Unpatchable: 32C3 edition

Concinnity Risks
Unpatchable
Living with a vulnerable implanted device
@MarieGMoe
@blackswanburst
Marie Moe, PhD, Research Scientist at SINTEF
Eireann Leverett, Founder and CEO of Concinnity Risks

Hack to save lives!

A brief history of my heart…

How the heart works

Electrical system of the heart

Pacemaker

The Internet of Medical "Things" is real, and Marie's heart is wired into it…

① Implantable medical device
   – ICD/Pacemaker/other devices
   – MICS (Medical Implant Communication Service)
   – Bluetooth
② Access point
   – POTS/GSM/SMS/email
③ GSM/Telephone/Internet
④ Telemetry store
   – Programmers
   – Doctor's workstation
   – Telemetry server at vendor
⑤ Medical staff
   – Social engineering

With connectivity comes vulnerability…

Potential impact
   Patient privacy issues
   Battery exhaustion
   Device malfunction
   Death threats and extortion
   Remote assassination scenario…

"We need to be able to verify the software that controls our lives"
Bruce Schneier on "Volkswagen and Cheating Software"

Previous work
•  Kevin Fu et al:
   –  Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses (2008)
   –  Mitigating EMI signal injection attacks against analog sensors (2013)
•  Barnaby Jack
•  Hardcoded credentials
•  Medical device honeypots
•  Drug infusion pumps

Hacking can save lives
Source: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm

Medical devices do get infected
Source: https://securityledger.com/wp-content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-0_6-3-2015-1.pdf

WTF are you doing with my data?

The stairs that almost killed me

Debugging me

Leadless pacemaker

The future?

Reflections on trusting machines

Why?
   Legacy technology
   No software updates
   Long lifetime of devices
   No security testing or monitoring
   Medical devices are "black boxes"
   Proprietary software
   More connectivity
   Lack of regulations
   Increased attack surface

How to solve it?
   Security research
   Information sharing
   Third party collaboration
   Coordinated disclosure
   Vendor awareness
   Regulation
   Procurement
   Safety by design
   Security testing
   Security risk monitoring
   Security updates
   Incident response
   Cyber insurance
   Resilience

What is the social contract for the code in our bodies?

Research needed
•  Open source medical devices
•  Medical device cryptography
•  Personal area network monitoring
•  Jamming protection
•  Forensics evidence capture
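
The "Battery exhaustion" item under "Potential impact" and the "Personal area network monitoring" item under "Research needed" describe the same detection problem: an implant that is woken up over and over by a radio that never completes a legitimate session is being drained, and today nothing on the patient's side sees it happen. The block below is an added illustration written for this page, not code from the talk, from SINTEF or from Concinnity Risks. The log format, the source identifiers, the registered-programmer list and the thresholds are all assumptions invented for the example; real implants do not expose such a log, which is exactly the gap the research item names.

```python
"""Toy personal-area-network (PAN) monitor for an implanted cardiac device.

Assumed log format, one implant wake-up per line:
    "<seconds> <source_id> <ok|fail>"
where ok/fail records whether the session completed authentication.
Every identifier, value and threshold here is constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WakeEvent:
    ts: float            # seconds since the monitor started
    source_id: str       # identifier the external radio presented
    authenticated: bool  # whether the session completed authentication


# Programmers the clinic registered with the monitor (assumed identifiers).
KNOWN_PROGRAMMERS = frozenset({"PRG-CLINIC-7", "HOME-MONITOR-1"})

# Constructed sample: a check-up, a nightly home-monitor upload, then a burst of
# wake-ups from an unregistered radio that never authenticates.
SAMPLE_LOG = """\
# ts source auth
0.0 PRG-CLINIC-7 ok
2.5 PRG-CLINIC-7 ok
3600.0 HOME-MONITOR-1 ok
7200.0 UNKNOWN-3F fail
7200.8 UNKNOWN-3F fail
7201.6 UNKNOWN-3F fail
7202.4 UNKNOWN-3F fail
7203.1 UNKNOWN-3F fail
7203.9 UNKNOWN-3F fail
7204.7 UNKNOWN-3F fail
"""


def parse_log(text: str) -> list[WakeEvent]:
    """Parse the assumed log format, skipping blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source_id, auth = line.split()
        events.append(WakeEvent(float(ts), source_id, auth == "ok"))
    return events


def detect(events: list[WakeEvent], known=KNOWN_PROGRAMMERS,
           window_s: float = 60.0, max_wakeups: int = 5) -> list[tuple[str, str, str]]:
    """Return (kind, source_id, detail) alerts, at most one of each kind per source.

    unknown_source:     a radio outside the registered set woke the implant
    battery_exhaustion: one source exceeded max_wakeups within window_s, i.e. the
                        implant is being kept awake and its battery drained
    """
    alerts: list[tuple[str, str, str]] = []
    recent: dict[str, deque[float]] = defaultdict(deque)
    seen_unknown: set[str] = set()
    seen_exhaustion: set[str] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source_id not in known and ev.source_id not in seen_unknown:
            seen_unknown.add(ev.source_id)
            alerts.append(("unknown_source", ev.source_id,
                           f"first wake-up at t={ev.ts:.1f}s, authenticated={ev.authenticated}"))
        window = recent[ev.source_id]
        window.append(ev.ts)
        # Drop wake-ups that fell out of the sliding window.
        while ev.ts - window[0] > window_s:
            window.popleft()
        if len(window) > max_wakeups and ev.source_id not in seen_exhaustion:
            seen_exhaustion.add(ev.source_id)
            alerts.append(("battery_exhaustion", ev.source_id,
                           f"{len(window)} wake-ups within {window_s:.0f}s"))
    return alerts


if __name__ == "__main__":
    for kind, source, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:<19} {source:<14} {detail}")
```

The detector raises at most one alert of each kind per source so a long burst does not flood the record; the window and count would have to be tuned to the real interrogation duty cycle of the device. A patient-side monitor of this kind can only observe and record, which is why "Jamming protection" and "Forensics evidence capture" sit beside it as separate research items.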
  
Credits
Tony Naggs (@xa329)
Gunnar Alendal (@gradoisageek)
Alexandre Dulaunoy (@adulau)
Joshua Corman (@joshcorman)
Claus Cramon Houmann (@ClausHoumann)
Scott Erven (@scotterven)
Beau Woods (@beauwoods)
Suzanne Schwartz (US FDA)
Family & Friends

Concinnity Risks
Thank you!
www.infosec.sintef.no
www.iamthecavalry.org
www.concinnity-risks.com
@MarieGMoe
@blackswanburst
