
Hello. Okay, so he kind of used my real name, which is generally just V. My mom calls me Veronica, so if you come talk to me, just call me V; it's easier that way. So, like he said, some of us don't get to be left alone in a cardiologist's office anymore. I did three years ago when I came to Norway the first time; I don't anymore. I think it's because they Googled me. So we're very excited to come present some of the research we've been doing at Noroff University College. Some might say it's a bit of an unhealthy obsession that I might have. Well, let's introduce ourselves. So I'm V, I'm an assistant professor. How do I get time off of work? I bring my boss with me. I mean, I am a PhD student, currently actually studying how to build robust logging for forensics and incident response on medical devices. It's a dirty job; someone's got to do it. I'm also involved with DEF CON and the Biohacking Village and a lot of other things that don't really matter, but I'm also a cyborg. It's probably the thing that I'm the most proud about: I have my own walking, talking ecosystem.

Good afternoon. I'm Emlyn Butterfield, I'm head of computing for Noroff University College and programme lead for our digital forensics bachelor programme. Both Veronica and I come with industry experience working with law enforcement across the globe, and really what we have is a passion to try and find out what evidence we can get back from any devices we look at, from the entire ecosystem: not just from a computer, not just from a mobile phone, but from absolutely anything. And that's where this kind of talk stems from, I think.

I still remember the first time that I asked the question of my cardiologist: do we use pacemakers and defibrillators to determine time of death? Firstly he looked at me strangely, because I'm asking questions about determining death and asking super technical questions, only to be told, "No, we do liver temp," which I thought was very silly at the time, because we have something connected to a person, yet we use liver temp that is accurate to a ballpark.

So what can you expect? I hate to disappoint you: we do not have the tech and the equipment that the public sector has. I'm on a budget; Em doesn't want to give me lots of money. So no, we do not have the technology. The fanciest thing you're going to see is some AI-generated art. But we would love access to all of that information and those systems that were in the keynote this morning. But I think a lot of what we've done at the minute is very much not on a budget, yet it's completely achievable by anyone. You'll see as we talk that actually it's specialised, but at the same time it's not specialised.

So let's manage expectations right now, right? I'm probably not going to show you something that's going to blow your mind. I wasn't surprised as you were, but we have yet to share some of our research. So what are we actually going to be talking about? If you've Googled me and seen some of my talks, you know I have a soapbox. I need one because I'm short. But there is a difference between a medical device and a clinical device. We are not talking about the desktop and laptop equipment attached to medical devices that connects into the EHR; that's not what we're talking about today. The devices that we refer to are the ones that are classified under the EU MDR and IVDR. What is that? It's a long, boring document that manufacturers have to follow, but it does define what a medical device is. Now, some of the things we've looked at: a patient monitor. Every hospital has them; if you've ever been a patient, you've been hooked up to one. We're going to look at infusion pumps. Some of the devices we've actually forensically looked at: CPAP machines, pacemakers and ICDs (buy me a coffee and I'll tell you why), cardiac programmers (very proud, I now own three of them; how? Well, that's my secret). But there's a whole host. Can we show you every single one? No, I'd probably take up your whole day, but we are going to try and cover some of them.

I think the key thing for me was I never thought about medical devices until Veronica came, and she'll explain why, and the kind of forensic significance that they might have, but also just the security implications of such devices and the kind of vulnerabilities that might exist and how they could be exploited. And the more you dig, the more you find, and the more you find, the more you want to dig, to the point that, as Veronica says, she owns far too many devices now, and each and every one of them has potential from both forensic and security perspectives.

I mean, by a show of hands, and I won't judge, who has looked at medical devices in terms of vulnerabilities? I see some hands; I'm not the only weird one. Welcome to my club. It's the coy hands that come up that suggest that maybe we shouldn't be looking at them. Well, we made friends with the public sector, just in case I get arrested for what I have, so now we're friends.

But what is medical device forensics? And yes, I had to bring in some memes, because why not? Any good presentation has them. But medical devices seem like something that's foreign, sexy, new, high-tech, but it really isn't. But before I dive into the forensics of it, and the incident response of it potentially, and what it holds, I kind of need to just do a retrospective of where we are. The statistics here were published by the H-ISAC this year, so this is a study that they conducted. Now, this shouldn't surprise you: medical devices have been vulnerable for years; it's only now that we're really talking about it. Now, 53% of the medical devices H-ISAC looked at and analysed had at least one critical vulnerability which was remotely exploitable and which would impact patient care. Why is this important? Well, people like me are attached to these devices; we carry them with us. Now, if they have critical remote exploitabilities, well, it becomes a little bit different when someone is standing in front of you with those devices, because there are many people just like
me that potentially are walking around with a vulnerable device. Caveat: that doesn't mean I'm not going to have my device. I would rather have it than not have it. But I think a big thing about these is that nobody's really considered the technology before.

