Understanding and Exploiting Implanted Medical Devices

Presented at Black Hat USA 2018, Aug. 9, 2018, 3:50 p.m. (50 minutes)

There has been significant attention recently surrounding the risks associated with cyber vulnerabilities in critical medical devices. Understandably, people are concerned that an attacker may exploit a vulnerability to modify the delivery of patient therapy, such as altering the dosage of medicine, delivering insulin therapy, or administering a shock via a pacemaker. These concerns raise several questions, such as: How do these devices work? What does the typical attack surface for implanted medical device look like? What do exploits against these systems look like? How do manufacturers respond to potentially life-threatening security issues? This presentation will address all these questions.

This presentation is the culmination of an 18-month independent case study in implanted medical devices. The presenters will provide detailed technical findings on remote exploitation of a pacemaker systems, pacemaker infrastructure, and a neurostimulator system. Exploitation of these vulnerabilities allow for the disruption of therapy as well as the ability to execute shocks to a patient.

The researchers followed coordinated disclosure policies in an attempt to help mitigate the security concerns. What followed was an 18-month roller coaster of unresponsiveness, technical inefficiencies and misleading reactions. The researchers will walk the audience through the details of disclosure and discuss the responses from the manufacturer and coordination associated with DHS ICS-CERT and the FDA. How did the manufacturer initially respond? What tactics did the manufacturer use to attempt to dismiss the independent researchers? Was the response by the manufacturer adequate from a patient responsibility standpoint? Has the actual technical vulnerability even been addressed?


Presenters:

  • Jonathan Butts - CEO, QED
    Dr. Jonathan Butts is the founder of QED Secure Solutions and is the Committee Chair for the IFIP Working Group on Critical Infrastructure Protection. He has served as technical director for cyber security efforts supporting Presidential-directed projects and has presented at prestigious security conferences around the world. Jonathan is a respected published author on various topics including critical infrastructure protection, malware analysis, protocol verification and operationalizing military actions in cyberspace. Jonathan has performed research and worked extensively with the Department of Defense, Department of Homeland Security, Department of Energy, National Security Agency, Central Intelligence Agency and U.S. Secret Service.
  • Billy Rios - Founder, Whitescope
    Billy Rios is the founder of Whitescope LLC, a startup focused on embedded device security. Billy is recognized as one of the world's most respected experts on emerging threats related to Industrial Control Systems (ICS), Critical Infrastructure (CI), and, medical devices. He discovered thousands of security vulnerabilities in hardware and software supporting ICS and critical infrastructure. Billy has worked at Google where he led the front-line response for externally reported security issues and incidents. Prior to Google, Billy was the Security Program Manager at Internet Explorer (Microsoft).

Links:

Similar Presentations: