-
♪ preroll music ♪
-
Angel: The next talk will start now
-
and will be 'Unpatchable -
-
living with a vulnerable
implanted device'
-
by Dr. Marie Moe and Eireann Leverett.
-
Give them a warm round
of applause please.
-
applause
-
heart monitor beep sounds start
-
So, we are here today
-
to talk to you about a subject
-
that is really close to my heart.
-
I have a medical implant.
-
A pacemaker, that is generating
-
every single beat of my heart.
-
But how can I trust my own heart,
-
when it's being controlled by a machine,
-
running a proprietary code,
-
and there is no transparency?
-
So I'm a patient,
-
but I'm also a security researcher.
-
I'm a hacker, because I like
-
to figure out how things work.
-
That's why I started a project
-
on breaking my own heart,
-
together with Eireann
-
and a couple of friends.
-
Because I really want to know
-
what protocols are running
-
in this machine inside my body.
-
Is the crypto correctly implemented?
-
Does it even have crypto?
-
So I'm here to inspire you today.
-
I want more people
to hack to save lives.
-
Because we are all becoming
-
more and more dependent on machines.
-
Maybe some of you in the audience
-
also have medical implants,
-
maybe you know someone
-
that's also depending on
medical implants.
-
Imagine that this is your heartbeat
-
and it's being controlled by a device.
-
A device, that might fail.
-
Due to software bugs,
-
due to hardware failures.
-
additional background sound:
real heartbeat
-
Wouldn't you also like to know
-
if it has security vulnerabilities?
-
If it can be trusted?
-
sounds stop
beeeeep
-
E: Something to think about, right?
-
M: Yeah.
-
E: Marie is an incredibly
brave woman.
-
When she asked me to give this talk
-
it made me nervous, right?
-
It's such a personal story.
-
Such a journey as well.
-
And she's gonna talk to you
-
about a lot of things, right?
-
Not just hacking medical devices
-
from a safety point of view
-
but also some of the
privacy concerns,
-
some of the transparency concerns,
-
some of the consent concerns.
-
So, there's a lot to get through
-
in the next hour.
-
But I think you're gonna enjoy it
-
quite a lot.
-
M: So, let me tell you
-
the story about my heart.
-
So, 4 years ago
-
I got my medical implant.
-
It was a kind of emergency situation
-
because my heart was starting to beat
-
really slow,
-
so I needed to have the pacemaker.
-
I had no choice.
-
After I got the implant,
-
since I was a security researcher,
-
of course I started to
-
look up information about how it worked.
-
And I googled for information.
-
I found a technical manual
-
of my pacemaker
-
and I started to read it.
-
And I was quite surprised
-
when I learned that
-
my pacemaker has 2 wireless interfaces.
-
There is one interface, that is really
-
close field communication,
-
near field communication
-
that is being used when I'm at checkups
-
at the hospital,
-
where the technician,
-
the pacemaker technician or doctor
-
uses a programming device
-
and places it
-
really close to my pacemaker.
-
And it's possible to use that
-
communication to adjust the settings.
-
But it also has another
-
wireless interface,
-
that I was not aware of,
-
that I was not informed of
as a patient.
-
It has a possibility for remote monitoring
-
or telemetry,
-
where you can have an
access point in your house
-
that will communicate
-
with the pacemaker
-
at a couple of meters distance.
-
And it can collect logs from the pacemaker
-
and send them to a server
-
at the vendor.
-
And there is a web interface
-
where the doctor can log in
-
and retrieve my information.
-
And I have no access to the data
-
that is being collected
-
by my device.
-
E: So imagine for a moment
-
that you are buying a new phone
-
or buying a new laptop.
-
You would do your homework, right?
-
You would understand
what interfaces were there.
-
But in Marie's case she's just
-
given a device,
and then later she gets
-
to go and read the manual, right?
-
So she's the epitome
of an informed consumer
-
in this space
-
and we want a lot more
informed consumers
-
in this space,
-
which is why we are giving this talk.
-
Now, I don't know about you,
-
but I'm used to hacking
-
industrial systems.
-
I haven't done as
much medical research
-
in the past.
-
So, when I first
started this project
-
I knew literally nothing
-
about Marie's heart.
-
Or even my own.
-
And she had to teach me
how the heart works
-
and how her pacemaker works.
-
So, would you mind explaining
-
some details to the audience
that will be relevant
-
through the rest of the presentation?
-
M: Actually I think
we're going to show you
-
a video of
how the heart works.
-
So, it's a little bit of
biology introduction here
-
before we start
with the technical details.
-
So, this.. play the video.
-
Video: A normal heart beat rate
-
and rhythm is called
'Normal Sinus Rhythm'.
-
The heart's pumping action
-
is driven by electrical stimulation
-
within the heart muscle.
-
The heart's electrical system
-
allows it to beat in an
-
organized, synchronized pattern.
-
Every normal heart beat
-
has 4 steps.
-
Step 1:
-
As blood flows into the heart
-
an electrical impulse
-
from an upper area of the right atrium
-
also known as the sinus node
-
causes the atria to contract.
-
When the atria contract
-
they squeeze the blood
-
into the ventricles.
-
Step 3:
-
There is a very short pause
-
only about a fraction of a second.
-
and Step 4:
-
The ventricles contract
-
pumping the blood to the body.
-
A heart normally beats
-
between 60-100 times/min.
-
Electrical signals in your heart
-
can become blocked or irregular,
-
causing a disruption
-
in your heart's normal rhythm.
-
When the heart's rhythm is too fast,
-
too slow or out of order,
-
an arrhythmia,
-
also called a rhythm disorder occurs.
-
When your heart beats out of rhythm,
-
it may not deliver enough blood
-
to your body.
-
Rhythm disorders can be caused
-
by a number of factors
-
including disease, heredity,
-
medications or other factors.
-
E: So for those of you
who are already aware of that,
-
apologies.
-
But I needed to learn that.
-
I needed to learn the basics
-
before we even got started, right?
-
So...
-
M: So this is a diagram of the
-
electrical system of the heart.
-
So, as you see,
this is the sinus node
-
that is generating the pulse.
