
The Hacker Will See You Now

BSides SLC · 2016 · 24:08 · 229 views · Published 2016-05

About this talk
Jay Radcliffe, a type-1 diabetic and security researcher, examines the intersection of medical device security and wireless connectivity. Drawing from his research into insulin pumps and other connected medical devices, he explores the risks of deploying internet-enabled health technology without adequate security controls, and discusses how organizations can balance innovation with patient safety.
Original YouTube description
The intersection of medical technology and connectivity has opened up a whole new world of possibilities. The low cost of adding Bluetooth/ANT+/Wireless to everything from toothbrushes to hospital equipment has left us not wondering CAN we do this but SHOULD we. This talk will take an in depth look at the benefits and risks of connecting these devices from a patient and hacker perspective. Attendees will also walk away with some knowledge of how to combat the increased risks of connectivity.
Transcript [en]

[Music] ...higher performance communication resources and faster and more reliable technology. So how do we get to this place? And this is kind of the example I give you. We have a nice family here, a mom dropping off her children to go to summer camp, but what you can't see in this picture is that one of these children can't go to summer camp. One of these children has type 1 diabetes, and that means that they have a significantly changed life. They can't go without supervision, they can't go without medical supervision, because they have a lot of demands on them. So Mom doesn't feel comfortable; any parent wouldn't feel comfortable leaving their child at a camp or at a sleepover with any of those situations.

Now why is this? How is this a problem for the parent and the child? Well, type 1 diabetics have a never-ending cycle of stress. First, you're constantly having to take a child's or a type 1 diabetic's blood sugar readings. You have to poke your finger and you have to bleed and you have to go through this elaborate process. Then you have to do a bunch of math, get some syringes and some vials out and get the exact right dosage, and you have to inject yourself. I don't know about you, but I hate needles. Nobody wants to inject themselves and nobody wants to inject their kid. You also have to be precise about exactly how many carbohydrates the person is eating so you can get your math right. You know, and it's easy to look at any meal and figure out exactly, to the number, the carbs that are going to be in there, right? No problem. But then there's all the unmeasurable things that a diabetic has to deal with: is their blood sugar going up or down, how much stress have they had, how much sleep have they had? There are all these factors. God forbid if the child is going through puberty. Not only that, but there's the stress of knowing that this occurs every single time that you have to eat something, four or five times a day, every day of the week, every week of the year, every year, forever. There's no break, and that stress adds up.

But we have technology. Technology will come and cure all this. There's insulin pumps. People know diabetics have insulin pumps, and they're smart, right? Because computers are smart, we can figure all this out with a computer, and we all trust computers. They're great. They can keep track of how much insulin a person had earlier, things that little children can't remember or grandmothers can't remember or, heck, anybody can remember, right? It can track what their blood sugars are. It can do a lot of really super smart things. The future of that is coming with connecting pieces together. There is an artificial pancreas project which will join two pieces of technology: one piece of technology being the insulin pump, which will act like a pancreas, the other piece of technology acting as checking blood sugar, and they transmit wirelessly, magically, and they'll talk to each other and you can eliminate the human out of making the decision. Doesn't that sound safe? We'll have computers making decisions about this medicine without the input of patients. What a glorious life it'll be. It'll be relaxing. We can send all the kids to camp and parents of diabetic kids can get that well-deserved time off, right? Kids can have cupcakes and sleepovers and you won't have to worry about it.

Or can they? Right, look at how other things have gone when we've computerized them. Right, it's a great idea 15, 20 years ago: we'll do all of our shopping online, that'll be safe, and we'll do all of our banking online too. And that hasn't worked out so great, right? We see it in the newspaper all the time. As security professionals, we know how that goes: there's fraud, there's computer crime, credit card numbers getting stolen. We can't secure a $5 credit card transaction. What makes me think we can secure medical decisions or wireless communication between these devices when I can't do something really simple? It's pretty scary.

