Unpatchable: 32C3 edition

Gradually we are all becoming more and more dependent on machines. We will be able to live longer, with an increased quality of life, thanks to machines integrated into our bodies. However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device can have fatal consequences. This talk is about Marie's personal experience with being the host of a vulnerable medical implant, and how this has forced her to become a human part of the "Internet-of-Things".

  1. Concinnity Risks. Unpatchable: Living with a vulnerable implanted device. @MarieGMoe @blackswanburst. Marie Moe, PhD, Research Scientist at SINTEF; Eireann Leverett, Founder and CEO of Concinnity Risks
  2. Hack to save lives!
  3. A brief history of my heart…
  4. How the heart works
  5. Electrical system of the heart
  6. Pacemaker
  7. The Internet of Medical ”Things” is real, and Marie’s heart is wired into it…
  8. ① Implantable medical device – ICD/Pacemaker/other devices – MICS (Medical Implant Communication Service) – Bluetooth ② Access point – POTS/GSM/SMS/email ③ GSM/Telephone/Internet ④ Telemetry store – Programmers – Doctor’s workstation – Telemetry server at vendor ⑤ Medical staff – Social engineering
  9. With connectivity comes vulnerability…
  10. Potential impact: Patient privacy issues; Battery exhaustion; Device malfunction; Death threats and extortion; Remote assassination scenario…
  11. ”We need to be able to verify the software that controls our lives” Bruce Schneier on “Volkswagen and Cheating Software”
  12. Previous work • Kevin Fu et al: – Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses (2008) – Mitigating EMI signal injection attacks against analog sensors (2013) • Barnaby Jack • Hardcoded credentials • Medical device honeypots • Drug infusion pumps
  13. Hacking can save lives. Source: http://>ces/ucm456815.htm
  14. Medical devices do get infected. Source: https://-content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-0_6-3-2015-1.pdf
  15. WTF are you doing with my data?
  16. The stairs that almost killed me
  17. Debugging me
  18. Leadless pacemaker
  19. The future?
  20. Reflections on trusting machines
  21. Why? Legacy technology; No software updates; Long lifetime of devices; No security testing or monitoring; Medical devices are ”black boxes”; Proprietary software; More connectivity; Lack of regulations; Increased attack surface
  22. How to solve it? Security research; Information sharing; Third party collaboration; Coordinated disclosure; Vendor awareness; Regulation; Procurement; Safety by design; Security testing; Security risk monitoring; Security updates; Incident response; Cyber insurance; Resilience
  23. What is the social contract for the code in our bodies?
  24. Research needed • Open source medical devices • Medical device cryptography • Personal area network monitoring • Jamming protection • Forensics evidence capture
  25. Credits: Tony Naggs (@xa329); Gunnar Alendal (@gradoisageek); Alexandre Dulaunoy (@adulau); Joshua Corman (@joshcorman); Claus Cramon Houmann (@ClausHoumann); Scott Erven (@scotterven); Beau Woods (@beauwoods); Suzanne Schwartz (US FDA); Family & Friends
  26. Concinnity Risks. Thank you! www.concinnity- @MarieGMoe @blackswanburst