-
And in my case
-
I had a problem with the signal
-
being generated by the sinus node
-
not reaching the lower
heart chamber.
-
It's something called an AV block
or a heart block.
-
So, occasionally this will cause
-
an arrhythmia that makes
the heart pause.
-
If you don't have a heart beat
-
for, like ... 8-10 seconds,
-
you lose your consciousness.
-
And that was what happened to me.
-
I just suddenly found myself
-
lying on the floor
-
and I didn't remember how I got there.
-
And it turned out that it was my heart
-
that had taken a break.
-
So that's how I discovered
-
that I had this issue.
-
So, this is where the signal is blocked
-
on the way down to the lower heart chamber.
-
But there's a backup function
-
in the heart that can make
-
a so called backup pulse.
-
And I had that backup pulse
-
when I went to the
emergency room.
-
So I had a pulse
around 30-40 beats/min.
-
And that's generated by some cells
-
in the lower heart chamber.
-
So, after I got the pacemaker
-
my heart started to become
-
a little bit more lazy.
-
So it is not certain,
-
that I will have this backup pulse
-
anymore if the pacemaker
stops working.
-
So currently
-
my heart is 100% running
on the pacemaker.
-
So, let's also look at
how the pacemaker works.
-
I have another video of that.
-
So, this is my little friend
-
that is running my heart.
-
Video: A pacemaker
is a miniaturized computer
-
that is used to treat
a slow heart beat.
-
It is about the size
-
of a couple of stacked silver dollars
-
and weighs approximately 17-25 grams.
-
It is usually surgically placed
-
or implanted just under the skin
-
in the chest area.
-
The device sends
a tiny electrical pulse
-
down a thin coated wire,
-
called a lead, into your heart.
-
This stimulates the heart to beat.
-
These impulses are very tiny
-
and most people
do not feel them.
-
While the device
helps your heart
-
maintain its rhythm,
-
it also stores information
-
about your heart that can be
-
retrieved by your doctor
-
to program the device.
-
E: Remember that!
-
M: Yeah... Did you see
-
the ones and zeros at the end
-
of the video?
-
That's what we want
to know more about.
-
Because this information
-
that is being collected
by the pacemaker,
-
how it works,
-
how the code looks like,
-
it's all closed source,
-
it's all proprietary information.
-
And that's why we need more
-
security researchers,
-
we need more 3rd party testing,
-
to be sure that we can trust this code.
-
E: And you can imagine that
-
we're doing some of
this research as well.
-
But I'm not gonna break
Marie's heart on stage,
-
I'm not gonna drop 0-day
-
on some medical devices,
-
so if you came for that,
-
it's not worth staying.
-
The rest of the presentation
-
will be about some of
the things we found
-
and how this works and
-
how you might approach this research.
-
And some of the people
who did this research before,
-
because there's plenty of others,
-
and we like to give a shout-out
-
to those who've done
great research in advance.
-
But essentially this point is
-
very relevant.
-
That the internet
of medical things
-
is already here.
-
And Marie is wired into it.
-
She's a bit younger than the average
-
pacemaker patient, but, you know,
-
she was thrust into this situation
-
where she had to think about things
-
in a very different way.
-
Like, you did a Masters,
breaking crypto,
-
and also a PhD in Information Security.
-
Did you imagine, that
things you learned
-
about SSH and
network security
-
might one day apply to your
heart and your own body?
-
M: No, I never
figured out that
-
my research would eventually
end up inside my own body.
-
That's something I never
thought about.
-
And also, there's a lot of
-
people that don't think about
-
how the medical devices
actually work.
-
So, when I asked this question
-
to health care professionals
-
they look at me like I'm crazy,
-
they don't ... they have never
thought about this before.
-
That there's actually code
inside my body
-
and someone has
programmed it,
-
someone has
written this code.
-
And, did they think
about, that this
-
would actually control
someone's life,
-
and be my own personal
critical infrastructure?
-
E: Yeah, personal
infrastructure, right?
-
On a physical level.
-
And also, I think, it's...
-
You know, the point that you made
is important to reiterate,
-
that you go and see your doctor
-
and you ask these questions about
-
whether anyone can hack into my heart
-
and they probably look
at you and go like
-
'Don't you worry your pretty
little head about that', right?
-
But Marie used to head up
-
the Norwegian computer
emergency response team
-
for a couple of years
-
and knows a lot of hackers
-
and knows what she's
talking about, right?
-
So, when she asked her doctor
these questions,
-
they're very legitimate questions.
-
And the doctors probably
don't know anything about code,
-
but they need to move
towards a place
-
where they can answer
those questions with some
-
honesty and certainty and
treat them with the dignity
-
that they deserve.
-
Should we show them
a little bit more
-
about the total ecosystem
of devices
-
that we are talking about,
at least in this particular talk?
-
M: Yeah.
-
E: So, this was
all new to me.
-
I mean I've moved around
in networks and done some
-
penetration testing and
some stuff in the past,
-
but I didn't know much about
implantable medical devices.
-
So, we've got a couple
of them there.
-
The ICD, which is the
in-cardio-defibrillator,
-
that's some of the work
that you saw from Barnaby Jack
-
which we will mention later,
-
was on those particular devices.
-
We've got the pacemakers
and of course other devices
-
could be in this diagram as well.
-
Like, we could be talking
about insulin pumps
-
or other things in the future.
-
The device itself speaks
to box number 2,
-
which we will tell you a little bit
more about in a moment,
-
using a protocol, commonly
referred to as 'MICS'.
-
A number of different
devices use this
-
Medical Implant
Communication Service.
-
And Marie shocked me yesterday
-
when she found
a couple devices
-
that potentially use Bluetooth. sighing
laughter
-
So, would you like to tell them
a little bit more about the access point,
-
and I'll join in?
-
M: Yeah, so, the access
point is the device
-
that you can typically have
on your bed stand
-
and that will, depending
on your configuration,
-
contact your pacemaker
at regular intervals,
-
e.g. once during the night.
-
It will start a communication
with the pacemaker,
-
couple of meters distance,
-
and will start
collecting logs.
-
And these logs will
then be sent,
-
it can be via SMS
or other means,
-
to a server.
