Unpatchable - 2018.hack.lu … · SINTEF ICT Unpatchable: …
SINTEF ICT
Unpatchable: Living with a vulnerable implanted device
@MarieGMoe @iamthecavalry #safersoonertogether
Marie Moe, PhD, Research Scientist at SINTEF
Safer|Sooner|Together
Lorenzo Franceschi-Bicchierai, Vice Motherboard
Sometimes, hackers make the worst patients…
The stairs that almost killed me
How the heart works
https://www.youtube.com/watch?v=d6RbN5lPqIU
Electrical system of the heart
Pacemaker
https://www.youtube.com/watch?v=-f2FKmMneXY
Leadless pacemaker
The future?
Trusting machines
The Internet of Medical ”Things” is real,
and my heart is wired into it…
Remote monitoring
Potential threats
Device is vulnerable?
Access point is vulnerable?
Mobile network is compromised?
Server at vendor is compromised?
Web site that doctor logs in to is vulnerable?
”We need to be able to verify the software that controls our lives”
Bruce Schneier on “Volkswagen and Cheating Software”
Pacemakers are vulnerable
Source: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, May 2008.
Source: http://www.vice.com/en_uk/read/i-worked-out-how-to-remotely-weaponise-a-pacemaker
Source: http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
Source: http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
Medical devices do get infected
Source: https://securityledger.com/wp-content/uploads/2015/06/AOA_MEDJACK_LAYOUT_6-0_6-3-2015-1.pdf
Default or hard-coded passwords
Source: http://www.pcworld.com/article/2987813/thousands-of-medical-devices-are-vulnerable-to-hacking-security-researchers-say.html
Malicious software updates
Source: Dr. Kevin Fu: "On the Technical Debt of Medical Device Security", http://www.naefrontiers.org/File.aspx?id=50750
Cloud safety?
https://t.co/XndBSPbAta
Potential impact
Patient privacy issues
Battery exhaustion
Device malfunction
Death threats and extortion
Remote assassination scenario…
Why?
Legacy technology
No software updates
Long lifetime of devices
No security testing or monitoring
Medical devices are ”black boxes”
Proprietary software
More connectivity
Lack of regulations
Increased attack surface
“Malicious intent is not a prerequisite to patient safety issues”
Scott Erven, Security Researcher at Protiviti
How to solve it?
Security research
Information sharing
Third party collaboration
Coordinated disclosure
Vendor awareness
Regulation
Procurement
Safety by design
Security testing
Security risk monitoring
Security updates
Incident response
Cyber insurance
Resilience
The Cavalry isn’t coming… It falls to us
Problem Statement
Our society is adopting connected technology faster than we are able to secure it.
Mission Statement
To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass roots initiative
What: Long-term vision for cyber safety
Medical
Automotive
Connected Home
Public Infrastructure
https://iamthecavalry.org @iamthecavalry
“There will be bugs”
Joshua Corman of I am The Cavalry
Debugging me
You can’t patch me!
The benefit outweighs the risk
Credits
Alexandre Dulaunoy (@adulau)
Éireann Leverett (@blackswanburst)
Joshua Corman (@joshcorman)
Claus Cramon Houmann (@ClausHoumann)
Scott Erven (@scotterven)
Beau Woods (@beauwoods)
Suzanne Schwartz (US FDA)
Family & Friends
SINTEF ICT
Thank you!
[email protected] https://www.iamthecavalry.org
@MarieGMoe @iamthecavalry #safersoonertogether