Unpatchable: Living with a vulnerable implanted device


Keynote presentation at Hack.lu 2015 by Marie Moe. This talk is focused on the problem that we have these life critical devices with vulnerabilities that can’t easily be patched without performing surgery on patients, my personal experience with being the host of such a device, and how the hacker community can proceed to work with the vendors to secure the devices.

Published in: Devices & Hardware

Unpatchable: Living with a vulnerable implanted device

  1. SINTEF ICT. Unpatchable: Living with a vulnerable implanted device. @MarieGMoe @iamthecavalry #safersoonertogether. Marie Moe, PhD, Research Scientist at SINTEF. Safer|Sooner|Together
  2. Lorenzo Franceschi-Bicchierai, Vice Motherboard: Sometimes, hackers make the worst patients…
  3. The stairs that almost killed me
  4. How the heart works. https://www.youtube.com/watch?v=d6RbN5lPqIU
  5. Electrical system of the heart
  6. Pacemaker. https://www.youtube.com/watch?v=-f2FKmMneXY
  7. Leadless pacemaker
  8. The future?
  9. Trusting machines
  10. The Internet of Medical “Things” is real, and my heart is wired into it…
  11. Remote monitoring
  12. Potential threats: Device is vulnerable? Access point is vulnerable? Mobile network is compromised? Server at vendor is compromised? Web site that doctor logs in to is vulnerable?
  13. “We need to be able to verify the software that controls our lives” Bruce Schneier on “Volkswagen and Cheating Software”
  14. Pacemakers are vulnerable. Source: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, May 2008.
  15. Source: http://www.vice.com/en_uk/read/i-worked-out-how-to-remotely-weaponise-a-pacemaker
  16. Source: http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
  17. Source: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
  18. Medical devices do get infected. Source: https://securityledger.com/wp-content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-0_6-3-2015-1.pdf
  19. Default or hard-coded passwords. Source: http://www.pcworld.com/article/2987813/thousands-of-medical-devices-are-vulnerable-to-hacking-security-researchers-say.html
  20. Malicious software updates. Source: Dr. Kevin Fu: “On the Technical Debt of Medical Device Security”, http://www.naefrontiers.org/File.aspx?id=50750
  21. Cloud safety? https://t.co/XndBSPbAta
  22. Potential impact: Patient privacy issues; Battery exhaustion; Device malfunction; Death threats and extortion; Remote assassination scenario…
  23. Why? Legacy technology; No software updates; Long lifetime of devices; No security testing or monitoring; Medical devices are “black boxes”; Proprietary software; More connectivity; Lack of regulations; Increased attack surface
  24. “Malicious intent is not a prerequisite to patient safety issues” Scott Erven, Security Researcher at Protiviti
  25. How to solve it? Security research; Information sharing; Third party collaboration; Coordinated disclosure; Vendor awareness; Regulation; Procurement; Safety by design; Security testing; Security risk monitoring; Security updates; Incident response; Cyber insurance; Resilience
  26. The Cavalry isn’t coming… It falls to us. Problem Statement: Our society is adopting connected technology faster than we are able to secure it. Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust. Collecting: existing research, researchers, and resources. Connecting: researchers with each other, industry, media, policy, and legal. Collaborating: across a broad range of backgrounds, interests, and skillsets. Catalyzing: positive action sooner than it would have happened on its own. Why: Trust, public safety, human life. How: Education, outreach, research. Who: Infosec research community. Who: Global, grass roots initiative. What: Long-term vision for cyber safety. Medical; Automotive; Connected Home; Public Infrastructure. https://iamthecavalry.org @iamthecavalry
  27. “There will be bugs” Joshua Corman of I am The Cavalry
  28. Debugging me
  29. You can’t patch me!
  30. The benefit outweighs the risk
  31. Credits: Alexandre Dulaunoy (@adulau); Éireann Leverett (@blackswanburst); Joshua Corman (@joshcorman); Claus Cramon Houmann (@ClausHoumann); Scott Erven (@scotterven); Beau Woods (@beauwoods); Suzanne Schwartz (US FDA); Family & Friends
  32. SINTEF ICT. Thank you! marie.moe@sintef.no https://www.iamthecavalry.org @MarieGMoe @iamthecavalry #safersoonertogether