So vulnerabilities seem to have increased. I think we've discussed this many times: they seem to have increased, and there seem to be more security vulnerabilities now. But in all honesty, V, a lot of this is because nobody's checked them before and considered them as anything that needs to be tested, anything that needs to be secure. It was a medical device that gave support to different people in different ways, but now, when people start looking at the opportunities that they allow, then you can start seeing where the holes are, what can we do, how can we exploit them.

I mean, the vulnerabilities that have been found and disclosed in recent years have increased by 59%. Now, that might seem like an alarming thing; to me it's exciting, because it means more people are looking at devices. I am always in support of knowing what the vulnerability is so that I can fix it, right? Better you know what's broken than not know.

Now, in a general healthcare delivery organisation, one of the devices used most is an infusion pump, right? They're in almost every room, so 38% of hospital networks are generally made up of infusion pumps. Now, anyone here know what an infusion pump is? Right, they deliver some serious drugs like morphine or pain medication, so generally they are things we don't want to be remotely exploitable. Now, 73% of the infusion pumps on the market have at least one remotely exploitable vulnerability, so you can kind of see that there are lots of reasons why we should be looking at these devices.

I told you I'm going to have some amazing art; AI is fantastic. So what are some of the vulnerabilities? Well, these shouldn't shock you too much; these are things we've been dealing with in hardware manufacturing for years, right? We have 64% that is built into the software, but lucky for us, if it's in software, what can we do? We can fix them, if we know about them. Now, medical devices, some might say legacy will always be a problem, and there is a reason, a real reason, for it: we're dealing with hardware components, hardware components within a human being's body. So how do you deal with a hardware vulnerability that's baked into a device? You're going to call in the patient and say, "Hey, we're going to cut you open, because we need your device," even though it's a functioning medical device? No.

There was a big recall on cardiac implants and pacemakers a few years back, because a big vulnerability dropped, and because of a knee-jerk reaction from the manufacturer, they started patching without doing a real analysis and ended up bricking patient devices. Security doesn't always get it right. Because of patch happiness, it ended up with patients having to come in and have physical surgeries, right? Thank goodness it's not rechargeable, by which I mean that the patient has to recharge the device, because some of us would die. But you have to go in, because it's a whole unit. So again, just finding a vulnerability is one component; fixing it when it's hardware is much harder. But lucky for us, there are hardware vulnerabilities, and we'll tell you why that's a good thing sometimes.

Now, there are different classes of medical devices. So who here has a health watch, like Apple? It's considered a medical device because it provides medical algorithms, specifically the cardiac one that does atrial fibrillation. Now, in those specific class 3 devices there were vulnerabilities found, but I think the more concerning ones are the classes of devices within people's bodies or attached to people's bodies or on hospital networks. You can see we practised this really well; we don't ever... So what we need to think about is why these vulnerabilities are important. I mean, it looks sexy from a security perspective, saying that there are vulnerabilities in systems embedded in people's devices that are embedded inside their bodies, but from a forensic perspective, which is kind of a big part of where we're coming from, these vulnerabilities allow evidence to be collected. But also, because they can be exploited, maybe those devices hold the forensic evidence that maybe proves, and this is maybe Hollywood style, but proves how somebody died. Maybe somebody hacked into the pacemaker and managed to overpower the pacemaker and blow them up, whatever it might be, but maybe that evidence exists somewhere. Can we capture that evidence? Is it obtainable?

You've really gone Homeland there on us. So who here has seen the Homeland episode called "Unbreak My Heart", I think that's what it was called, where they have a patient monitor in the president's room, you know, and they managed to find his serial number and did this whole sophisticated hack? That hack is not as implausible as one might think, right? So anyone that does medical device security will tell you that that day people's heads were on fire. But no one considers DFIR; no one considers that these devices that are on a hospital network might be the foothold onto your electronic healthcare records. We know cybercrime is motivated by what? Monetary gain. How do we get more money? We sell data. Now, electronic healthcare records are one of those things that are very lucrative for cyber criminals to sell, and these devices, medical devices, are functionally built not to be secure but to give treatment and record clinical data. Therefore they are actually a
rich treasure trove for cyber criminals. Now, the challenge we have is where do you get the devices from? You can get dead bodies and drag them into your office and chop them up and pull out what you need. You can potentially go and source devices from different places and hope that they have information and hope they have weaknesses that you can try and exploit. So in South Africa it was fairly easy: I had a friend at the coroner, and by law they have to remove the pacemakers and ICDs, because they go boom in the incinerator, so having a friend call a friend is helpful. Otherwise, your old friend eBay. Shockingly, it's now very easy to obtain devices. Now I think I've got the algorithm down to sit and wait. Now, I am not saying do as I do; in fact, I'm saying don't do as I do at home, right? That's the disclaimer. But most of our devices are currently sourced, since moving to Norway, from eBay, and one might think that you don't get devices from there, but you do. I don't know if they fell off a truck; I don't care. I just want to be able to hack into them, do some forensics and take it from there.

