The Harsh Reality of Slow Movers
The Security of Things Forum
Medical device security and cyber risk: a presentation by Ben Ransford, CTO of Virta Labs
The Harsh Reality of Slow Movers (slide transcript)

1. Not So Fast! The Harsh Reality of Slow Movers
Ben Ransford, Ph.D., Virta Laboratories, Inc., ben@virtalabs.com
@secthings 2015

2. Not So Fast! @secthings 2015 © ben@virtalabs.com
“Those who cannot remember the past are condemned to repeat it.” –George Santayana, The Life of Reason vol. 1

3. Outline
• Medical-device security: a cautionary tale
• Lessons for IoT
• Outside-the-box anomaly/malware detection

4. Amazing devices!
1957. Photos: Medtronic, Computer History Museum

5. Amazing devices!
Therac-25 (ca. 1980s). Photo: SIUE

6. Amazing devices!
External Defibrillator (1985–). Slide background: page from Hanna et al.; readable figure caption: “Fig. 1. The Cardiac Science G3 Plus exploited to install our custom firmware. The AED displays DEVICE COMPROMISED.” Photo: Steve Hanna et al., “Take Two Software Updates and See Me in the Morning…”, USENIX HealthTech 2011

7. Amazing devices!
Patient monitor, infusion pump, insulin pump. Photos: Philips, Hospira, The Register/Medtronic

8. Amazing devices!
2003 pacemaker; 2013 pacemaker prototype. Photos: Ben Ransford; Medtronic

9. What Could Go Wrong?
• Increasing software dependence
• Increasing software complexity
• Deeper integration with medical records, hospital IT, patients’ homes & bodies
• 1980s: 6% of recalls due to software*
• 2005–9: 18% of recalls due to software*
* Hanna et al., HealthTech 2011

10. Amazing harmful devices!
Therac-25 (ca. 1980s, recalled 1987). Photo: SIUE

11. Amazing open devices!
External Defibrillator (1985–). Slide background: pages from Hanna et al.; readable figure captions: “Fig. 1. The Cardiac Science G3 Plus exploited to install our custom firmware. The AED displays DEVICE COMPROMISED.” and “Fig. 2. AEDUpdate buffer overflow. Executed code includes a message box showing the potential flow of the vulnerability from the AED (if the firmware were replaced) to the software.” (the paper notes that the return address is not checked, which allows program flow to be redirected into arbitrary code). Photos: Hanna et al., “Take Two Software Updates and See Me in the Morning…”, USENIX HealthTech 2011

12. 2008: 😺⇠👜
• Academic study of an implantable defibrillator (IEEE S&P ‘08)
• Focused security community on medical devices… oopsie!
Photos: Medtronic, Ben Ransford

13.
• No authentication
• No encryption
• Unauthorized shocks
Photos: Ben Ransford

14. 2009–2011
• Insulin pump & defibrillator hacks (Barnaby Jack, J. Radcliffe, others)
• No authentication
• Unauthorized bolus
Photo: The Register/Medtronic

15. 2013
Wall Street Journal, June 2013, on a catheterization lab shut down by malware: “...records show that malware had infected computer equipment needed for procedures to open blocked arteries after heart attacks.”

16. 2013
• Pharmaceutical compounder (HealthTech ’13)
• Must be on network, patching forbidden
Photo: Ben Ransford

17.
Major hospitals say: 3–5 years: >90% of medical devices will be on the network
Photo: Ohemaa's MD

18. Lessons for IoT!

19. A RECIPE FOR SUCCESS

20. Don’t Patch the OS
• Microsoft has figured out Windows security by now
• The Linux kernel is perfect, always works
• “Alternative” OSes won’t be targeted

21. Don’t Patch Libraries
• You wrote all of the device’s code & libraries
• No need to update OpenSSL, PHP, Apache, etc.

22. Use Default Secrets
• Use default passwords whenever possible
• Make passwords difficult to change
• Ship master keys w/ devices
• Hard-code credentials

23. Be Very Liberal in What You Accept
• Download software via insecure channels
• Don’t cryptographically sign software
• It’s probably fine
• Who would tamper with firmware?
• Anyway tampering is illegal
Slide background: excerpt from Hanna et al., “Take Two Software Updates and See Me in the Morning…”, USENIX HealthTech 2011, Section II, Automated External Defibrillator (AED) Overview: “In this section, we introduce automated external defibrillators and discuss why they represent a quintessential software-based medical device to investigate security. The term defibrillator refers to a broad class of devices that use large electrical shocks to treat cardiac arrhythmias that might otherwise lead to a fatal outcome. Defibrillators are divided into two types: implantable or external. While both types of defibrillators treat cardiac arrhythmias, the devices are radically different in design and purpose. One could draw the following analogy: implanted defibrillators are to mobile phones as external defibrillators are to public phone call boxes. The former are prescribed and tuned to a particular person whereas the latter are available for general use when you can find one. There are two further classifications of external defibrillators: manual or automated. Trained health care professionals may use manual external defibrillators to treat a wide range of arrhythmias. Our work analyzes the second class: automated external defibrillators (AEDs) that a person with limited medical training may use to treat a more limited (but common) number of cardiac arrhythmias such as ventricular fibrillation.”

24. Obscurity == Security
• Nobody will scan your devices
• Nobody will obtain your firmware via JTAG
• Compilation is the same as encryption
• Leave a network port open for “debugging”
Photo: Dotmed
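The anti-patterns on slides 21 to 24 (unsigned updates pulled over insecure channels, shipped master keys, hard-coded credentials) have a direct defensive counterpart: the device carries only the vendor's public key and refuses any image that is unsigned, altered, or older than what is already installed. The Go program below is an added example, not Virta Labs' code or any vendor's update mechanism; the package layout, the functions NewVendorKeypair, SignImage, AcceptAnything and VerifyUpdate, and the constructed payloads are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is this example's constructed update-package layout: a version
// that only ever increases, the raw image bytes, and an Ed25519 signature over
// (version || payload) produced with the vendor's offline private key.
type FirmwareImage struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signedBytes is the exact byte string that is signed and later verified;
// binding the version into it stops an old image being re-labelled as new.
func signedBytes(v uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, v)
	return append(buf, payload...)
}

// NewVendorKeypair generates the vendor's signing keypair (done once, offline).
// Only the public half is built into the device.
func NewVendorKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is what the vendor's build system does; the private key never
// ships with the device (contrast with "ship master keys w/ devices").
func SignImage(priv ed25519.PrivateKey, v uint32, payload []byte) FirmwareImage {
	return FirmwareImage{Version: v, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(v, payload))}
}

// AcceptAnything mirrors the slide's anti-pattern: whatever arrives is
// installed, so anyone on the download path can replace the firmware.
func AcceptAnything(img FirmwareImage, installed uint32) (uint32, error) {
	return img.Version, nil
}

// VerifyUpdate is the hardened check: the image must carry a valid signature
// from the pinned vendor key and must not roll the device back to an older
// (possibly vulnerable) version. It returns the version now installed.
func VerifyUpdate(vendorPub ed25519.PublicKey, img FirmwareImage, installed uint32) (uint32, error) {
	if len(img.Sig) != ed25519.SignatureSize {
		return installed, errors.New("malformed signature: image rejected")
	}
	if !ed25519.Verify(vendorPub, signedBytes(img.Version, img.Payload), img.Sig) {
		return installed, errors.New("signature check failed: image rejected")
	}
	if img.Version <= installed {
		return installed, fmt.Errorf("rollback refused: version %d <= installed %d", img.Version, installed)
	}
	return img.Version, nil
}

func main() {
	pub, priv := NewVendorKeypair()
	genuine := SignImage(priv, 2, []byte("constructed firmware v2"))
	tampered := genuine
	tampered.Payload = []byte("constructed firmware v2 + implant") // altered in transit
	for _, img := range []FirmwareImage{genuine, tampered} {
		v, err := VerifyUpdate(pub, img, 1)
		fmt.Printf("installed=%d err=%v\n", v, err)
	}
}
```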
25. VOILÀ!

26. Deep Integration → Fixity
• Once something works, don’t want to touch it
• Sometimes replacement is really hard
• Environment changes → threats change too
Major surgery, ~10yr battery. Photo: Ben Ransford

27. IoT and Slow Movers
• You want integration + customer dependence?
• All bets are off once a Thing is deployed
• Customers will depend on your old/stale code
• Customers will depend on your old URLs
• You think you know how customers will use your product, but you don’t
• Optimize products & processes for patchability

28. The Mess We’re In
• Major healthcare breaches afoot (Anthem: 80M!)
• Attackers roost on systems that won’t get patched (TrapX “Medjack” report)
• Backward thinking about patching
• Perimeter security is not a solution
• “Endpoint security” vendors ignore medical devices (as they ignore Things)

29. (image only)

30. Outside the Box
• Nonintrusive monitoring
• No software installation
• Devices stay in service
• Use the power side channel to infer tasks, detect unusual behavior incl. malware
(In beta!) Photo: Ben Ransford/Virta Labs

31. (image only) Photo: Atomic Toasters

32. (image only)

33. Current Consumption Varies
• Today’s CPUs and software are careful to use power management!
• Modern systems exhibit high dynamic range
• Workloads ➞ patterns of high/low
• CPU busy ➞ more current
• Peripherals busy ➞ more current
• Idle time ➞ less current
Image: Apple

34. Learning from Analog Data
• Collect data during representative activity
• Constantly collect power signals
• Featurize signals, feed features to machine learning
• Feed analysis results back to customers
• Crowdsource problems across customers

35. Q’s We Can A
• What state is the device in? Have we seen this state before?
• Does the device have certain kinds of malware?
• How fast is it doing its work?
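Slides 33 to 35 give the pipeline in words: record current draw during representative activity, featurize it, learn what normal looks like, then ask whether a new window is a state seen before. The Go program below is an added example of that pipeline, not Virta Labs' product or its real feature set; the four features, the z-score rule with its 5% floor, the 300 mA busy threshold and the synthetic current traces from SynthWindow are all constructed for this example.

```go
package main

import (
	"fmt"
	"math"
)

// Features of one current-sample window (mA): mean, std, busy fraction, idle<->busy toggles.
type Features [4]float64

// Featurize turns raw samples into Features; "busy" means above busyThr.
func Featurize(w []float64, busyThr float64) Features {
	n := float64(len(w))
	var sum, sq, busy, toggles float64
	prev := w[0] > busyThr
	for _, x := range w {
		sum, sq = sum+x, sq+x*x
		b := x > busyThr
		if b {
			busy++
		}
		if b != prev { // workload switched between idle and busy
			toggles, prev = toggles+1, b
		}
	}
	mean := sum / n
	return Features{mean, math.Sqrt(math.Max(sq/n-mean*mean, 0)), busy / n, toggles}
}

// Baseline is the per-feature mean and spread seen during representative activity.
type Baseline struct{ Mean, Std Features }

// Learn builds the Baseline from windows recorded while the device did its normal job.
func Learn(windows [][]float64, busyThr float64) Baseline {
	var b Baseline
	var sq Features
	n := float64(len(windows))
	for _, w := range windows {
		f := Featurize(w, busyThr)
		for j := range f {
			b.Mean[j] += f[j] / n
			sq[j] += f[j] * f[j] / n
		}
	}
	for j := range b.Std {
		b.Std[j] = math.Sqrt(math.Max(sq[j]-b.Mean[j]*b.Mean[j], 0))
	}
	return b
}

// Score is the largest per-feature z-score of a new window against the baseline; the
// spread is floored at 5% of the mean so a constant feature ignores jitter. >~3 = unseen state.
func Score(b Baseline, w []float64, busyThr float64) float64 {
	f := Featurize(w, busyThr)
	worst := 0.0
	for j := range f {
		spread := math.Max(b.Std[j], 0.05*math.Abs(b.Mean[j])+1e-9)
		if z := math.Abs(f[j]-b.Mean[j]) / spread; z > worst {
			worst = z
		}
	}
	return worst
}

// SynthWindow fabricates 200 constructed samples: ~480 mA bursts / ~120 mA idle on a 20-sample
// period at the given duty cycle, +/-10 mA LCG jitter (deterministic). duty=1.0 never idles.
func SynthWindow(duty float64, seed uint32) []float64 {
	w := make([]float64, 200)
	busyLen := int(math.Round(duty * 20))
	for i := range w {
		seed = seed*1664525 + 1013904223
		level := 120.0
		if i%20 < busyLen {
			level = 480
		}
		w[i] = level + float64(seed>>24)/255*20 - 10
	}
	return w
}

func main() {
	b := Learn([][]float64{SynthWindow(0.2, 1), SynthWindow(0.3, 2), SynthWindow(0.4, 3), SynthWindow(0.5, 4), SynthWindow(0.6, 5)}, 300)
	fmt.Printf("normal %.2f  pegged %.2f\n", Score(b, SynthWindow(0.4, 99), 300), Score(b, SynthWindow(1.0, 7), 300))
}
```

The pegged window (a CPU that never idles) scores far above 3 because it has no idle/busy toggles and a busy fraction of 1.0, both outside anything in the baseline, while a fresh normal window with a different jitter seed scores below 1.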
36. (screenshot text: VIRTA LABORATORIES / UNKNOWN MALWARE)

37. Takeaways
• For IoT manufacturers: Recognize security debt, plan for long lifecycle
• For users: Insist on coherent patching strategies that have a time dimension
• For security researchers: Roll up sleeves
Twitter: @virtalabs / @br_
Beta program: https://www.virtalabs.com/