-
So, there's a lot of my
personal information
-
that can end up different
places in this diagram.
-
So, of course it's
in my own device,
-
it will be then communicated
via this access point
-
and also then
-
via the cellular network.
-
And then it will also be stored
in the telemetry server.
-
Potentially when I go
for the checkups
-
my personal information will
also end up in my
-
doctor workstation
-
or in the electronic
patient records.
-
And there's a lot of things
that can go wrong there.
-
E: Yeah, you
can see, it's using
-
famously secure methods
of communication
-
that have never been backdoored or
compromised by anyone ever before,
-
even here at this conference,
probably even this time around.
-
So these are some things
that are concerning.
-
The data also travels often
to other countries
-
and so there are questions
about the jurisdiction
-
in terms of privacy laws
in terms of some of this data.
-
And some of you can go and
look deeper into that as well.
-
The telemetry store thing
I think is important,
-
some of this is a telemetry store,
such as the server at the vendor.
-
So the vendor owns some
machines somewhere
-
that collect data
from Marie's heart.
-
So you can imagine she goes to see her
doctor and the doctor is like:
-
'Hey, Marie, last weekend, did you, ...
run a half marathon or something?'
-
And she hasn't told him, right?
-
Like, he just can look
at the data and see,
-
that her heart rate was up
for a couple hours.
-
That's true though, right? You
did actually run a half marathon.
-
M: Yeah, I did run a half marathon.
laughing
-
E: So, the telemetry
store is one part,
-
but there's also the
doctor's workstation
-
which contains a lot of
this medical data.
-
So, from privacy perspective
that's part of the attack surface.
-
But there's also the programmers, right?
-
There's the device's programmers.
-
So that's an interesting point, that
I hope a lot of you are interested in
-
already, that there
is a programmer
-
for these devices.
-
M: So, we actually
went shopping on eBay
-
and we found some
of these devices.
-
E: You can buy them on eBay?
-
M: Yeah.
E: laughing
-
M: So, I found
a programmer
-
that can program
my device, on eBay
-
and I bought it.
-
And I also found a couple of
these access points.
-
So, that's what we're
now starting to look at.
-
E: We just wanna give
you an overview of this system,
-
and it's fairly similar across the
different device vendors,
-
and we're not going to talk
about individual vendors.
-
But if you're gonna go and
do this kind of research
-
you can see that some of the research
you've already done in the past
-
applies to different parts
of this process.
-
M: And talking about
patient privacy,
-
when we got the
programmer from eBay
-
it actually contained
patient information.
-
So, that's the
really bad thing.
-
E: So, I found
this very odd.
-
I had a similar reaction
to yourselves because
-
I usually do industrial
system stuff.
-
One of my friends picked up
some PLCs recently and
-
they had data from the nuclear plant,
that the PLCs had been used in.
-
So, decommissioning is a problem
in industrial systems
-
but it turns out also
in medical devices, right?
-
I guess that's a useful point
to make as well,
-
about the costs of doing
this kind of research.
-
It is possible to get some
devices, some implants
-
from people who have sadly
passed on,
-
but that comes with a very high
cost of biomedical decontamination.
-
So that raises the cost
of doing this research
-
on the implants themselves,
not necessarily on the rest
-
of the devices.
-
M: Yeah, so, also want
to say, that in this research
-
I have not tinkered
with my own device.
-
So, that would not be a good thing ...
-
E: You're not gonna let me,
like, SSH into your heart and just ...
-
M: Um.. No.
E: ... just delete some stuff.. No?
-
M: No.
E: I wouldn't do it anyway,
-
but it's an interesting point, right?
-
So, like, there are a lot of
safety precautions
-
that we and the rest
of the team have to take
-
when we are doing this research.
-
And one of them is
not pairing Marie's pacemaker
-
with any of the devices
that are under test.
-
Do you wanna say a bit more
about connectivity and vulnerability?
-
M: Yeah, so...
-
I was worried
when I discovered that
-
I had this possible connectivity
to the medical internet of things.
-
In my case this is switched off
in the configurations
-
but it's there.
-
It's possible to turn it on,
it's possible for me to be
-
hooked up to the,
this internet of medical things.
-
And for some patients
this is really a benefit.
-
So you always have to make
a risk-based decision
-
on whether or not to
make use of this
-
connectivity.
-
But I think it's really important
that you make an informed decision
-
about that and that the patient
-
is informed and has given
his or her consent
-
to have this feature.
-
The battery lifetime of my pacemaker
is around 10 years.
-
So in 6 years time
-
I will have to have a
replacement surgery
-
and I'm going to be
a really difficult patient laughing
-
laughter
-
So, ...
applause
-
E: Right on.
-
M: I really want to know
-
how the devices work
by then and
-
I want to make an informed
decision on whether or not
-
to have this connectivity.
-
But of course for a lot of patients
the benefit of having this
-
outweighs the risk.
-
Because people that had other
heart problems than me
-
they have to go for more
frequent checkups.
-
I only have to go once a year.
-
So, for patients that need to go
frequently for checkups,
-
it's really good for them
to have the possibility
-
of having telemetry and
having connectivity to
-
have remote patient monitoring.
-
E: Yeah, imagine you
have mobility problems or
-
you even just live far
-
from a major city.
-
And making the journey
to the hospital is quite arduous,
-
then this kind of remote
telemetry allows your doctor
-
to keep track of
what's going on.
-
And that's very important,
we don't wanna, like...
-
have a big scary testosterone
filled talk where we, like,
-
hack some pacemakers.
-
We wanna talk about
how there's a dual use thing
-
going on here.
-
And that there is a lot of value
in having these devices
-
but we also want them to be safe
and secure and preserve our privacy
-
and a lot of other things.
-
So, these are some
of the issues.
-
Of course the last one,
the remote assassination scenario,
-
that's everyone's favorite one
to fantasize about
-
or talk about, or make
movies about, but
-
we think there's a lot of
other issues in here
-
that are more interesting,
-
some quality issues even, right,
-
that we'll talk about
in a little bit.
-
Battery exhaustion,
-
again something many people
don't think about. But...
