SlideShare a Scribd company logo

Unpatchable: 32C3 edition

Marie Elisabeth Gaup Moe
Marie Elisabeth Gaup Moe

Gradually we are all becoming more and more dependent on machines, we will be able to live longer with an increased quality of life due to machines integrated into our body. However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device can have fatal consequences. This talk is about Marie's personal experience with being the host of a vulnerable medical implant, and how this has forced her to become a human part of the "Internet-of-Things".

Technology
1 of 27
Download to read offline
Concinnity  Risks   Unpatchable     Living  with  a  vulnerable  implanted  device   @MarieGMoe   @blackswanburst   Marie  Moe,  PhD,  Research  Scien?st  at  SINTEF   Eireann  LevereE,  Founder  and  CEO  of  Concinnity  Risks  
Hack  to  save  lives!  
  A  brief  history  of  my  heart…  
How  the  heart  works  
Electrical  system  of  the  heart  
Pacemaker  
  The  Internet  of  Medical  ”Things”  is  real,     and  Marie’s  heart  is  wired  into  it…  
①  Implantable  medical  device   –  ICD/Pacemaker/other  devices   –  MICS  (Medical  Implant   Communica?on  Service)   –  Bluetooth   ②  Access  point   –  POTS/GSM/SMS/email   ③  GSM/Telephone/Internet   ④  Telemetry  store   –  Programmers   –  Doctor’s  worksta?on   –  Telemetry  server  at  vendor   ⑤  Medical  staff   –  Social  engineering  
With  connec?vity  comes  vulnerability…  
Poten?al  impact   Pa?ent  privacy  issues   BaEery  exhaus?on   Device  malfunc?on   Death  threats  and  extor?on   Remote  assassina?on  scenario…  
  ”We  need  to  be  able  to  verify  the  soware  that   controls  our  lives”   Bruce  Schneier  on  “Volkswagen  and  Chea?ng  Soware”  
Previous  work   •  Kevin  Fu  et  al:   –  Pacemakers  and  implantable  cardiac  defibrillators:  Soware  radio  aEacks  and   zero-­‐power  defenses  (2008)   –  Mi?ga?ng  EMI  signal  injec?on  aEacks  against  analog  sensors  (2013)   •  Barnaby  Jack   •  Hardcoded  creden?als   •  Medical  device  honeypots   •  Drug  infusion  pumps  
Hacking  can  save  lives   Source:  h*p://www.fda.gov/MedicalDevices/Safety/AlertsandNo>ces/ucm456815.htm  
Medical  devices  do  get  infected     Source:  h*ps://securityledger.com/wp-­‐content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-­‐0_6-­‐3-­‐2015-­‐1.pdf  
WTF  are  you  doing  with  my  data?  
The  stairs  that  almost  killed  me  
Debugging  me      
Leadless  pacemaker  
The  future?  
Reflec?ons  on  trus?ng  machines  
Why?   Legacy   technology   No  soware  updates   Long  life?me  of   devices   No  security   tes?ng  or   monitoring   Medical  devices  are   ”black  boxes”   Proprietary   soware   More   connec?vity   Lack  of  regula?ons   Increased  aEack   surface  
How  to  solve  it?   Security   research   Informa?on  sharing   Third  party   collabora?on   Coordinated   disclosure   Vendor   awareness   Regula?on   Procurement   Safety  by  design   Security  tes?ng   Security   risk   monitoring   Security  updates   Incident  response   Cyber  insurance   Resilience  
  What  is  the  social  contract  for  the   code  in  our  bodies?  
Research  needed   •  Open  source  medical  devices   •  Medical  device  cryptography   •  Personal  area  network  monitoring   •  Jamming  protec?on   •  Forensics  evidence  capture  
Credits   Tony  Naggs  (@xa329)   Gunnar  Alendal  (@gradoisageek)   Alexandre  Dulaunoy  (@adulau)   Joshua  Corman  (@joshcorman)   Claus  Cramon  Houmann  (@ClausHoumann)   ScoE  Erven  (@scoEerven)   Beau  Woods  (@beauwoods)   Suzanne  Schwartz  (US  FDA)   Family  &  Friends    
Concinnity  Risks   Thank  you!         www.infosec.sintef.no   www.iamthecavalry.org   www.concinnity-­‐risks.com   @MarieGMoe   @blackswanburst  

