Hey everyone, so I'm V and Poison Pixie and I'm here to talk to you guys about that little device up there that's implanted in my chest. So one big, I think it's 2012, I read an article about Barnaby Jack, and by then I'd had my pacemaker for a good couple of years, and realizing, oh my god, this is a fucking disaster. But being who I am, I find this my motto in life. My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security of their code and not just the traditional safety mechanisms of these devices. This is something that I take with me every day.

You'll see at the end there is a little puzzle for you guys to solve. I have a saying, "beautifully broken, wonderfully flawed," because that's who I am. My heart is effectively broken in so many ways and my device is flawed, but I still find the beauty and the science that keeps me here every day something worthwhile. For me, we're moving into an age where human beings in the traditional sense of being flesh and blood will no longer exist. I, in the traditional sense, am no longer human. The most major part that keeps me alive is bionic, mechanical and technology, and that is the science of heartbreak. That is the science of me and who I am. I refer to myself as a genuine cyborg, a non-human hacker, half technology, half flesh and blood. I passionately live through every beat that my pacemaker gives me, even though it traditionally sometimes does fuck it up. We all know how technology is: it's built by humans, it's not built by machines yet, and it does break.

I believe that we as a community need to break things to make them better, because how do we know that a perimeter can be breached? We first have to break in. We cannot anticipate what needs to be fixed unless we know how to break them. This is a brief history. In 1958 the first pacemaker was implanted. That is very long ago, I was not born yet. So this technology has been around for years.
Basically, everyone should know what a pacemaker is. It is a little device that listens to your heartbeats and acts as a way, a mechanism, to keep your heart beating when your natural pacemaker fails, and Larsson was the first one to receive this device. At that stage there was no network connectivity. Today we find pacemakers that have wireless connectivity that connects to a programmer next to a patient's bed across wireless, that a doctor can interrogate and make changes on a regular basis sitting across the world, because apparently, according to the manufacturers, that was an excellent idea.

We've seen recently, I did some research because I thought to myself, I believe we can do better. But how do we know we can do better unless we know what has gone wrong? 1985 to 1987, six patients received harmful radiation from their pacemaker. Such thoughts were very slow. 2002, a network was flooded and cardiac patients could not receive critical changes to their devices because the hospital was unable to facilitate these changes. In the 2000s we started seeing recalls on ICD defibrillators.

Now here's the scary thing with an ICD. Your heart muscle is, in my opinion, your most sensitive organ. If it is over-shocked or overstimulated it simply dies. There's no way to regenerate it at all. So I have an ICD implanted that acts as a pacemaker. So I'll get to a little later where I did some research on the FDA and how they passed my device and the flaws that they passed within my device.

2006, we saw software updates released for pacemakers, especially when attacks started being facilitated on these devices. And that carries on to 2008, where we started seeing the vulnerabilities being exposed by the likes of Barnaby Jack and other researchers. 2008, one of the biggest medical manufacturers, Medtronic, was taken to the Supreme Court for flaws within their devices. 2011, I think it was at DEF CON, when Jay Radcliffe displayed how you can hack an insulin pump, and it just carries on.
And this is where my journey started, in 2012, where I decided that I no longer want to trust what the medical practitioners told me. I want to know how my device works. Now someone like me that has a device, I have been told that the device is not my own, it belongs to the medical manufacturer. Here's the kicker: they might have that user agreement with my doctor, they don't have that legally with me. I feel that if my device is there to keep me alive, I should have the right to test it. I should have the right to know how it works. I should not have security through obscurity. I think they should be more open and let security practitioners know how their devices work.

And if anyone has ever dealt with medical companies, they will realize that some of them are pure bullies, they are souls. As much as they are awesome in designing innovation, innovation is what they focus on. They don't focus on security, we just want the next new big thing. But I say if we want to be innovative we should be secure. I'm not saying lock the device down. There is a very fine balance towards having a device that is accessible and secure, having information available to medical practitioners at the touch of a dial, but we don't have to open it for bad people, and it's not necessarily to say that it will be a hacker that will attack a device. If I ask anyone in the audience who kills, who's a murderer: anyone that can stab someone has now got the ability to access these devices wirelessly and facilitate the attack. We can now have murder from a distance and no longer just from far away.