-
I'm very interested in
cyber-physical exploitation
-
and so some of these elements
were interesting to me
-
that you might use the device
in a way that wasn't expected.
-
M: So personally I'm not afraid
of being remotely assassinated.
-
E: I've actually never known
you to be afraid of anything.
-
M: laughing
-
I'm more worried about
software bugs in my device,
-
the things that can malfunction,
-
E: Is that just theoretical?
-
M: No, actually software bugs
-
have killed people.
-
So, think about that!
-
People that are not here,
-
they don't have their voice
and they can't really
-
give their story.
-
But there are stories about persons
depending on medical devices
-
dying because their
device malfunctioned.
-
E: There's even some
great research
-
from academics about
how the user interface design
-
of medical devices can have
an impact on patient safety
-
and how designing UX
-
much more clearly
and concisely
-
specifically for the
medical profession
-
might improve
the care of patients.
-
Do you wanna say more
about this slide or should we
-
go on to the previous work,
should we... go ahead!
-
M: Yeah, I think it's really
important also to...
-
the issue of trusting the vendors.
-
So, as a patient I'm
expected to just, you know,
-
trust, that my device
is working correctly,
-
every security vulnerability
has been corrected by the vendor
-
and it's safe.
-
But I want to have more
third party testing,
-
I want to have more security
research on medical implants.
-
And as a lot of things, like ...
history has shown
-
we can't always trust that
the vendors do the right thing.
-
E: I think this is a good
opportunity for us to ask
-
a very fun question, which is:
-
Any fans of DMCA in the room?
-
laughter
-
No? No fans? Alright.
-
Well, then you'll really enjoy this.
-
Marie has some very exciting news
about DMCA exemptions.
-
M: Yeah, so... October, this year
-
there was a ruling of
a DMCA exemption for
-
security research
on medical devices
-
also for automotive security research.
-
So, this means, that
-
as researchers you can
-
actually do reverse engineering
of medical implants
-
without infringing copyright laws.
-
It will take effect
I think October next year.
-
E: Yeah.
M: That is really a big
-
step forward in my opinion.
-
And I hope that this will
encourage more research.
-
And I also want to mention
that there are
-
fellow activist patients
like myself
-
that were behind that proposal
of having these exemptions.
-
So, Jay Radcliffe who hacked
his own insulin pump,
-
Karen Sandler, who is a free and
open software advocate.
-
And Hugo Campos, who has
an ICD implant, he is very ...
-
he wants to have access
to his own data
-
for quantified self reasons.
-
So these patients,
they actually
-
made this happen,
that you're allowed to do
-
security research
on medical devices.
-
I think that's really great.
-
applause
-
E: Do you wanna say something
about Scott Erven's presentation
-
that you saw at DEF CON?
-
M: Yeah, that was a really
interesting presentation about
-
how medical devices have
really poor security.
-
And they have, like,
hard coded credentials,
-
and you can find them
using Shodan on the internet.
-
These were not pacemakers,
but other types of
-
different medical devices.
-
There are, like, hospital networks
that are completely open
-
and you can access
the medical equipment
-
using default passwords that
you can find in the manuals.
-
And the vendors claim that
-
no, these are not hard coded,
these are default,
-
but then the manuals say:
Do not change this password...
-
E: Because they want to
integrate with other stuff, right? So...
-
I've heard that excuse from SCADA,
so I wasn't having it.
-
M: They also put up some
medical device honeypots
-
to see if there were
targeted hacking attempts
-
but they only picked up regular malware
on them, which is also ...
-
E: Only!
M: ... of course of a concern laughing
-
E: Anything else,
about prior art, Kevin?
-
M: I guess we should mention
that the academic research
-
on hacking pacemakers,
which was started by
-
a group led by Kevin Fu
-
and they had this
first paper in 2008
-
that they also followed up
with more academic research
-
and they showed that it's
possible to hack a pacemaker.
-
They showed that...
this was possible on a, like
-
a couple of centimeters
distance only,
-
so, like, the attack scenario
would be, if you have a
-
device similar to the
programmers device
-
and you attack me with it
you can laughing
-
turn off my pacemaker.
-
That's not really scary,
-
but then we have the research
by Barnaby Jack
-
where this range of the attack
is extended to several meters
-
so you have someone with
an antenna in a room
-
scanning for pacemakers
-
and starting to program them.
-
E: We have a saying
at Cambridge about that.
-
Some of the other people at the
university have been doing attacks
-
a lot longer than I have, and
one of the things they say is:
-
'Attacks only get worse,
they never get better.'
-
So, the range might be short one year,
then a couple of years later it's worse.
-
M: The worst case scenario
I think would be remotely,
-
via the internet being able to
hack pacemakers.
-
But there's no research so far
indicating that that's possible.
-
E: And we don't wanna
hype that up. We don't wanna...
-
M: No.
E: ... get that kind of an angle
-
on this talk. We wanna make the
point that hacking can save lives,
-
that hackers are global citizen's
resource to save lives, right? So...
-
M: Yeah, so, this is the result
of hacking of the drug infusion pumps.
-
Earlier this year
-
the FDA actually issued the first ever
recall of a medical device
-
based on cyber security concerns.
-
E: I think that's amazing, right?
They've recalled products
-
because of cyber security concerns. They
used to have to wait until someone died.
-
In fact, they had to show
something like 500 deaths
-
before you could recall a product.
So now they can ...
-
the FDA, at least in the US,
they can recall products
-
just based on security
considerations.
-
M: So, this is also,
-
I guess the first example
of that type of pro-active
-
security research,
where you can
-
make a proof of concept
without killing any patients
-
and then that closes
the security holes.
-
And that potentially
saves lives.
-
And no one has been hurt
in the research.
-
I think that's great.
-
E: I'm also really excited
because we give a lot of presentations
-
about security that are filled with
doom and gloom and depression,
-
so it's nice to have two major victories
in medical device research
-
in the last few years.
One being the DMCA exemptions
-
and the other being
actual product recalls.
-
M: Yeah, and the FDA are starting
to take these issues seriously and
-
they are really focusing on the cyber
security of medical implants now.
-
I'm going to go to a workshop
arranged by the FDA in January
-
and participate on a panel discussing
cyber security of medical implants.
