 Next talk will start now and will be Unpatchable Living with a Vulnerable Implanted Device by Dr. Marie Moe and Erin Leverett. Give them a warm round of applause please. So I'm here today to talk to you about a subject that is really close to my heart. I have a medical implant, a pacemaker that is generating every single beat of my heart. But how can I trust my own heart when it's being controlled by a machine running on proprietary code and there's no transparency? So I'm a patient but I'm also a security researcher. I'm a hacker because I like to figure out how things work. That's why I started a project on breaking my own heart together with Erin and a couple of friends because I really want to know what protocols are running in this machine inside my body? Is the crypto correctly implemented? Does it even have crypto? So I'm here to inspire you here today. I want more people to hack to save lives because we are all becoming more and more dependent on machines. Maybe some of you in the audience also have medical implants. Maybe you know someone that's also depending on medical implants. Imagine that this is your heartbeat and it's being controlled by a device. A device that might fail due to software bugs, due to hardware failures. Wouldn't you also like to know if it has security vulnerabilities? If it can be trusted? Something to think about, right? Marie is an incredibly brave woman and when she asked me to give this talk it made me nervous, right? It's such a personal story, such a journey as well and she's going to talk to you about a lot of things, right? Not just hacking medical devices from a safety point of view but also some of the privacy concerns, some of the transparency concerns, some of the consent concerns. So there's a lot to get through in the next hour, but I think you're going to enjoy it quite a lot. So let me tell you the story about my heart. So four years ago I got my medical implants. It was kind of an emergency situation because my heart was starting to beat really slow, so I needed to have the pacemaker. I had no choice. After I got the implant, since I was a security researcher, of course I started to look up information about how it worked and I googled for information. I found the technical manual of my pacemaker and I started to read it and I was quite surprised when I learned that my pacemaker has two wireless interfaces. There's one interface that is really close field communication, near field communication that is being used when I'm at checkups at the hospital where the pacemaker technician or doctor uses a programming device and places it really close to my pacemaker and it's possible to use that communication to adjust the settings. But it also has another wireless interface that I was not aware of that I was not informed of as a patient. It has a possibility for remote monitoring or telemetry where you can have an access point in your house that will communicate with the pacemaker on a couple of meters distance and it can collect logs from the pacemaker and send them to a server at the vendor and there's a web interface where the doctor can log in and retrieve my information. And I have no access to the data that is being collected by my device. So imagine for a moment that you were buying a new phone or buying a new laptop. You would do your homework, right? You would understand what interfaces were there, but in Marie's case she's just given advice and then later she gets to go and read the manual, right? So she's the epitome of an informed consumer in this space and we want a lot more informed consumers in this space, which is why we're giving this talk. Now I don't know about you, but I'm used to hacking industrial systems. I haven't done as much medical research in the past. So when I first started this project, I knew literally nothing about Marie's heart or even my own and she had to teach me how the heart works and how her pacemaker works. So would you mind explaining some details to the audience that'll be relevant through the rest of the presentation? Yeah actually I think we're going to show you a video of how the heart works. So it's a little bit of biology introduction here before we start with the technical details. So just play the video. A normal heartbeat rate and rhythm is called normal sinus rhythm. The heart's pumping action is driven by electrical stimulation within the heart muscle. The heart's electrical system allows it to beat in an organized, synchronized pattern. Every normal heartbeat has four steps. Step one, as blood flows into the heart, an electrical impulse from an upper area of the right atrium, also known as the sinus node, causes the atria to contract. When the atria contract, they squeeze the blood into the ventricles. Step three, there is a very short pause, only about a fraction of a second. And step four, the ventricles contract, pumping the blood to the body. A heart normally beats between 60 to 100 times per minute. Electrical signals in your heart can become blocked or irregular, causing a disruption in your heart's normal rhythm. When the heart's rhythm is too fast, too slow, or out of order, an arrhythmia, also called a rhythm disorder, occurs. When your heart beats out of rhythm, it may not deliver enough blood to your body. Rhythm disorders can be caused by a number of factors, including disease, heredity, medications, or other factors. So for those of you who are already aware of that, apologies, but I needed to learn that. I needed to learn the basics before we even got started, right? So this is a diagram of the electrical system of the heart. So as you see, it's a sinus node that is generating the pulse. And in my case, I had a problem with the signal being generated by the sinus node, not reaching the lower heart chamber. It's something called the AV block, or heart block. So occasionally, this will cause an arrhythmia that makes the heart pause. If you don't have a heartbeat for like eight, 10 seconds, you lose your consciousness. And that was what happened to me. I just suddenly found myself lying on the floor, and I didn't remember how I got there. And it turned out that it was my heart that had taken a break. So that's how I discovered that I had this issue. So this is where the signal is blocked on the way down to the lower heart chamber. But there is a backup function in the heart that can make a so-called backup pulse. And I had that backup pulse when I went to the emergency room. So I had a pulse around 30, 40 beats per minute. And that's generated by some cells in the lower heart chamber. So after I got the pacemaker, my heart started to become a little bit more lazy. So it's not certain that I will have this backup pulse anymore if the pacemaker stops working. So currently, my heart is 100% running on the pacemaker. So let's also look at how the pacemaker works. I have another video of that. So this is my little friend that is running my heart. A pacemaker is a miniaturized computer that is used to treat a slow heartbeat. It is about the size of a couple of stacked silver dollars and weighs approximately 17 to 25 grams. It is usually surgically placed or implanted just under the skin in the chest area. The device sends a tiny electrical pulse down a thin coated wire called a lead into your heart. This stimulates the heart to beat. These impulses are very tiny and most people do not feel them. While the device helps your heart maintain its rhythm, it also stores information about your heart that can be retrieved by your doctor to program the device. Remember that. Yeah, you did see the ones and zeros at the end of the video. That's what we want to know more about because this information that is being collected by the pacemaker, how it works, how the code looks like, it's all closed source, it's proprietary information and that's why we need more security researchers. We need more third-party testing to be sure that we can trust this code. And you can imagine that we're doing some of this research as well, but I'm not going to break Marie's heart on stage. I'm not going to drop Ode on some medical devices. So if you came for that, it's not worth staying. The rest of the presentation will be about some of the things we've found and how this works and how you might approach this research and some of the people who did this research before because there's plenty of others and we'd like to give a shout out to those who've done great research in advance. But essentially this point is very relevant, that the internet of medical things is already here and Marie is wired into it. She's a bit younger than your average pacemaker patient but she was thrust into this situation where she had to think about things in a very different way. Like you did a master's break in crypto and also a PhD in information security. Did you imagine the things you learned about SSHing and network security might one day apply to your heart and your own body? No, I never figured out that my research would eventually end up inside my own body. That's something I never talked about. And also there's a lot of people that don't think about how the medical devices actually work. So when I ask this question to health care professionals, they look at me like I'm crazy. They have never talked about this before that there actually is code inside my body and someone has programmed it. Someone has written this code and did they think about that this would actually control someone's life and be my own personal critical infrastructure? Yeah, personal infrastructure, right? On a physical level. And also I think it's the point that you made is important to reiterate that you go and see your doctor and you ask these questions about whether anyone can hack into my heart and they probably look at you and go like don't you worry if you're a pretty little head about that, right? But Marie used to head up the Norwegian computer emergency response team for a couple years and knows a lot of hackers and knows what she's talking about, right? So when she asks her doctor these questions, they're very legitimate questions and the doctors probably don't know anything about code but they need to move towards a place where they can answer those questions with some honesty and certainty and treat them with the dignity that they deserve. Shall we show them a little bit more about the total ecosystem of devices that we're talking about at least in this particular talk? Okay, so this was all new to me. I mean I've moved around in networks and done some penetration testing and some stuff in the past but I didn't know much about implantable medical devices. So we've got a couple of them there, the ICD, which is the in-cardio defibrillator, that's some of the work that you saw from Barnaby Jack, which we'll mention later was on those particular devices. We've got the pacemakers and of course other devices could be in this diagram as well, like we could be talking about insulin pumps or other things in the future. The device itself speaks to box number two, which we'll tell you a little bit more about in a moment using a protocol commonly referred to as MIX. A number of different devices use this medical implant communication service and Marie shocked me yesterday when she found a couple of devices that potentially use Bluetooth. So would you like to tell them a little bit more about the access point and I'll join in? Yeah, so the access point is the device that you can typically have on your bedstand that will, depending on your configuration, contact your pacemaker at regular intervals, for instance once during the night. It will start communication with the pacemaker, a couple of meters distance and we start collecting logs and these logs will then be sent. It can be via SMS or other means to a server. So there's a lot of my personal information that it can end up different places in this diagram. So of course it's in my own device. It will be then communicated via this access point and also then via the seller network and then it will also be stored in the telemetry server. Potentially when I go for the checkups my personal information will also end up in my doctor's workstation or in the electronic patient records and there's a lot of things that can go wrong here. Yeah, you can see it's using famously secure methods of communication that have never been backdoored or