Now a lot of this technology is being tied into cell phones. Your iPhone is going to be your primary platform, or your Android device, and that's going to connect your child, your person, your health specimen to the internet, to the doctor, to the rest of the world, to the cloud. How great do our cell phones work? I mean, we've never dropped calls, that's never happened. We've never had to reboot our phone. Are we going to put that technology and trust with our children? How about for restarting our heart? Oh, I've got to restart my phone before I can restart my heart, just give me one minute, and I've got to put my passcode in. Not so sure that's going to be good.

But then there's bad guys. There's two threats here, right? There's inadvertent bad guys, right? We have malware on iPhones that could impact the way medical software works, the way the communication with medical devices works. But we also have Hollywood hackers, right? The ones that are going to go after a patient, that are going to do what Homeland did, where we can break into a pacemaker or an insulin pump and kill somebody. Pretty far-fetched, but technically possible. But as we all know, there isn't just one kind of hacker. There's good hackers and bad hackers, and I talk about this with my kids all the time. I've got a 10-year-old, a six-year-old and a four-year-old, and they say, Dad, what do you do for a living? I say, well, I kind of break into things and help people so that way they don't have their stuff broken into for real. They're like, can you break into stuff for me and get stuff, like toys? I was like, no, because with great power comes great responsibility. As people, as security professionals, we have the ability to go and steal credit card numbers and to do really bad things on computer networks, but we choose not to. We choose to help people and to make those environments safer.

But how did we get here? How do you get to that place? And just a half hour ago I was sitting in the chill-out room and somebody sat down next to me and that kind of came up, and he was like, so how do you hack? How do you learn how to hack? Which is a great question, and I've been asked that question numerous times by people interested in the security community: I want to hack, I want to do what you do. Well, I'll tell you how I got started, and my dad loves to tell this story. I was three years old, and he said I figured out how a screwdriver worked and I went around the house and I took every doorknob off every door, because I wanted to figure out how it worked, and I would take them apart and I would look and I would figure out, okay, if this twists like this, then it goes like that, okay, great. I never put any of them back, but I took all the doorknobs apart to figure out their workings, and pretty much that's what I've been doing ever since. I just love to take things apart. I want to know how something works, and that's kind of what's fun about hacking. Hacking isn't computers; hacking is kind of a way of thinking about things, learning about how something works and then saying, oh, you know, if I change this to that, it'll do something completely different. And it doesn't matter if it's a computer program, a web service, a paperclip, a doorknob; all of those things can be modified, can be twisted to do something they weren't originally designed to do. And I've kind of been doing that for fun for my entire life, whether it's computers, ham radio stuff, electronics, hardware.

And it kind of led me to a place in 2011. As a type 1 diabetic I had access to an insulin pump, and I got elbowed by a friend of mine at DEF CON, and he was like, hey, you should take apart your insulin pump and figure out how it works and hack into it. And I kind of laughed, I said, sure, I should. And I thought about it and I was like, well, it has a radio, it's got some wireless interfaces, I wonder if there's super awesome encryption, I wonder if it's really safe. And what I found was really scary. I found that there really wasn't much security. I was able to write a program to remotely turn off the insulin pump. I was able to write a program to remotely change all the therapy settings on an insulin pump without the user's permission. So I went to go give a little talk about it at Black Hat, and it turned out to be a lot bigger than I thought it would be. And since then I've kind of been thrust into an area of talking about medical devices, because as a patient I understand what it is to wear one of those medical devices and be dependent upon it, but as a security person I also understand the risks involved.

In the past 5 years I've gone out and bought hundreds of medical devices from all kinds of strange places in order to take them apart and figure out how they work. Some of them I get on eBay, like kidney dialysis machines. You didn't know you could buy one of those and get them delivered to your house, but you can. Craigslist is another good place, kind of a gray market area of like, what can you get there? One of my favorite stories to tell, though, is about coroners' offices. You know, if you have a pacemaker and you die, they have to take it out of you. You can't just throw those lithium batteries and medical devices away. What happens to those? Yeah, there's a drawer or a box or a bag somewhere in the coroner's or a medical examiner's office that has all these medical devices in them, and they still work. And if you know the right people and you ask the right questions in the right way, you might be able to get your hands on some to be able to do research. Now, after you get the creepy feeling off, right, because it's really kind of Frankenstein-like to be like, hey, you got any corpses with pacemakers back there? I'm doing a project. You know, you really kind of have to. It's hard to get these devices to do research, and it's one of the reasons that medical device research is slowing down. It's easy to get access to a web server, it's easy to get access to software, but where do you go to get an MRI machine? Where do you go to get these big pieces of equipment that you really don't have access to, to test them? But people are really dependent upon them for life.

