05.459 --> 00:13:08.079 honesty and certainty and treat them with the dignity 00:13:08.079 --> 00:13:10.569 that they deserve. 
00:13:10.569 --> 00:13:11.670 Should we show them a little bit more 00:13:11.670 --> 00:13:13.980 about the total ecosystem of devices 00:13:13.980 --> 00:13:16.649 that we are talking about, at least in this particular talk? 00:13:16.649 --> 00:13:18.629 M: Yeah. 00:13:18.629 --> 00:13:21.929 E: So, this was all new to me. 00:13:21.929 --> 00:13:24.970 I mean I've moved around in networks and done some 00:13:24.970 --> 00:13:27.519 penetration testing and some stuff in the past, 00:13:27.519 --> 00:13:31.540 but I didn't know much about implantable medical devices. 00:13:31.540 --> 00:13:34.360 So, we've got a couple of them there. 00:13:34.360 --> 00:13:38.339 The ICD, which is the in-cardio-defibrillator, 00:13:38.339 --> 00:13:40.360 that's some of the work that you saw from Barnaby Jack 00:13:40.360 --> 00:13:41.629 which we will mention later, 00:13:41.629 --> 00:13:43.170 was on those particular devices, 00:13:43.170 --> 00:13:45.299 We've got the pacemakers and of course other devices 00:13:45.299 --> 00:13:47.269 could be in this diagram as well. 00:13:47.269 --> 00:13:49.079 Like, we could be talking about insulin pumps 00:13:49.079 --> 00:13:51.329 or other things in the future. 00:13:51.329 --> 00:13:54.619 The device itself speaks to box number 2, 00:13:54.619 --> 00:13:56.389 which we will tell you a little bit more about in a moment, 00:13:56.389 --> 00:13:59.799 using a protocol, commonly referred to as 'MICS'. 00:13:59.799 --> 00:14:02.209 A number of different devices use this 00:14:02.209 --> 00:14:06.170 Medical Implant Communication Service. 00:14:06.170 --> 00:14:08.649 And Marie shocked me yesterday 00:14:08.649 --> 00:14:10.589 when she found a couple devices 00:14:10.589 --> 00:14:15.799 that potentially use Bluetooth. sighing laughter 00:14:15.799 --> 00:14:19.610 So, would you like to tell them a little bit more about the access point, 00:14:19.610 --> 00:14:20.709 and I'll join in? 
00:14:20.709 --> 00:14:23.889 M: Yeah, so, the access point is the device 00:14:23.889 --> 00:14:27.369 that you can typically have on your bed stand 00:14:27.369 --> 00:14:32.209 and that will, depending on your configuration, 00:14:32.209 --> 00:14:35.249 contact your pacemaker as regular intervals, 00:14:35.249 --> 00:14:37.509 e.g. once during the night. 00:14:37.509 --> 00:14:41.499 It will start a communication with the pacemaker, 00:14:41.499 --> 00:14:43.209 couple of meters distance, 00:14:43.209 --> 00:14:44.249 and will start collecting logs. 00:14:44.249 --> 00:14:47.160 And this logs will then be sent, 00:14:47.160 --> 00:14:51.999 it can be via SMS or other means, 00:14:51.999 --> 00:14:53.730 to a server. 00:14:53.730 --> 00:14:58.569 So, there's a lot of my personal information 00:14:58.569 --> 00:15:02.049 that can end up different places in this diagram. 00:15:02.049 --> 00:15:05.679 So, of course it's in my own device, 00:15:05.679 --> 00:15:10.079 it will be then communicated via this access point 00:15:10.079 --> 00:15:10.889 and also then 00:15:10.889 --> 00:15:14.179 via the cellular network. 00:15:14.179 --> 00:15:19.989 And then it will also be stored in the telemetry server. 00:15:19.989 --> 00:15:24.519 Potentially when I go for the checkups 00:15:24.519 --> 00:15:28.939 my personal information will also end up in my 00:15:28.939 --> 00:15:29.730 doctor workstation 00:15:29.730 --> 00:15:36.639 or in the electronic patient records. 00:15:36.639 --> 00:15:40.049 And there's a lot of things that can go wrong there. 00:15:40.049 --> 00:15:42.100 E: Yeah, you can see, it's using 00:15:42.100 --> 00:15:46.949 famously secure methods of communication 00:15:46.949 --> 00:15:51.639 that have never been backdoored or compromised by anyone ever before, 00:15:51.639 --> 00:15:56.139 even here at this conference, probably even this time around. 00:15:56.139 --> 00:15:59.850 So these are some things that are concerning. 
00:15:59.850 --> 00:16:03.439 The data also travels often to other countries 00:16:03.439 --> 00:16:05.199 and so there are questions about the jurisdiction 00:16:05.199 --> 00:16:09.689 in terms of privacy laws in terms of some of this data. 00:16:09.689 --> 00:16:13.049 And some of you can go and look deeper into that as well. 00:16:13.049 --> 00:16:15.439 The telemetry store thing I think is important, 00:16:15.439 --> 00:16:20.009 some of this is a telemetry store, such as the server at the vendor. 00:16:20.009 --> 00:16:21.709 So the vendor owns some machines somewhere 00:16:21.709 --> 00:16:23.859 that collect data from Marie's heart. 00:16:23.859 --> 00:16:26.910 So you can imagine she goes to see her doctor and the doctor is like: 00:16:26.910 --> 00:16:30.649 'Hey, Marie, last weekend, did you, ... run a half marathon or something?' 00:16:30.649 --> 00:16:32.839 And she hasn't told him, right? 00:16:32.839 --> 00:16:35.410 Like, he just can look at the data and see, 00:16:35.410 --> 00:16:38.529 that her heart rate was up for a couple hours. 00:16:38.529 --> 00:16:40.609 That's true though, right? You did actually run a half marathon. 00:16:40.609 --> 00:16:43.639 M: Yeah, I did run a half marathon. laughing 00:16:43.639 --> 00:16:46.829 E: So, the telemetry store is one part, 00:16:46.829 --> 00:16:48.420 but there's also the doctors work station 00:16:48.420 --> 00:16:50.579 which contains a lot of this medical data. 00:16:50.579 --> 00:16:54.040 So, from privacy perspective that's part of the attack surface. 00:16:54.040 --> 00:16:55.489 But there's also the programmers, right? 00:16:55.489 --> 00:16:57.879 There's the device's programmers. 00:16:57.879 --> 00:17:00.850 So that's an interesting point, that I hope a lot of you are interested in 00:17:00.850 --> 00:17:04.929 already, that there is a programmer 00:17:04.929 --> 00:17:06.339 for these devices. 
00:17:06.339 --> 00:17:10.299 M: So, we actually went shopping on eBay 00:17:10.299 --> 00:17:12.189 and we found some of these devices. 00:17:12.189 --> 00:17:13.319 E: You can buy them on eBay? 00:17:13.319 --> 00:17:14.429 M: Yeah. E: laughing 00:17:14.429 --> 00:17:16.740 M: So, I found a programmer 00:17:16.740 --> 00:17:19.369 that can program my device, on eBay 00:17:19.369 --> 00:17:20.599 and I bought it. 00:17:20.599 --> 00:17:22.500 And I also found a couple of these access points. 00:17:22.500 --> 00:17:26.319 So, that's what we're now starting to look at. 00:17:26.319 --> 00:17:29.320 E: We just wanna to give you an overview of this system, 00:17:29.320 --> 00:17:31.720 and it's fairly similar across the different device vendors, 00:17:31.720 --> 00:17:34.549 and we're not going to talk about individual vendors. 00:17:34.549 --> 00:17:36.600 But if you're gonna go and do this kind of research 00:17:36.600 --> 00:17:39.789 you can see that some of the research you've already done in the past 00:17:39.789 --> 00:17:43.110 applies to different parts of this process. 00:17:43.110 --> 00:17:46.730 M: And talking about patient privacy, 00:17:46.730 --> 00:17:50.710 when we got the programmer from ebay 00:17:50.710 --> 00:17:54.159 it actually contained patient information. 00:17:54.159 --> 00:17:56.779 So, that's the really bad thing. 00:17:56.779 --> 00:17:58.919 E: So, I found this very odd. 00:17:58.919 --> 00:18:01.100 I had a similar reaction to yourselves because 00:18:01.100 --> 00:18:03.080 I usually do industrial system stuff. 00:18:03.080 --> 00:18:06.299 One of my friends picked up some PLCs recently and 00:18:06.299 --> 00:18:09.679 they had data from the nuclear plant, that the PLCs had been used in. 00:18:09.679 --> 00:18:13.789 So, decommissioning is a problem in industrial systems 00:18:13.789 --> 00:18:18.080 but it turns out also in medical devices, right? 