Now, you think forensics on medical devices, if you've never performed forensics, might sound a little bit fantastical, if that's a word, potentially. But in terms of medical devices, can we use the same techniques? Do we have to advance techniques? Do we have to use the fancy things that we saw in the keynote this morning? Well, the answer is kind of no. Realistically, what we're looking at is normal technology, normal being technology that's been around for a long time; it's just maybe used in a different way, and therefore we can extract the same data from them as we do from computers, mobile phones, applications, whatever it might be, and still get all that data back and make use of it. We can use all the techniques, just in a new way.

I think that was probably one of the most disillusioning moments I had, when I looked at pacemaker data the first time, because it looks sleek, it looks like it's got some new technology because it uses machine learning, it is able to keep my heart beating, it's able to keep me upright, all those amazing things, and then you open it and come to the disappointment that it just looks like a micro PC, like a micro computer with some components, and it's not as fancy as you think it is. But it's important to understand what's under the hood, because people are intimidated by doing work on medical devices, and that's the purpose of this talk: to kind of demystify these devices and say that it's actually accessible and easy, well, not easy, but it is doable. But don't tell everyone, otherwise we won't be able to get funding for future research.

Okay, so because we're academics and in forensic sciences, we have to come up with a process that kind of sort of follows a pattern that's repeatable, reproducible, and that we can document. So there are three things that with every device we've looked at we've kind of had to use. We've had to upskill to be able to do some medical engineering, or just normal engineering, having to look at the device to figure out: is it still working as it should? There's no use doing forensics on a device if the data you're generating is coming from a flawed device. It doesn't help us document what's on the devices, but it serves another purpose: it helps us reverse engineer the hardware to potentially understand how we can interact with it, because obviously there are many vulnerabilities on these devices that can be exploited. However, we need to find the door in, as was said this morning, jump the fence, that would leave the least amount of breadcrumbs behind, because it is forensics. Then we get into the forensic side: how do we extract that information so that we can make use of it and present it and analyse it and use that wherever we go in the future?

Now, you've got to think: these medical devices are implanted, they're embedded. If somebody dies because something's happened on their medical device, then that's a criminal case, and therefore we have to do things properly, because it's going to go into the courts later on. So we have to consider, just as we did in the keynote this morning, all the different steps of the forensic process: how do we extract, how do we analyse, and how do we do it in such a way that it's repeatable? Now, medical devices offer an additional challenge in that it's not always repeatable. Sometimes we have to really destroy the device, and we've seen destroyed devices, to be able to get the data back, and somebody else won't be able to replicate that later. That is just a challenge that we have to deal with in the future, but I think it's a challenge that IoT sometimes faces as well: by means of actually getting into the device we end up destroying it, we void warranties. I have realised now that every device I have opened, there's no way it will ever be used as a medical device again; it's labelled for non-human use. Big question: I'm not certified to open them up. If I was certified to open them up and I could do it in a process that retains the integrity of the device, that's different, but that certification will have to be done for every manufacturer, every device, which, as you can see, for digital forensics won't be really achievable. I mean, I'd love to, but some manufacturers are nicer than others and will play ball, and some just generally don't.

But the final one is probably how do we visualise the data, right? Because it's medical data, it's not data as we know it, so unfortunately we can't use our nice commercial forensic tools; they don't know what to do with the data, because it is in unique formats, and better yet, they come in different shapes and forms. No medical device is exactly the same; there is a pattern, but they are different. So it comes down to creative ways of either building your own visualisations or using clinical open-source software to visualise data, to reconstruct what that data is. I think this is one of those it's-a-team-player things, because not everybody will understand how to get the data from the device, how to connect to it, how to get it at a low level, so that we can perform the forensics, and then in particular understanding the clinical side of things. I mean, some of that data I think you need to study a long time as a doctor to understand parts of it and to make sense of it, so sometimes we'll have to pull in other people to assist. But I think the important thing is forensics people know how to work with data, right? There are lots of instances of data where we don't understand what the data means, but we can take it, visualise it, to someone like a medical examiner that can then look at the data in a format that they're used to.

