Without further ado, I'm going to let him introduce himself, but thanks, guys, for attending. I know it's Sunday morning; hopefully you're not super hungover. All yours.

Good morning. This is the presentation "Jumping the Epidermal Barrier." My name is Vlad Gostinowski. I've been doing penetration testing, red team stuff, and breaking embedded systems and medical devices professionally for about 18 years. To do research for this talk I worked with Dr. Stan Nigin. Unfortunately, he couldn't be here today because he had issues with his flight, something about delays at the airport and somebody taking a flight for a joyride.

Quick disclaimer: the opinions are my own, not my employer's. There are FDA regulations about devices; the device we're going to be talking about does require a prescription. You're not supposed to just go on eBay and buy one. You're not supposed to just order one from Europe and have it shipped to your house. So definitely don't do that.

I'm not picking on any one particular vendor. The device I'm presenting on today is actually one of the slightly more secure ones that we found. We found devices that were far worse, and until somebody actually fixes them we're not going to release the findings publicly, because it's only fun to kill people when it's in a fantasy report, not real life.

The device we're playing with is an eBay device; it's a continuous glucose monitor. For those who don't know, let's quickly go over what it is and what it does. As I mentioned, it is a controlled device.
You can't just walk into a CVS and pick one up unless you have a prescription. The reason people use them is that they don't require continuous finger pricks; it's a device that is continuously attached to your skin. According to the FDA filings and the FCC filings, the sensor is supposed to work for 14 days. For some reason, the sensors I've been given only work for 7 to 10 days.

The way the sensor communicates with the reader is using an RFID protocol. It's a passive sensor in the 13.56 MHz range. It's supposed to be readable to 3 meters; from what I've been able to see, it's actually more like maybe 1 meter. It's a fully passive device, meaning unless you have the reader near the sensor, the sensor will not broadcast information. You essentially have to ping the sensor. It's not like your E-ZPass, which is an active transmitter; it's more like the tags you see in the store, or the kind of tags your employer typically gives you to badge into a building, which are most typically passive.

This is roughly how the ecosystem is supposed to work. There are three typical use cases. The one that really got me interested in doing this research is the continuous glucose monitor attached to your skin, paired with a pump that actually injects insulin as needed, based on the way that you and your doctor configured it. The second use case is just using the reader, and being able to use the reader to inject insulin yourself or to take other action based on the numbers. The third one is if you have a cell phone that can do RFID reads: you can hold your cell phone up to the reader, get the reading, and it can then push the information to your watch, or push it to Apple Health or whatever other management software you use for your readings.

As I mentioned, when we selected this device for the presentation, it was one of the less horrible ones that we've seen. The way the ecosystem works is that this reader actually activates the sensor. You're not continuously broadcasting, unlike some of the other sensors you've seen on the market. If you were to take a sensor and come up to me, your reader would not be able to read my sensor because it hasn't been paired. That's completely artificial. It uses an RFID protocol, so you can actually do a wide-band scan and read any kind of RFID device. So the logic in this reader is what prevents it from reading somebody else's sensor. Once you activate the sensor that's attached to you, you can actually configure it to be readable by any reader or by the phone. But when you first place a sensor on your skin, it is in a non-active state and it cannot be read by a phone; it has to be activated by one reader, and by default that's the reader that's paired to it. After that, this reader will only be looking for that particular card ID.

Some of the things we didn't like about this: the sensors are artificially time-bombed. As I mentioned, I was getting about 10 days' worth of readings from my sensor. Upon opening up the sensor and examining the battery, the battery still had sufficient charge in it to operate quite a bit longer. We're speculating that this may have something to do with the sensor calibration or sensor corrosion, since there is a needle that pierces your skin.
The needle is actually slightly longer than I was expecting when I went into this research, compared to other needles. The battery life, as I mentioned, is pretty impressive, but it's artificially time-bombed to make you buy a new sensor. By the way, each of these sensors that lasts only 10 days is 100 bucks. And it's set up to require authorization. I mean, keep in mind, it's authorization, not authentication, so it's actually quite easy to bypass and spoof.

So this is what the two major components look like. This is the reader, and this is what a packaged-up sterile sensor looks like before we apply it. I'm hoping not to fly with it, with the TSA trying to pull it off, because sometimes they're not too familiar with this hardware.

As I mentioned, there's no actual authentication. When this sensor is placed on your skin, it will accept activation from any reader. The reader looks for a particular serial range of sensors, so if you have an American reader and you buy a sensor from Europe, it actually will not activate. They're trying to force you to pay US prices for these sensors, which is pretty interesting.

Looking at this device, you'll notice that there is a USB port. The device does support USB mass storage, but it's not activated by default; you actually have to mess with the firmware to activate mass storage, and then you can pull an entire CSV file of your readings off of this device. You can also push firmware updates over USB. I have not been able to get my hands on an official firmware. I've seen some on the forums, but they were not for US readers, so if anybody does have a copy, I would love to get my hands on it. The device is also running a USB debug interface, so it's easy to fuzz and make the device crash.

It's also possible to introduce false readings into the device, which gets us into data integrity. If you were to use a standard RFID reader, you could read a tag, modify the data, and change the glucose reading and change the timestamp.
You can write it back to the reader; there's no integrity check. It's also highly susceptible to replay attacks. For example, I can take a reading, and since this device doesn't keep a timestamp, I can keep playing back the same reading and the device will happily log it, which is pretty bad if you're relying on it for making medical decisions or treatment decisions. What we found is that a lot of times the patients will actually call their doctor to discuss the readings before taking action if they're out of norm, so the doctors also rely on this data to not make somebody come into the hospital. From speaking to doctors, some of them will make a patient actually do a finger-prick reading as opposed to just relying on a CGM.

There's an add-on product that works with the sensor. It provides a Bluetooth bridge, which means that even if your phone doesn't have an RFID interface, you essentially wear a band over your sensor and it'll continuously transmit your CGM data. There are some really fun Bluetooth attacks, which means you can actually force a legitimate cell phone to unpair from the Bluetooth bridge and you can then pair with that sensor. Since it's not made by the same manufacturer as this glucose monitor, we didn't focus on it too much, but you can read up on it. The Bluetooth bridge is actually not a prescription device; you could buy it and play with it, because the FDA-regulated device is the sensor and the reader, not the Bluetooth bridge.

There's also a long-range RF bridge. This is mostly designed for institutional situations where somebody may be in the hospital and they're trying to collect large amounts of data all at the same time. We were able to find one on eBay that was decommissioned by a hospital, and we were playing with it using a HackRF. We ended up writing a small little program for the PortaPack, so you could actually just walk around with the HackRF and the add-on and continuously pull the data from people around you wearing CGMs.

So this is what the device actually looks like cracked open. This is the part that goes up against the skin, and the needle module is right there. It's been removed, but there's a very long needle that would come out here, and a little metallic seal.
There's the battery pack and the sensor. The wire trace you see going around the perimeter is the actual RFID antenna. This is what it looks like; as I mentioned, the needle is a little longer than I was expecting before opening it up for the first time. This is the clear cover, and this is the part that will be facing outside when the sensor is deployed.

Quickly, before we go any further: you'll notice the tamper detection and tamper protection on this device, namely, there is none. Essentially, if you get your hands on the sensor, you could open it up, you could modify it, you could reseal it, and there's no way to know the sensor has been tampered with. The packaging itself is simply sterile packaging; it doesn't really have any tamper detection or tamper protection. It's fairly trivial to get this open, modify it, and reseal it so you have no idea it was opened.

This is a shot of the actual reader opened up. Again, no protective seals on the outside. Sorry, no tamper evidence on the outside, no tamper detection, no tamper protection inside. After the device is cracked open, you can easily modify it, reclose it, and it'll continue to operate without any issues.

So after realizing that it has absolutely no protection for reads, that it's a completely passive device, I had a really cool idea: how much data could I harvest about people around me who actually do wear CGMs? Since it's using simple RFID at 13.56 MHz, I was thinking how cool it would be to actually build some kind of a doorway sensor, something that you could place in a kill zone, so as people walk through you could force a reading from their sensors. Obviously, there are a number of solutions for this. This particular solution is actually at a school, for attendance, so somebody could read student IDs. I was hoping to get something a little less intrusive-looking, something that would be essentially almost invisible and not make people ask questions. You'll notice there are two readers in the doorway. That's kind of the level I was going for.

The mock-up was a little rough, but I think I still nailed it: a cheap Chinese RFID card reader, a nice large antenna, a Raspberry Pi, a battery pack, and the seven-inch LCD for the Raspberry Pi.

Privacy risks: as I mentioned, it's a passive sensor with no authentication. The simple authorization is essentially based on good faith, so you could read it with any commercial reader. So you're essentially getting into medical privacy risks. Somebody could walk around and continuously poll the reader and gather the same medical data that is only really meant for you and your doctor, so you're getting into HIPAA violation issues.

Data integrity: it's fairly trivial to read the data, and if you have a device that's transmitting at more power, then you're now broadcasting the new glucose readings. It's fairly trivial to get more power. This sensor, when activated by this device, uses 0.3 watts, which is pretty much nothing. It's very feasible to get your hands on transmitters that will push out one or two watts at 13.56 MHz. The best reader I found to actually emulate it is this one; you have an entry price of under fifty dollars to play with this. There are cheaper readers; this one is in the twelve-dollar range, but the range is very limited. You're getting three to six centimeters of range, which basically means you're essentially at contact distance.

We did disclose some of the findings. We were working with a manufacturer whose device actually fared worse than this device first, simply because of how easy it was to mess with the data. Any questions?

Yes. So the question was if I had any trouble working with the equipment or debugging. It was actually fairly straightforward, because it's a consumer medical device.
It's meant to be used by kids. It's meant to be used by people with no IT experience or medical experience. The hardest part was actually getting the sensor onto you and getting it to stick. The actual RF part was very straightforward, because, as I mentioned, it's just RF, the RFID protocol at 13.56 MHz; there are already tons of tools to work with it, to parse the data, and to transmit.

Yes. So my thoughts on why they're using the RFID protocol: they use it primarily for power consumption, because they're using a passive protocol; the reader polls it and provides the actual power. There are ways to do it more securely, but it would make the sensor a lot bulkier than it currently is, and heavier. They could license a different frequency, for example, and not use 13.56 MHz. That would force an attacker to retool, use different antennas, perhaps change the code a little bit, but it wouldn't be possible to use the tools already out there, essentially prepackaged for an attacker.

Yes. We have not spoken with this particular vendor; we don't have a really good point of contact for them. We've contacted the other manufacturers that we used for the initial research that we've done. The vulnerabilities with 13.56 MHz RFID are widely documented. As far as the vulnerabilities we found with the replay attack and USB, we feel that's really up to their R&D department and their own internal security department. It feels like they haven't really done basic security testing on their own.

There's a new law in Europe, the General Data Protection Regulation. These things are sold in Europe, right?

They're sold in Europe and Eastern Europe, yes, as well as the United States.

What do you think of the possibility that, if there was an actual privacy breach, someone could file a GDPR complaint and the company could be fined four percent of their annual income?

That's pretty interesting. You could essentially do that by forcing an event. As I mentioned, if you were to place a reader in there and do something similar to Wall of Sheep and just transmit people's CGM data on the wall, you've essentially forced the event.

Yeah, you need to have it happen kind of more in the wild. You know, if somebody else did it, like, you wouldn't want to be, if you were going to file a complaint, you wouldn't want to be part of the cause.

Essentially it needs somebody to set up a sensor and a projector right there in an airport and broadcast on the wall, and there you go.

Okay, well, I predict someone will do this within the next month or so. Maybe not on this device, right?

It might happen in the next 24 hours as everyone's flying home. Any other questions? I'll be around offline if you don't want to ask publicly. Thank you very much for coming.
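Added example, not code from the talk and not the device's actual over-the-air format (the talk does not document one): a Python simulation of the two integrity failures described above, a reader that trusts any frame carrying the paired sensor ID, so a modified glucose value or a replayed capture is logged, beside a hardened reader that checks a per-sensor HMAC and a strictly increasing counter. The frame layout, the field names, the `run_scenario` helper and the per-sensor key are all assumptions made for this example; in a real design the key would have to be provisioned at activation, which is exactly the step the talk says the device skips.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption for this example, not the real
# device's format): sensor_id (4 bytes) | counter (4 bytes) | glucose mg/dL (2 bytes)
BODY_FMT = ">IIH"
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 16  # truncated HMAC-SHA256 appended by the hardened variant


def encode_frame(sensor_id, counter, glucose_mg_dl, key=None):
    """Build a tag frame. With key=None the frame is unauthenticated, like the
    readings the talk describes; with a key, a truncated HMAC is appended."""
    body = struct.pack(BODY_FMT, sensor_id, counter, glucose_mg_dl)
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def tamper_glucose(frame, new_value):
    """Attacker rewrites the glucose field in place, leaving everything else untouched."""
    sensor_id, counter, _ = struct.unpack(BODY_FMT, frame[:BODY_LEN])
    return struct.pack(BODY_FMT, sensor_id, counter, new_value) + frame[BODY_LEN:]


class NaiveReader:
    """Authorization only: filters on the paired sensor ID and trusts the payload."""

    def __init__(self, paired_id):
        self.paired_id = paired_id
        self.log = []

    def ingest(self, frame):
        if len(frame) < BODY_LEN:
            return False
        sensor_id, counter, glucose = struct.unpack(BODY_FMT, frame[:BODY_LEN])
        if sensor_id != self.paired_id:
            return False
        self.log.append((counter, glucose))  # no integrity or freshness check
        return True


class HardenedReader:
    """Authentication plus replay protection: a per-sensor HMAC key (assumed to be
    provisioned at activation) and a counter that must strictly increase."""

    def __init__(self, paired_id, key):
        self.paired_id = paired_id
        self.key = key
        self.last_counter = -1
        self.log = []

    def ingest(self, frame):
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # modified reading, or a frame from a sensor with another key
        sensor_id, counter, glucose = struct.unpack(BODY_FMT, body)
        if sensor_id != self.paired_id or counter <= self.last_counter:
            return False  # wrong sensor, or replay of an already-seen frame
        self.last_counter = counter
        self.log.append((counter, glucose))
        return True


def run_scenario():
    """Replay and tamper one captured reading against both readers; returns what each logged."""
    sensor_id = 0x1234ABCD
    key = b"constructed-per-sensor-key"  # constructed sample key, not a real one
    naive = NaiveReader(sensor_id)
    hard = HardenedReader(sensor_id, key)

    # Legitimate reading: 110 mg/dL at counter 7.
    plain = encode_frame(sensor_id, 7, 110)
    signed = encode_frame(sensor_id, 7, 110, key)
    naive.ingest(plain)
    hard.ingest(signed)

    # Replay: the attacker re-sends the captured frame three times.
    for _ in range(3):
        naive.ingest(plain)
        hard.ingest(signed)

    # Tamper: rewrite the glucose field to 40 mg/dL, a dangerous low.
    naive.ingest(tamper_glucose(plain, 40))
    hard.ingest(tamper_glucose(signed, 40))

    return {"naive": naive.log, "hardened": hard.log}


if __name__ == "__main__":
    for name, log in run_scenario().items():
        print(f"{name}: {log}")
```

The naive reader ends up with five entries, four identical replays and one forged hypoglycaemic value, while the hardened reader logs the single genuine reading. The counter stands in for the missing timestamp: it is the smallest piece of state that makes a replayed frame distinguishable from a fresh one, and it only helps because the HMAC stops an attacker from simply incrementing it.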