compromised by anyone ever before, even here at this conference, probably even this time around. So these are some things that are concerning. The data also travels often to other countries and so there are questions about jurisdiction in terms of privacy laws in terms of some of this data and some of you can go and look deeper into that as well. The telemetry store thing I think is important. Some of this is a telemetry store such as the server at the vendor. So the vendor owns some machine somewhere that collects data from Marie's heart. So you can imagine she goes to see her doctor and the doctor's like, hey Marie, last weekend, did you run a half marathon or something? And she hasn't told him, right? Like he just can look at the data and see that her heart rate was up for a couple hours. That's true though, right? You did actually run a half marathon. Yeah, I did run the half marathon. So the telemetry store is one part but there's also the doctor's workstation which contains a lot of this medical data. So from a privacy perspective that's part of the attack surface. But there's also the programmers, right? There's the device programmers. So that's an interesting point that I hope a lot of you are interested in already that there is a programmer for these devices. Yeah, so we actually went shopping on eBay and we found some of these devices. You can buy them on eBay? Yeah. So I found a programmer that can program my device on eBay and I bought it. And also I found a couple of these access points. So that's what we're starting to look at. We just wanted to give you an overview of this system and it's fairly similar across the different device vendors and we're not going to talk about individual vendors. But if you were going to go and do this kind of research, you can see that some of the research you've already done in the past applies to different parts of this process, right? And talking about patient privacy. When we got the programmer from eBay, it actually contained patient information. So that's the really bad thing. So I found this very odd. I had this similar reaction to yourselves because I usually do industrial system stuff. One of my friends picked up some PLCs recently and they had data from the nuclear plant that the PLCs had been used in. So decommissioning is a problem in industrial systems, but it turns out also in medical devices, right? I guess that's a useful point to make as well about the cost of doing this kind of research. It is possible to get some devices, some implants from people who have sadly passed on, but that comes with a very high cost of biomedical decontamination. So that raises the cost of doing this research on the implants themselves, not necessarily on the rest of the devices. Yeah. So I also want to say that in this research, I have not tinkered with my own device. So that would not be a good thing. You're not going to let me SSH into your heart and just delete some stuff, no? No. I wouldn't do it anyway, but it's an interesting point, right? So there are a lot of safety precautions that we and the rest of the team have to take when we're doing this research. And one of them is not pairing Maria's pacemaker with any of the devices that are under test. Do you want to say a bit more about connectivity and vulnerability? Yeah. So I was worried when I discovered that I had this possible connectivity to the medical internet of things. In my case, this is switched off in the configurations, but it's there. It's possible to turn it on. It's possible for me to be hooked up to this internet of medical things. And for some patients, this is really benefit. So you always have to make a risk-based decision on whether or not to make use of this connectivity. But I think it's really important that you make an informed decision about that and that the patient is informed and has given his or her consent to have this feature. The battery lifetime of my pacemaker is around 10 years. So in six years time, I will have to have a replacement surgery and I'm going to be a really difficult patient. So I really want to know how the devices work by then and I want to make an informed decision on whether or not to have this connectivity. But of course, for a lot of patients, the benefit of having this always the risk because people that have other heart problems than me, they have to go for more frequent checkups. I only have to go once a year. So for patients that need to go frequently for checkups, it's really good for them to have the possibility of having telemetry and having connectivity to have remote patient monitoring. Yeah, I imagine you have mobility problems or you even just live far from a major city and making the journey to the hospital is quite arduous. Then this kind of remote telemetry allows your doctor to keep track of what's going on. And that's very important. We don't want to like have a big scary testosterone field talk where we like hack some pacemakers. We want to talk about how there's a dual use thing going on here and that there is a lot of value in having these devices. But we also want them to be safe and secure and preserve our privacy and a lot of other things. So these are some of the issues. Of course, the last one, the remote assassination scenario, that's everyone's favorite one to fantasize about or talk about or make movies about. But we think there's a lot of other issues in here that are more interesting, some quality issues even, that we'll talk about in a little bit. Battery exhaustion, again, something many people don't think about. But I'm very interested in cyber-physical exploitation. And so some of those elements were interesting to me that you might use the device in a way that wasn't expected, right? So personally, I'm not afraid of being remotely assassinated. I've actually never known you to be afraid of anything. I'm more worried about software bugs in my device, of things that can malfunction. Is that just theoretical? No, actually software bugs have killed people. So think about that. People that are not here, they don't have their voice and they can't really give their story. But there are stories about persons, depending on medical