-
And it's great to have this
type of interaction between
-
the security committee, medical
device vendors and the regulators.
-
So, things are happening.
-
E: Yeah. How do you feel
as an audience,
-
are you glad that she's going to be
your representative in Washington
-
for some of these issues?
-
applause
-
And we want you to get
involved as well, right?
-
This is not just about Marie
and myself and the other people
-
who worked on this
project, it's meant to say
-
you too can do this research.
And you should be.
-
You have to be a little sensitive,
a little bit precise and articulate
-
about concerns.
-
We take some inspiration from the
former research around hygiene.
-
Imagine the first time some scientist
went to some other scientist and said
-
'There is this invisible stuff,
and it's on your hands,
-
and if you don't wash your hands
people get infections!'
-
And everyone thought
they were crazy.
-
Well, it's kind of the same with us
talking about industrial systems
-
or talking about medical devices
or talking about hacking in general.
-
People just didn't, sort of,
believe it was possible at first.
-
And so we have to articulate ourselves
very, very carefully.
-
So, we draw inspiration from
that early hygiene movement
-
where they had a couple simple rules
that started to save people's lives
-
while they explained germ theory
to the masses.
-
M: Yeah, so, this type of research
is kind of low hanging fruits
-
where you just, so...
-
what we show here is an example,
-
where there's a lot of medical
device networks in hospitals
-
that are open to the internet
and that can get infected
-
by normal type of malware,
like banking trojans or whatever.
-
And this is potentially a safety issue.
-
So, if your MR scanner or some other
-
more life-critical device
is being unavailable because of
-
a virus on it,
-
that's a real concern for patient
security and safety.
-
So we need to think more about
the hygiene also in terms of
-
computer viruses, not only
just normal viruses.
-
E: Yeah. So, you know,
sometimes people will treat you like
-
this is an entirely theoretical
concern, but
-
I think this is one of the best
illustrations that we've found
-
of how that should
be a concern,
-
and I think all of you will get it,
-
but I wanna give you a moment to kind of
read what's about to come up on the slides.
-
So I'll just let you enjoy
that for a moment.
-
So if it's not clear or it's not your
first language or something,
-
this guy basically sharded patient data
across a bunch of amazon clusters.
-
And then it was unavailable.
And they were very concerned
-
about the unavailability of their
customer patient data
-
sharded across amazon instances.
-
He was complaining to support, like
'Can I get support to fix this?' laughing
-
M: So, all the data of the ...
-
... the monitoring data of the cardiac
patients is unavailable to them
-
because of the service
being downed.
-
And, well, do you want to outsource your
patient's safety to the cloud? Really?
-
I don't want that.
Okay.
-
E: I wanna get into some other details.
We have sort of 10 min left if we can ...
-
so we can have a lot of questions,
and I'm sure there will be some.
-
But I want you to talk to them about
this very personal story.
-
This is... Remember before, when we
said, is this stuff theoretical?
-
I want you to pay a lot of
attention to this story.
-
It really moved me
when she first told me.
-
M: I know how it feels to have
my body controlled by a device
-
that is not working correctly.
-
So, I think it was around 2 or 3
weeks after I had the surgery.
-
I felt fine.
-
But I hadn't really done
any exercise yet.
-
The surgery was pretty easy,
I only had 2 weeks sick leave
-
and then I came back to work
-
and I went to London
-
to participate in a course
in ethical hacking and
-
I did take the London Underground
together with some of my colleagues
-
and we went off at this station
at Covent Garden.
-
And I don't know if you
have been there but
-
that particular station is
really low underground.
-
They have elevators that you
can use to get up,
-
but usually there are, like,
long queues to the elevators...
-
E: You always have to do
things the hard way, right?
-
M: You had to take the stairs, or
-
they were just heading for the stairs
and I was following them and
-
we were starting to climb the stairs and
I didn't read this warning sign, which is:
-
'Those with luggage, pushchairs & heart
conditions, please use the lift' laughing
-
Because I was feeling fine,
-
and this was the first time that I
figured out there's something wrong
-
with my pacemaker or with my heart.
-
Because I came like
half way up these stairs
-
and I felt like I was going to die.
-
It was a really horrible feeling.
-
I didn't have any more breath left,
-
I felt like I wasn't able
to complete the stairs.
-
I didn't know what was
happening to me, but
-
somehow I managed to
drag myself up the stairs
-
and my heart was really...
-
it didn't feel right.
-
So, first thing when I came
back from this course
-
I went to my doctor
-
and we started to try
to debug me, tried to find out
-
what was wrong with my pacemaker.
-
And this is how that looks like.
E: laughing
-
M: So, there's a stack
of different programmers
-
- this is not me by the way, but it's
a very similar situation.
-
E: And we'll come back to those
programmers in a moment.
-
M: Yeah.
E: But the bit I want you
-
to focus on is, like, they're
debugging your pacemaker?
-
Inside you?
M: Yeah, I didn't know
-
what was happening
at the time.
-
We were just trying to
get the settings right
-
and it took like 2 or 3 months before
we figured out what was wrong.
-
And what happened was, that my
upper rate limit was set too low for me,
-
for my age. So, the normal pacemaker
patient is maybe around 80 years old
-
and the default upper rate
limit was 160 beats/min.
-
And that's pretty low for
a young person.
-
E: So, imagine, like, you're younger
and you're really fit and you know
-
how to do something really well,
like swimming or skiing or skateboarding
-
or whatever. You're fantastic at it.
And then a couple years go past
-
and you know, you gain some weight
and you're not as good at it, right?
-
But now imagine that
happens in 3 seconds.
-
While you're walking
up a set of stairs.
-
M: So, what happens is that
the pacemaker detects
-
'Oh, you have a really high pulse'.
And there's a safety mechanism
-
that will cut your pulse in half ...
E: In half!
-
laughter
M: laughing So in my case it went
-
from 160 beats/min to 80 beats/min.
In a second, or less than a second,
-
and that felt really, really horrible.
-
And it took a long time
to figure out what was wrong.
-
It wasn't until they put me on
an exercise bike and
-
had me on monitoring that they
figured out what was wrong, because
-
the thing was, that what was displayed
on the pacemaker technician's view
-
was not the same settings that
my pacemaker actually had.
