Living with a vulnerable implanted device · Unpatchable Living with a vulnerable implanted device...
Unpatchable Living with a vulnerable implanted device
@MarieGMoe @SINTEF_Infosec
Marie Moe, PhD, Research Scientist at SINTEF
Hack to save lives!
How the heart works
https://www.youtube.com/watch?v=d6RbN5lPqIU
Electrical system of the heart
Pacemaker
https://www.youtube.com/watch?v=-f2FKmMneXY
Leadless pacemaker
The future?
The Internet of Medical “Things” is real, and my heart is wired into it…
Pacemaker/ICD
Programmer
Home monitoring unit
Cellular or Telephone Network
Web portal
Inductive near field communication
MICS/ISM
POTS/SMS
Remote monitoring
With connectivity comes vulnerability…
Potential threats
Device is vulnerable?
Access point is vulnerable?
Mobile network is compromised?
Server at vendor is compromised?
Website that doctor logs into is vulnerable?
Personal Infrastructure
Your reliance on an infrastructure is inversely proportional to how invisible it is to you.
We all rely on oxygen, our lungs, and our hearts, but how often do we think about them?
How often do we do maintenance or debug them?
“Tech is not neutral nor value-free.”
Ben Zevenbergen, Troopers16
The stairs that almost killed me
Debugging me
“We need to be able to verify the software that controls our lives”
Bruce Schneier on “Volkswagen and Cheating Software”
Reflections on trusting machines
When trust is broken
http://www.startribune.com/guidant-to-pay-a-fine-of-296m/113367264/
Previous work
• Kevin Fu et al:
– Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses (2008)
– Mitigating EMI signal injection attacks against analog sensors (2013)
• Barnaby Jack
• Hardcoded credentials
• Medical device honeypots
• Drug infusion pumps
Hacking can save lives!
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
WTF are you doing with my data?
Research needed
• Open source medical devices
• Medical device cryptography
• Personal area network monitoring
• Jamming protection
• Forensics evidence capture
The benefit outweighs the risk
Credits
Éireann Leverett (@blackswanburst)
Tony Naggs (@xa329)
Gunnar Alendal (@gradoisageek)
Hugo Campos (@HugoOC)
Scott Erven (@scotterven)
Alexandre Dulaunoy (@adulau)
Claus Cramon Houmann (@ClausHoumann)
Joshua Corman (@joshcorman)
Beau Woods (@beauwoods)
Suzanne Schwartz (US FDA)
Family & Friends
Thank you!
marie.moe@sintef.no
www.infosec.sintef.no
www.iamthecavalry.org
@MarieGMoe @SINTEF_Infosec