Our next two speakers include a neurology resident and medical consultant with an interest in medical device security. Prior to medicine, he was an industrial robotics designer. Our other speaker is a senior security engineer and security researcher at Spirent Federal Systems. He spends his time working on vehicle systems, UAVs and drones, encryption systems, IoT devices, medical devices, and semi-autonomous systems. So here to give their talk on medical device ethics and security, ladies and gentlemen, Dr. Stanislav and Vlad Gostomelsky.

All right, so we're going to be a little dense here. We have a lot of information to go through, and if you pay attention, we'll have some questions along the way. Spirent's very generous to be giving out some t-shirts for any questions you guys answer. So this is my profile, Vlad's profile.

So brain imaging, very important. I use it quite a bit, and it usually determines what I'm going to do with the patient in the acute setting. So can anyone tell me what's going on here? What kind of image this is? What are we looking at on the left compared to the right? Okay, what's going on on the left side? Why was this important? Well, actually, the bright area is representing a bleed. So this is a patient who came in. This is obviously a picture taken off Google; I didn't put real pictures from my patients in. The guy came in hemiplegic, and our job is: do we need to open him and drain the blood, or do we actually do something to break a clot, which is what a stroke is? So this gentleman gets a t-shirt here. So this is very, very important, and in a stroke, time is brain. So we need to make a decision quickly and we can't have any delays. Unfortunately, this happens. So ransomware creates a lot of problems.
Hollywood Presbyterian paid 17 grand; it affected their emergency room for a week, and they had to divert anything neurologically related to nearby hospitals because they couldn't get CT scans in time. Then the same thing happened in May of this year in the UK. WannaCry got them, and they were diverting strokes all over the place as a result.

And now imaging is being used as a defense for murder. So, as a scan of a patient, or actually someone tried for murder in '92: a gentleman choked his wife and threw her out of a window in Manhattan to try to claim she committed suicide. He was indicted for murder in the second degree, and luckily enough, he had a headache. He went to the ED from jail and they found this type of picture. This isn't his actual picture, but this is what they found. Basically, he had a cyst in his brain. It had been there his entire life, but this was very convenient for his defense. Now his defense is saying, well, he's missing part of his brain. When you show this to a jury, I mean, that's a great defense. So then they further qualified it. They did something called a PET scan to show that that cystic area doesn't function. They managed to get him a minimum sentence. And this has been the case so often that now almost 5% of all murder charges and cases are trying to use neuroscience as the defense.

Well, from a security side, what if images are spoofed? So I have an example. This happened to me. I was a doctor for maybe a week at the time. A patient comes in. He's 34 years old. I'm asked to see him because he's having trouble breathing. All right, you know, I got this, I read about this. Maybe I'll do an x-ray. I'll listen to him, and there are just crackles. And this is the image they give back to me. So I'm thinking, all right, what's going on? Anyone give me an idea of what they think is happening here? Sorry, go ahead. Yeah, that's exactly what it is. So I'm thinking, okay, well, he's getting worse and worse.
Do I put a needle in him and try to drain the fluid? I'm looking at the image some more. I think that's the face I probably had, because then I start looking at this down the middle. So, I mean, you see a spinal cord. You see the lung fields. You see the liver. And then you're looking at this fluid. And then I go back to the midline. Did I miss this? It looks like there are old scars from a cardiac surgery. So this guy had his chest opened and then sewn back together with metal. How did I miss this on my exam when I'm examining someone for shortness of breath? And I realized they switched images on me. It was someone else's first week too, and they mislabeled it. I mean, if this can happen by mistake, I think it can easily be switched up in another way as well, by someone like him.

So, also, computers are now being used a lot in the courtroom. Just a side note: there was a case in 2016. A gentleman was being tried; he was probably selling drugs and then he evaded police. He should have had a fairly small sentence, from what people were thinking. However, COMPAS was developed at that time, and they started using that in Wisconsin to determine what the trial length is, or sorry, what the sentence length should be for these people. And the formula is proprietary; they won't share the algorithm. And the guy actually received a pretty severe sentence because the computer told the judge he's got a high risk of violence, a high risk of recidivism, and his pretrial risk was very high. He tried to argue this multiple times in court, and this has been ruled as completely constitutional, and they're going to continue doing this.

So essentially COMPAS is a threat assessment system for humans. Just like a vulnerability assessment report for a network, it takes known data points about your criminal background history, about your current living situation, and creates a risk score.
So instead of failing a PCI assessment, you essentially fail at getting a lighter sentence.

So back to medicine. Implantable cardiac devices, very important. There are a lot of them; 10,000 are implanted every month. They save and extend lives. However, they can also be used as evidence. So there's a recent case, a guy who's charged with arson and insurance fraud. Basically, he called 911 and said, I grabbed a bunch of stuff, I threw it out the window, and his house is on fire. So the police thought this was very suspicious. Too many things didn't make sense. There were multiple points where the fire started. But luckily he had an implanted device, and these suspicious circumstances were enough to get everything into court, and they brought a cardiologist in, and he said these actions are highly improbable because of his medical condition. So that got them the warrant to get the data. And they looked at his heart rate, his demand, and how long he'd been gathering his things prior to calling 911. And that was enough to charge him with arson. And the charges were just filed in January.

Fitness trackers. They're awesome, right? We all use them. But now they're also being used as evidence in court. So there are a few good cases. I mean, they're piling up, really. So this first one: they basically managed to try this guy for murder because he was giving the police a timeline which didn't make sense to them. They used his email records and his wife's Fitbit data to basically show that she'd been moving around during a certain time when he claimed actually she was already dead. So there are a few more cases that recently came out; basically, a woman was charged with fraud after making up a rape case. And it's just really cool right now.
That's what people are trying to gather the data for, and they're using it as evidence.

So I keep hearing about medical devices and the Internet of Things coming closer together, how people can take charge of their own lives and of their medical care at home with all these really cool new devices. So I decided to start taking a look at some of those devices and actually see how secure the data is that they're gathering, since they are now being used in court, and how accurate they are and whether or not you can spoof the data. Can they actually frame somebody for murder? Or can they fabricate some evidence to exonerate somebody for murder or arson?

One of the most common devices: I decided to get my hands on some blood pressure devices, because that's apparently the second most common device that people are buying for home monitoring, the first one being one of these cool little wearables that track you and broadcast a Bluetooth beacon. I got my hands on the Omron one because that was actually the one recommended by many nursing homes and actually is the model that's purchased by many nursing homes. It's really cool. It supports logins, supports a large number of users, so somebody can actually log in as a caregiver, as a nurse, or somebody can log in as a patient. They can go in and start taking their own samples. I also bought some Chinesium, one of those cool little iHealth ones, just because it was on Amazon. And I started gathering some data points. The Omron one was giving me fairly consistent data, meaning the samples were close to each other in numbers. However, the data was wildly inaccurate. Just how inaccurate? The device actually told me to seek immediate medical assistance. I actually ended up calling my brother and going, hey, these are the readings I'm getting. Should I go to the emergency room?
So I had my blood pressure verified manually, and it was nowhere near close. I mean, my blood pressure was not perfect, but it was significantly better than what the device was telling me. So the next step is, I called Omron and said, hey, this device is inaccurate. How can I calibrate it? And they said, well, it doesn't support calibration, but we'll send you a new one. So I was thinking, it's got this Bluetooth interface. Let's keep playing with it. Turns out that you actually can calibrate it, and you can calibrate it remotely. And it doesn't actually need the Bluetooth association PIN to be recalibrated. I was able to recalibrate it from outside of my house. It's still not giving me correct data, but I can give it more inaccurate values, which I guess is good.

Next, X-ray machines. Dentists absolutely love these things. If you're in the dentist's office, they can take a look at your mouth, they can identify cavities. And X-ray machines are now actually digital. Today they actually get pushed to the central imaging server within an office, and a lot of times a copy is made to the insurance company. I was trying to figure out how these things work. And actually it turns out that they're using an X11 server with no authentication, no encryption turned on. They are also using an FTP server with default credentials as shipped from the manufacturer. And they don't let you change the authentication. So all you have to do is spoof the FTP, sorry, all you have to do is intercept the FTP login, since it's clear text. You've got your credentials. Now you can go in and change the images around, fake cavities for yourself, mess with insurance data, create unnecessary medical procedures, possibly.
If you're wondering how I got my hands on one of these, it was definitely not eBay, because medical devices are illegal to buy and sell without appropriate licenses and FDA licensing. So we definitely wouldn't do that. Of course, the very first thing I did when I got my hands on one of these was try to image the weirdest thing I had, which turns out to be a 4000-lumen light. For those of you who haven't seen one, that's one of the largest SureFire lights that they make. And I thought it was kind of cool to take a picture of it.

So, what's your favorite search engine? My favorite search engine is Shodan. What it does is, it goes out and it grabs information from different ports on different machines that are accessible from the internet, and it continuously scans all of the internet, all of the ports. My buddy Dan Tentler likes looking for open X servers, and one time he shot me a link and I opened it and I thought, that's kind of cool. So this is actually an fMRI machine that's connected to an open X server in Iran at a research institute. So we didn't violate any U.S. laws; this is a machine in a foreign hostile country. I don't even know if the patient was alive or dead or what the subject of the fMRI was, but we were able to find a large number of fMRI machines connected to the internet with open X and no authentication. We did not poke around any of the ones in the United States, but there was a significant number of them in the United States that were open, according to Shodan.