00:18:18.080 --> 00:18:20.480 I guess that's a useful point to make as well, 00:18:20.480 --> 00:18:22.820 about the costs of doing this kind of research. 00:18:22.820 --> 00:18:26.260 It is possible to get some devices, some implants 00:18:26.260 --> 00:18:29.000 from people who have sadly passed on, 00:18:29.000 --> 00:18:33.429 but that comes with a very high cost of biomedical decontamination. 00:18:33.429 --> 00:18:35.549 So that raises the cost of doing this research 00:18:35.549 --> 00:18:38.070 on the implants themselves, not necessarily on the rest 00:18:38.070 --> 00:18:38.710 of the devices. 00:18:38.710 --> 00:18:42.700 M: Yeah, so, also want to say, that in this research 00:18:42.700 --> 00:18:44.059 I had not have not tinkered with my own device. 00:18:44.059 --> 00:18:46.630 So, that would not be a good thing ... 00:18:46.630 --> 00:18:49.679 E: You're not gonna let me, like, SSH into your heart and just ... 00:18:49.679 --> 00:18:52.330 M: Um.. No. E: ... just delete some stuff.. No? 00:18:52.330 --> 00:18:54.990 M: No. E: I wouldn't do it anyway, 00:18:54.990 --> 00:18:56.860 but it's an interesting point, right? 00:18:56.860 --> 00:18:59.019 So, like, there are a lot of safety percussions 00:18:59.019 --> 00:19:00.960 that we and the rest of the team have to take 00:19:00.960 --> 00:19:02.380 when we are doing this research. 00:19:02.380 --> 00:19:06.039 And one of them is not pairing Marie's pacemaker 00:19:06.039 --> 00:19:09.289 with any of the devices that are under test. 00:19:09.289 --> 00:19:13.519 Do you wanna say a bit more about connectivity and vulnerability? 00:19:13.519 --> 00:19:15.200 M: Yeah, so... 00:19:15.200 --> 00:19:18.620 I was worried when I discovered that 00:19:18.620 --> 00:19:23.850 I had this possible connectivity to the medical internet of things. 00:19:23.850 --> 00:19:28.830 In my case this is switched off in the configurations 00:19:28.830 --> 00:19:29.679 but it's there. 
00:19:29.679 --> 00:19:32.750 It's possible to turn it on, it's possible for me to be 00:19:32.750 --> 00:19:36.970 hooked up to the, this internet of medical things. 00:19:36.970 --> 00:19:40.500 And for some patients this is really benefit. 00:19:40.500 --> 00:19:43.090 So you always have to make a risk-based decision 00:19:43.090 --> 00:19:47.510 on whether or not to make use of this 00:19:47.510 --> 00:19:48.529 connectivity. 00:19:48.529 --> 00:19:52.490 But I think it's really important that you make an informed decision 00:19:52.490 --> 00:19:55.480 about that and that the patient 00:19:55.480 --> 00:20:01.919 is informed and has given his or her consent 00:20:01.919 --> 00:20:04.120 to have this feature. 00:20:04.120 --> 00:20:08.200 The battery lifetime of my pacemaker is around 10 years. 00:20:08.200 --> 00:20:10.450 So in 6 years time 00:20:10.450 --> 00:20:12.870 I will have to have a replacement surgery 00:20:12.870 --> 00:20:16.409 and I'm going to be a really difficult patient laughing 00:20:16.409 --> 00:20:17.840 laughter 00:20:17.840 --> 00:20:23.980 So, ... applause 00:20:23.980 --> 00:20:25.039 E: Right on. 00:20:25.039 --> 00:20:27.710 M: I really want to know 00:20:27.710 --> 00:20:30.269 how the devices work by then and 00:20:30.269 --> 00:20:33.830 I want to make an informed decision on whether or not 00:20:33.830 --> 00:20:35.659 to have this connectivity. 00:20:35.659 --> 00:20:38.970 But of course for lot of patients the benefit of having this 00:20:38.970 --> 00:20:40.850 outweighs the risk. 00:20:40.850 --> 00:20:44.630 Because people that had other heart problems than me 00:20:44.630 --> 00:20:47.070 they have to go for more frequent checkups. 00:20:47.070 --> 00:20:49.759 I only have to go once a year. 
00:20:49.759 --> 00:20:53.130 So, for patients that need to go frequently for checkups, 00:20:53.130 --> 00:20:55.710 it's really good for them to have the possibility 00:20:55.710 --> 00:20:58.039 of having telemetry and having connectivity to 00:20:58.039 --> 00:21:00.370 have remote patient monitoring. 00:21:00.370 --> 00:21:04.059 E: Yeah, imagine you have mobility problems or 00:21:04.059 --> 00:21:06.029 you even just live far 00:21:06.029 --> 00:21:08.639 from a major city. 00:21:08.639 --> 00:21:11.360 And making the journey to the hospital is quite arduous, 00:21:11.360 --> 00:21:15.159 then this kind of remote telemetry allows your doctor 00:21:15.159 --> 00:21:17.070 to keep track of what's going on. 00:21:17.070 --> 00:21:19.570 And that's very important, we don't wanna, like... 00:21:19.570 --> 00:21:22.440 have a big scary testosterone filled talk where we, like, 00:21:22.440 --> 00:21:23.389 hack some pacemakers. 00:21:23.389 --> 00:21:26.720 We wanna talk about how there's a dual use thing 00:21:26.720 --> 00:21:28.090 going on here. 00:21:28.090 --> 00:21:31.649 And that there is a lot of value in having these devices 00:21:31.649 --> 00:21:35.830 but we also want them to be safe and secure and preserve our privacy 00:21:35.830 --> 00:21:39.320 and a lot of other things. 00:21:39.320 --> 00:21:43.789 So, these are some of the issues. 00:21:43.789 --> 00:21:46.139 Of course the last one, the remote assassination scenario, 00:21:46.139 --> 00:21:49.340 that's everyone's favorite one to fantasize about 00:21:49.340 --> 00:21:53.250 or talk about, or make movies about, but 00:21:53.250 --> 00:21:54.980 we think there's a lot of other issues in here 00:21:54.980 --> 00:21:56.620 that are more interesting, 00:21:56.620 --> 00:21:59.009 some quality issues even, right, 00:21:59.009 --> 00:22:02.070 that we'll talk about in a little bit. 
00:22:02.070 --> 00:22:02.649 Battery exhaustion, 00:22:02.649 --> 00:22:06.600 again something many people don't think about. But... 00:22:06.600 --> 00:22:09.200 I'm very interested in cyber-physical exploitation 00:22:09.200 --> 00:22:12.789 and so some of these elements were interesting to me 00:22:12.789 --> 00:22:15.960 that you might use the device in a way that wasn't expected. 00:22:15.960 --> 00:22:20.700 M: So personally I'm not afraid of being remotely assassinated. 00:22:20.700 --> 00:22:23.370 E: I've actually never known you to be afraid of anything 00:22:23.370 --> 00:22:24.549 M: laughing 00:22:24.549 --> 00:22:29.130 I'm more worried about software bugs in my device, 00:22:29.130 --> 00:22:31.759 the things that can malfunction, 00:22:31.759 --> 00:22:34.049 E: Is that just theoretical? 00:22:34.049 --> 00:22:36.850 M: No, actually software bugs 00:22:36.850 --> 00:22:38.940 have killed people. 00:22:38.940 --> 00:22:41.340 So, think about that! 00:22:41.340 --> 00:22:42.130 People that are not here, 00:22:42.130 --> 00:22:44.700 they don't have their voice and they can't really 00:22:44.700 --> 00:22:46.340 give their story. 00:22:46.340 --> 00:22:51.100 But there are stories about persons depending on medical devices 00:22:51.100 --> 00:22:54.240 dying because their device malfunctioned. 00:22:54.240 --> 00:22:57.830 E: There's even some great research 00:22:57.830 --> 00:23:01.940 from academics about how the user interface design 00:23:01.940 --> 00:23:05.100 of medical devices can have an impact on patient safety 00:23:05.100 --> 00:23:07.399 and how designing UX 00:23:07.399 --> 00:23:10.139 much more clearly and concisely 00:23:10.139 --> 00:23:11.840 specifically for the medical profession 00:23:11.840 --> 00:23:17.809 might improve the care of patients. 00:23:17.809 --> 00:23:19.889 Do you wanna say more about this slide or should we 00:23:19.889 --> 00:23:22.370 go on to the previous work, should we... go ahead! 
00:23:22.370 --> 00:23:25.190 M: Yeah, I think it's really important also to... 00:23:25.190 --> 00:23:27.639 the issue of trusting the vendors. 00:23:27.639 --> 00:23:31.480 So, as a patient I'm expected to just, you know, 00:23:31.480 --> 00:23:34.720 trust, that my device is working correctly, 00:23:34.720 --> 00:23:38.860 every security vulnerability has been corrected by the vendor 00:23:38.860 --> 00:23:39.650 and it's safe. 00:23:39.650 --> 00:23:42.659 But I want to have more third party testing, 00:23:42.659 --> 00:23:48.210 I want to have more security research on medical implants. 00:23:48.210 --> 00:23:52.379 And as a lot of things, like ... history has shown 00:23:52.379 --> 00:23:57.580 we can't always trust that the vendors do the right thing. 00:23:57.580 --> 00:24:00.179 E: I think this is a good opportunity for us to ask 00:24:00.179 --> 00:24:03.279 a very fun question, which is: 00:24:03.279 --> 00:24:05.700 Any fans of DMCA in the room? 00:24:05.700 --> 00:24:08.330 laughter 00:24:08.330 --> 00:24:09.379 No? No fans? Alright. 00:24:09.379 --> 00:24:12.779 Well, then you'll really enjoy this. 00:24:12.779 --> 00:24:17.129 Marie has some very exciting news about DMCA exemptions. 00:24:17.129 --> 00:24:21.350 M: Yeah, so... October, this year 00:24:21.350 --> 00:24:27.909 there was a ruling of a DMCA exemption for 00:24:27.909 --> 00:24:30.710 security research on medical devices 00:24:30.710 --> 00:24:33.529 also for automotive security research. 00:24:33.529 --> 00:24:34.860 So, this means, that 00:24:34.860 --> 00:24:39.289 as researchers you can 00:24:39.289 --> 00:24:41.919 actually do reverse engineering of medical implants 00:24:41.919 --> 00:24:46.169 without infringing copyright laws. 00:24:46.169 --> 00:24:48.220 It will take effect I think October next year. 00:24:48.220 --> 00:24:50.710 E: Yeah. M: That is really a big 00:24:50.710 --> 00:24:53.529 step forward in my opinion. 