So I get asked this question regularly: why are you so weird that you want to do your research? Well, I have a device. I'm curious about it, because if someone's going to get killed it's going to be me, right? Now I'm joking. But it is the connection from the cyber world to the real world, so it matters, because people's lives matter, and it's only a matter of time before we see this exploited in the wild.

So let's look at a device. Let's look at our first device, which is an implanted cardiac device. What the purpose of this device is: it'll kick you in the chest and wake you up when your heart decides to misbehave, in short. Okay, that is what's in my body, well, an upgraded version. I'm obviously not going to show you guys what my device looks like. Like I said, room full of hackers, no, no, no, I know
better. Well, sure, I'm happy to be the ethical, um, what do you call it, research bunny, and you can try and attack my device. I might even tell you how. No, I won't.

So what does forensics look like on an implant, right? We know dd, we know raw, we know E01, we know all those kinds of forensic images. Hate to disappoint you, that's not what you're going to get. So, depending on the manufacturer, and this is not applicable to every single implant, because every manufacturer has their own way of doing it, a lot of them have a, what do we call it, a PDB file, the programmable database file, that contains all the information. Most of this information currently is clinical, so how many times was treatment given. The firmware is on there. So it is not in the traditional format that you would expect it to be; it's in a proprietary binary format. Currently the easiest forensic way to get a full capture of that, without having to destroy the device or take it outside a human body, is to use a cardiac programmer. They have the ability to actually grab that full binary image, but then you're kind of stuck, because it's a proprietary binary format. Now you have to engage with a manufacturer, and that goes right about 50% of the time, so it's either a maybe or a no. European manufacturers tend to play ball nicely; the US lot is a little bit of a different kettle of fish. But this PDB file is super important, because it tells us whether the patient received specific treatment, it tells us what the settings are and when they were last changed. But that's basically the extent of an implant.

I think with medical devices, if you've ever done phone forensics, and we're talking Nokia 1100s, Samsung D500s, that kind of age of device, we're probably at that same stage now, where there's a large variety of formats, and each and every one of them essentially needs decoding in some way. So if you love hex, then this kind of stuff is perfect for you, because you can pull it apart and find out all the evidence that's inside of it, and not many people can currently.

Yeah, but before we move on: so you've seen the device, that's a cardiac implant. You get similar devices like that that go for deep brain stimulation. They are not quite the same as a cardiac implant; there's one key difference. The brain stimulators actually are rechargeable, which means they aren't restrained to the amount of storage they have, so some of them might actually have a file system or an OS on them, whereas the cardiac ones are reliant on x amount of CPU cycles, so they can only do a certain amount of data storage for a certain amount of time. That is some security, sadly, because we don't want to have a new device every three years. I like going in once in 17 years, but that's how long this device lasts.

This is an interesting story. So this device is my dad's device. He asks himself the question what he did to deserve me as a daughter, but we've built a whole scenario around a patient dying using his data. Now, he kindly gave me the device after I was done with it; I just think he didn't trust what was done on the device, so he didn't think that it would work anymore. But the CPAP machine, you would think, is less foreign than an implant, right? Lots of people have CPAP machines. So the basic tools that we needed were a specific Torx screwdriver, which is one of the things you find that you need, and then, depending, some hardware to be able to do some hardware acquisitions. Now, the disappointing or exciting part, depending how you look at it: the data is on an SD card. It's on an SD card using a standard file system that we know how to analyse, we know how to extract. It's nothing new; it's disappointingly nothing sexy. However, it is easy to get hold of. We can use traditional forensic tools and techniques to extract the data, to analyse it, to interpret it and do some parsing of the information.

Yeah, I think the shocking part was that the claim is made within the FDA documentation, as well as the manual, that they offer secure delete. Now, if you're living in the EU, you know the right to be deleted, the right to be forgotten, GDPR, and data limitation. So I decided, well, as in all things in science, let's see if we can get some more SD cards on eBay and see if we can do good old-fashioned data recovery. Now, the findings on that study, well, I say study, a little project that we had: we found that it was not secure delete but just a basic formatting that was being done. So if you know the FAT file system, you know data recovery can be fairly simple. So again, we were able to actually recover patient data from previous patients that sold the cards.

Now, the machine itself, depending on the version you have, runs on Linux, a file system. Good thing about this: it is encrypted both at rest and in transit. But for the sake of not totally destroying the device, we didn't want to go and take the board apart. But then Emlyn lost them, because he took his eye off his luggage in Germany, so the device is somewhere on eBay for sale. But it wasn't just my device, it was all my clothes and everything, but that's a different story.

