The Harsh Reality of Slow Movers
The Security of Things Forum
Medical device security and cyber risk: a presentation by Ben Ransford, CTO of Virta Labs
The Harsh Reality of Slow Movers
1.
Not So Fast! The Harsh Reality of Slow Movers
Ben Ransford, Ph.D., Virta Laboratories, Inc., ben@virtalabs.com
@secthings 2015
2.
Not So Fast! @secthings 2015 © ben@virtalabs.com
"Those who cannot remember the past are condemned to repeat it."
George Santayana, The Life of Reason vol. 1
3.
Outline
• Medical-device security: a cautionary tale
• Lessons for IoT
• Outside-the-box anomaly/malware detection
4.
Amazing devices!
1957
Photos: Medtronic, Computer History Museum
5.
Amazing devices!
Therac-25 (ca. 1980s)
Photo: SIUE
6.
Amazing devices!
External Defibrillator (1985–)
[Image: Fig. 1 of the cited paper, the Cardiac Science G3 Plus AED exploited to install custom firmware; the AED displays DEVICE COMPROMISED]
Photo: Steve Hanna et al., "Take Two Software Updates and See Me in the Morning…", USENIX HealthTech 2011
7.
Amazing devices!
Patient monitor, infusion pump, insulin pump
Photos: Philips, Hospira, The Register/Medtronic
8.
Amazing devices!
2003 pacemaker; 2013 pacemaker prototype
Photos: Ben Ransford; Medtronic
9.
What Could Go Wrong?
• Increasing software dependence
• Increasing software complexity
• Deeper integration with medical records, hospital IT, patients' homes & bodies
• 1980s: 6% of recalls due to software*
• 2005–9: 18% of recalls due to software*
* Hanna et al., HealthTech 2011
10.
Amazing harmful devices!
Therac-25 (ca. 1980s, recalled 1987)
Photo: SIUE
11.
Amazing open devices!
External Defibrillator (1985–)
[Images: Fig. 1 of the cited paper, the Cardiac Science G3 Plus AED exploited to install custom firmware (the AED displays DEVICE COMPROMISED), and Fig. 2, the AEDUpdate buffer overflow]
Photos: Hanna et al., "Take Two Software Updates and See Me in the Morning…", USENIX HealthTech 2011
12.
2008
• Academic study of an implantable defibrillator (IEEE S&P '08)
• Focused security community on medical devices… oopsie!
Photos: Medtronic, Ben Ransford
13.
• No authentication
• No encryption
• Unauthorized shocks
Photos: Ben Ransford
14.
2009–2011
• Insulin pump & defibrillator hacks (Barnaby Jack, J. Radcliffe, others)
• No authentication
• Unauthorized bolus
Photo: The Register/Medtronic
15.
2013
Wall Street Journal, June 2013, on a catheterization lab shut down by malware: "...records show that malware had infected computer equipment needed for procedures to open blocked arteries after heart attacks."
16.
2013
• Pharmaceutical compounder (HealthTech '13)
• Must be on network, patching forbidden
Photo: Ben Ransford
17.
Major hospitals say: 3–5 years: >90% of medical devices will be on the network
Photo: Ohemaa's MD
18.
Lessons for IoT!
19.
A RECIPE FOR SUCCESS
20.
Don't Patch the OS
• Microsoft has figured out Windows security by now
• The Linux kernel is perfect, always works
• "Alternative" OSes won't be targeted
21.
Don't Patch Libraries
• You wrote all of the device's code & libraries
• No need to update OpenSSL, PHP, Apache, etc.
22.
Use Default Secrets
• Use default passwords whenever possible
• Make passwords difficult to change
• Ship master keys w/ devices
• Hard-code credentials
23.
Be Very Liberal in What You Accept
• Download software via insecure channels
• Don't cryptographically sign software
• It's probably fine
• Who would tamper with firmware?
• Anyway tampering is illegal
[Image: Section II "Automated External Defibrillator (AED) Overview" and Fig. 1 of the cited paper, the Cardiac Science G3 Plus exploited to install custom firmware; the AED displays DEVICE COMPROMISED]
Photo: Steve Hanna et al., "Take Two Software Updates and See Me in the Morning…", USENIX HealthTech 2011
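Slides 22 and 23 are the "recipe" read backwards: the device-side check they tell you to skip is a signature over the update plus a version floor, with no secret shipped on the device. The Go program below is an added example of that check, not code from the talk or from Virta Labs; the Update container layout, the field and function names, and the rule of signing version||image are assumptions made here, and the image bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the hypothetical update container assumed for this example: a
// monotonically increasing version, the firmware image, and an Ed25519
// signature over version||image made with the vendor's offline signing key.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// signedPayload binds the version into the signed bytes, so a genuinely
// signed old image cannot be re-labelled with a newer version number.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], image)
	return buf
}

// SignUpdate runs in the vendor's build pipeline. The private key stays there;
// nothing secret ships on the device (contrast "ship master keys w/ devices").
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image,
		Signature: ed25519.Sign(priv, signedPayload(version, image))}
}

// VerifyUpdate is the device-side check the slide says to skip: only the
// vendor public key baked into the device can authorise an image, and the
// image must be newer than the one installed (no rollback to a known-bad build).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	// Signature first, before any field of the update (even Version) is trusted.
	if !ed25519.Verify(pub, signedPayload(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image bytes")
	v2 := SignUpdate(priv, 2, image)
	fmt.Println("v2 onto a device at v1:", VerifyUpdate(pub, 1, v2))
	fmt.Println("v2 replayed onto v2:   ", VerifyUpdate(pub, 2, v2))
	tampered := v2
	tampered.Image = append([]byte("x"), image...)
	fmt.Println("tampered image:        ", VerifyUpdate(pub, 1, tampered))
	unsigned := Update{Version: 3, Image: image} // downloaded over an insecure channel, no signature
	fmt.Println("unsigned v3:           ", VerifyUpdate(pub, 1, unsigned))
}
```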
24.
Obscurity == Security
• Nobody will scan your devices
• Nobody will obtain your firmware via JTAG
• Compilation is the same as encryption
• Leave a network port open for "debugging"
Photo: Dotmed
25.
VOILÀ!
26.
Deep Integration → Fixity
• Once something works, don't want to touch it
• Sometimes replacement is really hard
• Environment changes → threats change too
Major surgery, ~10yr battery
Photo: Ben Ransford
27.
IoT and Slow Movers
• You want integration + customer dependence?
• All bets are off once a Thing is deployed
• Customers will depend on your old/stale code
• Customers will depend on your old URLs
• You think you know how customers will use your product, but you don't
• Optimize products & processes for patchability
28.
The Mess We're In
• Major healthcare breaches afoot (Anthem: 80M!)
• Attackers roost on systems that won't get patched (TrapX "Medjack" report)
• Backward thinking about patching
• Perimeter security is not a solution
• "Endpoint security" vendors ignore medical devices (as they ignore Things)
29.
[image only]
30.
Outside the Box
• Nonintrusive monitoring
• No software installation
• Devices stay in service
• Use the power side channel to infer tasks, detect unusual behavior incl. malware
(In beta!)
Photo: Ben Ransford/Virta Labs
31.
Photo: Atomic Toasters
32.
[image only]
33.
Current Consumption Varies
• Today's CPUs and software are careful to use power management!
• Modern systems exhibit high dynamic range
• Workloads → patterns of high/low
• CPU busy → more current
• Peripherals busy → more current
• Idle time → less current
Image: Apple
34.
Learning from Analog Data
• Collect data during representative activity
• Constantly collect power signals
• Featurize signals, feed features to machine learning
• Feed analysis results back to customers
• Crowdsource problems across customers
35.
Q's We Can Answer
• What state is the device in? Have we seen this state before?
• Does the device have certain kinds of malware?
• How fast is it doing its work?
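Slides 30 through 35 give the power-side-channel pipeline as steps: capture current during representative activity, featurize windows of samples, learn what "normal" looks like, then ask of each new window whether that state has been seen before. The Go program below is an added illustration of those steps and is not Virta Labs' product code: the window length, the four features, the thresholds and the per-feature z-score comparison are choices made here as a minimal stand-in for the machine-learning step, and the current samples are constructed to resemble a device alternating between idle and busy.

```go
package main
import "math"

const (
	windowLen     = 100   // current samples per window (constructed data, not device data)
	busyThreshold = 400.0 // mA: a sample above this counts as "busy"
	stepThreshold = 150.0 // mA: a jump this large between samples is a busy/idle transition
	zLimit        = 3.0   // alert when any feature is more than 3 sigma from the baseline
)

// Features of one window: mean current, its spread, fraction of time busy, transition count.
type Features [4]float64
// Featurize is the "featurize signals" step applied to a single window.
func Featurize(w []float64) Features {
	var sum, sumSq, busy, trans float64
	for i, x := range w {
		sum += x
		sumSq += x * x
		if x > busyThreshold {
			busy++
		}
		if i > 0 && math.Abs(x-w[i-1]) > stepThreshold {
			trans++
		}
	}
	n := float64(len(w))
	mean := sum / n
	return Features{mean, math.Sqrt(math.Max(sumSq/n-mean*mean, 0)), busy / n, trans}
}

// Baseline: per-feature mean and spread over known-good windows (a minimal stand-in for the ML step).
type Baseline struct{ mean, std Features }

// Learn is the "collect data during representative activity" step.
func Learn(windows [][]float64) Baseline {
	var b Baseline
	n := float64(len(windows))
	feats := make([]Features, len(windows))
	for i, w := range windows {
		feats[i] = Featurize(w)
	}
	for k := range b.mean {
		for _, f := range feats {
			b.mean[k] += f[k] / n
		}
		for _, f := range feats {
			b.std[k] += (f[k] - b.mean[k]) * (f[k] - b.mean[k]) / n
		}
		b.std[k] = math.Max(math.Sqrt(b.std[k]), 1e-9) // floor: a constant feature must not divide by zero
	}
	return b
}

// Score answers "have we seen this state before?": the largest z-score across features,
// which feature index drove it (for the analyst), and whether it exceeds zLimit.
func (b Baseline) Score(w []float64) (maxZ float64, worst int, anomalous bool) {
	f := Featurize(w)
	for k := range f {
		if z := math.Abs(f[k]-b.mean[k]) / b.std[k]; z > maxZ {
			maxZ, worst = z, k
		}
	}
	return maxZ, worst, maxZ > zLimit
}

// SyntheticWindow is a constructed window: ~200 mA idle with one ~600 mA busy burst at the
// given offset and length, plus a small deterministic ripple so samples are not identical.
func SyntheticWindow(offset, length int) []float64 {
	w := make([]float64, windowLen)
	for i := range w {
		w[i] = 200 + float64(i%5)*2
		if i >= offset && i < offset+length {
			w[i] += 400
		}
	}
	return w
}

// RepresentativeActivity is the constructed training set: twenty windows whose burst
// position and length vary, standing in for the device doing its normal job.
func RepresentativeActivity() [][]float64 {
	ws := make([][]float64, 20)
	for i := range ws {
		ws[i] = SyntheticWindow((i*3)%11, 20+(i*7)%23)
	}
	return ws
}
```

A window with an ordinary burst scores close to the baseline, while a window that is busy the whole time (no idle gaps) or flat idle (no work at all) is flagged, with the feature index telling the analyst whether duty cycle, spread, level or switching pattern changed.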
36.
[Screenshot text: VIRTA LABORATORIES UNKNOWN MALWARE]
37.
Takeaways
• For IoT manufacturers: Recognize security debt, plan for long lifecycle
• For users: Insist on coherent patching strategies that have a time dimension
• For security researchers: Roll up sleeves
Twitter: @virtalabs / @br_
Beta program: https://www.virtalabs.com/