00:24:53.529 --> 00:24:56.009 And I hope that this will encourage more research. 00:24:56.009 --> 00:24:59.649 And I also want to mention that there are 00:24:59.649 --> 00:25:02.720 fellow activist patients like myself 00:25:02.720 --> 00:25:06.649 that were behind that proposal of having these exemptions. 00:25:06.649 --> 00:25:11.529 So, Jay Radcliffe who hacked his own insulin pump, 00:25:11.529 --> 00:25:16.299 Karen Sandler, who is a free and open software advocate. 00:25:16.299 --> 00:25:21.190 And Hugo Campos, who has an ICD implant, he is very ... 00:25:21.190 --> 00:25:24.580 he wants to have access to his own data 00:25:24.580 --> 00:25:27.669 for quantified self reasons. 00:25:27.669 --> 00:25:31.210 So these patients, they actually 00:25:31.210 --> 00:25:36.409 made this happen, that you're allowed to do 00:25:36.409 --> 00:25:38.870 security research on medical devices. 00:25:38.870 --> 00:25:40.859 I think that's really great. 00:25:40.859 --> 00:25:48.029 applause 00:25:48.029 --> 00:25:51.639 E: Do you wanna say something about Scott Erven's presentation 00:25:51.639 --> 00:25:52.419 that you saw at DEF CON? 00:25:52.419 --> 00:25:54.419 M: Yeah, that was a really interesting presentation about 00:25:54.419 --> 00:25:59.899 how medical devices have really poor security. 00:25:59.899 --> 00:26:02.399 And they have, like, hard coded credentials, 00:26:02.399 --> 00:26:06.059 and you can find them using Shodan on the internet. 00:26:06.059 --> 00:26:09.500 These were not pacemakers, but other types of 00:26:09.500 --> 00:26:10.809 different medical devices. 00:26:10.809 --> 00:26:17.029 There are, like, hospital networks that are completely open 00:26:17.029 --> 00:26:20.799 and you can access the medical equipment 00:26:20.799 --> 00:26:26.240 using default passwords that you can find in the manuals. 
00:26:26.240 --> 00:26:27.240 And the vendors claim that 00:26:27.240 --> 00:26:30.159 no, these are not hard coded, these are default, 00:26:30.159 --> 00:26:33.809 but then the manuals say: Do not change this password... 00:26:33.809 --> 00:26:37.269 E: Because they want to integrate with other stuff, right? So... 00:26:37.269 --> 00:26:40.950 I've heard that excuse from SCADA, so I wasn't having it. 00:26:40.950 --> 00:26:43.759 M: They also put up some medical device honeypots 00:26:43.759 --> 00:26:48.889 to see if there were targeted hacking attempts 00:26:48.889 --> 00:26:55.009 but they only picked up regular malware on them, which is also ... 00:26:55.009 --> 00:26:57.309 E: Only! M: ... of course of a concern laughing 00:26:57.309 --> 00:27:01.389 E: Anything else, about prior art, Kevin? 00:27:01.389 --> 00:27:04.889 M: I guess we should mention that the academic research 00:27:04.889 --> 00:27:08.019 on hacking pacemakers, which was started by 00:27:08.019 --> 00:27:11.090 a group led by Kevin Fu 00:27:11.090 --> 00:27:13.840 and they had this first paper in 2008 00:27:13.840 --> 00:27:15.210 that they also followed up with more academic research 00:27:15.210 --> 00:27:17.909 and they showed that it's possible to hack a pacemaker. 00:27:17.909 --> 00:27:21.220 They showed that... this was possible on a, like 00:27:21.220 --> 00:27:23.460 a couple of centimeters distance only, 00:27:23.460 --> 00:27:28.289 so, like, the attack scenario would be, if you have a 00:27:28.289 --> 00:27:30.330 device similar to the programmer's device 00:27:30.330 --> 00:27:33.610 and you attack me with it you can laughing 00:27:33.610 --> 00:27:34.289 turn off my pacemaker. 
00:27:34.289 --> 00:27:36.019 That's not really scary, 00:27:36.019 --> 00:27:39.840 but then we have the research by Barnaby Jack 00:27:39.840 --> 00:27:45.529 where this range of the attack is extended to several meters 00:27:45.529 --> 00:27:48.549 so you have someone with an antenna in a room 00:27:48.549 --> 00:27:51.360 scanning for pacemakers 00:27:51.360 --> 00:27:54.059 and starting to program them. 00:27:54.059 --> 00:28:00.210 E: We have a saying at Cambridge about that. 00:28:00.210 --> 00:28:01.929 Some of the other people at the university have been doing attacks 00:28:01.929 --> 00:28:04.799 a lot longer than I have, and one of the things they say is: 00:28:04.799 --> 00:28:07.059 'Attacks only get worse, they never get better.' 00:28:07.059 --> 00:28:11.169 So, the range might be short one year, then a couple of years later it's worse. 00:28:11.169 --> 00:28:15.889 M: The worst case scenario I think would be remotely, 00:28:15.889 --> 00:28:19.549 via the internet being able to hack pacemakers. 00:28:19.549 --> 00:28:24.490 But there's no research so far indicating that that's possible. 00:28:24.490 --> 00:28:26.970 E: And we don't wanna hype that up. We don't wanna... 00:28:26.970 --> 00:28:28.929 M: No. E: ... get that kind of an angle 00:28:28.929 --> 00:28:31.720 on this talk. We wanna make the point that hacking can save lives, 00:28:31.720 --> 00:28:38.779 that hackers are global citizen's resource to save lives, right? So... 00:28:38.779 --> 00:28:45.200 M: Yeah, so, this is the result of hacking of the drug infusion pumps. 00:28:45.200 --> 00:28:48.659 Earlier this year 00:28:48.659 --> 00:28:55.190 the FDA actually issued the first ever recall of a medical device 00:28:55.190 --> 00:28:57.730 based on cyber security concerns. 00:28:57.730 --> 00:29:02.190 E: I think that's amazing, right? They've recalled products 00:29:02.190 --> 00:29:05.509 because of cyber security concerns. They used to have to wait until someone died. 
00:29:05.509 --> 00:29:09.840 In fact, they had to show something like 500 deaths 00:29:09.840 --> 00:29:13.360 before you could recall a product. So now they can ... 00:29:13.360 --> 00:29:16.080 the FDA, at least in the US, they can recall products 00:29:16.080 --> 00:29:18.570 just based on security considerations. 00:29:18.570 --> 00:29:20.519 M: So, this is also, 00:29:20.519 --> 00:29:26.730 I guess the first example of that type of pro-active 00:29:26.730 --> 00:29:29.450 security research, where you can 00:29:29.450 --> 00:29:33.049 make a proof of concept without killing any patients 00:29:33.049 --> 00:29:36.740 and then that closes the security holes. 00:29:36.740 --> 00:29:38.240 And that potentially saves lives. 00:29:38.240 --> 00:29:41.169 And no one has been hurt in the research. 00:29:41.169 --> 00:29:42.110 I think that's great. 00:29:42.110 --> 00:29:45.019 E: I'm also really excited because we give a lot of presentations 00:29:45.019 --> 00:29:48.610 about security that are filled with doom and gloom and depression, 00:29:48.610 --> 00:29:52.190 so it's nice to have two major victories in medical device research 00:29:52.190 --> 00:29:54.610 in the last few years. One being the DMCA exemptions 00:29:54.610 --> 00:29:57.299 and the other being actual product recalls. 00:29:57.299 --> 00:30:01.879 M: Yeah, and the FDA are starting to take these issues seriously and 00:30:01.879 --> 00:30:05.700 they are really focusing on the cyber security of medical implants now. 00:30:05.700 --> 00:30:09.980 I'm going to go to a workshop arranged by the FDA in January 00:30:09.980 --> 00:30:15.639 and participate on a panel discussing cyber security of medical implants. 00:30:15.639 --> 00:30:18.789 And it's great to have this type of interaction between 00:30:18.789 --> 00:30:23.269 the security committee, medical device vendors and the regulators. 00:30:23.269 --> 00:30:24.950 So, things are happening. 00:30:24.950 --> 00:30:26.820 E: Yeah. 