As soon as you touch this device, as soon as you start opening it up, you void the warranty, which means it's no longer usable for and fit for human, I was going to say consumption, use. And that's a challenge in itself. I mean, the SD card holds information that's really of interest, that patient data, the recoverable information; that's perfect. But to get to it we're now voiding the warranty, which kind of brings us back again to the early days of phones and extracting that kind of data.

Yeah, so in terms of "we can destroy devices", I mean, I can open them up and void them completely, but in a real-life digital forensic situation, are we in the business of taking devices that are potentially super expensive, like MRIs, off the market because we've now done forensics on them? No, I don't think anyone's going to be happy with us, least of all the hospitals, because those are machines that they replace once in a while. So the key thing to this research is: can we get in without compromising the integrity of the device itself? Now, in terms of this one, we had a spare one that we wanted to destroy and open, and we found that it had the ability to connect to the board itself, which a lot of these devices have. Now, security professionals will go, why did they do something like that? Well, because diagnostics has to happen, debugging has to be happening, and technicians need to
be able to debug and figure out if a device is working as it should. Now, that means once you've got physical access to devices, it becomes super easy to get into them, because we know potentially this is a component of the design. So a lot of the time, and this is just to give you an idea, we have to face many decisions, like how are we going to go in, which way is going to be least destructive, which way is going to yield the evidence or the information we want to have. I wish I had the answer to say to you it's X, but the forensic answer is it depends on the device. But if we can be lazy, we'll be lazy, and so we'll just look at the SD card, and from that we'll pull out a variety of different information that gives us everything about the machine: its settings, its patient data, structures of treatments that have taken place.

Which includes, so when we opened the device, we found an EDF format. Now, EDF is a format that's been around for as long as I have, and there I've just given away my birth year, but it has been around for ages, and you find it well documented in sleep studies, because what is the CPAP machine doing? It is monitoring your sleeping pattern as well as your breathing. So in applied data science, because there's a lot of studies done, we could find a documented structure, and it is in ASCII, so it's totally human readable and in plain text. So you can imagine, on those SD cards that we recovered the data from, we could actually do a trend analysis on who the patient is, how they slept, what therapies they get, what device it came from, and all these very nice pieces of information. Now, forensically, these things are important, because we can determine whether anyone has tampered with data, but we can also determine whether or not a patient received the equal clinical therapy that the setting says it should receive. So if someone's changed the settings, there are indications that it's happened, so we'll be able to say that a patient did not receive appropriate care.

Again, I'm lazy, Emlyn's lazy, so if we can find code to do what we need to do, we will. Again, we went to the applied data science space and found some nice Python libraries that parse this information out and give it to us, because we like to do things the easy way, but why reinvent the wheel? So using MATLAB, if you really want to, you can actually plot out the signal, you know, the medical signals, and determine the sleep patterns, or you find open-source software that does it for you. Now, in the CPAP community, when you do a little bit of internet research, you actually find that patients got so fed up with the care and the denial of access to their data that someone built a tool that parses the information so that you can make informed decisions, right? And this has been maintained and is freely available and can be used to actually visualise the data.

Now, our students at Noroff University College actually do medical device forensics, and this is from a scenario that I built around tricking my dad's machine into not sensing his breathing, so I could simulate him dying and put him under a tarp and take photos. But we are able to say what the settings are, and the fact that the machine didn't respond when he had an event. Insulin pumps are the same: there's a huge underground community of patients that have built software that allows you to read data off an insulin pump. So essentially it uses the FAT file system, it's on an SD card, even if things are securely deleted it's all perfectly recoverable, and we can find information about past patients and all the information that was stored on there about their treatments, the kind of system that was used and also the PII, so information that's very specific to them. You need specialist knowledge, I think, to be able to parse that information. This stuff means nothing to me; Veronica spent a lot of time looking at this, but it's just about sleep patterns, and the medical experts will understand this and have more perspective on it.

Yeah, I might be the weird exception to the rule; I want to understand how these things work. I necessarily won't go and testify in court, which is what Emlyn's referring to: knowing where your line is. I did consult on a case involving a pacemaker, a murder case, short story because I can't give you the long one: the fact is that I was able to verify date and time on the device, I was able to verify the integrity of the report that was taken, but I was not allowed, even though I'm a patient since 19 and I understand these things at heart, to testify to what it meant, whether the patient received the appropriate therapy. A medical specialist was brought in, but because we could confirm the integrity of the data, it made his job a lot easier.