One of the touching stories that I have recently is from Craigslist. This woman up here: I found an ad for an insulin pump that was for sale. A guy was selling it for, I don't even remember how much, but I ended up talking to him. I said, I'll buy it, and he was, well, you know, my wife was using it and she passed away, and she was only 44 years old, and you know, I'm selling it because I need to get money to pay for these medical bills. And I was like, oh. And he was like, what are you going to do with it? And I said, well, I'm going to use it for some security research, and I kind of talked about a little bit what I was doing with it, and it has a wireless interface, and you know, trying to make insulin pumps a little bit safer. And he was like, I want to give this to you. I don't want to take any money. Because his wife was a social worker, and she spent her entire life helping people, helping people who didn't have any representation, who weren't getting help through the normal means, and she would be so honored to have somebody take this device that's not being used anymore and have it looked at to help other people and to make other people safer. And it made me realize this is the reason that we do this. This is the reason I choose to do computer security research on medical devices: because behind every one of these devices is a person. It's a person depending upon that device to stay alive, and that makes a big difference. Now, ultimately I forced him to take the money, because I have a research budget. But it does kind of speak to what are we doing with technology? Why are we putting it in places where maybe it might not be a good fit, but maybe it is a good fit?

What I see coming in the future is really exciting. As a patient with type 1 diabetes I see some really cool stuff. I see some stuff in FDA trials that would make my life a lot easier, but I also see it going really, really fast. We could just buy a Bluetooth chip, throw it in there, it'll be fine. Yeah, sure it will. And we're going so fast with what we can do with computers that we're not thinking about the consequences. We're not thinking about the guard rails or what's coming around the next curve. I get asked a lot by companies, what do we do about that? How do we implement this awesome computing power that can change people's lives in a way that's safe? Because we don't want to just say, well, forget about it, computers are never going to be safe, we won't use them.

Because we're going to... well, in every company we have people that do certain jobs. We have doctors, we have CEOs, we have lawyers, we have computer programmers, and they do their jobs, and if everybody does their job right, the company's super successful, it's profitable, whatever the company makes, they sell a lot of, works out great. But what if you mix these up? What if you have the doctor try and do the accounting? What if you have the lawyer do the programming? Right, everybody's got a certain job to do, and what I'm finding more and more is when we integrate technology into medical devices, or any of the internet of things kind of genre, that there isn't anybody looking at security. Security is assigned to somebody with hopes that it'll get taken care of. So many organizations I go into that are medical-centric have an IT team with nobody in security. Somebody gets assigned to be their HIPAA security officer, and they're like, yeah, I don't... no, I pray is what I do. So how can we expect them to be secure, or to securely implement this type of technology for people? Security specialists are... so, you know, I tell these companies to go out and get somebody that's going to help them in their area of specialty, whether it's making medical devices, implementing medical devices, or internet-enabled toasters, whatever it may be.

But it's not that simple. You have to find somebody that's technically credible, right? You can't just go get somebody that knows web services really well and have them start securing a Bluetooth connection. We all know that security is way too broad of a topic. There are areas that you're good at and there's areas that you don't know that much about, so you have to find a good match there. You have to also understand all aspects of the business. You can't go into an organization and say, well, I know that this home router costs $20, but we need to put ultra super encryption in it and we're going to have to spend $100,000 to secure it. From a business perspective that doesn't make any sense. You can't make those decisions and be successful. You can't have super security all the time. More importantly, balancing risk versus practicality is something that the medical industry faces all the time. I look at little kids that have insulin pumps, and they're like, well, you should just put a passcode on the insulin pump. Sure, let me explain to the four-year-old that they need to pick an 8 to 16 character passcode, and they can't have two consecutive characters, when they can't spell. Not only that, in an emergency situation, how would that child be able to communicate that with the caregiver? They wouldn't.