How do you feel as an audience, 00:30:26.820 --> 00:30:29.759 are you glad that she's going to be your representative in Washington 00:30:29.759 --> 00:30:31.749 for some of these issues? 00:30:31.749 --> 00:30:38.679 applause 00:30:38.679 --> 00:30:41.330 And we want you to get involved as well, right? 00:30:41.330 --> 00:30:44.950 This is not just about Marie and myself and the other people 00:30:44.950 --> 00:30:47.499 who worked on this project, it's meant to say 00:30:47.499 --> 00:30:50.200 you too can do this research. And you should be. 00:30:50.200 --> 00:30:53.499 You have to be a little sensitive, a little bit precise and articulate 00:30:53.499 --> 00:30:55.029 about concerns. 00:30:55.029 --> 00:30:58.509 We take some inspiration from the former research around hygiene. 00:30:58.509 --> 00:31:01.419 Imagine the first time some scientist went to some other scientist and said 00:31:01.419 --> 00:31:04.960 'There is this invisible stuff, and it's on your hands, 00:31:04.960 --> 00:31:07.210 and if you don't wash your hands people get infections!' 00:31:07.210 --> 00:31:08.240 And everyone thought they were crazy. 00:31:08.240 --> 00:31:12.049 Well, it's kind of the same with us talking about industrial systems 00:31:12.049 --> 00:31:15.840 or talking about medical devices or talking about hacking in general. 00:31:15.840 --> 00:31:18.200 People just didn't, sort of, believe it was possible at first. 00:31:18.200 --> 00:31:21.019 And so we have to articulate ourselves very, very carefully. 00:31:21.019 --> 00:31:25.200 So, we draw inspiration from that early hygiene movement 00:31:25.200 --> 00:31:28.730 where they had a couple simple rules that started to save people's lives 00:31:28.730 --> 00:31:31.529 while they explained germ theory to the masses. 00:31:31.529 --> 00:31:38.139 M: Yeah, so, this type of research is kind of low hanging fruits 00:31:38.139 --> 00:31:41.149 where you just, so... 
00:31:41.149 --> 00:31:46.320 what we show here is an example, 00:31:46.320 --> 00:31:50.440 where there's a lot of medical device networks in hospitals 00:31:50.440 --> 00:31:53.720 that are open to the internet and that can get infected 00:31:53.720 --> 00:31:59.429 by normal type of malware, like banking trojans or whatever. 00:31:59.429 --> 00:32:03.200 And this is potentially a safety issue. 00:32:03.200 --> 00:32:08.460 So, if your MR scanner or some other 00:32:08.460 --> 00:32:12.970 more life-critical device is being unavailable because of 00:32:12.970 --> 00:32:16.919 a virus on it, 00:32:16.919 --> 00:32:21.360 that's a real concern for patient security and safety. 00:32:21.360 --> 00:32:26.419 So we need to think more about the hygiene also in terms of 00:32:26.419 --> 00:32:29.860 computer viruses, not only just normal viruses. 00:32:29.860 --> 00:32:33.129 E: Yeah. So, you know, sometimes people will treat you like 00:32:33.129 --> 00:32:35.639 this is an entirely theoretical concern, but 00:32:35.639 --> 00:32:39.379 I think this is one of the best illustrations that we've found 00:32:39.379 --> 00:32:42.210 of how that should be a concern, 00:32:42.210 --> 00:32:43.740 and I think all of you will get it, 00:32:43.740 --> 00:32:47.320 but I wanna give you a moment to kind of read what's about to come up on the slides. 00:32:47.320 --> 00:32:59.200 So I'll just let you enjoy that for a moment. 00:32:59.200 --> 00:33:02.009 So if it's not clear or it's not your first language or something, 00:33:02.009 --> 00:33:07.659 this guy basically sharded patient data across a bunch of Amazon clusters. 00:33:07.659 --> 00:33:11.309 And then it was unavailable. And they were very concerned 00:33:11.309 --> 00:33:14.029 about the unavailability of their customer patient data 00:33:14.029 --> 00:33:17.629 sharded across Amazon instances. 00:33:17.629 --> 00:33:23.289 He was complaining to support, like 'Can I get support to fix this?' 
laughing 00:33:23.289 --> 00:33:27.149 M: So, all the data of the ... 00:33:27.149 --> 00:33:31.580 ... the monitoring data of the cardiac patients is unavailable to them 00:33:31.580 --> 00:33:35.129 because of the service being downed. 00:33:35.129 --> 00:33:43.060 And, well, do you want to outsource your patient's safety to the cloud? Really? 00:33:43.060 --> 00:33:45.360 I don't want that. Okay. 00:33:45.360 --> 00:33:50.039 E: I wanna get into some other details. We have sort of 10 min left if we can ... 00:33:50.039 --> 00:33:53.179 so we can have a lot of questions, and I'm sure there will be some. 00:33:53.179 --> 00:33:57.990 But I want you to talk to them about this very personal story. 00:33:57.990 --> 00:34:00.769 This is... Remember before, when we said, is this stuff theoretical? 00:34:00.769 --> 00:34:02.299 I want you to pay a lot of attention to this story. 00:34:02.299 --> 00:34:04.299 It really moved me when she first told me. 00:34:04.299 --> 00:34:08.650 M: I know how it feels to have my body controlled by a device 00:34:08.650 --> 00:34:12.360 that is not working correctly. 00:34:12.360 --> 00:34:18.429 So, I think it was around 2 or 3 weeks after I had the surgery. 00:34:18.429 --> 00:34:19.480 I felt fine. 00:34:19.480 --> 00:34:23.409 But I hadn't really done any exercise yet. 00:34:23.409 --> 00:34:28.090 The surgery was pretty easy, I only had 2 weeks sick leave 00:34:28.090 --> 00:34:29.730 and then I came back to work 00:34:29.730 --> 00:34:30.960 and I went to London 00:34:30.960 --> 00:34:35.449 to participate in a course in ethical hacking and 00:34:35.449 --> 00:34:39.770 I did take the London Underground together with some of my colleagues 00:34:39.770 --> 00:34:42.840 and we went off at this station at Covent Garden. 00:34:42.840 --> 00:34:46.050 And I don't know if you have been there but 00:34:46.050 --> 00:34:49.100 that particular station is really low underground. 
00:34:49.100 --> 00:34:51.980 They have elevators that you can use to get up, 00:34:51.980 --> 00:34:55.139 but usually there are, like, long queues to the elevators... 00:34:55.139 --> 00:34:57.050 E: You always have to do things the hard way, right? 00:34:57.050 --> 00:34:58.120 M: You had to take the stairs, or 00:34:58.120 --> 00:35:00.830 they were just heading for the stairs and I was following them and 00:35:00.830 --> 00:35:05.700 we were starting to climb the stairs and I didn't read this warning sign, which is: 00:35:05.700 --> 00:35:09.850 'Those with luggage, pushchairs & heart conditions, please use the lift' laughing 00:35:09.850 --> 00:35:11.610 Because I was feeling fine, 00:35:11.610 --> 00:35:15.570 and this was the first time that I figured out there's something wrong 00:35:15.570 --> 00:35:17.860 with my pacemaker or with my heart. 00:35:17.860 --> 00:35:20.330 Because I came like halfway up these stairs 00:35:20.330 --> 00:35:23.120 and I felt like I was going to die. 00:35:23.120 --> 00:35:24.610 It was a really horrible feeling. 00:35:24.610 --> 00:35:26.430 I didn't have any more breath left, 00:35:26.430 --> 00:35:30.740 I felt like I wasn't able to complete the stairs. 00:35:30.740 --> 00:35:33.650 I didn't know what was happening to me, but 00:35:33.650 --> 00:35:37.440 somehow I managed to drag myself up the stairs 00:35:37.440 --> 00:35:38.700 and my heart was really... 00:35:38.700 --> 00:35:40.830 it didn't feel right. 00:35:40.830 --> 00:35:45.040 So, first thing when I came back from this course 00:35:45.040 --> 00:35:46.250 I went to my doctor 00:35:46.250 --> 00:35:49.230 and we started to try to debug me, tried to find out 00:35:49.230 --> 00:35:51.670 what was wrong with my pacemaker. 00:35:51.670 --> 00:35:54.610 And this is how that looks like. E: laughing 00:35:54.610 --> 00:35:58.370 M: So, there's a stack of different programmers 00:35:58.370 --> 00:36:02.410 - this is not me by the way, but it's a very similar situation. 