This was probably the most fun I had, because I went totally old school. It's a device I've never come into contact with in South Africa: it's a patient monitor network bridge, so it bridges into the hospital network and connects to other devices, because what can go wrong? One would assume that because it's a network bridge, it is fairly secure. Now, if you look here, we can see that it's running tedex, which kind of gives it away, so we know one avenue to go and research, but we also know that
they've got some proprietary software on there. I think this fits nicely back with the CPAP machine, in that there's a hell of a lot of information out there that you can find just by Googling: everything from people that have decided to pull apart the system before, to look at a file, data, to understand and interpret that information and build tools that will parse that information, to people that just want to share, people like Veronica, who just want to share information out there about what the device does, what it's capable of and what it's made up of. So this is where your Googling should really be the starting point for a lot of these kinds of research purposes.

So I bought this device because it was a late-night shopping thing; I tend to do that half asleep, and then, oh, surprise, more packages. My husband's not impressed, because it's just another one. I'm like, don't ask questions. First thing I did was a good old-fashioned Google: I go to the manual. Now, one wouldn't expect these manuals to be readily available. MedWrench is your friend: every technician and nurse practitioner puts these manuals on there that they've scanned from their hospitals, because what happens to manuals? They get lost, right? So sharing is caring in the medical world, and those things contain a heck of a load of information; it's actually overwhelming. The FDA publishes some of the documentation; the EU MDR does as well. So if you read around the redacted, blacked-out areas of things that are proprietary and confidential, you can get a gist of what is going on on this device.

Now, once we did the research and I identified which board it was, I mean, it gives me access to a lot. I found some known vulnerabilities. Now, everyone should be, or perhaps isn't, familiar with the Spectre and Meltdown attacks. Now, this is on a hardware board, so this means that it's not something that can easily be mitigated. Now, two out of the three CVEs, this board was impacted by. Why do we care about this in forensics? Like was said this morning, it is our hole into a device; it's the hole that we need to climb through. Now, this is just one example; with most of these devices, when you start looking into the boards, you will find a whole host of vulnerabilities on them. And I think this kind of research is where the fields of forensics and security really cross over. So looking for vulnerabilities, exploiting vulnerabilities, was not necessarily something that was ever in forensics, but it is really important to get into these new systems and new devices, which is why the community needs to grow and expand and share information on how to break into these systems, how to then attack and steal the information, not only from the perspective of someone exploiting it for nefarious purposes but also for legitimate legal purposes.

So before we, so just to be clear: one of the things is, I belong to the Biohacking Village in Vegas and I Am The Cavalry, which does a lot of this research ethically, by the code of conduct that we have. When we find exploitable vulnerabilities that haven't been reported on, we will report them responsibly to the manufacturers. Now, that might not sound as fun, but because we are dealing with human beings and potential things that can cause harm, we do tend to report these as we find them and work with the manufacturers on fixing them. So we are very much for responsible disclosure. None of these that we are showing today, or the methods, are undocumented; these are well-documented things that others have found in these devices.

So in terms of this device, it soon became apparent that perhaps we weren't going to be able to use our forensic tools. I was very shocked to find a bunch of USB ports at the back and decided, well, what's going to happen if I put a USB mouse and keyboard in? Am I going to be able to break out of the kiosk? If you've ever tried to break into kiosks or get them to go, Sticky Keys is normally your friend. In this instance it was literally pressing the Windows button, and there's Windows saying, hi, what can I do for you? But then, doing more research, I realised that this was a version of Windows I hadn't seen before, because it is embedded Windows. Who here has ever done PDA forensics? That's how old school it is. So it is, I think, Windows CE 5 on this specific one, but the developer guides gave us a lot of information on potentially how we could connect to this device. As you can see, we've got Ethernet, USB, which we already saw without opening the device, GPIO, UART, I2C, and it had an SD card; they tried to hide it under the board, but it was quite apparent that there was something there, so kudos for trying. This thing was very perplexing
because even when I did the forensic acquisition of the SD card it soon became apparent that it doesn't have a C drive it doesn't have a root drive it's not the traditional embedded windows that I knew so I did some more research on the developer tools and realized there's a whole host of tools that offer me access into the device why because developers need access to program these boards and work with them so what did we do we used the remote viewer right it's not very sexy what it does it takes conition from your PC to the device and allows you to use your computer as a screen but it gives you access to the
operating system which allows you to do a whole lot more and I didn't need an a password at all it was literally just identifying the IP address of the device and then connecting these two pieces of software up now we did the acquisition traditionally I'm not going to tell you for the SD card how we did the acquisition that's boring but we used the update tool now this specific board has a tool that allows you to do a cold boot a warm boot or actually save binary images of the data contained so the operating system the file system the boot loader and all of those there now this is probably the closest we're going to get without
having to rip the board apart uh so that is this is what we did it's a binary image right it should be readable um sad was my realization that it wasn't because it was also an operating file system that I've never encountered who here has encountered T fat yeah I didn't either until that time so everything was a proprietary binary format that was not in any ways or means viewable but reading a little bit more I was able to build the same Visual Basic environment and use open source code to translate the binary images into file system files this gives your logical files and we can then use our standard forensic tools to do the
analysis um same things were found on the SD card may be slightly simpler to get a hold of the SD card data uh but the information is there and we can do standard analysis pull information out we can find things inside of the the registry because it uses a embedded Windows the registry is there given us things like typed URLs uh information about systems uh applications that have been run also so one of the things once we had that and we had both images we could compare with fuzzy hashing and hash values to confirm that what we're seeing on the SD card is in fact a backup and not all the data so that we can verify
it but this acquisition was done without ever opening up the device now one might think Windows registry they all feel and look the same embedded windows are slightly different it's a compact version so your registry editor that you're using now won't work and as such we needed to make use of an older version of registry Editor to actually look at the data so these are the core findings from the Windows registry that we were able to recover while some of them are useful uh there's not a lot but this is because it's a resource constraint device uh we have the machine G or identifier so we can identify each machine uniquely uh we had limited USB information like I mean
three or four entries and not to the extent that you can get today um typed URLs will also first in first out so not a lot noted again resource constraint devices again traditional forensic techniques can be used it's nothing new it's just used slightly differently this information um was easily extractable I think it's fair to say it was well documented there was information all over the web that you could search for to find and that seems to be the case for a lot of the medical devices and making use of that open- Source intelligence in the first place gives you a lot of access to the information that's in the backend and again the fact
is that secure delete is not as we would know it in forensics it is sometimes just a factory reset or clear out of you know the root directory it's not really anything comprehensive so General data recovery would work how are we looking on time you can leave some time for questions if you like we're going to finish up and then we will take some time okay so future research a we've got a heck of a lot of equipment that's just come in that we need to look at uh I love the fact that I'm paid to actually look at Medical Equipment it's amazing um it's probably an unhealthy Obsession but we have more devices that needs to
be examined uh up until the point that I get banned from Ebay that is where I will Source my devices then I'll find alternate rotes but the acquisition process is fairly still Hardware based right it does leave some destructive elements uh and it is going to be that way because of how the devices are manufactured and the fact that these things last 10 plus years uh the newer devices are actually according to the FDA cyber security guidance now having to come with the ability to be forensically acquired that's going to probably be another 5 years before we see those things in market so the future is bright and we will see more capabilities to do that but what we see
is a range of different operating systems and a larger ecosystem so whilst we're talking about physical devices now what we also need to think about is the applications that connect to those devices are they on Android are they on iOS we can then again use more traditional forensic techniques to extract that data and it is or Rich um is terrifying I think about how easy it is for to gather that information and make use of it once you have access to the physical device the operating system is your friend it will give you all the information and a lot of the time the manufacturers don't understand the underl Ling operating system or even the file system because the rules of how
data is stored and deleted is is handled by the file system and the operating system plays a role in that so whilst they build applications on top of these layers the rules still apply from the file system to the operating system but it might be shocking to know that my cardiac patient monitor is running on Android and it's got an EXT file system it's things in forensics we know um so it's nothing new it's nothing strange but I think the key finding is we need more people to do research into this right uh we need that the task team to take on board and actually consider medical devices as a problem now we have to acknowledge that medical
devices does not have a functional requirement for forensics and security by virtue of this they not ever going to be massively pushed to be secure I got asked the question V would you ever want a username and password on your implant and the answer is no why because when I'm having a cardiac issue I don't have time to give a username and password to the nurses and doctors I want them to have access immediately so availability of devices cannot be overtaken by security but the these devices will never be the Lynch pin within an investigation there will be something that adds information that maybe gives a timeline or a suggestive intelligence that we can then use and correlate with
other information so we're not suggesting that these are going to be the golden bullet but they will assist and they are a different source of information that is generally overlooked at the moment it's more a circumstantial evidence it it adds to the case and the same with the implants that have been used in court cases they're not the determining Factor they're simply in support of other evidence now how do you get started in this a lot of ENT you research right if you can Google you can find a manual you might even find it on the manufacturer's website where it asks you are you a doctor and if you lie good enough and you just say Yes And You Lie
from your location a lot of these manufacturer give you the technical manual the operator's manual and the clinical manual what more do you need need to understand what the device is doing without ever opening it the caveat there is do not lie Veronica is just suggesting one way of gathering information and she is not encouraging people to lie on applications I think the biggest thing that I've learned from these things and that this was kind of the inspiration for my PhD is the logs suck on these devices they absolutely don't contain any robust logging of any means or form the logs are riddled with vulnerabilities we saw lots of things where sensitive data has been disclosed
let me tell you every medical device as I stand here before you today contains Logs with printed PL text JWT tokens uh you know exposed URLs uh app keys and secrets patient data because they are built with clinicians in mind and they built with debugging in mind not for the purposes of security or incident response and with that you are rid of US unless you have any more
questions. Thank you, Em and V. I see a hand at the back. Yes?