Recommended

How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical DevicesSecurityMetrics
 
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted DeviceHIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Devicejamieayre
 
Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema...
Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema...Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema...
Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema...Black Duck by Synopsys
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataStephen Cobb
 
Securing Wearable Device Data
Securing Wearable Device DataSecuring Wearable Device Data
Securing Wearable Device DataSeyedmostafa Safavi
 
Unpatchable: Living with a vulnerable implanted device
Unpatchable: Living with a vulnerable implanted deviceUnpatchable: Living with a vulnerable implanted device
Unpatchable: Living with a vulnerable implanted deviceMarie Elisabeth Gaup Moe
 
Unpatchable: Troopers 2016 edition
Unpatchable: Troopers 2016 editionUnpatchable: Troopers 2016 edition
Unpatchable: Troopers 2016 editionMarie Elisabeth Gaup Moe
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?Stephen Cobb
 

Recommended

How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical DevicesSecurityMetrics
 
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted DeviceHIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Device
HIS 2017 Marie Moe- Unpatchable-Living with a Vulnerable Implanted Devicejamieayre
 
Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema...
Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema...Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema...
Open Source Insight: Securing Software Stacks, Election Security, FDA Pacema...Black Duck by Synopsys
 
Cybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataCybercrime and the Hidden Perils of Patient Data
Cybercrime and the Hidden Perils of Patient DataStephen Cobb
 
Securing Wearable Device Data
Securing Wearable Device DataSecuring Wearable Device Data
Securing Wearable Device DataSeyedmostafa Safavi
 
Unpatchable: Living with a vulnerable implanted device
Unpatchable: Living with a vulnerable implanted deviceUnpatchable: Living with a vulnerable implanted device
Unpatchable: Living with a vulnerable implanted deviceMarie Elisabeth Gaup Moe
 
Unpatchable: Troopers 2016 edition
Unpatchable: Troopers 2016 editionUnpatchable: Troopers 2016 edition
Unpatchable: Troopers 2016 editionMarie Elisabeth Gaup Moe
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?Stephen Cobb
 
Why healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdfWhy healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdfSparity1
 
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011 Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011 shawn_merdinger
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsESET North America
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsKristie Allison
 
Cybersecurity Challenges in the Healthcare Industry.pdf
Cybersecurity Challenges in the Healthcare Industry.pdfCybersecurity Challenges in the Healthcare Industry.pdf
Cybersecurity Challenges in the Healthcare Industry.pdfMobibizIndia1
 
Cybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicauxCybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicauxMarket iT
 
IoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gkoIoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gkoGlen Koskela
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015Claus Cramon Houmann
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Privacy and Security by Design
Privacy and Security by DesignPrivacy and Security by Design
Privacy and Security by DesignUnisys Corporation
 
Protecting Healthcare Data from Hackers
Protecting Healthcare Data from HackersProtecting Healthcare Data from Hackers
Protecting Healthcare Data from HackersJoshua Spencer
 
Killed by code - mobile medical devices
Killed by code - mobile medical devicesKilled by code - mobile medical devices
Killed by code - mobile medical devicesFlaskdata.io
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxwlynn1
 
[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device security[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device securityOWASP
 
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...Dana Gardner
 
Digital Innovation Impact in Life Sciences July
Digital Innovation Impact in Life Sciences JulyDigital Innovation Impact in Life Sciences July
Digital Innovation Impact in Life Sciences JulyPaul Gulbin
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareDoug Copley
 