-
There was a software bug in the
programmer, that caused this problem.
-
E: So they thought they had updated
her settings to be that of a young person.
-
They were like
'Oh, we've already changed it'.
-
But they lost the view. They couldn't
see the actual state of the pacemaker.
-
And the only way to figure that out
was to put her on a bike
-
and let her cycle until her
heart rate was high enough.
-
You know, literally physically
debugging her to figure out
-
what was wrong.
-
Now stop and think about whether or not
you would trust your doctor
-
to debug software.
-
laughter
-
So, say a little bit more about those
programmers and then we'll move on
-
towards the future.
-
M: Yeah, so, we got hold of one of these
programmers, as mentioned
-
and looked inside it.
-
And, well, we named this talk
'Unpatchable', because
-
originally my hypothesis was that,
if you find a bug in a pacemaker
-
it will be hard to patch it.
-
Maybe it would require surgery.
-
But then when we looked
inside the programmer
-
and we saw that it contained firmware
for pacemakers we realized that
-
it's possible to actually patch the
pacemaker via this programmer.
-
E: One of the other researchers
finds these firmware blobs inside
-
the programmer code and, like,
my heart stopped at that point, right?
-
I was just going 'Really, you can just
update the code on someone's pacemaker?'
-
We also wanna say something
about standardization.
-
Look at all those
different programmers.
-
Someone goes into a hospital
with one of these devices
-
they have many different programmers
so they have to make an estimation
-
of which... you know, which
programmer for which device.
-
Like, which one are you running.
-
And, so, some standardization
would be an option laughing
-
perhaps, in this case.
M: Yeah.
-
E: Alright. So, we're gonna need
to move quickly through
-
the next few slides to talk
to you about the future,
-
but I hope that drives home that
this is a very real issue for real people.
-
M: So, pacemakers are evolving and
they are getting smaller
-
and this is the type of pacemaker
that you can actually implant
-
inside the heart.
-
So, the pacemaker I have today
is outside the heart and it has
-
leads that are wired to my heart.
-
But in future they are getting
smaller and more sophisticated and
-
I think this is exciting!
-
I think that a lot of you,
also in the audience will
-
benefit from having this type of
technology when you grow older
-
and we can have longer lives and
we can live more healthier lives
-
because of the technology
E: And keep in mind, right?
-
Some of you may already have devices
and already have these issues,
-
but others of you will think 'Ah, that
won't happen to me for quite a long time'
-
But it can be a sudden thing, that,
you know, you don't necessarily
-
have a choice to run code
inside your body.
-
Which OS do you wanna implant?
laughing
-
You wanna tell them about the..
-
M: This is also a quite exciting
-
maybe future type of implants
that you can have.
-
So, this is actually a cardiac sock,
it's 3D-printed and it's making
-
a rabbit's heart beat outside
the body of the rabbit.
-
So, there's a lot of technology
and sensors and things that
-
are going to be implanted
in our bodies
-
and I think more of you will become
cyborgs like me in the future
-
E: And there's a lot of work
that you could be doing.
-
You know, 3D-printing
these devices,
-
and open sourcing as much
of this as possible.
-
There's a lot to say here, right?
-
I think it's time to address
the really scary issue.
-
The informed consent issue
around patching, right?
-
Remember earlier we were
talking about the programmers
-
and we pointed out that there
were firmware blobs in there
-
and that these people,
you know, your doctor or nurse
-
could upgrade the code
running on your medical implant.
-
Now, is there a legal requirement
for them to inform you,
-
before they alter the code
that's running inside your body?
-
As far as we can tell
-
- and we need to look at a lot of
different countries at the same time,
-
so we're gonna ask you to help us -
-
as far as we can tell there are not
laws requiring your doctor
-
to tell you that they are upgrading
the firmware in your device.
-
M: Yeah, think about that laughs
-
It's a quite scary thing.
-
I want to know what's happening
to my implant, the code,
-
if someone wants to alter the code
inside my body, I would like to know
-
and I would like to make
an informed decision on that
-
and give my consent
before it happens.
-
E: You might even choose a device
where that's possible or not possible
-
because you're making a risk-based
decision and you're an informed consumer
-
but how do we help people,
who don't wanna understand
-
software and firmware and upgrades
make those decisions in the future as well.
-
Alright.
-
M: So now, if we're going to go through
-
all this, but there's a lot of reasons
why we're in the situations of having
-
insecure medical devices.
-
There's a lot of legacy technology because
there's a long lifetime of these devices
-
and it takes a long time
to get them on the market.
-
And they can be patched,
but in some cases
-
they are not patched or there are
no software updates applied to them.
-
We don't have any third party
security testing of the devices,
-
and that's really needed in my opinion.
-
E: Right, an underwriters laboratory
-
or consumer laboratory that's there
to check some of these details.
-
And I don't think that's unreasonable,
right? That sort of approach.
-
M: And there's a lack of regulations,
also. So there's a lot of things
-
that should be worked on.
-
E: So, there's a lot of
ways to solve this
-
and we're not gonna give you
the answer, because we're not
-
geniuses, so we're
gonna say that
-
these are some different
approaches that we see all
-
playing in a solution space.
-
So, vendor awareness is
obviously important, but
-
that's not the only thing.
A lot of the vendors have been
-
very supportive and
very open to discussion,
-
of transparency, that needs to
happen more in the future, right?
-
Security risk monitoring,
I've been working in the field
-
of cyber insurance, which I'm sure
sounds like insanity to the rest of you,
-
and it is, there are bad days.
But that could play a part
-
in this risk equation in the future.
-
What about medical incident response,
right? Or medical device forensics.
-
M: If I suddenly drop dead
I really would like to have
-
a forensic analysis
of my pacemaker, to ...
-
E: Please remember that, all of you!
Like, if anything is going to happen
-
to Marie... everyone asked that, right?
Like, 'Aren't you afraid of giving this talk?'
-
And we thought about it,
we talked about it a lot and
-
she's got a lot of support
from her husband and her son
-
and her family and a bunch of us.