For me what is important is ensuring the security of these devices for the future, because if I ask you, for example, what do you think would happen if the first pacemaker gets hacked? Do you think someone else would get another device? No. So we go back 10 years. That is not the aim. The aim is to fix this going forward, that we're in a position to keep innovation going.
Now I'm going to share something very personal, and it's something that I've never shared in public: how I was diagnosed and what led me on this path of getting my pacemaker. At 19 I was admitted with heart failure. My conductive system simply does not work and I had to get a pacemaker. Now in South Africa you have medical aid. Our medical aid declined to pay for my pacemaker, meaning that effectively, according to medical personnel, I had two weeks left to live at the age of 19. I prepared myself to go home because I refused to die in a medical environment. I wanted to be surrounded by my mom, my dad, my brother, my family, my people, and on the way out my doctor stopped me and said, you know what, you're going in for surgery, I've paid for your pacemaker. So I'm here today doing what I'm doing because I got a second chance. I got a device that has saved my life from the age of 19, has given me two amazing little girls that I would never have had, but I have concerns about my device.

In January I was admitted again, because I got a new pacemaker two years ago and my pacemaker failed. It did not resuscitate me and I spent eight minutes clinically dead. After, here's the kicker, after the device was tested by three technologists from the medical company stating that there's no errors on the device. It still failed and no one can tell you why.

This is a little poem that the medical practitioners use to explain what a third-degree heart block is. If the R is far from P, then you have a first degree. Longer, longer, drop, then you have a Wenckebach. If some P's don't get through, then you have Mobitz II. If P's and Q's don't agree, then you have third degree. Basically means my heart cannot pump on its own. It is unable to relay communication for it to contract together. So it flatlines. Now my device that I have has been passed by the FDA. Now who here knows what a pre-market assessment is?
What that means is that one clinical trial with a small amount of people is done to test whether this device works. In the United States we have more stringent and strict tests for drug FDA posts than we do for medical devices. Which for me is a bit of a problem, because if you take the wrong medication, that can be reversed. If you receive a shock from an ICD which is higher than what it should be, you die. We have a whole idea of how these devices are passed. Absolutely confused. And I think that the FDA should start stepping up, start fixing legacy shit and just do what's right.

Here is something that I did with my cardiologist before I came to DEF CON. He's got one of the biggest brands in South Africa that he supports. I cannot name their name. I have been told not to say any manufacturer's names. While I was undressing, how it works is I go in every six months. I lie down and my heart gets stopped and started in a very degree to test my device. I took a rubber ducky and I placed it behind the programmer, with permission from my cardiologist. And I managed to capture everything that he changed, along with all my PII information. What was wrong? What events were noted for the last six months? Now it wasn't just for mine. It was everything that has been stored on that device. And that's where the problem comes in. We've got these phenomenal programmers running XP, having USBs activated, hard-coded credentials, no encryption, no command whitelisting. It's just badly built. It's not that it's just unsecure. It's that the fundamentals and basics of secure development have not been adhered to.

I fight a battle at the moment where I don't have a cardiologist no more. The medical company that owns my device, or manufactured my device, has effectively put so much pressure on my medical staff that support me that they can no longer help me with any of my research. So I am without a doctor.
I'm without support, fighting a battle that is pretty much on my own, until I found a small group of people that let me in today. I don't know, does everyone know who I Am The Cavalry is? They're pretty awesome, important. We need to be able to verify the software that we use with end devices, because most of the problems that I had in January were due to machine learning failing and software bugs. And would you believe that when asking the medical manufacturer to see the code, to review what is keeping my heart rate going, I was declined access to this code because it's proprietary. So they are practicing security through obscurity. So I have to trust a big corporate that what they are saying is good, effectively, is what is going to keep me alive.

This is what the FDA has passed on my specific device, and they have said that these are acceptable risks. My electrical component failed in January, causing me to flatline. It does not connect with the programmer who will not always retain its settings. It will reset to default. And I've actually experienced this. I took the chance to reach into the wireless village because I like living dangerously. And needless to say, within about half an hour I started feeling ill. And just because we need to be scientifically correct, we replicated it for a second time. So if anyone's got a pacemaker, stay clear of the wireless village, there's way too much signal going about. But these are devices that should not be that sensitive to signals going on outside the body, because technology is signal driven. It is simply not there to be that sensitive. I am convinced these medical companies are building snowflake devices, because I think my device has got more emotion than I do.

This is what my device costs, and this is excluding the leads. So I have a little battery running my programs, running my software, with two leads. And when they need to be replaced, it's not simply like popping out, open my skin with a little tag.
They cut me open. They take out the whole device, hoping not to rip out the leads connected to my heart. So you can see that when a device is recalled, it's a bit of a fuck-up. You have to go into a hospital and have surgery. For example, St. Jude fixed their problem; however, the legacy devices are unable to be firmware updated, those patients will need to have new devices implanted. They will need to have surgery because the manufacturer fucked up. This is just to explain exactly how the FDA passes their information.

So one day I decided to sit outside the doctor's offices with a backpack and a hoodie, because that's what we wear. That's what I wear every day. And I black boxed. I just listened and I learned. What do you guys think I picked up? Anyone? I managed to capture communication between the programmer and the pacemaker, meaning I could potentially replicate a man-in-the-middle attack. Sitting outside my doctor's offices, just listening, looking like any normal patient. Again, this was all done with permission from my cardiologist, who at that time was very supportive.

This is one of the attacks that we theoretically formulated, because if you ask any heart association, they will say no patient has been hacked that we know of. It's the "that we know of" situation that worries me, because we don't check, because we think it's theoretical. And why is it not showing? I'm going to have to read, there's a bit of a technical difficulty over the slides.

If you take a pacemaker and you start adjusting the way that it paces, you can take a heart rate up from 60 to 160, meaning that your heart will be exhausted and your battery will be depleted. The standard pacemaker battery will last 10 to 12 years. You will be able, with a crash attack, theoretically to take that down to about three years, which the patient will be unaware of, because effectively he would think it would take 12 years.
A denial-of-life attack is one that has been done successfully, where if you send RF signals to a pacemaker at a sequential rate, it will count one, two, up until nine. And who can guess what happens then? What would be good security? That it cuts it off? It just starts counting at one again. That is not how it should be, because how do we drain battery life on RF devices? We keep on attacking it. RF signals, that I am aware of, the distance from is 50 feet, is the furthest that I am aware of. That is pretty far. That means I don't have to stand next to you. I wonder what went wrong with the slides.

Anyway, the replay attack basically means that I'm going to replicate whatever your doctor has changed. I've listened, I have reverse engineered these packets, and I'm going to replicate what he's done to authenticate to your device. Once you've authenticated to that device, it's got no whitelisted commands. It'll effectively open up like a fresh fruit and accept any code that you give it. One of the things that I discussed with friends of mine at the university that I was at was, you could potentially authenticate to a device, which is universal across the world. Upload new firmware. This firmware can update and authenticate to other devices, effectively creating a worm that self-replicates. Those are things that we should be looking at and being aware of.

These are some changes that have been found by researchers that you can do within a pacemaker. Identification of a device. As with anything, you don't want too much information to be thickened up. From studies and work that we've done, these devices will give you their serial number, patient information. It will disclose your cardiac data, which is something I don't want out there because it's the most personal thing of mine. You will be able to change the clock on your ICD, which is fundamentally an important element in ensuring when that device was implanted, to estimate when the device will run out. You can change the therapies.
Again, this is what happened to me in January, when my device decided that it would be able to learn on its own. I had a software issue. My device thought that when my heart rate fell to 30 it was acceptable, and that ended up in it missing my heart flatlining. That is just like the tip of the iceberg.

In years, the interesting thing, I was preparing for my slides and every medical manufacturer said malware is not a problem. At Black Hat they actually managed to put malware on an ICD programmer, so meaning if I go into the offices with a device that has been compromised, potentially without knowing, I can have malware on my ICD, and that would mean that it could infect other ICDs. It could mean that it could kill me, because I think the one thing that we forget about these medical devices is they are connected to human beings. They might be security devices, electronic of nature, ones and zeros, but there's a human life that is at stake.

Now this might seem a little bit dark, but what would you rather pay for if your pacemaker is ransomed: your information or your life? Your organs, obviously. It's a good business plan, ransoming medical devices, not that I say you should do it, but I mean people are gonna pay for their organs. This is real organized crime situations, where we're seeing that it's a monetary situation. If you infect a programmer with ransomware, for example, that reinfects other devices, you have the potential to constantly have revenue. This is not something that should be possible. This is something that should be addressed with reserved memory space within these devices.

My device is AES enabled. How many of you think that that is exactly what they use? Anyone? They don't. It's available but it's not being used. I got a statement from a medical company saying, you are coming to DEF CON and you have a pacemaker, you are gonna die.
I'm like, well, I think I've got a bigger chance sitting across from you being killed than I do being with the community, because it's the community that's going to help me fix the problems that you've created. I think that if we start interrogating these devices and being less worried about, oh my god, we're talking about killing people, well yes, we need to start talking about saving people rather than killing people.

I want to explain this to you because this is something, it's almost a soapbox moment. When I started talking to the FDA they said, but we've got pre-market assessment. What that means is they go through documentation of a device saying, okay, this is what the device claims it does, and it's a checkbox exercise, and that is all it is. They try and design these innovative, new, phenomenal devices that don't even get the fundamental basics right, and you have a patient that could potentially die because the device is built poorly.

I was able to go on to all of the manufacturers' websites and download in excess of about a thousand technical user manuals meant for medical practitioners. I could fool them and state that I'm in the United States when I was sitting in South Africa. None of these websites had user authentication. They don't know if I was a doctor or not, but I had access to how these devices were built. I know exactly what controller it's got, what board it's got implanted and what memory it has. What do you think I can do with that information when I start reverse engineering it? Because then I can start knowing how these devices work, and that is exactly what I did with my own device, and we were shocked to find that this device has actually got a wireless controller in. Even after I stated, when they put this in two years ago, I did not want it, but that is what was available, because having a programmer next to your bed that communicates with your device with no username and password seems like an excellent idea. This is something that's very close to my heart.
These people are really working their asses off with the companies, and as I've said, these companies are not nice people. The legal teams, they scare me. Not a lot scares me. Those legal guys scare me. But I Am The Cavalry needs more researchers. They need people in the device labs interrogating the infusion pumps, the pacemakers, the programmers, and hacking the shit out of these devices. Then we can start shaking up the room and saying these devices are surely fucking unsecure. I want a future where we can say that we not only have innovation, we have security, availability and accessibility to devices that are working.

This lady has been instrumental in supporting me in doing the work that I like to do. Getting me in connection with the right people, and this is the reality. I am, like her, one of two people having our condition in security, being connected to the wonderful DEF CON internet and IoT and being fucking unprotected. I have never felt vulnerable the way I did two days before DEF CON, realizing that my device was passed by someone that I trust, and stating that the vulnerabilities that they have associated with it are acceptable. It is not acceptable to flatline and have to be resuscitated for eight minutes when I have a device I paid a fuckload of money for and it doesn't work. That doesn't mean I am going to get hacked, but surely enough we just need one skiddie to decide it is a fucking good idea to go toy with these things, writes a program, accesses the devices and not realize what they have done.

We have situations where researchers are at the point of being bullied. Big pharma does not want to play nice, and there is one way to solve that. For the community to basically step up and say enough is enough. Whoever solves that, I will buy a beer for. You guys can run it. If it doesn't work, I was drunk when I wrote it, but I really want to motivate you guys to get involved with I Am The Cavalry.
It doesn't even have to be hacking, it's just looking at better ways to get protocols in place for companies to start fixing the stuff. Having support from the community is important, because I can tell you I can access my device through multiple ways and means, and I was very shocked to find that no encryption was used. Now I understand, now look, I'm going to say I understand: physically I cannot be dying on the floor, having a heart attack or having an issue, and go to the doctor and say, oh, let me give you my username and password. It's not going to work. But there has to be some balance. At the moment there is none.

So who's going to go to the device lab, or who's going to go to I Am The Cavalry? I want to see everyone there, because we need the community to start taking up the research again and start getting shit done, because the future is coming. We're going to have our first malware, or we could have had it already, because if you thought asking medical companies: what's your incident response plan? Do you check someone that's passed away from a pacemaker? Do you know why they died? No, it's natural causes, they've had a heart problem. Well, how do you know the pacemaker did not fail? They don't do checks and balances. For me that is a fundamental problem, and I am tired of dealing with the shit alone. I am tired of being bullied, and I want the community to start stepping up, and I want the youngsters, the new, the future, because I'm not the future, I'm old, to start stepping up and doing things. So thank you for your time.

Yeah, you know, somebody who you try actually put together a new company and what kind of entry barriers they would have to face to actually not put like a market solution that actually has security measures that is more in that way.

I can tell you, can you read the question?

Okay, I wanted to ask what you think about market solutions that would involve security measures that are marketed this way, so that the consumer knows they're getting a device, and what kind of entry
barriers like a new company would have to face to be able to get this on the market and actually be able to kind of solve these problems without having to deal with the current manufacturers of these devices. Thank you.

I think if we had a new kid on the block that is able to offer a secure and transparent solution to patients, I wouldn't mind an open source device. Not that I'm saying I would like to program it myself, because god, I'm an awful programmer, but I would like to know what the code is doing. I would like to be able to read and understand it, because, for example, machine learning is an excellent idea in many applications, but not in a situation where your heartbeat does certain specific things. The doctor knows what it's supposed to do. So I think if a new company can come on board and start doing secure devices, and they focus a little bit more on security, I would go get that device. Every five years I would have the surgery, because I would sleep better.

And then just on another note, I want to say thank you to the SOC goons that made time to come visit. Thank you guys, they've been working hard, so buy them a beer later today. Hey, but seriously, we need to build secure medical devices. These aren't little devices that just do something, they keep someone alive, and it's not just about me. It's about, I think there's about 2.2 million people with pacemakers or ICDs or brain implants or any medical device. That could be genocide when we have a Stuxnet situation on our hands.

I hope this question isn't too much of a sidetrack, but you've mentioned Barnaby Jack a couple of times, who died under somewhat mysterious circumstances shortly before giving a talk about hacking these implanted devices at Black Hat. Do you know of any information sources about any investigations around this death or anything, or is there anything you would comment on about what you've heard about it?

I don't have any information. I would love to have more information. I didn't know, I was not lucky
enough to have known him. Heaven alone knows, if I could reanimate someone, that would be probably the one person I would reanimate to have a conversation with, because that man had a big set of balls. He took on a big manufacturer, that's not a small task. I have had this much in the couple of years that I've done, and the friends that know me very well have heard me cry, and I don't cry often, because I don't have feelings, I don't have a heart that works, I've got a metal heart, but frustration has been there. I wish I could tell you what's happened. I don't know, and I don't think there's enough evidence for me to hypothesize about it, and I think it would be disrespectful for me, because the man was a legend. It was a very sad thing to happen to the community, and I think this research would have gone much further if that did not happen.

So just a quick side note on that: the Wikipedia page says that he died of a mixed chemical overdose in the week before giving this discussion, which seems a bit of an uncertain stance for a respected speaker to

I don't know, I don't have the answer to you. I think you guys should all have a beer afterwards and discuss it, because we're getting sidetracked and this is not a conversation, I think.

Okay, yeah, I have to respect you, so you can have the stage, yeah.

But that's exactly what Barnaby said, actual. It is fundamentally small things that, if you start thinking the way that malicious attackers will think, it's easy.

So where's the list of those?

I can, I will do that for you guys. Find me on Twitter, Poison Pixie. If you want to know the story behind my nickname you can come and ask me, but I don't have any information for you guys, unfortunately.

So it's kind of related at that point. One of the talks the other day was from the FDA, or had a representative of the FDA, who I think was here personally but still knew what was going on, and she stated that, you know, there are cybersecurity regulations in FDA, so I was just kind of curious of what's going
on, like, if those exist, are they just not sufficient, are they being followed?

What, they do exist. I actually have met with the FDA representative. We will be having more conversations about that. I have a bit of a different, difference of opinion, because a lot of the things are acceptable and acceptable risks, and I'm saying fuck that, it's not. I cannot explain to you guys lying in bed in ICU. Well, ICU is fine because I'm used to it, I get to scan awesome devices lying in bed. You know, they are very used to me where I'm from, having multiple computers going while being hooked up to monitors. But feeling the sense of dread, I've never felt that sad, and I'm not supposed to have that feeling, when your heart rate hits about 30 and your blood pressure is 40 over 30 and your doctor taps you on the head, obviously, I've got you, and you're thinking, what the fuck is about to happen, because my ICD is supposed to now start doing its thing and it just switched itself off. It went to default and at the side of all, I'm not going to do anything.

The FDA is trying to fix things, but it's legacy devices. Anyone in IT, in the hacking and security, knows legacy devices fuck us over, okay. They're difficult to fix, and this is not something that I can go pull off a shelf. This is physically something that's implanted into someone. When you implant cardiac, the leads, they grow into the heart. If you pull those out not carefully you can kill someone, the aorta can burst. So it is very difficult for the companies to fix these legacy devices. I don't want to, come see me after, because I'm not quite willing to make the statement publicly, but I'll tell you what they told me. Thank you.

Hello, and thank you very much for the personal sharing of your story. You were in a situation where it was a very short time between the decision of having a pacemaker and actually having an implant. What are your concerns about how the general public, people who wear the decision about taking a pacemaker, may be influenced on the way that we
as a community of IT specialists is actually influencing the general public into taking another pacemaker because they are afraid?

