Unpatchable: Living with a vulnerable implanted device

Presented at 32C3 (2015), Dec. 28, 2015, 11 p.m. (60 minutes).

Gradually we are all becoming more and more dependent on machines, we will be able to live longer with an increased quality of life due to machines integrated into our body. However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device can have fatal consequences. This talk is about Marie's personal experience with being the host of a vulnerable medical implant, and how this has forced her to become a human part of the "Internet-of-Things".

Marie's life depends on the functioning of a medical device, a pacemaker that generates each and every beat of her heart. This computer inside of her may fail due to hardware and software issues, due to misconfigurations or network-connectivity.

Yes, you read that correctly. The pacemaker has a wireless interface for remote monitoring forcing the patient to become a human part of the Internet-of-Things. As a security-professional Marie is worried about her heart's attack surface. How can she trust the machine inside her body, when it is running on proprietary code and there is no transparency? This is why she went shopping on eBay to acquire medical devices that can communicate with her pacemaker, and started a hacking project together with her friend Éireann.

This talk will be focused on the problem that we have these life critical devices with vulnerabilities that can't easily be patched without performing surgery on patients, Marie's personal experience with being the host of such a device, and how the hacker community can proceed to work with the vendors to secure the devices.


Presenters:

  • Marie Moe
    Marie Moe is passionate about incident handling and information sharing, she cares about public safety and securing systems that may impact human lives, this is why she has joined the grassroots organisation “I Am The Cavalry". Marie is a research scientist at SINTEF ICT, and has a Ph. D. in information security. She has experience as a team leader at NorCERT, the Norwegian national CERT. Marie also teaches a class on incident management and contingency planning at Gjøvik University College in Norway. Marie loves to break crypto protocols, but gets angry when its in her own body.
  • Éireann Leverett as Eireann Leverett
    Eireann hates writing bios in the third person. He once placed second in an Eireann Leverett impersonation contest. He is sometimes jealous of his own moustache for being more famous than he is. Eireann Leverett has founded a new company to explore the benefits, costs, and potential problems of cyber insurance. He continues to study the boundaries between technology and economics. He is back at CCC this year to assist Dr Marie Moe in a presentation on medical devices and their privacy, security, and safety. He is an advisor to ENISA, a member of a few programming committees, and graduate of Cambridge university. He has worked as a developer, quality assurance analyst, penetration tester, researcher, and catastronomics quant. You should of course ignore all this, and just judge the talk as one talk. His work can primarily be summed up with this single phrase: Own your own critical national infrastructure today!

Links:

Similar Presentations: