Tobias is going to tell us what happened when he did just that. Let's welcome him with a heartfelt round of applause.

Thank you very much for the kind introduction. So today, or tonight, I want to tell you a little story. I was part of a project in 2016, and today I want to show you some takes on vulnerability disclosure and also how to do security research for medical device products. Some of you might have seen these kinds of news articles. They were out in 2017. You might be thinking: why is this guy talking about stuff that happened in 2017? There are such things called NDAs, and mine was for three years. So it started in 2016, and now we have tonight; that's why I'm talking about this stuff today.

There were some pacemakers out there with a lot of vulnerabilities, and it led to a recall of more than half a million pacemakers. Also, a new way of vulnerability disclosure was taken. So why do I tell you about this stuff? Let me first introduce myself briefly. My name is Tobias. I work as a security researcher, and mainly I do IoT and embedded systems security, and one of my main areas of interest is reversing wireless communication. Back in 2015 I did a talk at Black Hat focusing on ZigBee security, and some guys from a company called MedSec were watching this talk and said: okay, we also have an interesting project concerning reverse engineering of wireless communication, maybe hire this guy. So this company was called MedSec. They are interested in medical device security, and they had a project with the goal of finding zero-day vulnerabilities in pacemaker communication. They assessed four vendors, and I was part of the team doing reverse engineering for the St. Jude project. So, a quick introduction: how does the ecosystem of modern pacemakers look?
So you have a pacemaker that's implanted. The medical term is implanted cardiac device, an ICD. That's connected to either a programmer, which is usually at the hospital or at the doctor's, so you can do calibrations, read the health data out of the system and send it back to the cloud, Merlin.net in this case, because there is always a cloud, also in medical nowadays. They also have a home monitor that's used for, I think, some comfort for the customers, because usually they had to go to the doctor's office regularly just to have the stuff inspected: does it work, what is the data, and just to have it double-checked by the doctor. Nowadays the stuff is collected automatically using wireless communication. So you just have it in your home, usually in the bedroom, and as soon as you're within the range of the system your data is collected and sent back to the cloud. That's kind of predictive maintenance for humans, and it's quite a big step for patients, but that's also a first attack vector, because in the past this was done by near field communication. You had to be really, really close by to get a connection to the pacemaker, but they switched it up. It's now a different frequency band; it's called the MICS band for medical devices, it's 401 to 406 MHz, and we chose this as a first attack vector and said: okay, it would be cool to shock a pacemaker using wireless. That's easy nowadays because the hardware has made huge progress over the last years. Yesterday there was a very interesting talk about the limitations of software-defined radio; I can highly recommend watching this talk, because a lot of the stuff I have experienced myself, especially the limitation side. So have a look at it.

Okay, so we used software-defined radio to inspect the MICS band to find a first attack vector. So how do you do this?
Because you don't have any information where to start, first we do wireless reverse engineering, and I just wanted to give you a short introduction to what my best practice for doing this is, not for the pacemaker, but in general. I would strongly recommend checking something called the FCC ID. Every product sold in the US has to be checked by the FCC, and you get a label with a number, and you can connect this number to some information, because there is a database online where you find some stuff from the testing procedure. Sometimes you just have one device and you don't want to open it, because maybe you damage it, but you want to get to know the internals, and if you're lucky you will also find on this website stuff like internal photos, the block diagram, the user manual. So that's a very good first start to investigate a wireless device. Also, I can recommend checking patents. Google has a patent search online. You won't find the most detailed information, but sometimes you find specifics of protocols, so how this communication works in general. Also a nice point to check. And of course product documentation: RF chip specs, firmware, software, whatever you get, have a look at it. Take this information; it will speed up your process of reverse engineering drastically. If nothing works, fall back to visual signal inspection. But that's a very hard task and you have to be kind of experienced to do it, and I would not recommend starting with this.

Okay, also frequency bands, for legal issues. The radio spectrum is very wide, so where to start? For medical devices, obviously, start at the MICS band, because it's just reserved for this. What we also did was interviews. Interviews are always good. Ask people who have experience with this tooling: what are the problems?
Sometimes they can't tell you how it works, but they have experience in troubleshooting. Maybe they say: okay, if we have a lot of Wi-Fi networks, for example, our stuff did not work. So you can think maybe there is a problem with some interference from Wi-Fi. We also used an additional service; the company bought a service that hooks you up with former employees of companies, so we got access to former developers who worked there. We talked with them about what they think the problems are from a security perspective, where to start. Sometimes they gave us good hints where to have a look, but I will touch on it later.

Okay, Google patents, as I told you. That's an example from ZigBee, but you see there is a description of how the basic networking works. Also RF chip documentation. What would I check? By the way, that's not the transceiver chip from the pacemaker, but it's a good example. For example, it's listed what kind of modulations are supported, what frequency ranges are supported, and also what data rates. Legal issues: the radio spectrum is highly regulated. If you are looking for something that is not in the ISM bands, have a look here; maybe it also has some dedicated space.

We did this stuff, gathered some information, did some basic testing. We started with simple replay attacks. So we just recorded communication and played it back to the ICD, and what happened was we nearly instantly found the first vulnerabilities. What kind of vulnerabilities? The first we call a crash attack. It was no real attack; it just crashed. If you replayed a communication for some time, the pacemakers just crashed, and they didn't recover, so you were not able to use them again. There was no fail-safe, no safety, no security mode. They were just broken. So we broke devices just by simply replaying stuff. It was, and is still, my major concern, because that's no real advanced attack.
It's just that this might happen by accident. And we also found a way to deplete the energy very, very fast. That's a problem, because you have limited energy; you can't recharge the battery, so if your battery is out you need to have surgery to have it replaced. So this is also very, very bad. We released some videos, or rather the company called MedSec released videos online about this. They are still online; I put the references on there if you want to see the proofs of how this works. Funny side story: there is one comment on there, because the videos don't have very great production quality, and I like the comment, I think it's kind of funny.

So, replay attacks first, and vulnerabilities identified. But then we dug a little bit deeper and did some real reverse engineering. So we got our hands on the basic packet structure. We found out where it starts, where the synchronization is, which CRC they're using, what they do for error correction, but we still struggled with the data blocks. In RF there are a lot of ways to cover up your stuff: you can do data whitening, you can do encryption. It was not possible for us to find it easily. So we kind of got stuck, because reverse engineering is often a very time-consuming task, and since they had nearly only external researchers, it's also a very expensive task. If you buy, like, ten guys looking at pacemakers, we are not the cheapest; I think it costs you a lot of money. And also, even if it's weak cryptography, you won't be able to break it with your eyes; just looking at it won't solve the problem. So we had a decision to make: get somebody who is good at cryptanalysis, or look at a different attack vector. We went for the second, because there are a lot of other things to attack. There is also a complex IoT ecosystem, and you don't need to attack the hardest target, because everyone is speaking the same protocol.
This means we switched it up and said: okay, the pacemaker and the wireless communication directly might be too hard for us to break in time; let's have a look at the home monitor. Why the home monitor? Because it also communicates wirelessly with the pacemaker, and it's a very cheap device; you can just buy it on eBay for 18 dollars and get it at home. I brought one with me today just to show you how well they are made. We said: okay, maybe there is some stuff on there that helps us understand the protocol. So we took it apart and checked what RF chips are in there and how they're working, and that took us a little further down the road. But a big, big breakthrough was that we found some debug ports. They are not protected, so it's UART: just hook up and you're connected to the system. And the bootloader is not very well protected; you see maybe on the screenshot, if you are capable of some basic stuff, it's easy to get root access there. Let me show you. Pray to the demo gods that everything works.

So I hooked up a Bus Pirate that's connected to my system, and it's also connected to the pacemaker monitor. You see now I'm stuck at the login; so there was the traditional boot sequence. What I now do is I just press the reset button, and you see some stuff is happening, and I just need to press one button to escape to the bootloader. On the screen you just see a blob is used, and we just have to wait for the reboot. I press the button, so now we jump directly into the bootloader, and you will see there is written "autoboot in progress, press any key to stop". So that's easy. Help? What should we do? Just type in help; you see what commands you have. There is one called boot. Boot is very promising: "boot Linux in RAM with optional kernel options". Sounds promising, because maybe our goal is to directly boot into the shell. But how to do this? Just type in status.
You see your kernel command line arguments there. You just copy them; let me do this, that's a very hard task. Boot, just insert it again and add just one additional argument, and now we should boot up directly into the shell. We don't have a login prompt anymore, so we have root access now on the system, and there is some interesting information there too. Typing is almost the hardest part. For example, you see known hosts: where is it communicating to? You see the addresses from Merlin.net, from the cloud, listed there. What else do you need in a cloud? You need a password. How to log in? Let me check. There is, for example, one FTP password listed here, and it's not a very good one, I think; there is some room for improvement, and this password is the same for every monitor. Just some examples you find very easily. So that's not very sophisticated hacking, but it did the job. So we were able to extract some components from the firmware and go further down the road of reverse engineering the protocol. And what else do we now have? We also now have control of a system that has the proper RF chip for communicating directly with the pacemaker. The problem, also mentioned yesterday, is that when you do software-defined radio you have some timing constraints, because, like in every protocol, you have some time slots; you need to reply within a specific time. And when you do this with software-defined radio, you have them attached by USB; USB has a very high latency, so sometimes you're just too slow to answer in the right time to get accepted by the receiver. So we then just switched to the Merlin@home as an attack device.

Okay, what else to attack?
The programmer. We also bought this; you can buy it on eBay. We bought one recently from a German second-hand medical device reseller for 160 euros, with valid medical data still on there. So I think the whole industry needs to step up its game when it comes to privacy and cyber security, just as an example. So if you tear down this system, there's a removable hard drive. No encryption. Like Austin Powers says, they like to live dangerously. One of my favorite movie quotes. So this was our final piece in the puzzle. Why? Because there were Java files, so you just decompile them, have a look, and the whole protocol was just written there for us, just to implement. And not only the protocol: also some codes they are using for kind of a backdoor access to circumvent encryption. That's not only to blame them, because for pacemakers you also have other requirements. If you go to Australia and have a heart attack, I think you want the doctors in Australia to also be able to connect to your pacemaker and read some data. So they have kind of a backdoor universal key for making this possible.

Okay. So we now use the Merlin@home as an attack device. So we were able to deliver emergency shocks, reconfigure the device, make it vibrate, test shocks. The demo videos are still online; the link is in there, have a look. I think they're better than the ones before, because they had a proper speaker; I think they're really good for just getting what we are doing there.

Okay, let's play a simple game: blaming the vendor. Which message authentication code is used, A, B, C, D or E? So who is for A? B? C? Close race. D? No. E? No trust in the vendor. It's actually C, so they're doing a little bit of authentication, but 24-bit RSA. What else did they do? Did they do the homebrewed crypto?
You know, I told you about the universal key. Use 32-bit RSA public keys, or truncate keys because of memory? Yeah, they did all of this. And I think, because you would be able to guess, when they use 24-bit encryption and then they have 32-bit keys, they truncated because they didn't have the memory. It's like a first project to do at university or at school: how to do cryptography, and do it the bad way. And that's the sad part in it, because we have some Chinese IP cams in our office, just to get trained in the stuff. They have the same security level as medical devices. So I think that's kind of a sad part.

So let me give you a short technical summary. We were able to find, in two months, a lot of critical vulnerabilities with potentially lethal impact. So everybody, any unauthorized user, could remotely just disable your pacemaker, make it vibrate, deliver a shock. We found a lot of security nightmares in there. No best practice was followed. I think that's very bad. But one might think: what about security certifications? Because medical is for certain a highly regulated area. And you see there is a logo. It's ISO 27001 certified, and they're very proud of it, because they're the first medical network that is properly certified for information security management systems, and they express it openly. They're very good at it. And that's a very stringent worldwide information security standard, but it has nothing to do with product security. That's maybe how they run their mail server, but not how they do pacemakers. Just keep this in mind: this certification is not for product security.