Security for Implantable Medical Devices (IMDs)
Security for Implantable Medical Devices (IMDs)Security for Implantable Medical Devices (IMDs)
Security for Implantable Medical Devices (IMDs)HCL Technologies
 
security and privacy for medical implantable devices
security and privacy for medical implantable devicessecurity and privacy for medical implantable devices
security and privacy for medical implantable devicesAjay Ohri
 
Cyberforsikring - Når lønner det seg?
Cyberforsikring - Når lønner det seg?Cyberforsikring - Når lønner det seg?
Cyberforsikring - Når lønner det seg?Marie Elisabeth Gaup Moe
 
Med hjertet på Internett - Sikkerhet i min personlige infrastruktur
Med hjertet på Internett - Sikkerhet i min personlige infrastrukturMed hjertet på Internett - Sikkerhet i min personlige infrastruktur
Med hjertet på Internett - Sikkerhet i min personlige infrastrukturMarie Elisabeth Gaup Moe
 

More Related Content

Similar to Unpatchable: 32C3 edition

Why healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdfWhy healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdfSparity1
 
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011 Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011 shawn_merdinger
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsESET North America
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsKristie Allison
 
Cybersecurity Challenges in the Healthcare Industry.pdf
Cybersecurity Challenges in the Healthcare Industry.pdfCybersecurity Challenges in the Healthcare Industry.pdf
Cybersecurity Challenges in the Healthcare Industry.pdfMobibizIndia1
 
Cybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicauxCybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicauxMarket iT
 
IoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gkoIoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gkoGlen Koskela
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015Claus Cramon Houmann
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015Flaskdata.io
 
Privacy and Security by Design
Privacy and Security by DesignPrivacy and Security by Design
Privacy and Security by DesignUnisys Corporation
 
Protecting Healthcare Data from Hackers
Protecting Healthcare Data from HackersProtecting Healthcare Data from Hackers
Protecting Healthcare Data from HackersJoshua Spencer
 
Killed by code - mobile medical devices
Killed by code - mobile medical devicesKilled by code - mobile medical devices
Killed by code - mobile medical devicesFlaskdata.io
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxwlynn1
 
[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device security[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device securityOWASP
 
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...Dana Gardner
 
Digital Innovation Impact in Life Sciences July
Digital Innovation Impact in Life Sciences JulyDigital Innovation Impact in Life Sciences July
Digital Innovation Impact in Life Sciences JulyPaul Gulbin
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareDoug Copley
 
Security for Implantable Medical Devices (IMDs)
Security for Implantable Medical Devices (IMDs)Security for Implantable Medical Devices (IMDs)
Security for Implantable Medical Devices (IMDs)HCL Technologies
 
security and privacy for medical implantable devices
security and privacy for medical implantable devicessecurity and privacy for medical implantable devices
security and privacy for medical implantable devicesAjay Ohri
 

Similar to Unpatchable: 32C3 edition (20)

Why healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdfWhy healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdf
 
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011 Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
Medical Device Security: State of the Art -- NoConName, Barcelona, 2011
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and Solutions
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and Solutions
 
Cybersecurity Challenges in the Healthcare Industry.pdf
Cybersecurity Challenges in the Healthcare Industry.pdfCybersecurity Challenges in the Healthcare Industry.pdf
Cybersecurity Challenges in the Healthcare Industry.pdf
 
Cybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicauxCybersécurité des dispositifs médicaux
Cybersécurité des dispositifs médicaux
 
IoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gkoIoT tietoturva terveydenhuollossa, 2017-03-21, gko
IoT tietoturva terveydenhuollossa, 2017-03-21, gko
 
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015
 
Killed by code 2015
Killed by code 2015Killed by code 2015
Killed by code 2015
 
Privacy and Security by Design
Privacy and Security by DesignPrivacy and Security by Design
Privacy and Security by Design
 
Protecting Healthcare Data from Hackers
Protecting Healthcare Data from HackersProtecting Healthcare Data from Hackers
Protecting Healthcare Data from Hackers
 
Killed by code - mobile medical devices
Killed by code - mobile medical devicesKilled by code - mobile medical devices
Killed by code - mobile medical devices
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device security[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device security
 
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...
Cerner’s Lifesaving Sepsis Control Solution Shows the Potential of Bringing M...
 