00:36:02.410 --> 00:36:04.130 E: And we'll come back to those programmers in a moment. 00:36:04.130 --> 00:36:05.180 M: Yeah. E: But the bit I want you 00:36:05.180 --> 00:36:08.930 to focus on is, like, they're debugging your pacemaker? 00:36:08.930 --> 00:36:11.730 Inside you? M: Yeah, I didn't know 00:36:11.730 --> 00:36:12.890 what was happening at the time. 00:36:12.890 --> 00:36:15.260 We were just trying to get the settings right 00:36:15.260 --> 00:36:19.030 and it took like 2 or 3 months before we figured out what was wrong. 00:36:19.030 --> 00:36:23.860 And what happened was, that my upper rate limit was set too low for me, 00:36:23.860 --> 00:36:29.930 for my age. So, the normal pacemaker patient is maybe around 80 years old 00:36:29.930 --> 00:36:34.050 and the default upper rate limit was 160 beats/min. 00:36:34.050 --> 00:36:36.750 And that's pretty low for a young person. 00:36:36.750 --> 00:36:40.420 E: So, imagine, like, you're younger and you're really fit and you know 00:36:40.420 --> 00:36:43.930 how to do something really well, like swimming or skiing or skateboarding 00:36:43.930 --> 00:36:47.180 or whatever. You're fantastic at it. And then a couple years go past 00:36:47.180 --> 00:36:49.870 and you know, you gain some weight and you're not as good at it, right? 00:36:49.870 --> 00:36:53.040 But now imagine that happens in 3 seconds. 00:36:53.040 --> 00:36:54.580 While you're walking up a set of stairs. 00:36:54.580 --> 00:36:57.470 M: So, what happens is that the pacemaker detects 00:36:57.470 --> 00:37:01.570 'Oh, you have a really high pulse'. And there's a safety mechanism 00:37:01.570 --> 00:37:04.690 that will cut your pulse in half ... E: In half! 00:37:04.690 --> 00:37:07.380 laughter M: laughing So in my case it went 00:37:07.380 --> 00:37:11.050 from 160 beats/min to 80 beats/min. In a second, or less than a second, 00:37:11.050 --> 00:37:14.370 and that felt really, really horrible. 
00:37:14.370 --> 00:37:16.480 And it took a long time to figure out what was wrong. 00:37:16.480 --> 00:37:20.890 It wasn't until they put me on an exercise bike and 00:37:20.890 --> 00:37:24.520 had me on monitoring that they figured out what was wrong, because 00:37:24.520 --> 00:37:31.400 the thing was, that what was displayed on the pacemaker technician's view 00:37:31.400 --> 00:37:35.730 was not the same settings that my pacemaker actually had. 00:37:35.730 --> 00:37:41.340 There was a software bug in the programmer, that caused this problem. 00:37:41.340 --> 00:37:45.610 E: So they thought they had updated her settings to be that of a young person. 00:37:45.610 --> 00:37:47.080 They were like 'Oh, we've already changed it'. 00:37:47.080 --> 00:37:51.390 But they lost the view. They couldn't see the actual state of the pacemaker. 00:37:51.390 --> 00:37:53.980 And the only way to figure that out was to put her on a bike 00:37:53.980 --> 00:37:57.190 and let her cycle until her heart rate was high enough. 00:37:57.190 --> 00:38:00.230 You know, literally physically debugging her to figure out 00:38:00.230 --> 00:38:00.850 what was wrong. 00:38:00.850 --> 00:38:04.250 Now stop and think about whether or not you would trust your doctor 00:38:04.250 --> 00:38:06.890 to debug software. 00:38:06.890 --> 00:38:10.800 laughter 00:38:10.800 --> 00:38:14.050 So, say a little bit more about those programmers and then we'll move on 00:38:14.050 --> 00:38:14.860 towards the future. 00:38:14.860 --> 00:38:19.240 M: Yeah, so, we got hold of one of these programmers, as mentioned 00:38:19.240 --> 00:38:20.500 and looked inside it. 00:38:20.500 --> 00:38:24.160 And, well, we named this talk 'Unpatchable', because 00:38:24.160 --> 00:38:29.930 originally my hypothesis was that, if you find a bug in a pacemaker 00:38:29.930 --> 00:38:32.630 it will be hard to patch it. 00:38:32.630 --> 00:38:34.550 Maybe it would require surgery. 
00:38:34.550 --> 00:38:37.370 But then when we looked inside the programmer 00:38:37.370 --> 00:38:42.520 and we saw that it contained firmware for pacemakers we realized that 00:38:42.520 --> 00:38:46.170 it's possible to actually patch the pacemaker via this programmer. 00:38:46.170 --> 00:38:49.500 E: One of the other researchers finds these firmware blobs inside 00:38:49.500 --> 00:38:53.290 the programmer code and, like, my heart stopped at that point, right? 00:38:53.290 --> 00:39:00.160 I was just going 'Really, you can just update the code on someone's pacemaker?' 00:39:00.160 --> 00:39:01.920 We also wanna say something about standardization. 00:39:01.920 --> 00:39:02.840 Look at all those different programmers. 00:39:02.840 --> 00:39:05.680 Someone goes into a hospital with one of these devices 00:39:05.680 --> 00:39:08.940 they have many different programmers so they have to make an estimation 00:39:08.940 --> 00:39:12.730 of which... you know, which programmer for which device. 00:39:12.730 --> 00:39:14.000 Like, which one are you running. 00:39:14.000 --> 00:39:18.070 And, so, some standardization would be an option laughing 00:39:18.070 --> 00:39:20.410 perhaps, in this case. M: Yeah. 00:39:20.410 --> 00:39:23.110 E: Alright. So, we're gonna need to move quickly through 00:39:23.110 --> 00:39:25.400 the next few slides to talk to you about the future, 00:39:25.400 --> 00:39:28.940 but I hope that drives home that this is a very real issue for real people. 00:39:28.940 --> 00:39:32.770 M: So, pacemakers are evolving and they are getting smaller 00:39:32.770 --> 00:39:36.060 and this is the type of pacemaker that you can actually implant 00:39:36.060 --> 00:39:37.070 inside the heart. 00:39:37.070 --> 00:39:42.130 So, the pacemaker I have today is outside the heart and it has 00:39:42.130 --> 00:39:44.360 leads that are wired to my heart. 
00:39:44.360 --> 00:39:50.600 But in future they are getting smaller and more sophisticated and 00:39:50.600 --> 00:39:52.730 I think this is exciting! 00:39:52.730 --> 00:39:54.950 I think that a lot of you, also in the audience will 00:39:54.950 --> 00:39:58.060 benefit from having this type of technology when you grow older 00:39:58.060 --> 00:40:02.050 and we can have longer lives and we can live more healthier lives 00:40:02.050 --> 00:40:04.680 because of the technology. E: And keep in mind, right? 00:40:04.680 --> 00:40:06.900 Some of you may already have devices and already have these issues, 00:40:06.900 --> 00:40:09.550 but others of you will think 'Ah, that won't happen to me for quite a long time' 00:40:09.550 --> 00:40:13.200 But it can be a sudden thing, that, you know, you don't necessarily 00:40:13.200 --> 00:40:17.140 have a choice to run code inside your body. 00:40:17.140 --> 00:40:21.340 Which OS do you wanna implant? laughing 00:40:21.340 --> 00:40:25.220 You wanna tell them about the.. 00:40:25.220 --> 00:40:27.080 M: This is also a quite exciting 00:40:27.080 --> 00:40:29.610 maybe future type of implants that you can have. 00:40:29.610 --> 00:40:34.320 So, this is actually a cardiac sock, it's 3D-printed and it's making 00:40:34.320 --> 00:40:38.370 a rabbit's heart beat outside the body of the rabbit. 00:40:38.370 --> 00:40:41.270 So, there's a lot of technology and sensors and things that 00:40:41.270 --> 00:40:44.170 are going to be implanted in our bodies 00:40:44.170 --> 00:40:46.840 and I think more of you will become cyborgs like me in the future 00:40:46.840 --> 00:40:49.800 E: And there's a lot of work that you could be doing. 00:40:49.800 --> 00:40:51.400 You know, 3D-printing these devices, 00:40:51.400 --> 00:40:57.110 and open sourcing as much of this as possible. 00:40:57.110 --> 00:40:58.860 There's a lot to say here, right? 00:40:58.860 --> 00:41:02.860 I think it's time to address the really scary issue. 
00:41:02.860 --> 00:41:07.550 The informed consent issue around patching, right? 00:41:07.550 --> 00:41:09.750 Remember earlier we were talking about the programmers 00:41:09.750 --> 00:41:11.980 and we pointed out that there were firmware blobs in there 00:41:11.980 --> 00:41:14.280 and that these people, you know, your doctor or nurse 00:41:14.280 --> 00:41:18.950 could upgrade the code running on your medical implant. 00:41:18.950 --> 00:41:23.760 Now, is there a legal requirement for them to inform you, 00:41:23.760 --> 00:41:26.650 before they alter the code that's running inside your body? 00:41:26.650 --> 00:41:27.490 As far as we can tell 00:41:27.490 --> 00:41:30.480 - and we need to look at a lot of different countries at the same time, 00:41:30.480 --> 00:41:32.330 so we're gonna ask you to help us - 00:41:32.330 --> 00:41:34.690 as far as we can tell there are not laws requiring your doctor 00:41:34.690 --> 00:41:40.360 to tell you that they are upgrading the firmware in your device. 00:41:40.360 --> 00:41:43.780 M: Yeah, think about that laughs 00:41:43.780 --> 00:41:44.780 It's a quite scary thing. 00:41:44.780 --> 00:41:48.970 I want to know what's happening to my implant, the code, 00:41:48.970 --> 00:41:53.070 if someone wants to alter the code inside my body, I would like to know 00:41:53.070 --> 00:41:57.250 and I would like to make an informed decision on that 00:41:57.250 --> 00:41:59.470 and give my consent before it happens. 00:41:59.470 --> 00:42:02.230 E: You might even choose a device where that's possible or not possible 00:42:02.230 --> 00:42:05.640 because you're making a risk-based decision and you're an informed consumer 00:42:05.640 --> 00:42:07.800 but how do we help people, who don't wanna understand 00:42:07.800 --> 00:42:11.190 software and firmware and upgrades make those decisions in the future as well. 00:42:11.190 --> 00:42:15.570 Alright. 