If anything happens to this woman
-
I hope that we will all be doing
forensic analysis
-
of everything.
-
applause
-
Cool. So, we'll say a little bit about
'I Am The Cavalry' and social contract
-
and then we'll wrap it up, okay?
-
So, 'I Am The Cavalry' does
a lot of grassroots research
-
and support and lobbying and
tries to articulate these messages.
-
They have a medical implant
arm that has a bunch of
-
different researchers doing
this kind of stuff.
-
Do you wanna say more about them?
-
M: Yeah, so we are both
part of the Cavalry,
-
because no one is coming
to save us from the future
-
of being more dependent on
trusting our lives on machines
-
so, that's why we need to step up
and do the research and
-
encourage and inspire the research.
-
So, that's why I joined
'I Am The Cavalry'
-
and I think it's a
good thing to have
-
a collaboration effort between
researchers, between the vendors
-
and the regulators, as they are,
or we are working with.
-
E: We also think that even if you
don't do reverse engineering
-
or you're not interested in
security details or the opcodes
-
that are inside the firmwares
or whatever,
-
this question is a question that
any of you here can talk about
-
for the rest of the congress and
going forward into the future.
-
Right?
-
This is Marie's, so go ahead.
-
M: Yeah, so, I really want to know
what code is running inside my body.
-
And I want to know ...
-
or I want to have a social contract
with my medical doctors and
-
my physician that is giving me
these implants.
-
It needs to be based on a
patient-to-doctor trust relationship.
-
And also between
me and the vendors.
-
So I really want to know that
I can trust this machine inside...
-
E: And we think many of you will
be facing similar questions
-
to these in the future.
-
I have questions.
Some of my questions are serious,
-
some of my questions are
not serious, like this one:
-
Is the code on your dress
from your pacemaker?
-
M: No, actually it's from the
computer game 'Doom'.
-
But ...
laughter
-
once I have the laughing
code of my pacemaker
-
I'm going to make a custom-
ordered dress and get it...
-
E: Which is pretty cool, right?
M: ... get it with my own code.
-
applause
-
So, let's wrap up with... what we
want to have of future research.
-
So, we encourage more research,
and these are some things that
-
could be looked into.
-
Like open source medical devices,
that doesn't really exist,
-
at least not for pacemakers.
-
But I think that's one way
of going forward.
-
E: I think it's also an opportunity
for us to mention a really scary idea,
-
which is, you know, should anyone
have a golden key to Marie's heart,
-
should there be backdoored
encryption inside of her heart?
-
We think no laughing
but that...
-
M: I don't see any reason why
the NSA should be able to
-
have a back door to my heart,
do you?
-
E: You would be an extremist,
that's why you don't want them
-
to have a back door to your heart.
But this is a serious question, right?
-
If you start backdooring
any kind of crypto anywhere,
-
how do you know,
where it's gonna end up.
-
It might end up in medical devices
and we think that's unacceptable.
-
applause
-
M: And we should also mention
that we're not doing this alone,
-
we have other researchers
helping us forward doing this.
-
Angel: So, thank you very much
for this thrilling talk,
-
we're now doing a little
Q&A for 10 min,
-
and for the Q&A please keep in mind
to respect Marie's privacy, so
-
don't ask for details about
-
the implant or
something like that.
-
E: Yeah, the brands and stuff.
-
We're gonna tell you, what OS
she's running.
-
Angel: People, who are now leaving
the room, they will not be able
-
to come back in, because
-
of measures laughing
laughter
-
So, let's start with the Q&A!
Let's start with this microphone there.
-
Q: Hi, first of all thank you very much
for a very fascinating talk.
-
I'm not going to ask you
about specific vendors.
-
However, I thought it was very
interesting what you said, that
-
most vendors were really supportive
I would like to know whether
-
there have been
exceptions to that rule,
-
not who it was or anything like that
but what kind of arguments
-
you may have heard from vendors
e.g. have they referred to anything
-
such as trade secrets or copyright
or any other legal reasons
-
why not to give you,
or not to give public access
-
to information about devices?
Thank you.
-
E: So, we haven't had any legal
issues so far in this research.
-
And in general they haven't been
concerned about copyright.
-
I think they're more concerned
about press, bad press,
-
and a hype, you know, what
they would see as hype.
-
They don't wanna see us scaring
people away from these things
-
with, you know, these stories.
-
M: Yeah, that's also something
I'm concerned of, of course,
-
as a patient. I don't want to
scare my fellow patients
-
from having life-critical
implants in their body.
-
Because a lot of people need
them, like me, to survive.
-
So, the benefit clearly
outweighs the risk in my case.
-
E: But that seems to be their
main concern, like, you know,
-
'Don't give us too
much bad press'
-
Angel: Ok, next question
from over there.
-
Q: Hello. I wanted to ask you, if you
know about any existing initiatives
-
on open sourcing
the medical devices,
-
on mandating the open sourcing
of the software and firmware
-
through the legal system,
in European Union, in United States
-
because I think I've read
about such initiatives
-
about 1 year ago or so,
but it was just a glimpse.
-
M: So, there are some patients
that have reverse engineered their
-
no audio
-
(insu)lin pumps. I know, that
there are groups of patients
-
like the parents of children
with insulin pumps.
-
They have created
software to be able...
-
to have an app on their
mobile phone to be able
-
to monitor their child's
blood sugar levels.
-
So that's one way of
doing this open source
-
and I think that's great.
-
Q: But nothing
in the legal systems,
-
no initiatives to mandate this,
e.g. on European level?
-
E: Not so far that we've seen,
-
but that's something that
can be discussed now, right?
-
M: I think it's really interesting,
you could look into the legal
-
aspects and the regulations
around this, yeah.
-
Q: Thank you.
-
Angel: Ok, can we have
a question from the internet?
-
Q: Yes, from the IRC someone asks:
-
'Does your pacemaker
have a biofeedback,
-
so in case something bad
happens it starts to defibrillate?'
-
M: No, I don't have an ICD,
so in my case I'm not getting a shock
-
in case my heart stops.
Because I have a different condition
-
I only need to have
my rhythm corrected.
-
But there are other
types of conditions,
-
that require pacemakers
that can deliver shocks.