Digital Innovation Impact in Life Sciences July
Digital Innovation Impact in Life Sciences JulyDigital Innovation Impact in Life Sciences July
Digital Innovation Impact in Life Sciences July
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in Healthcare
 
Security for Implantable Medical Devices (IMDs)
Security for Implantable Medical Devices (IMDs)Security for Implantable Medical Devices (IMDs)
Security for Implantable Medical Devices (IMDs)
 
security and privacy for medical implantable devices
security and privacy for medical implantable devicessecurity and privacy for medical implantable devices
security and privacy for medical implantable devices
 

More from Marie Elisabeth Gaup Moe

Med hjertet på Internett - Sikkerhet i min personlige infrastruktur
Med hjertet på Internett - Sikkerhet i min personlige infrastrukturMed hjertet på Internett - Sikkerhet i min personlige infrastruktur
Med hjertet på Internett - Sikkerhet i min personlige infrastrukturMarie Elisabeth Gaup Moe
 
Når cyberangrep får fysiske konsekvenser
Når cyberangrep får fysiske konsekvenserNår cyberangrep får fysiske konsekvenser
Når cyberangrep får fysiske konsekvenserMarie Elisabeth Gaup Moe
 
Software Security: Hvordan bygge sikre systemer?
Software Security: Hvordan bygge sikre systemer?Software Security: Hvordan bygge sikre systemer?
Software Security: Hvordan bygge sikre systemer?Marie Elisabeth Gaup Moe
 
Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...
Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...
Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...Marie Elisabeth Gaup Moe
 
Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...
Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...
Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...Marie Elisabeth Gaup Moe
 

More from Marie Elisabeth Gaup Moe (11)

Cyberforsikring - Når lønner det seg?
Cyberforsikring - Når lønner det seg?Cyberforsikring - Når lønner det seg?
Cyberforsikring - Når lønner det seg?
 
Med hjertet på Internett - Sikkerhet i min personlige infrastruktur
Med hjertet på Internett - Sikkerhet i min personlige infrastrukturMed hjertet på Internett - Sikkerhet i min personlige infrastruktur
Med hjertet på Internett - Sikkerhet i min personlige infrastruktur
 
Does it pay to be cyber-insured
Does it pay to be cyber-insuredDoes it pay to be cyber-insured
Does it pay to be cyber-insured
 
Når cyberangrep får fysiske konsekvenser
Når cyberangrep får fysiske konsekvenserNår cyberangrep får fysiske konsekvenser
Når cyberangrep får fysiske konsekvenser
 
From Ukraine to Pacemakers!
From Ukraine to Pacemakers!From Ukraine to Pacemakers!
From Ukraine to Pacemakers!
 
Sikkerhet i Internet of Things
Sikkerhet i Internet of ThingsSikkerhet i Internet of Things
Sikkerhet i Internet of Things
 
Software Security: Hvordan bygge sikre systemer?
Software Security: Hvordan bygge sikre systemer?Software Security: Hvordan bygge sikre systemer?
Software Security: Hvordan bygge sikre systemer?
 
Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...
Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...
Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...
 
Incident handling of cyber espionage
Incident handling of cyber espionageIncident handling of cyber espionage
Incident handling of cyber espionage
 
NorCERT - Hva gjør vi når det brenner?
NorCERT - Hva gjør vi når det brenner?NorCERT - Hva gjør vi når det brenner?
NorCERT - Hva gjør vi når det brenner?
 
Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...
Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...
Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...
 