devices, dying because their device malfunctioned. There's even some great research from academics about how the user interface design of medical devices can have an impact on patient safety and how designing UX much more clearly and concisely, specifically for the medical profession, might improve the care of patients. Do you want to say more about this slide or should we go on to the previous work? Yeah, I think it's really important also to the issue of trusting the vendors. So as a patient, I'm expected to just trust that my device is working correctly. Every security vulnerability has been corrected by the vendor and it's safe. But I want to have more third-party testing. I want to have more security research on medical implants. And as a lot of things like history has shown, we can't always trust that the vendors do the right thing. I think this is a good opportunity for us to ask a very fun question, which is, any fans of DMCA in the room? No? No fans? All right, well then you'll really enjoy this. Marie has some very exciting news about DMCA exceptions. Yeah, so October this year, there was a ruling of an DMCA exemption for security research on medical devices, also for automotive security research. So this means that as researchers you can actually do reverse engineering of medical implants without infringing copyright laws. It will take effect I think October next year, but it's really a big step forward in my opinion and I hope that this will encourage more research. And also I want to mention that there are fellow activist patients like myself that was behind this proposal of having these exemptions. So Jay Redcliffe, who hacked his own insulin pump, Karen Sandler, who is a free and open software advocate, and Hugo Campos, who has an ICD implant, he wants to have access to his own data for quantified self-reasons. So these patients, they actually made this happen, that you're allowed to do security research on medical devices and I think that's really great. Do you want to say something about Scott Irvin's presentation that you saw at DEF CON? Yeah, that was a really interesting presentation about how medical devices have really poor security and they have like hard-coded credentials and you can find them using Shodan on the internet. These were not pacemakers but other types of different medical devices, but there are like hospital networks that are completely open and you can access the medical equipment using default passwords that you can find in their manuals. And the vendors claim that no, these are not hard-coded, these are default, but then the manuals say, do not change this password. Because they won't integrate with other stuff, right? I've heard that excuse from Skada so I wasn't having it. They also put up some medical device honeypots to see if they would get any targeted hacking attempts, but they only picked up like regular malware on them, which is also of course of a concern. Anything else prior Kevin? Yeah, I guess you should mention that the academic research on hacking pacemakers, which was started by a group led by Kevin Fu, and they had this first paper in 2008 that they also follow up with more academic research and they show that it's possible to hack a pacemaker. They show that this was possible on like a couple of centimeters distance only. So like the attack scenario would be if you have a device similar to the programmer device and you attack me with it, you can turn off my pacemaker. That's not really scary, but then we have the research by Barnby Jack where this range of the attack is extended to several meters. So you can have someone with an antenna in a room scanning for pacemakers and starting to program them. We have a saying at Cambridge about that. Some of the other people in the university have been doing attacks a lot longer than I have and one of the things they say is attacks only get worse, they never get better. So the range might be short one year and then a couple of years later it's worse. So the worst case scenario I think would be remotely via the internet being able to hack pacemakers, but there's no research so far indicating that that's possible. And we don't want to hype that up, we don't want to get that kind of an angle on this talk. We want to make the point that hacking can save lives, that hackers are a global citizens resource to save lives. So this is the result of hacking of the drug infusion pumps earlier this year. The FDA actually issued the first ever recall of a medical device based on cybersecurity concerns. I think that's amazing. They've recalled products because of cybersecurity concerns. They used to have to wait until someone died. In fact, you had to show something like 500 deaths before you could recall a product. So now the FDA at least in the US can recall products just based on security considerations. So this is also I guess the first example of that type of proactive security research where you can make a proof of concept without killing any patients and then that causes the security holes and that potentially saves lives and no one has been hurt in the research. I think that's great. I'm also really excited because we give a lot of presentations about security that are filled with doom and gloom and depression. So it's nice to have two major victories in medical device research in the last few years, one being the DMCA exceptions and the other being actual product recalls. Yeah and the FDA are starting to take these issues seriously and they are really focusing on cybersecurity of medical implants now. I'm going to go to a workshop arranged by the FDA in January and participate on a panel discussing cybersecurity of medical implants. And it's great to have this type of interaction between the security community, medical device vendors and the regulators. So things are happening. Yeah how do you feel as an audience? Are you glad that she is going to be your representative in Washington for some of these issues? And we want you to get involved as well right? This is not just about Marie and myself and the other people who worked on this project. It's meant to say you too can do this research and you should be. You have to