-
Angel: Ok, one question
from that microphone there.
-
Q: Thank you very much.
At one point you mentioned
-
that the connectivity in your
pacemaker is off. For now.
-
And, is that something, that patients
are asked during the process,
-
or is that something,
patients have to require?
-
And generally: What role
do you see for the choice
-
not to have any connectivity
or any security for that matter,
-
that technology would
make available to you?
-
So, how do you see the possibility
to choose a more risky life
-
in terms of trading in
for privacy, whatever?
-
M: Yeah, I think that's
really a relevant question.
-
As we mentioned
in the social contract,
-
I really would like, that the doctors
informed patients about
-
their different wireless interfaces
and that there's an informed decision
-
whether or not to switch it on.
-
So, in my case, I don't
have it switched on and ...
-
I don't need it, so there's no reason
why I need to have it switched on.
-
But then, again, why did I get
an implant that has this capability?
-
I should have had the option of
opting out of it, but I didn't get that.
-
They didn't ask me, or they
didn't inform me of that,
-
before I got the implant.
It was chosen for me.
-
And at that time I hadn't looked
into the security of medical devices,
-
and I needed to
have the implant,
-
so I couldn't really make
an informed decision.
-
A lot of patients that are,
like, older and not so...
-
that don't really understand
the technology,
-
they can't make that
informed decision, like I can.
-
So, it's really a
complex issue
-
and something that we
need to discuss more.
-
Angel: Ok, another
question from there.
-
Q: Yeah, thanks.
-
As a hacker, connected personally
-
and professionally
to the medical world:
-
How can I educate doctors,
nurses, medical people
-
about the security risks presented
by connected medical devices?
-
What can I tell them?
Do you have something
-
from your own experience
I could somehow ...
-
M: Yeah, so, the issue of
software bugs in the devices
-
I think is a real scenario
that can happen and ...
-
E: Yeah, if you can repeat
that story of debugging her,
-
like, I think, that makes the point.
And then try and adopt that
-
hygiene-metaphor that we
had before, where, you know,
-
people didn't believe in germs,
and these problems before,
-
we're in that sort of era,
and we're still figuring out
-
what the scope of potential
security and privacy problems are
-
for medical devices.
In the meantime
-
please be open to new research
on this subject, right?
-
And that story is
a fantastic illustration,
-
that we don't need evil hacker
type, you know, Bond villain,
-
we just need failure to debug
programming station, properly, right?
-
Q: Thank you very much.
-
Angel: Ok, another question
from the internet.
-
Q: Yes, from the IRC:
-
'20 years ago it was common,
that a magnet had to be placed
-
on the patient's chest to activate the
pacemaker's remote configuration interface.
-
Is that no longer the case today?'
-
E: It's still the case with some devices,
but not with all of them I think.
-
M: Yeah, it varies between the devices,
how they are programmed and
-
how long distance you
can be from the device.
-
Q: Thank you for the talk.
I've some medical devices
-
in myself too, an insulin pump and
sensors to measure the blood sugar levels,
-
I'm busy with hacking that and
to write the software for myself,
-
because the *** doesn't
have the software.
-
Have you ever thought about it, to write
your own software for your pacemaker?
-
E: laughing
M: laughing
-
M: No, I haven't thought about
that until now. No. laughing
-
E: Fantastic, I think that deserves
a round of applause, though,
-
because that's exactly
what we're talking about.
-
applause
-
Angel: Another question
from there.
-
Q: First off, I want to say thank you
that you gave this talk, because
-
once it's quite interesting,
but it's not that talk,
-
anyone of that is affected could hold,
-
so, it takes quite some courage and
-
I want to say thank you. So
-
applause
-
Secondly, thank you for giving me the
-
update. I started medical technology but
-
I finished ten years ago and I didn't work
-
in the area and it's quite interesting to
-
see what happened in the meantime, but
-
now for my actual question:
-
You said you got devices on eBay, is it
-
possible to get the whole
-
communication chain?
-
So you can make a sandbox test or ..
-
M: Yes it's possible to get devices,
-
it's not so easy to get the pacemaker
-
itself, it's quite expensive.
-
E: And even when we get one,
-
we have some pairing issues and like
-
Marie can't be in the same room, when
-
we were doing certain types of testing
-
and right, so that last piece is difficult
-
but the rest of the chain is pretty
-
available for the research.
-
Q: Ok, thank you.
-
Angel: So, time is running out, so we,
-
only time left for one question and from
-
there please.
-
Q: Thank you. I'm also involved in
-
software quality checks and software qs
-
here in Germany also
with medical developments
-
and as far as I know, it is the most
-
restricted area of developing products
-
I think in the world,
-
it's just easier to manipulate software
-
in a car X-source system or breaking guard
-
or something like this, where you don't
-
have to show any testing certificate or
-
something like this, the FDA is a very
-
high regulation part there.
-
Do you have the feeling that it's a
-
general issue that patients do not have
-
access to these FDA compliant tests and
-
software q-a-systems?
-
M: Yeah, I think that we should have
-
more openness and more transparency
-
about, around these issues, really.
-
E: I mean, it's fantastic you do quality
-
assurance, I used to be in quality assurance
-
at a large corporation and I got tired
-
and landed in strategy and pen testing and
-
then I just thought of myself as paramilitary
-
quality assurance, ..
-
now I just do it on whatever I wanna test, so
-
thank you for doing q-a and keep doing it
-
and hopefully you don't have too many regulations
-
but companies sharing more of this
-
information, it's really the transparency
-
and the discussion, the open dialogue
-
with patients and doctor and a vendor is
-
really what we wanna focus on and make
-
our final note?
M: Yeah.
-
M: We see some problems already
-
the last year, the MI Undercover Group has
-
had some great progress on having good
-
discussions with the FDA and also involving
-
the medical device vendors in the discussions
-
about cyber security of medical devices
-
and implants. So that's great and I hope
-
that this will be even better the next year.
-
E: And I think you wanna say
-
one more thing to congress before we leave
-
which is:
-
M: Hack to save lives!
-
applause
-
♪ postroll music ♪
-
subtitles created by c3subtitles.de