Recently uploaded

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Unpatchable: 32C3 edition

  • 1. Concinnity  Risks   Unpatchable     Living  with  a  vulnerable  implanted  device   @MarieGMoe   @blackswanburst   Marie  Moe,  PhD,  Research  Scien?st  at  SINTEF   Eireann  LevereE,  Founder  and  CEO  of  Concinnity  Risks  
  • 2. Hack  to  save  lives!  
  • 3.   A  brief  history  of  my  heart…  
  • 4. How  the  heart  works  
  • 5. Electrical  system  of  the  heart  
  • 7.   The  Internet  of  Medical  ”Things”  is  real,     and  Marie’s  heart  is  wired  into  it…  
  • 8. ①  Implantable  medical  device   –  ICD/Pacemaker/other  devices   –  MICS  (Medical  Implant   Communica?on  Service)   –  Bluetooth   ②  Access  point   –  POTS/GSM/SMS/email   ③  GSM/Telephone/Internet   ④  Telemetry  store   –  Programmers   –  Doctor’s  worksta?on   –  Telemetry  server  at  vendor   ⑤  Medical  staff   –  Social  engineering  
  • 9. With  connec?vity  comes  vulnerability…  
  • 10. Poten?al  impact   Pa?ent  privacy  issues   BaEery  exhaus?on   Device  malfunc?on   Death  threats  and  extor?on   Remote  assassina?on  scenario…  
  • 11.   ”We  need  to  be  able  to  verify  the  soware  that   controls  our  lives”   Bruce  Schneier  on  “Volkswagen  and  Chea?ng  Soware”  
  • 12. Previous  work   •  Kevin  Fu  et  al:   –  Pacemakers  and  implantable  cardiac  defibrillators:  Soware  radio  aEacks  and   zero-­‐power  defenses  (2008)   –  Mi?ga?ng  EMI  signal  injec?on  aEacks  against  analog  sensors  (2013)   •  Barnaby  Jack   •  Hardcoded  creden?als   •  Medical  device  honeypots   •  Drug  infusion  pumps  
  • 13. Hacking  can  save  lives   Source:  h*p://www.fda.gov/MedicalDevices/Safety/AlertsandNo>ces/ucm456815.htm  
  • 14. Medical  devices  do  get  infected     Source:  h*ps://securityledger.com/wp-­‐content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-­‐0_6-­‐3-­‐2015-­‐1.pdf  
  • 15. WTF  are  you  doing  with  my  data?  
  • 16. The  stairs  that  almost  killed  me  
  • 20. Reflec?ons  on  trus?ng  machines  
  • 21. Why?   Legacy   technology   No  soware  updates   Long  life?me  of   devices   No  security   tes?ng  or   monitoring   Medical  devices  are   ”black  boxes”   Proprietary   soware   More   connec?vity   Lack  of  regula?ons   Increased  aEack   surface  
  • 22. How  to  solve  it?   Security   research   Informa?on  sharing   Third  party   collabora?on   Coordinated   disclosure   Vendor   awareness   Regula?on   Procurement   Safety  by  design   Security  tes?ng   Security   risk   monitoring   Security  updates   Incident  response   Cyber  insurance   Resilience  
  • 23.
  • 24.   What  is  the  social  contract  for  the   code  in  our  bodies?  
  • 25. Research  needed   •  Open  source  medical  devices   •  Medical  device  cryptography   •  Personal  area  network  monitoring   •  Jamming  protec?on   •  Forensics  evidence  capture  
  • 26. Credits   Tony  Naggs  (@xa329)   Gunnar  Alendal  (@gradoisageek)   Alexandre  Dulaunoy  (@adulau)   Joshua  Corman  (@joshcorman)   Claus  Cramon  Houmann  (@ClausHoumann)   ScoE  Erven  (@scoEerven)   Beau  Woods  (@beauwoods)   Suzanne  Schwartz  (US  FDA)   Family  &  Friends    
  • 27. Concinnity  Risks   Thank  you!         www.infosec.sintef.no   www.iamthecavalry.org   www.concinnity-­‐risks.com   @MarieGMoe   @blackswanburst