00:42:15.570 --> 00:42:17.320 M: So now, if we're going to go through 00:42:17.320 --> 00:42:21.950 all this, but there's a lot of reasons why we're in the situations of having 00:42:21.950 --> 00:42:23.870 insecure medical devices. 00:42:23.870 --> 00:42:29.040 There's a lot of legacy technology because there's a long lifetime of these devices 00:42:29.040 --> 00:42:31.910 and it takes a long time to get them on the market. 00:42:31.910 --> 00:42:35.680 And they can be patched, but in some cases 00:42:35.680 --> 00:42:40.790 they are not patched or there are no software updates applied to them. 00:42:40.790 --> 00:42:48.030 We don't have any third party security testing of the devices, 00:42:48.030 --> 00:42:49.490 and that's really needed in my opinion. 00:42:49.490 --> 00:42:50.770 E: Right, an underwriters laboratory 00:42:50.770 --> 00:42:55.190 or consumer laboratory that's there to check some of these details. 00:42:55.190 --> 00:42:58.590 And I don't think that's unreasonable, right? That sort of approach. 00:42:58.590 --> 00:43:02.040 M: And there's a lack of regulations, also. So there's a lot of things 00:43:02.040 --> 00:43:04.610 that should be worked on. 00:43:04.610 --> 00:43:07.270 E: So, there's a lot of ways to solve this 00:43:07.270 --> 00:43:09.640 and we're not gonna give you the answer, because we're not 00:43:09.640 --> 00:43:13.420 geniuses, so we're gonna say that 00:43:13.420 --> 00:43:16.370 these are some different approaches that we see all 00:43:16.370 --> 00:43:19.700 playing in a solution space. 00:43:19.700 --> 00:43:22.270 So, vendor awareness is obviously important, but 00:43:22.270 --> 00:43:23.950 that's not the only thing. A lot of the vendors have been 00:43:23.950 --> 00:43:27.890 very supportive and very open to discussion, 00:43:27.890 --> 00:43:31.750 of transparency, that needs to happen more in the future, right? 
00:43:31.750 --> 00:43:34.390 Security risk monitoring, I've been working in the field 00:43:34.390 --> 00:43:38.600 of cyber insurance, which I'm sure sounds like insanity to the rest of you, 00:43:38.600 --> 00:43:42.880 and it is, there are bad days. But that could play a part 00:43:42.880 --> 00:43:45.530 in this risk equation in the future. 00:43:45.530 --> 00:43:49.710 What about medical incident response, right? Or medical device forensics. 00:43:49.710 --> 00:43:53.660 M: If I suddenly drop dead I really would like to have 00:43:53.660 --> 00:43:57.160 a forensic analysis of my pacemaker, to ... 00:43:57.160 --> 00:44:00.960 E: Please remember that, all of you! Like, if anything is going to happen 00:44:00.960 --> 00:44:04.660 to Marie... everyone asked that, right? Like, 'Aren't you afraid of giving this talk?' 00:44:04.660 --> 00:44:06.950 And we thought about it, we talked about it a lot and 00:44:06.950 --> 00:44:09.500 she's got a lot of support from her husband and her son 00:44:09.500 --> 00:44:12.880 and her family and a bunch of us. If anything happens to this woman 00:44:12.880 --> 00:44:15.380 I hope that we will all be doing forensic analysis 00:44:15.380 --> 00:44:17.110 of everything. 00:44:17.110 --> 00:44:24.580 applause 00:44:24.580 --> 00:44:32.470 Cool. So, we'll say a little bit about 'I Am The Cavalry' and social contract 00:44:32.470 --> 00:44:34.590 and then we'll wrap it up, okay? 00:44:34.590 --> 00:44:37.840 So, 'I Am The Cavalry' does a lot of grassroots research 00:44:37.840 --> 00:44:41.450 and support and lobbying and tries to articulate these messages. 00:44:41.450 --> 00:44:44.230 They have a medical implant arm that has a bunch of 00:44:44.230 --> 00:44:46.350 different researchers doing this kind of stuff. 00:44:46.350 --> 00:44:48.580 Do you wanna say more about them? 
00:44:48.580 --> 00:44:52.430 M: Yeah, so we are both part of the Cavalry, 00:44:52.430 --> 00:44:56.000 because no one is coming to save us from the future 00:44:56.000 --> 00:44:59.840 of being more dependent on trusting our lives on machines 00:44:59.840 --> 00:45:04.390 so, that's why we need to step up and do the research and 00:45:04.390 --> 00:45:06.550 encourage and inspire the research. 00:45:06.550 --> 00:45:09.460 So, that's why I joined 'I Am The Cavalry' 00:45:09.460 --> 00:45:12.750 and I think it's a good thing to have 00:45:12.750 --> 00:45:15.660 a collaboration effort between researchers, between the vendors 00:45:15.660 --> 00:45:21.060 and the regulators, as they are, or we are working with. 00:45:21.060 --> 00:45:25.010 E: We also think that even if you don't do reverse engineering 00:45:25.010 --> 00:45:28.040 or you're not interested in security details or the opcodes 00:45:28.040 --> 00:45:30.130 that are inside the firmwares or whatever, 00:45:30.130 --> 00:45:33.060 this question is a question that any of you here can talk about 00:45:33.060 --> 00:45:36.310 for the rest of the congress and going forward into the future. 00:45:36.310 --> 00:45:37.240 Right? 00:45:37.240 --> 00:45:39.990 This is Marie's, so go ahead. 00:45:39.990 --> 00:45:47.820 M: Yeah, so, I really want to know what code is running inside my body. 00:45:47.820 --> 00:45:49.030 And I want to know ... 00:45:49.030 --> 00:45:55.390 or I want to have a social contract with my medical doctors and 00:45:55.390 --> 00:45:58.780 my physician that is giving me these implants. 00:45:58.780 --> 00:46:05.570 It needs to be based on a patient-to-doctor trust relationship. 00:46:05.570 --> 00:46:08.620 And also between me and the vendors. 00:46:08.620 --> 00:46:13.210 So I really want to know that I can trust this machine inside... 00:46:13.210 --> 00:46:15.510 E: And we think many of you will be facing similar questions 00:46:15.510 --> 00:46:17.000 to these in the future. 
00:46:17.000 --> 00:46:20.240 I have questions. Some of my questions are serious, 00:46:20.240 --> 00:46:25.260 some of my questions are not serious, like this one: 00:46:25.260 --> 00:46:27.770 Is the code on your dress from your pacemaker? 00:46:27.770 --> 00:46:31.660 M: No, actually it's from the computer game 'Doom'. 00:46:31.660 --> 00:46:33.090 But ... laughter 00:46:33.090 --> 00:46:36.180 once I have the laughing code of my pacemaker 00:46:36.180 --> 00:46:38.790 I'm going to make a custom-ordered dress and get it... 00:46:38.790 --> 00:46:44.970 E: Which is pretty cool, right? M: ... get it with my own code. 00:46:44.970 --> 00:46:48.710 applause 00:46:48.710 --> 00:46:53.710 So, let's wrap up with... what we want to have of future research. 00:46:53.710 --> 00:46:57.190 So, we encourage more research, and these are some things that 00:46:57.190 --> 00:46:59.220 could be looked into. 00:46:59.220 --> 00:47:02.970 Like open source medical devices, that doesn't really exist, 00:47:02.970 --> 00:47:05.320 at least not for pacemakers. 00:47:05.320 --> 00:47:09.180 But I think that's one way of going forward. 00:47:09.180 --> 00:47:13.710 E: I think it's also an opportunity for us to mention a really scary idea, 00:47:13.710 --> 00:47:18.200 which is, you know, should anyone have a golden key to Marie's heart, 00:47:18.200 --> 00:47:22.070 should there be backdoored encryption inside of her heart? 00:47:22.070 --> 00:47:24.910 We think no laughing but that... 00:47:24.910 --> 00:47:28.290 M: I don't see any reason why the NSA should be able to 00:47:28.290 --> 00:47:31.130 have a back door to my heart, do you? 00:47:31.130 --> 00:47:33.890 E: You would be an extremist, that's why you don't want them 00:47:33.890 --> 00:47:37.380 to have a back door to your heart. But this is a serious question, right? 00:47:37.380 --> 00:47:39.480 If you start backdooring any kind of crypto anywhere, 00:47:39.480 --> 00:47:41.320 how do you know, where it's gonna end up. 