Okay, but what was special? Because that's just a project with a lot of security vulnerabilities. That's no magic done.
You've seen it's not the best hacking you need for this stuff. Vulnerability disclosure, that's actually, I think, why I'm here today, and the next days, to talk to you about what a good way of vulnerability disclosure is. Okay, what was special? The guys who hired me, and I, thought we'd do it the traditional way: we do some research, go to big conferences, talk to a big crowd, and everybody will come to us and buy the services we sell. They did it differently. They licensed the research to an investment company, and the investment company took a short position in St. Jude Medical and bought shares from competitors. This means they published a report with all the findings in there, not the technical details, but with the findings in there, and explained how these kinds of findings will affect the stock market price of St. Jude. So, vulnerability disclosure process? No. There was no notification to the vendor beforehand, because there is a history attached to this vendor. This vendor was accused of the same vulnerabilities by a guy called Barnaby Jack a couple of years ago, but they were never made public because Barnaby Jack died, so the research in this area kind of got stuck. And so they said St. Jude keeps denying this stuff, and it would be just some litigation. Let's just go public; let's just partner with Muddy Waters, because they are good at making these bad vendors pay for the harm that they do. It's kind of a Robin Hood story they want to sell you. And as mentioned, this had a very big impact, because on the day the information was released the stock dropped twelve percent, which means two billion dollars. That's a very big number. And I think it's the first time this was done for vulnerability disclosure and for monetizing vulnerabilities, and I think a quite big one. And then it all started, because St. Jude started to deny the stuff. They said: okay, these researchers,
they just want to make money out of us. The results are false, they are made up, that's everything that's true. Let's sue them. And they sued a lot of the persons involved, like Muddy Waters, the CEO, the doctors that were involved in this project. And in October, so the report was published in August, and in October we had an independent third party just recheck the work we did. It was an expert team from Bishop Fox, a US-based cybersecurity company, and they verified every claim we made. So we were ready to go and said: okay, we didn't make it up; somebody has to take action. And a couple of months later ICS-CERT released a vulnerability note, and also the FDA released a vulnerability note, together with a first update for cyber security. And St. Jude said: yeah, we are proud of our security, we are leading the way. But it's not true, because the update was just for the communication between the Merlin and the cloud, because this was done unencrypted in the past and they just put certificates on there. So that's not the update we wanted to happen, because the pacemaker communication, the wireless communication, was still unpatched. Also, fun stuff, because in German there is a nice phrasing for "tödliche Schocks" (deadly shocks): you see "Abgabe unangemessener Stimulationsimpulse" (delivery of inappropriate stimulation pulses) is the proper medical term for "I will kill you with a shock". So everything is a kind of phrasing. A little bit later down the road, the FDA also reviewed the information, and they made an official statement. So, okay, they said: what they are claiming is true, that's possible; St. Jude, you need to do a second update. And they did. Nearly one year later the final update came out, which also targeted the insecure communication. I never retested the stuff, but I think there were a lot of knowledgeable people involved, so this might be good. And we are back at the beginning: it ended in a big recall of more than 500,000 pacemakers.
So I think that's kind of an interesting way of vulnerability disclosure. We now have the way where we just push it out and make the vendor pay. But the funny thing is that nearly at the same time, two other researchers from America, Billy Rios and Jonathan Butts from WhiteScope, were also into medical device security, and they reviewed pacemakers from another vendor called Medtronic. So they did a security assessment and they also found a lot of bugs and vulnerabilities in there, especially in the ecosystem. So they were able to deploy their own firmware, I think, on the pacemakers, using the software delivery system of Medtronic. They disclosed it to the vendor and tried to work with the vendor to fix it, and you have a new vendor response. So they reviewed it, because they have an internal vulnerability disclosure process, but they found this is no new potential safety risk. So it's no problem if you are able to deploy firmware on a large scale to the pacemakers; that's no problem for them, it has nothing to do with safety. And that's very often the position when you're a security researcher talking to vendors: they're not used to talking to security researchers, and they try to downplay the findings. They don't talk to you. They will come up with a lot of stories just to not fix the vulnerabilities. And one of the guys, I think Jonathan Butts, said: in the time they just talked about the bugs with Medtronic, they could easily have just fixed them. It's just a question of them not wanting to admit they made a failure, because this would affect maybe the new regulations, maybe the payment of the CEO, I don't know. But it's very, very frustrating also for them, because two years later the vulnerabilities were still in there and there was no patch out. So they were in the situation of still discussing with the vendor. So this leads me to the point.
What is the better way? Because that's the traditional way, and I think the more ethical way and the broad perception. When you go with the first approach, one year later you have an update. It does not sound like the traditional ethical way, but a very effective way to do it. So what is the better way? I don't know. At first, in this project, I was pretty pissed, because I wasn't expecting this way of vulnerability disclosure, and then the lawsuit started, so it was not the best time. But now I think I am more open about the way they took; maybe this was a good approach, I'm not sure, and I'm open to discussing it afterwards. Give me your thoughts on this in the Q&A.