That is what scares me about the future, because I'm seeing more and more patients become aware after the recall for St. Jude's, which got a lot of press, and that's sad to me, because I have the opportunity to be here today because I got a pacemaker. So that is where my saying "beautifully broken, wonderfully flawed" comes from, because yes, the devices are flawed, but we also can't expect miracles. They are built by humans, humans are flawed by nature. All that we can do is learn to go forward and learn together. There has to be a bridging done, and that is what I think I Am The Cavalry is doing so successfully. They are bridging manufacturers with researchers, they have included the EFF in that as well, they are bringing everything full circle. But it scares me for the future, knowing that people might decide not to get devices and pass away, which would be, fuck, being a cyborg's awesome. I mean, you know, it would be sad if some, I got my second implant, so I'm taking it further now, but I mean biohacking is a real thing. We as humans will evolve, but I mean, why not use technology that's there to keep us a lot longer? And it seems stupid, but I can understand someone being concerned about the security of the device. I am as well. Luckily I'm not a high-level target, so you know, I'm not Dick Cheney.

Do you guys know Slash has got a pacemaker? I'm part of the cool kids, eh. He's actually got a pacemaker. There's lots of influential people that have these devices, and they're awesome. If you think about it, what it does is, it's amazing, it can take over the beats of the human heart. It keeps me, yet it enables me to wake up tomorrow morning and survive another day. I mean, time for me is precious, because at 19 I got given two weeks. I cannot describe that to you guys. It is the worst feeling in your world, thinking, god, I should have had that for breakfast rather, or I
should have seen Guns N' Roses live, you should have seen Metallica live. Luckily for me, after my pacemaker I got to see Metallica twice. You see, I'm making up for lost time. But there are people that will not get these devices. I know one person that's refusing to get it because they are afraid of being hacked, and that's sad, because I would like to say to them, your device is not as flawed as you think, but that would be lying and untruthful. I am carrying the flaws with me. I'd rather have a flawed device than no device, because I can still make a difference, but if I'm dead I cannot do the same.

So that's what I'm saying: we need everyone to step up and do this together. This is not a me thing, it's an us thing, it's a tribe thing, it's a coming together of great minds, because I think forensically you might think some different way, or someone might think offensive, defensive. We need to bring that full circle, and I think that's what we lacking in the security, will be segregating from each other. We actually one family doing the same thing with different skills, but I think that coming together is at events like this, facilitating it with the different villages. So yeah, that's all from my side.

Yeah, please do, they recording.

I got maybe a very strange question. To program the pacemaker, that can be in 10 meters path or it can be 30 centimeters, that depends what kind of system. I'm more afraid for EMP attacks than malware, that somebody use an electronic pulse and everything stopping in the 10 meters. I'm more afraid for those things than malware, personally.

That is one of the fears, because I actually read my device's technical manual and went, holy fuck, this was a bad decision, because it's cold, it's electromagnetic fields, it's all those kind of things. So when I go to, this is a funny story. So I'm a very nice person, right? You guys think I'm friendly, and I, the SOC goons have a lot to answer because I've been hassling them. I'm a nice person, apparently.
Coming to DEF CON, presenting the talk that I do, I get a freedom fondle at every point. I generally do, though, because I can't go through the magnetic, the metal detectors, because effectively that magnetic field switches my pacemaker off. So these are still divide, these are little things that they haven't fixed yet and that I have experienced. It's not fun. If you have a pacemaker, don't do it, because I did. I said, let's see what happens, you know, because I like to live dangerously, I need to know what happens when I go through a metal detector. Don't do it. Trust me, that sucks.

So the thing is, if you read these technical manuals and go on to any of the websites, we had a great chuckle about it. We actually checked the, is it, SSL certificates, what else, everything. The security sucks. So they can't get that right, I'm a little bit worried about them doing my device, to be quite blunt about it. But you can get the technical manuals and then the precautions in there. I can tell you my doctor didn't tell me about them, he just said don't go through a metal detector. Well, how do you do when I fly? This cosmic radiation internationally, that has an effect on how my device is programmed as well. So effectively, after every international travel I have to go to my doctor, pay a lot of money and have my device reprogrammed. Small things we can fix, but it's labor intensive and time intensive.

Yeah, that's all. Anyone else? Was it that bad?