Thank you very much for the talk, very interesting. I was wondering if there's any personal health medical device with a wireless module, say Bluetooth, that you managed to find a fully remote exploit to, because that's the sexiest part, right?

So I have a unique take on vulnerabilities. So I'm going to stand like this because I can't see you. One of the things is, yeah, we found... I mean, we found Bluetooth attacks, we found wireless attacks. Heaven knows my device has got what they refer to as telemetry, which is wireless, which communicates in plain text; I have RF as a backup and I have Bluetooth, right? All of these modules will become vulnerable at some point. That is the sexy part of it, but I think where I get excited is: can I tell what I've done to compromise the device? Is it, you know, I find a vulnerability, I exploit the vulnerability, but then I want to do the forensics on it to determine whether or not there's logs, there's artifacts. I only have to get in once, but to fix things and make things more secure and do forensics is a bit of a continuous challenge, and that's kind of where I enjoy doing what I do. But if we find vulnerabilities we do responsibly disclose it, and we do disclose mechanisms in what we find for forensics; like, if I find no access to logs that I've connected onto, that is something that we will tell the manufacturer and suggest that they add in future releases if possible. Any other... we do, we will come [inaudible].

So some of the devices I do have, I legally cannot yet publicly disclose some of the vulnerabilities, due to the fact of the manufacturer and working with them to fix it, because I'm under contract. So whilst I'd love to be able to do these demos, legally I don't, and I am, you know, a visitor in this country, so keep watching the space. When that time runs out on when we can publish, we will publish.

Hi, so what I was left wondering is, speaking of the cardiac programmers, you said you can basically dump the data from a device. Can you do that covertly, or do you have to be in such close proximity that basically you can't just sniff everyone's data around the room?

So I'm going to tell you why I'm not allowed into a hospital room alone anymore. In South Africa we managed to do a man-in-the-middle attack with exactly that, by, you know, just sniffing the authentication between programmer and patient. The doctor didn't assume anything else of me, because they don't think that it's something to be worried about. The old telemetry that most of these devices have as a backup is in plain text, right? So if you, at the appropriate time, are able to sniff the traffic, you get the golden authentication token; that means that every device from that manufacturer, you could do a replay attack. There is actually well-documented research on that from other manufacturers; I can't say their name because I'm going to get into trouble again, but there has been a mass recall and things like that. I remember attending Black Hat where a friend of mine, Billy Rios, was doing an attack with a programmer that they were able to put malware on, because a lot of these cardiac programmers run a Windows variant. To answer your question: close proximity still required, generally speaking. Actually, not that close anymore; not now, but then, yes. The range I think is 50 m now and increasing ever so often as technology increases, but we do call them the stars-have-to-align attack, right? It's not just that that has to align, it's a bunch of other elements, which makes these attacks still unlikely. It's more likely that my device accidentally goes into what is referred to as VVI mode, which it thinks it's being debugged and it's constantly going to go. We have a lab on campus that interferes with my device and actually puts it into VVI mode because of the electric interference, which means it could potentially drain the battery. There's other attacks of magnets being used to put it into debug mode, but like I said, they find something, they improve upon it in the next generation. But if you have a medical device it's going to be vulnerable, if not now, in 2 years when someone has got nothing better to do and they found a vulnerability. It's a thing we need to become comfortable with.

Time for one more question, anybody? I have one question, more on the forensics in general. Tool validation has been a big thing in some jurisdictions on the admissibility of forensic evidence, so, yeah, of course in decades gone by EnCase and FTK were the big two, in North America anyway. Is tool validation a problem when you're talking about gathering evidence with various open-source tools and developer kits and so on?

I think if you can show that it is reproducible, repeatable and that you've tested it numerous times, then it becomes easier to be admissible in court. It is not your traditional forensics, right? Whilst the analysis is, the acquisition can and will be disputed in court. This case that I consulted on, in fact, the manufacturer picked up the device, dumped the data and destroyed it because it's biohazard, right? But in any investigation we would never destroy a device that we're looking at, but that was their process and it was approved and the courts accepted it as such. So it's still developing; we're still making lots of mistakes, and the more it gets tested in court the more we will be able to refine the processes. But a lot of these things probably won't pass the test for going to court yet, if I'm honest with you, and that's