00:47:41.320 --> 00:47:46.550 It might end up in medical devices and we think that's unacceptable. 00:47:46.550 --> 00:47:58.410 applause 00:47:58.410 --> 00:48:05.400 M: And we should also mention that we're not doing this alone, 00:48:05.400 --> 00:48:09.280 we have other researchers helping us forward doing this. 00:48:09.280 --> 00:48:12.230 Angel: So, thank you very much for this thrilling talk, 00:48:12.230 --> 00:48:15.250 we're now doing a little Q&A for 10 min, 00:48:15.250 --> 00:48:19.630 and for the Q&A please keep in mind to respect Marie's privacy, so 00:48:19.630 --> 00:48:23.340 don't ask for details about 00:48:23.340 --> 00:48:24.760 the implant or something like that. 00:48:24.760 --> 00:48:26.820 E: Yeah, the brands and stuff. 00:48:26.820 --> 00:48:29.530 We're gonna tell you, what OS she's running. 00:48:29.530 --> 00:48:35.130 Angel: People, who are now leaving the room, they will not be able 00:48:35.130 --> 00:48:41.440 to come back in, because 00:48:41.440 --> 00:48:43.030 of measures laughing laughter 00:48:43.030 --> 00:48:48.320 So, let's start with the Q&A! Let's start with this microphone there. 00:48:48.320 --> 00:48:54.100 Q: Hi, first of all thank you very much for a very fascinating talk. 00:48:54.100 --> 00:48:56.640 I'm not going to ask you about specific vendors. 00:48:56.640 --> 00:49:01.340 However, I thought it was very interesting what you said, that 00:49:01.340 --> 00:49:05.720 most vendors were really supportive. I would like to know whether 00:49:05.720 --> 00:49:09.100 there have been exceptions to that rule, 00:49:09.100 --> 00:49:13.760 not who it was or anything like that but what kind of arguments 00:49:13.760 --> 00:49:19.270 you may have heard from vendors e.g. 
have they referred to anything 00:49:19.270 --> 00:49:24.220 such as trade secrets or copyright or any other legal reasons 00:49:24.220 --> 00:49:28.100 why not to give you, or not to give public access 00:49:28.100 --> 00:49:33.210 to information about devices? Thank you. 00:49:33.210 --> 00:49:41.560 E: So, we haven't had any legal issues so far in this research. 00:49:41.560 --> 00:49:44.940 And in general they haven't been concerned about copyright. 00:49:44.940 --> 00:49:47.840 I think they're more concerned about press, bad press, 00:49:47.840 --> 00:49:51.110 and a hype, you know, what they would see as hype. 00:49:51.110 --> 00:49:55.160 They don't wanna see us scaring people away from these things 00:49:55.160 --> 00:49:56.420 with, you know, these stories. 00:49:56.420 --> 00:50:00.290 M: Yeah, that's also something I'm concerned of, of course, 00:50:00.290 --> 00:50:03.230 as a patient. I don't want to scare my fellow patients 00:50:03.230 --> 00:50:06.000 from having life-critical implants in their body. 00:50:06.000 --> 00:50:10.700 Because a lot of people need them, like me, to survive. 00:50:10.700 --> 00:50:15.820 So, the benefit clearly outweighs the risk in my case. 00:50:15.820 --> 00:50:18.810 E: But that seems to be their main concern, like, you know, 00:50:18.810 --> 00:50:19.760 'Don't give us too much bad press'. 00:50:19.760 --> 00:50:25.200 Angel: Ok, next question from over there. 00:50:25.200 --> 00:50:31.900 Q: Hello. I wanted to ask you, if you know about any existing initiatives 00:50:31.900 --> 00:50:35.480 on open sourcing the medical devices, 00:50:35.480 --> 00:50:40.250 on mandating the open sourcing of the software and firmware 00:50:40.250 --> 00:50:43.980 through the legal system, in European Union, in United States 00:50:43.980 --> 00:50:47.760 because I think I've read about such initiatives 00:50:47.760 --> 00:50:51.050 about 1 year ago or so, but it was just a glimpse. 
00:50:51.050 --> 00:50:56.170 M: So, there are some patients that have reverse engineered their 00:50:56.170 --> 00:50:57.780 no audio 00:50:57.780 --> 00:51:04.310 (insu)lin pumps. I know, that there are groups of patients 00:51:04.310 --> 00:51:07.740 like the parents of children with insulin pumps. 00:51:07.740 --> 00:51:10.760 They have created software to be able... 00:51:10.760 --> 00:51:14.180 to have an app on their mobile phone to be able 00:51:14.180 --> 00:51:17.410 to monitor their child's blood sugar levels. 00:51:17.410 --> 00:51:21.390 So that's one way of doing this open source 00:51:21.390 --> 00:51:23.250 and I think that's great. 00:51:23.250 --> 00:51:26.540 Q: But nothing in the legal systems, 00:51:26.540 --> 00:51:32.640 no initiatives to mandate this, e.g. on European level? 00:51:32.640 --> 00:51:34.480 E: Not so far that we've seen, 00:51:34.480 --> 00:51:36.280 but that's something that can be discussed now, right? 00:51:36.280 --> 00:51:38.770 M: I think it's really interesting, you could look into the legal 00:51:38.770 --> 00:51:41.760 aspects and the regulations around this, yeah. 00:51:41.760 --> 00:51:43.050 Q: Thank you. 00:51:43.050 --> 00:51:45.510 Angel: Ok, can we have a question from the internet? 00:51:45.510 --> 00:51:49.250 Q: Yes, from the IRC someone asks: 00:51:49.250 --> 00:51:52.890 'Does your pacemaker have a biofeedback, 00:51:52.890 --> 00:51:56.300 so in case something bad happens it starts to defibrillate?' 00:51:56.300 --> 00:52:02.920 M: No, I don't have an ICD, so in my case I'm not getting a shock 00:52:02.920 --> 00:52:06.380 in case my heart stops. Because I have a different condition 00:52:06.380 --> 00:52:08.620 I only need to have my rhythm corrected. 00:52:08.620 --> 00:52:11.230 But there are other types of conditions, 00:52:11.230 --> 00:52:14.420 that require pacemakers that can deliver shocks. 00:52:14.420 --> 00:52:18.130 Angel: Ok, one question from that microphone there. 
00:52:18.130 --> 00:52:20.220 Q: Thank you very much. At one point you mentioned 00:52:20.220 --> 00:52:24.870 that the connectivity in your pacemaker is off. For now. 00:52:24.870 --> 00:52:28.900 And, is that something, that patients are asked during the process, 00:52:28.900 --> 00:52:32.170 or is that something, patients have to require? 00:52:32.170 --> 00:52:35.530 And generally: What role do you see for the choice 00:52:35.530 --> 00:52:39.430 not to have any connectivity or any security for that matter, 00:52:39.430 --> 00:52:41.870 that technology would make available to you? 00:52:41.870 --> 00:52:47.120 So, how do you see the possibility to choose a more risky life 00:52:47.120 --> 00:52:49.640 in terms of trading in for privacy, whatever? 00:52:49.640 --> 00:52:52.310 M: Yeah, I think that's really a relevant question. 00:52:52.310 --> 00:52:58.130 As we mentioned in the social contract, 00:52:58.130 --> 00:53:03.640 I really would like, that the doctors informed patients about 00:53:03.640 --> 00:53:07.930 their different wireless interfaces and that there's an informed decision 00:53:07.930 --> 00:53:10.960 whether or not to switch it on. 00:53:10.960 --> 00:53:14.560 So, in my case, I don't have it switched on and ... 00:53:14.560 --> 00:53:17.750 I don't need it, so there's no reason why I need to have it switched on. 00:53:17.750 --> 00:53:21.760 But then, again, why did I get an implant that has this capability? 00:53:21.760 --> 00:53:29.200 I should have had the option of opting out of it, but I didn't get that. 00:53:29.200 --> 00:53:31.980 They didn't ask me, or they didn't inform me of that, 00:53:31.980 --> 00:53:34.720 before I got the implant. It was chosen for me. 00:53:34.720 --> 00:53:40.740 And at that time I hadn't looked into the security of medical devices, 00:53:40.740 --> 00:53:43.470 and I needed to have the implant, 00:53:43.470 --> 00:53:46.200 so I couldn't really make an informed decision. 