Let's sum it up, key takeaways. So the first point: in medical, or in general, safety and security: if it's not secure, it's not safe. Keep this in mind, there is no safety without security. And security is not ISO 27001 certified; that's not equal to "I am secure", especially not when it comes to product security. There are some new regulations out there. You now need to do cyber security risk assessments if you build a new security product. We are working with vendors doing this stuff, but I think there is still a lot of room for improvement. Problems they have: lots of potential new attack vectors. As you have seen, you have a pacemaker, a programmer, a cloud, maybe there are some apps in the future, maybe there is a lot of interconnected stuff, so it's getting more complex, also for medical devices. So you need to cover every potential attack vector, also the cheap end-user devices; maybe they are the weakest point, and they were in this ecosystem. Also, this way was a new way of monetizing vulnerabilities. It was the first time, and with a big hit, especially in the media, the American media, and it started a huge discussion about ethics and vulnerability disclosure again. I think in infosec, every couple of years,
there's a discussion about how to do proper vulnerability disclosure, and I think there is no one way. It depends; that's the answer from a consultant. Okay, then one last thing: why this picture? Because it's my favorite picture in information security. Let me explain. This picture symbolizes my experience in the project, because first you start, you have a look at it up front, and you think: okay, seems properly secured; there might be a way to climb over and do some stuff, but it's a hard way, and maybe they have done a good job. But if you switch your perspective and take a different angle, one step to the side, to stay with this picture, it gets much, much easier. So you have to really cover every angle of your product. Don't go down the rabbit holes in security research; try to take a step back, get a new look at your problem, and maybe there is an easier way right next to the way you're on. And don't think, just because you invested 20 days of research on this protocol, that there isn't a second protocol also built in that's much easier to do. Okay, so that's my journey, that's the story I wanted to share with you. I hope you enjoyed it. If you have some questions, please ask them now, and I will also be around afterwards and the next days to talk about this. Thank you very much.

Thank you so much, Tobias. So we have microphone angels over there. Maybe, yes, he's waving his hand, we have a microphone angel over there. And we have questions from the internet, perhaps? No questions from the internet. Internet, step up your game. So, over here.

Just about the legal situation, a first question: they just sued for defamation, libel, something like this, like you were lying. But isn't there also an aspect of manipulating the stock market?

That's the point. They claimed that due to this false information they manipulated the stock market. I'm no expert in the law, especially not the American one, but long story short, that's not insider trading.
That's what everybody usually asks. Because there is no inside information taken, it's a proper way to just have a look at the books of a company, do your own research and do an evaluation and say: okay, we think this company has no outlook on the market, we bet against the stock.

Okay, another question from this side.