be a little sensitive and a little bit precise and articulate about some of the concerns. We take some inspiration from the former research around hygiene. Imagine the first time some scientists went to some other scientists and said there's this invisible stuff and it's on your hands and if you don't wash your hands people get infections and everyone thought they were crazy. Well it's kind of the same with us talking about industrial systems or talking about medical devices or talking about hacking in general. People just didn't sort of believe it was possible at first and so we have to articulate ourselves very very carefully. So we draw inspiration from that early hygiene movement where they had a couple simple rules that started to save people's lives while they explained germ theory to the masses. Yeah so this type of research is kind of low hanging fruits where you just so what we show here is an example where there's a lot of medical device networks and hospitals that are open to the internet and that can get infected by normal type of malware like backing trojans or whatever and this is potentially a safety issue. So if your MR scanner or some other more life critical device is being unavailable because of virus on it that's a real concern for patient security and safety. So we need to think more about the hygiene also in terms of computer viruses not only just normal viruses. So you know sometimes people will treat you like this is an entirely theoretical concern but I think this is one of the best illustrations that we've found of how that should be a concern and I think all of you will get it but I'm going to give you a moment to kind of read what's about to come up on the slides right. So I'll just let you enjoy that for a moment. So if it's not clear or it's not your first language or something this guy basically sharded patient data across a bunch of Amazon clusters and then it was unavailable and they were very concerned about the unavailability of their customer patient data sharded across Amazon instances. He was complaining to support like can I get support to fix this. So all the data of the monitoring data of the cardiac patients is unavailable to them because of the service being down and well do you want to outsource your patient safety to the cloud really. I don't want that. I want to yeah I want to get into some other details we have sort of 10 minutes left if we can so we can have a lot of questions and I'm sure there will be some. But I want you to talk to them about this very personal story. This is remember before when we said is this stuff theoretical. I want you to pay a lot of attention to the story. It really moved me when she first told me so. Yeah so I know how it feels to have my body controlled by a device that is not working correctly. So I think it was around two or three weeks after I had the surgery. I felt fine but I hadn't really done an exercise yet. The surgery was pretty easy. I only had two weeks sick leave and then I came back to work and I went to London to participate in a course in ethical hacking and I did take the London underground together with some of my colleagues and we went off at this station at Covent Garden. I don't know if anyone of you have been there but that particular station is really low underground. They have elevators that you can use to get up but usually there are like long queues with elevators. You always have to do things the hard way. You have to take the stairs or they were just heading for the stairs and I was following them and we were starting to climb the stairs and I didn't read this warning sign which says those with luggage for shares and hard conditions please use the lift because I was feeling fine and this was the first time that I figured out it's something wrong with my pacemaker or with my heart because I came like halfway up these stairs and I felt like I was going to die. It was a really horrible feeling. I didn't have any more breath left. I felt like I wasn't able to complete the stairs. I didn't know what was happening to me but somehow I managed to drag myself up the stairs and my heart was really didn't feel right. So first thing when I came back from this course I went to my doctor and we started to try to debug me, try to find out what was wrong with my pacemaker and this is how that looks like. So there's a stack of different programmers. This is not me by the way but it's very similar situation. We'll come back to those programmers in a moment but the bit I want you to focus on is like they're debugging your pacemaker. Yeah I didn't know what was inside you. I didn't know what was happening at the time. We were just trying to get the settings right and it took like two or three months before we figured out what was wrong and what happened was that my upper rate limit was set too low for me for my age. So the normal pacemaker patient is maybe around 80 years old and the default upper rate limit was 160 beats per minute and that's pretty low for a young person. So imagine like you're younger and you're really fit and you know how to do something really well like swimming or skiing or skateboarding or whatever. You're fantastic at it and then a couple years go past and you know you gain some weight and you're not as good at it right but now imagine that happens in three seconds while you're walking up a set of stairs. Yeah so what happens is that the pacemaker detects oh you have a really high pulse and there's a safety mechanism that will cut your pulse in half so it would go from like so in my case it went from 160 beats per minute to 80 beats per minute in a second or less than a second and that felt really really horrible and it took a long time to figure out what was wrong. It wasn't until they put me on an exercise bike and had me on monitoring that they figure out what was wrong because the thing was that what was displayed on the on the pacemaker technicians view was not the same settings as my pacemaker actually had. There was a software bug in the programmer that caused this problem. So they thought they had updated her settings to be that of a young person. They're like oh we've already changed it but they'd lost the view they couldn't see the actual state of the pacemaker and the only way to figure that out was to put her on a bike and let her cycle until her heart rate was high enough you know literally physically debugging her to figure out what was wrong. Now stop and think about whether or not you would trust your doctor to debug software. So say a little bit more about those programmers and then we'll move on towards the future. Yeah so so we got all of one of these programmers as mentioned and looked inside it and well we named this talk unpatchable because originally my hypothesis was that if you find a bug in pacemaker it will be hard to patch it. Maybe it would require surgery but then when we looked inside the programmer and we saw that it contained firmware for pacemakers we realized that it's possible to actually patch to pacemaker via this programmer. One of the other researchers finds these firmware blobs inside the programmer code and like my heart stopped at that point right I was just going really you can just you can just update the code on someone's pacemaker. We also want to say something about standardization look at all those different programmers. Someone goes into the hospital with one of these devices they have many different programmers and they have to make an estimation of which you know which programmer for which device like which one are you running and so some standardization would be an option perhaps in this case. Yeah all right so we're going to need to move quickly through the next few slides to talk to you about the future but I hope that drives home that this is a very real issue for real people. So pacemakers are evolving and they're getting smaller and this is the type of pacemaker that you can actually implant inside the heart. So the pacemaker I have today is outside the heart and then I have the leads that are leads that are wired to my heart but in the future they're getting smaller and more sophisticated and I think this is exciting. I think that a lot of you also in the audience will benefit from having this type of technology when you grow older and we can have longer lives and we can lead more healthier lives. And keep in mind right you know some of you may already have devices and already have these issues but others of you will think ah that won't happen to me for quite a long time but it can be a sudden thing that you know you don't necessarily have a choice to run code inside your body. You know which OS do you want to implant? Do you want to tell them about the cardiac sock? This is also quite exciting maybe future type of implants that you can have. So this is actually a cardiac sock. It's really printed and it's making a rabbit's heart beat outside the body of the rabbit. So there's a lot of technology and sensors and things that are going to be implanted in the bodies and I think more of you will become cyborgs like me in the future. And there's a lot of work that you could be doing you know 3D printing these devices and open sourcing as much of this as possible. There's a lot to say here right I think it's time to address the really scary issue the consent the informed consent issue around patching right. Remember earlier we were talking about the programmers and we pointed out that there were firmware blobs in there and that these people you know your doctor or a nurse could upgrade the code running on your medical implant. Now is there a legal requirement for them to inform you before they alter the code that's running inside your body? As far as we can tell and we need to look at a lot of different countries at the same time so we're going to ask you to help us. As far as we can tell there are not laws requiring your doctor to tell you that they are upgrading the firmware in your device. Think about that. So quite scary thing. I want to know what's happening to my implant the codes if someone wants to alter the code inside my body I would like to know and I would like to make an informed decision on that and give my consent before it happens. You might even choose a device where that's possible or not possible because you're making a risk-based decision and you're an informed consumer but how do we help people who don't want to understand software and firmware and upgrades make those decisions in the future as well right. All right. So now if we're going to go through all of this but there are a lot of reasons why we are in the situation of having insecure medical devices. There's a lot of legacy technology because there's a long lifetime of these devices and it takes a long time to get them on the market and they can be patched but in some cases they are not patched or there are no software updates applied to them. We don't have any security third-party security testing of the devices and that's really needed. Right an underwriter's laboratory or consumer laboratory that's there to check some of these details and I don't think that's unreasonable right that sort of approach. And there's a lack of regulations also so there's also things that should be worked on. So there's a lot of ways to solve this and we're not going to give you the answer because we're not geniuses so we're going to say that these are some different approaches that we see all playing into a solution space. So vendor awareness is obviously important but that's not the only thing and a lot of the vendors have been very supportive and very open to discussion but there's a lot of transparency that needs to happen more in the future right. Security risk monitoring I've been working in the field of cyber insurance which I'm sure sounds like insanity to the rest of you and it is there are bad days but that could play a part in this risk equation in the future. What about medical incident response right or medical device forensics? Yeah if I suddenly drop dead I really would like to have a forensic analysis of my pacemaker. Please remember that all of you like if anything is going to happen to Maria everyone to ask that right like aren't you afraid of giving this talk and we thought about it we talked about it a lot and she's got a lot of support from her husband and her son and her family and a bunch of us. If anything happens to this woman I hope that we will all be doing forensic analysis of everything. So we'll say a little bit about I am the cavalry and social contract and then we'll wrap it up okay. So I am the cavalry does a lot of grassroots research and support and lobbying and tries to articulate these messages they have a medical implant arm that has a bunch of different researchers doing this kind of stuff. Do you want to say more about them? Yeah so we're both part of the cavalry because no one is coming to save us from the future of being more dependent on and trusting our lives on machines so that's why we need to do step up and do the research and encourage and inspire the research so that's why I joined I'm the cavalry and I think it's a good thing to have a collaboration effort between researchers between the vendors and the regulators as they are or we are working with. We also think that even if you don't do reverse engineering or you're not interested in the security details or the op codes that are inside the firmwares or whatever this question is a question any of you here can talk about for the rest of the congress and going forward into the future right. This is Marie so go ahead. Yeah so I really want to know what code is running inside my body and I want to know or I want to have a social contract with my medical doctors and my physician that is giving me this implant. It needs to be based on patient doctor trust relationship and also between me and the vendors so I really want to know that I can trust this machine inside of me. And we think many of you will be facing similar questions to these in the future. I have questions some of my questions are serious some of my questions are not serious like this one. Is the code on your dress from your pacemaker? No actually it's from the computer game doom but once I have the code of my pacemaker I'm going to make a customer address and get it which is pretty cool right with my own code so let's wrap up with what we want to have a future research so we encourage more research and these are some things that could be looked into like open source medical devices that doesn't really exist today at least not for pacemakers but I think that's one way of going forward. I think it's also an opportunity for us to mention a really scary idea which is you know should anyone have a golden key to Marie's heart? Should there be backdoor encryption inside of her heart? We think no. I understand the reason why the NSA should be able to have a backdoor to my heart. You would be an extremist that's why you don't want them to have a backdoor to your heart but this is a serious question right if you start backdooring any kind of crypto anywhere how do you know where it's going to end up it might end up in medical devices and we think that's unacceptable and we should also mention that we're not doing this alone we have we have other researchers helping us forward doing this. So thank you very much for this thrilling talk we're now doing a little Q&A for 10 minutes and for the Q&A please keep in mind to respect Marie's privacy so don't ask for details about this the implant or something like that. Yeah the brands and stuff. We're going to tell you what OS she's running. People who are now leaving the room they are not will not be able to come to come back in because of measures. So let's start with the Q&A let's start with this microphone there. Hi first of all thank you very much for a very fascinating talk I'm not going to ask you about specific vendors however I thought it was very interesting what you said that most vendors were really supportive I would like to know whether there have been exceptions to that rule not who it was or anything like that but what kind of arguments you may have heard from vendors for example have they referred to anything such as trade secrets or copyright or any other legal reasons why not to give you or not to give public access to information about devices thank you. So we haven't had any legal issues so far in this research and in general they haven't been concerned about copyright I think they're more concerned about press bad press and and the hype you know what they would see as hype they don't want to see us scaring people away from these things with you know these stories right. Yeah that's also something I'm concerned of of course as a patient I don't want to scare my fellow patients from having life critical implants in their body because a lot of people need them like me to survive so the benefits clearly outweighs the risks in my case. But that seems to be their main concern like you know don't give us too much bad press. Okay next question from over there. Hello I wanted to ask you if you know about any existing initiatives on open sourcing the medical devices on on mandating the open sourcing of the software and firmware through the legal system be it in European Union in United States because I think I've read about certain initiatives about a year ago or so but it was just a glimpse. So there are some patients that have reverse engineered their development pumps I know that there are groups of patients that like the parents of children with insulin pumps they have created software to be able to have an app on their mobile phone to be able to to monitor their their child's blood sugar levels so that's one way of doing this open source and I think that's great. But nothing in the legal systems now no initiatives to mandate this for example on European level. Not so far that we've seen but that's something that can be discussed now I think it's really interesting to look into the legal aspects and the regulations around this. Thank you. Okay can we have a question from the internet? Yes from the IRC someone asks does your peacemaker have a bio feedback so in case something bad happens it starts to defibrillate? No I don't have an ICD so in my case I'm not getting a shock in case my heart stops because I have a different condition I only need to to have my rhythm corrected but there are other types of conditions that require pacemakers that can deliver shocks. Okay one question from that