00:53:46.200 --> 00:53:49.140 A lot of patients that are, like, older and not so... 00:53:49.140 --> 00:53:55.240 that don't really understand the technology, 00:53:55.240 --> 00:54:00.040 they can't make that informed decision, like I can. 00:54:00.040 --> 00:54:02.590 So, it's really a complex issue 00:54:02.590 --> 00:54:06.480 and something that we need to discuss more. 00:54:06.480 --> 00:54:09.270 Angel: Ok, another question from there. 00:54:09.270 --> 00:54:11.490 Q: Yeah, thanks. 00:54:11.490 --> 00:54:14.430 As a hacker, connected personally 00:54:14.430 --> 00:54:19.290 and professionally to the medical world: 00:54:19.290 --> 00:54:25.300 How can I educate doctors, nurses, medical people 00:54:25.300 --> 00:54:30.530 about the security risks presented by connected medical devices? 00:54:30.530 --> 00:54:34.870 What can I tell them? Do you have something 00:54:34.870 --> 00:54:37.670 from your own experience I could somehow ... 00:54:37.670 --> 00:54:42.230 M: Yeah, so, the issue of software bugs in the devices 00:54:42.230 --> 00:54:48.220 I think is a real scenario that can happen and ... 00:54:48.220 --> 00:54:50.380 E: Yeah, if you can repeat that story of debugging her, 00:54:50.380 --> 00:54:53.790 like, I think, that makes the point. And then try and adopt that 00:54:53.790 --> 00:54:56.690 hygiene-metaphor that we had before, where, you know, 00:54:56.690 --> 00:54:59.560 people didn't believe in germs, and these problems before, 00:54:59.560 --> 00:55:01.990 we're in that sort of era, and we're still figuring out 00:55:01.990 --> 00:55:05.170 what the scope of potential security and privacy problems are 00:55:05.170 --> 00:55:07.440 for medical devices. In the meantime 00:55:07.440 --> 00:55:10.290 please be open to new research on this subject, right? 
00:55:10.290 --> 00:55:12.330 And that story is a fantastic illustration, 00:55:12.330 --> 00:55:16.980 that we don't need evil hacker typer, you know, Bond villain, 00:55:16.980 --> 00:55:22.150 we just need failure to debug programming station, properly, right? 00:55:22.150 --> 00:55:23.580 Q: Thank you very much. 00:55:23.580 --> 00:55:26.150 Angel: Ok, another question from the internet. 00:55:26.150 --> 00:55:28.510 Q: Yes, from the IRC: 00:55:28.510 --> 00:55:34.240 '20 years ago it was common, that a magnet had to be placed 00:55:34.240 --> 00:55:40.300 on the patient's chest to activate the pacemaker's remote configuration interface. 00:55:40.300 --> 00:55:42.250 Is that no longer the case today?' 00:55:42.250 --> 00:55:45.910 E: It's still the case with some devices, but not with all of them I think. 00:55:45.910 --> 00:55:52.240 M: Yeah, it varies between the devices, how they are programmed and 00:55:52.240 --> 00:55:58.200 how long distance you can be from the device. 00:55:58.200 --> 00:56:02.640 Q: Thank you for the talk. I've some medical devices 00:56:02.640 --> 00:56:10.220 in myself too, an insulin pump and sensors to measure the blood sugar levels, 00:56:10.220 --> 00:56:15.640 I'm busy with hacking that and to write the software for myself, 00:56:15.640 --> 00:56:17.940 because the *** doesn't have the software. 00:56:17.940 --> 00:56:24.790 Have you ever thought about it, to write your own software for your pacemaker? 00:56:24.790 --> 00:56:27.190 E: laughing M: laughing 00:56:27.190 --> 00:56:33.800 M: No, I haven't thought about that until now. No. laughing 00:56:33.800 --> 00:56:37.820 E: Fantastic, I think that deserves a round of applause, though, 00:56:37.820 --> 00:56:40.130 because that's exactly what we're talking about. 00:56:40.130 --> 00:56:42.340 applause 00:56:42.340 --> 00:56:46.400 Angel: Another question from there. 
00:56:46.400 --> 00:56:52.850 Q: First off, I want to say thank you that you gave this talk, because 00:56:52.850 --> 00:56:55.700 once it's quite interesting, but it's not that talk, 00:56:55.700 --> 00:56:59.870 anyone of that is affected could hold, 00:56:59.870 --> 00:57:04.530 so, it takes quite some courage and 00:57:04.530 --> 00:57:06.740 I want to say thank you. So 00:57:06.740 --> 00:57:12.370 applause 00:57:12.370 --> 00:57:15.010 Secondly, thank you for giving me the 00:57:15.010 --> 00:57:18.350 update. I started medical technology but 00:57:18.350 --> 00:57:21.740 I finished ten years ago and I didn't work 00:57:21.740 --> 00:57:22.150 in the area and it's quite interesting to 00:57:22.150 --> 00:57:24.020 see what happened in the meantime, but 00:57:24.020 --> 00:57:24.800 now for my actual question: 00:57:24.800 --> 00:57:28.300 You said you got devices on ebay, is it 00:57:28.300 --> 00:57:29.720 possible to get the whole 00:57:29.720 --> 00:57:30.980 communication chain? 00:57:30.980 --> 00:57:34.680 So you can make a sandbox test or ... 00:57:34.680 --> 00:57:37.810 M: Yes it's possible to get devices, 00:57:37.810 --> 00:57:40.240 it's not so easy to get the pacemaker 00:57:40.240 --> 00:57:42.080 itself, it's quite expensive. 00:57:42.080 --> 00:57:44.130 E: And even when we get one, 00:57:44.130 --> 00:57:46.310 we have some pairing issues and like 00:57:46.310 --> 00:57:48.020 Marie can't be in the same room, when 00:57:48.020 --> 00:57:49.500 we were doing certain types of testing 00:57:49.500 --> 00:57:52.910 and right, so that last piece is difficult 00:57:52.910 --> 00:57:54.590 but the rest of the chain is pretty 00:57:54.590 --> 00:57:56.230 available for the research. 00:57:56.230 --> 00:57:57.460 Q: Ok, thank you. 00:57:57.460 --> 00:57:59.690 Angel: So, time is running out, so we, 00:57:59.690 --> 00:58:02.500 only time left for one question and from 00:58:02.500 --> 00:58:03.110 there please. 
00:58:03.110 --> 00:58:06.340 Q: Thank you. I'm also involved in 00:58:06.340 --> 00:58:09.620 software quality checks and software qs 00:58:09.620 --> 00:58:13.070 here in Germany also with medical developments 00:58:13.070 --> 00:58:15.900 and as far as I know, it is the most 00:58:15.900 --> 00:58:18.580 restricted area of developing products 00:58:18.580 --> 00:58:21.180 I think in the world, 00:58:21.180 --> 00:58:24.710 it's just easier to manipulate software 00:58:24.710 --> 00:58:27.750 in a car X-source system or breaking guard 00:58:27.750 --> 00:58:29.590 or something like this, where you don't 00:58:29.590 --> 00:58:34.020 have to show any testing certificate or 00:58:34.020 --> 00:58:35.940 something like this, the FDA is a very 00:58:35.940 --> 00:58:37.980 high regulation part there. 00:58:37.980 --> 00:58:41.920 Do you have the feeling that it's a 00:58:41.920 --> 00:58:44.590 general issue that patients do not have 00:58:44.590 --> 00:58:47.670 access to these FDA compliant tests and 00:58:47.670 --> 00:58:48.800 software q-a-systems? 00:58:48.800 --> 00:58:53.330 M: Yeah, I think that we should have 00:58:53.330 --> 00:58:56.160 more openness and more transparency 00:58:56.160 --> 00:58:58.320 about, around these issues, really. 00:58:58.320 --> 00:59:01.680 E: I mean, it's fantastic you do quality 00:59:01.680 --> 00:59:03.060 assurance, I used to be in quality assurance 00:59:03.060 --> 00:59:06.260 at a large corporation and I got tired 00:59:06.260 --> 00:59:08.620 and landed in strategy and pen testing and 00:59:08.620 --> 00:59:10.420 then I just thought of myself as paramilitary 00:59:10.420 --> 00:59:11.130 quality assurance, ... 
00:59:11.130 --> 00:59:15.870 now I just do it on whatever I wanna test, so 00:59:15.870 --> 00:59:17.790 thank you for doing q-a and keep doing it 00:59:17.790 --> 00:59:19.790 and hopefully you don't have too many regulations 00:59:19.790 --> 00:59:21.570 but companies sharing more of this 00:59:21.570 --> 00:59:23.590 information, it's really the transparency 00:59:23.590 --> 00:59:25.370 and the discussion, the open dialogue 00:59:25.370 --> 00:59:28.070 with patients and doctor and a vendor is 00:59:28.070 --> 00:59:30.650 really what we wanna focus on and make 00:59:30.650 --> 00:59:32.840 our final note? M: Yeah. 00:59:32.840 --> 00:59:35.570 M: We see some problems already 00:59:35.570 --> 00:59:37.540 the last year, the MI Undercover Group has 00:59:37.540 --> 00:59:42.040 had some great progress on having good 00:59:42.040 --> 00:59:46.390 discussions with the FDA and also involving 00:59:46.390 --> 00:59:49.090 the medical device vendors in the discussions 00:59:49.090 --> 00:59:51.440 about cyber security of medical devices 00:59:51.440 --> 00:59:52.850 and implants. So that's great and I hope 00:59:52.850 --> 00:59:54.800 that this will be even better the next year. 00:59:54.800 --> 00:59:57.170 E: And I think you wanna say 00:59:57.170 --> 00:59:59.000 one more thing to congress before we leave 00:59:59.000 --> 00:59:59.490 which is: 00:59:59.490 --> 01:00:01.280 M: Hack to save lives! 01:00:01.280 --> 01:00:04.709 applause 01:00:04.709 --> 01:00:09.428 ♪ postroll music ♪ 01:00:09.428 --> 01:00:16.000 subtitles created by c3subtitles.de Join, and help us!