I go into hospitals. One of the first times I went into a hospital, I went to the emergency room as a consultant, and I saw a big magnet, and I was like, what's the magnet for? And they were like, oh, if you have a patient with a pacemaker, if you put the magnet over their heart it'll turn the pacemaker off. There's a magnetic switch in there so that way they can turn that off in the case of an emergency. And I was like, that's brilliant: short range, but also you need the ability to turn things off. You need the ability to save the patient's life. You have to keep that in mind when securing these medical devices. If you put super encryption on there and hide the keys really well and do all the things that we've been trained to do as security professionals, are we putting a person's life at risk? We have to balance that risk versus practicality.

Most importantly, what I'm seeing now is that you need a security specialist that's going to go to battle with you, not just in the design process but for the entire life cycle of the device. Last month the FDA submitted, or published, some guidance on post-approval cybersecurity, and what that means is, what do you do with devices that are already out on the market? Patching. Vendors are having a really hard time with this, because they go through the FDA approval process and then they're like, that device has gone, I don't have to worry about it ever again. But we all know that's not true. These devices need patching. They have vulnerabilities that are going to be found. How do you do that? I see a lot of... the hosp case that happened last year, it took them over a year to respond to a vulnerability that was reported, because they just had no plan. They had no ability to patch things, and a lot of medical devices out in the field are the same way.

So what does the future hold? You know, I did an interview last month that kind of talked about CryptoLocker, and the whole CryptoLocker story that happened in Hollywood, which I don't think would have really been a story if somebody made up the number of $3.4 million being held ransom. Ultimately it was $177,000. But we see this all the time: companies getting their files locked up and encrypted, then they have to pay a ransom for it to work. What about the dangerous consequence of, your medical device is now encrypted, you need to pay this ransom, otherwise I'm not going to turn it back on? I think that that's a possibility, especially with connected devices, and it's a scary consequence too, because that person pretty much has to pay. There is no backup file for that.

It's not all bad news, though. Good guys are trying, and they're trying hard. The FDA has been issuing cybersecurity guidance, and the real question that comes to the FDA is: the FDA is responsible for approving medicine for people to use safely. They're not computer scientists, they're not security engineers. So they're a group of people that have lab coats and chemistry degrees. They don't necessarily have the skill to be able to make decisions like that, but more vexing is, do they have the permission to? The FDA can't just go and do whatever they want. They are told by Congress what their powers are, so they give guidance, not regulation, because they're not certain if they have the ability to regulate software on medical devices. It's kind of up in the air, and I'm sure that all of you kind of know how great our political system is going right now, so I don't think there's going to be any clarification from Congress anytime soon over how we can regulate those areas. So it's really kind of up to the companies, as well as up to the FDA giving these guidance recommendations. There's also a lot of grassroots movements. I Am The Cavalry came out with the Hippocratic Oath for connected medical devices, talking about how to make these devices safer. People in our community are reaching out, talking to Congress, talking to legislators, trying to make things safer, doing more research together to collaborate and make these devices safe to use.

That brings us back to the family. Is this mom going to be able to drop off her type 1 diabetic anytime soon? I don't know. You know, as a diabetic... thankfully none of my children are diabetic, but I'm not sure if I would trust them, or trust the device, to make decisions on behalf of them. But maybe that's just me being a parent. But as we go forward, as we use this technology and develop it, I think that there's some really exciting things that can happen, and we can really change people's lives. I would hate to think of my children not being able to have random cupcakes, or having sleepovers at somebody's house, or not going to summer camp. So I keep working, and I think all of us as a security community keep working to try and make that possible and try and make those dreams come true. Thank you very much. I hope you enjoyed the talk. If you have any questions you can see me, or you can email me, or yell at me. Thank you very much.