microphone there. Thank you very much at one point you mentioned that the connectivity in your pacemaker is off for now and is that something that patients are asked during the process or is that something patients have to require and generally what role do you see for the choice not to have any connectivity or any security for that matter that technology would make available to you so how do you see the possibility to choose a more risky life in terms of trading in for privacy whatever. Yeah I think that's really a relevant question as we mentioned in the social contract I really would like that the doctors inform patients about their different wireless interfaces and that there's a form decision whether or not to switch it on so in my case I don't have it switched on and I don't need it so there's no reason why I need to have it switched on but then again why did I get the implant that has this capability I should have had the option of opting out of it but I didn't get that they didn't ask me or they didn't inform me about that before I got the implants it was chosen for me and at that time I hadn't looked into the security of medical devices and I needed to have the implants so I couldn't really make an informed decision and a lot of patients that are like older and not so that don't really understand the technology they can't make that informed decision like I can so it's really a complex issue and something that we need to discuss more. Okay another question from there. Yeah thanks as a hacker connected personally and professionally to the medical world how can I educate doctors nurses medical people about the security risks presented by connected medical devices what can I tell them do you have something from your own experience I could somehow yeah so the issue with with software bugs in the devices I think is a real scenario that can happen yeah if you can repeat that story of debugging her like I think that makes the point and then try and adopt that hygiene metaphor that we had before where you know people didn't believe in germs and these problems before we're in that sort of era and we're still figuring out what the scope of potential security and privacy problems are for medical devices in the meantime please be open to new research on this subject right and that story is a fantastic illustration that we don't need evil hacker type or you know bond villain we just need failure to debug programming station properly right thank you very much okay another question from the internet yes from the IRC 20 years ago it was a common it was common that a magnet had to be placed on the patient's chest to activate the peacemaker's remote configuration interface is that no longer the case today it's still the case with some devices but not with all of them I think yeah it varies between devices how they are programmed and how long distance you can be from the the device thank you for your talk I have some many cool devices in myself too for insulin pump and sensors to measure the blood sugar levels um I'm busy with hacking that and do better software for myself because the pump have doesn't have the software have you ever think about it to write your own uh software for your peacemaker no I haven't thought about that until now fantastic I think that deserves a round of applause those because that's exactly what we're talking about another question from there well uh first off I want to say thank you that you gave this talk because once it's quite interesting but it's not that talk anyone of that is affected could hold so uh yeah it takes quite some courage and I want to say thank you so secondly thank you for giving me the update I studied medical technology but I finished 10 years ago and didn't work in the area and it's quite interesting to see what happened in the meantime but now for my actual question you said you got devices on ebay is it possible to get the whole communication chain so you can make a sandbox test of a yeah it's possible to get the device it's not so easy to get the the pacemaker itself it's quite expensive and even when we get one we have some pairing issues and like Marie can't be in the same room when we're doing certain types of testing and right so that last uh piece is difficult but the rest of the chain is pretty available for research okay thank you okay sadly time is running out so only we have only time left for one question and from there please thank you uh I'm also involved in software quality checks and then software qsc in Germany also with with medical developments and as far as I know it's the most restricted yeah area of developing products I think in the world it's it's just easier to manipulate software in a car exhaust system or breaking guard or something like this where you don't have to show any testing certificates or something like this the FDA is very high regulation part there do you have the feeling that it's a general issue that patients do not have access to these FDA compliant tests and and software qa systems yeah I think that the we should have more openness and more transparency uh about around this issues really it's I mean it's fantastic you do quality assurance I used to be in quality assurance um at a large corporation and I got tired and went and started doing pen testing and then I just thought of myself as paramilitary quality assurance right like now I just do it on whatever I want to test right so thank you for doing qa and keep doing it um and hopefully you don't have too many regulations but companies sharing more of this information is really the transparency and the discussion the open dialogue with a patient and a doctor and a vendor is really uh what we want to focus on and and make our final note we see some progress already the last year so the I am the cavalry group has had some great progress on having good discussions with the FDA and also involving the medical device vendors in the discussions about cyber security of medical devices and implants so that's great and I hope that this will be even better next year and I think you wanted to say one more thing to congress before we leave which is hack to save lives thank you very much