I decided to start looking at some of the medical devices used within the hospital, because I was seeing the same news stories you were seeing about WannaCry and ransomware. So I was curious just how vulnerable things like blood infusion pumps were, heart rate monitors that were used in hospitals. It turns out quite a few of them are running Windows.
It's a somewhat slightly locked-down version of Windows XP. They're still running XP because of licensing issues for the medical devices and because of the drivers that exist for the medical devices. So, again, we started getting some devices, started playing with them, and if you're seeing the wireless signal, you're not missing things. It actually is all wireless. We're not going to embarrass the company whose device we were able to get our hands on, so we covered it up with our logo. If you're looking at this picture, you see the FCC ID. So it's as simple as going to the FCC website, looking at the FCC filings, and you can pull up all the data about its, quote unquote, encryption scheme, radio transmission scheme, Manchester encoding, all that good stuff. It uses this technology called smart hopping. It does power metering, which means that what it's actually trying to do is maintain an electronic medical record. So if it doesn't get a confirmation from the base station that data was received, it keeps ramping up the transmit power. And since these are wearable devices, it actually went to just a bit over one watt, which is kind of cool for a device that you're wearing that's touching your body. It has automatic retry, so it'll keep broadcasting over and over again until it gets confirmation of transmission. It does some error correction. And as I mentioned, it's supposed to be an electronic medical record, so it's not supposed to be spoofable. It's supposed to be an accurate record. Does anybody know what the security protocol is that's built into this? It's actually the fact that it's on 1.4 gigahertz, and it's not the same as the devices in your laptop, so it's secure. That's essentially what the specs told me. So that was cool. You definitely can't buy 50 of those on eBay. Apparently I'm not the only one that came to the same conclusion.
There actually were recalls on several of these devices. Not all of them, just some of the earlier ones. So essentially the manufacturer is playing games: they're acknowledging issues in some of the older devices, pushed some firmware updates, and actually forced a lot of hospitals to buy the newer version of the same device, which also still does not use any encryption protocols and still uses 1.4 gigahertz.

Some of the references, if you want to go back and follow up on some of the cases that we mentioned in this presentation. Any questions?

So what would be the highest-risk piece of equipment in a hospital if it was hit by ransomware? What would cause the most disruption for a hospital? What needs to be protected? What needs to be protected the most?

Well, I mean, from my end, because I take stroke calls all the time, for me the CAT scan is everything, because that's the only thing that can make me come to the conclusion: am I pushing this medication that is going to destroy every clot in the body? Or do I need to worry about taking the blood that the person's bleeding in their brain out? So if I push this medication at someone who's bleeding, they're just going to die right away, and it's going to be my fault. So that's the one I focus on, and to me it's very sensitive. But I mean, any focal point, depending on each specialty, I think matters. For nephrologists, I mean, the dialysis machines, if they're hit, and they're all digitally controlled, that's going to be a huge problem. But you have more time at least with that to transport a patient somewhere.

My answer would be to follow the money. If the financial systems, the transaction systems, the billing systems go down, the hospital will certainly simply not be able to operate. Doctors will be sent home; they're not going to be paid. Patients are not going to be able to be billed.
So even if all the medical devices are functioning, you can essentially bring the hospital to its knees and make it inoperable.

I took a scenario to the head of a hospital. I said, what if you got a ransomware thing and it said, we're not going to encrypt your patient files or something like that. We're just going to, we know you have a Picker X-ray and a Siemens MRI and we know the vulnerabilities on those. We'll just kill a patient every other day. And the guy just put his head down in his hands, right? Is that a plausible scenario, and are those vulnerabilities out there somewhere on the dark web?

So I'm not going to comment about a particular manufacturer that has been really terrible about patching known zero-days that have been reported to them for over five years. However, I will say it is very feasible. If you go on Shodan and you search for particular medical devices by model number and by manufacturer, they are out there, they are connected. Typically the most connected devices I find, wide open on the network, are actually in research institutions. But the hospital networks are not bulletproof. We know there are a number of vulnerabilities that let an attacker from the internet actually pivot to the internal hospital network. So if you're talking about a determined, skilled attacker, yes, that's certainly a feasible scenario.

And would you also agree that they can't afford to replace those machines? We're never going to have a perfect machine; there are always going to be vulnerabilities, right? And if they're five million dollars, they can't replace them.