Thank you. You didn't discuss the role of the FDA, and in my experience, also in cardiology, we had a lot of outdated amplifiers, because they had the certification and they would still be used even though we could build better ones. I think this is one of the places where the thing is that they had the system that was allowed on the market, and it is an enormous investment to re-certify it at the FDA, and I think that's the reason why they took a shortcut. And I think, unless this whole system with the FDA changes, it's unavoidable that these kinds of products stay on the market.

All right, so the impact of the certification process. That's a very, very good point, and I'm completely with you. But I think there is movement. They acknowledged that's a problem, and they will need to do a different kind of process for how to get updates out, how to get security updates out. You need to do some kind of separation between safety-related systems and other systems. But they're on it. I think now it's still very much like the old system, but they're at least thinking about it, and I know from some very well-known, popular security experts that they are talking to them, giving them input on how to come up with a better solution.

Hi. Great story. I don't know if my question is too easy or too hard, because I'm really in the sector and all, but I was wondering, when the zero-day exploit was disclosed publicly, if somebody would have, maybe in the next week, used it to cause real harm to a patient, how likely is it that the company would have tried to sue
you?

Okay, good question. But I think that's an easy one to answer, because that's maybe my fault: we didn't release proof-of-concept code. We just said: okay, there is a vulnerability, have a look at this video, this video proves that there is a vulnerability in there. We never put out the real code to make it happen. But to elaborate on this: what is the potential worst impact you can generate? To kill someone. But there are other ways to kill people, and you don't need pacemaker hacking; you just shoot them or strangle them or run them over with a car. If you're not a politically exposed person, I think getting killed by a random hacker is maybe not your major concern; you have other problems. But for especially exposed persons, this might be a way.

Do we have any questions from the internet now? Still no internet? Come on. I see a question over here.

Okay, you said they had to cut 36-bit RSA down to 24 because of the low-power hardware. So how do you think they were able to fix it with this hardware, the proper algorithm?

Yeah, that's why I always mention it: I didn't retest it. I had a look at a lot of the code, and I'm curious myself, but I think they needed... I think there is still a way in there to get kind of a backup access. I think they just changed codes and protected them a little bit better. But if you have the same hardware, you have the same hardware. You can't just do a different register size and switch to a different key length.
I think that's not possible, but I think maybe they did some compensating measures in there.

Our very popular microphone angel over here has yet another customer.

Yes, you were talking about the US legal system, I assume. I just want to add that if you were working in Europe, or especially in Germany, you would have problems with the Urheberrecht, which is like copyright law, when reverse engineering. There was a great talk at the last Congress about two researcher groups from Berlin and Munich running into difficulties there, being sued on the basis of copyright. So be careful around there.

I have to follow up on this: the law changed this year, so it's better now for researchers.

But what I wanted to ask, yeah, great, thanks for that, what I wanted to ask: did you look at the CPU? So what hardware is inside these things? Is this a very low-power thing, or what is it?

They have custom chips. I can't remember the specific processor, but I can look it up if you want. But they did a custom solution for the stuff.

Could it be that our lonely microphone angel has found, yes, a question? Just a very short question: so how much money did Muddy Waters make out of this?

I'm still curious myself. There are no numbers out. I just know that I didn't get paid for all of my work, because as soon as they got sued they froze all accounts, and they set it up long-term, because the company was founded in St. Kitts and Nevis; that's an island in the Caribbean Sea, not even in the US. And they once explained to me over a beer that they had every lawyer on this island,
so they can't be sued by a lawyer from this island. So they had a plan in mind already, but I don't know how much money they made. I think their plan didn't work out as they wanted, because the stock price recovered as well, but I think it was a huge outburst of curiosity at the beginning, because of the drop by two billion, and there was a merger ongoing: St. Jude was bought by Abbott. So I think that wasn't the best time frame to get hit by such a market drop.

I see. All right, we have time for one more. Is it going to come from the internet? Hi, all right. No one else? Then please, another great, warm, heartfelt round of applause for Tobias. Thank you very much.