So what we see in larger hospitals is that there are actually multiple machines, not just one machine. So they could, for example, take one offline, which often happens for service. A lot of times they'll have a newer machine that's a higher resolution and has a longer wait time, but they can use an older machine for diagnostic purposes.
Hey, one more little one. I took it to IBM Security and said, oh, of course there's an answer, just air gap it, which is ridiculous, right? Tell me it's ridiculous.

So air gapping is excellent. However, what typically happens is somebody may want to look at the data, for example the fMRI data, from their home, or a doctor may, for example, be emailed the imaging scan instead of having to drive into the hospital, so that typically doesn't happen. Years ago, fMRI data was transferred on CDs, just because of the size of the data; they would write the CD or DVD with a PDF file, but now it's typically emailed across.

And, I mean, MRI is actually interesting because all it takes is a small hit. So this happened in my hospital a couple of months ago. They were cleaning the MRI area, and the cleaning service accidentally hit the emergency button on it. Well, the MRI is always on, it never turns off, and it takes a few days to spin up for it to work again. So by that one action, we were out for a week. We couldn't do any scans. So an attack at that point, I mean, no matter how small or how non-disruptive it is, it's still going to delay you by a week.

So, like earlier, you mentioned that a lot of legal cases are using neuroscience as perhaps a defense. I was actually wondering to what extent would perhaps a blood clot in the front of the brain get someone off? Would it really make them able to be tried as a different person than when they actually committed the crime? Or could you just maybe talk about to what extent that actual blood clot would affect the legal defense?

So in this case, it was a cyst that the gentleman probably had his entire life. And what they used that for, they used that to get him off, on the basis that he was not sane enough to be there or healthy enough to be on trial.
And they were saying this medical disability is what made him not able to function at a normal level like anyone else. So his actions, he wasn't responsible for. If it was something transient like you're describing, I don't know of any cases where that's happened yet. That'd certainly be a plausible scenario for someone to have this transient state, commit an action, and then say that was the reason why it happened. You'd just have to prove that that happened during the time, whether there was a clot or something of that nature.

So what we've seen in cases where somebody had a tumor, they were able to successfully argue diminished capacity. So even though the tumor was removed, they were still confined to a psychiatric institution until such time as the state of New York was able to be comfortable that they were no longer a danger to themselves or others. So people aren't completely let go. They're still typically institutionalized. But they're either tried with diminished capacity or held in psychiatric institutions.

There have been cases where people use intoxication as a defense. And the way I understand the law right now is, if you chose to take the substance, you're liable for any actions you take on the substance. If it's slipped to you, then it's a different story.

Yeah, there was also a case a few years ago. There's a gentleman who had a sleep behavior disorder. He was sleepwalking and he murdered his wife, got in his car, drove to his ex-wife's house and killed her. And I think he actually used that as a successful defense, if I remember right.

So in that case, he actually had a documented history of a sleeping disorder. He had a history of sleepwalking that was documented. He had sleep studies. So this wasn't something that they sprang up as a defense at the last second.
He actually had the medical history to back up those claims in advance of the act. Yeah.

So in hospitals, buying medical devices, do they have many choices, like which vendor to use, and is security ever a factor in those choices?

So in the past, it hasn't been. What you're seeing hospitals doing increasingly is actually performing penetration tests and performing assessments, even though vendors expressly forbid them, and they're using the results of those penetration tests for their buying choices and then contract negotiations. So you're seeing that increasingly, and I hope that the trend does continue, because, as we find in some cases when we do penetration tests, when hospitals look at their agreements, it's expressly forbidden for them to perform any independent penetration tests on the hardware. They don't own it; they simply license it, even though they paid for it.

Those medical devices that are not on the internet, just on the internal network, right? Do you often find that they're segregated from the main corporate network, like user land, or are they just there for everyone to access?

So, a few good points. Even in cases where they are separated, it's not actually a separate physical network, it's simply a VLAN, and we know VLAN hopping can easily be accomplished. Also, the internal network can often be connected to from the outside, whether it's by wireless vulnerabilities, or by improper configuration of their AD servers and improper configuration of their VPN servers. Some of their financial systems that have to be dual-homed are actually connected to the internet.

And so, for example, if you can remotely connect to them, do you find that you can completely compromise that device and perform all the operations, or is there usually a manual part to it?
From what you've seen?

I couldn't even really call it a compromise, because what you're doing is downloading configuration software for the machine, downloading firmware, and simply pushing it. Those devices implicitly trust the configuration software; they don't require any server authentication. So as long as they're getting the configuration packets coming in over TFTP, they're happy to comply.

Okay. Thank you.