Yes, I'm going to introduce myself. I am V, otherwise known as Poison Pixie, which is a recent name because apparently if you have a whole lot of malware, you tend to be poisonous. So I'm going to give you guys a backstory of who I am and where I fit in. I received my first pacemaker at the age of 19. Can you hear me better? Can you? Okay, I'm going to try my best, but I have a very soft voice, so I apologize. It's got to do with my stature; I think everything except my personality comes in small portions.

So I'm going to talk to you guys a little bit about work that I've done, mostly from my ICU bed in hospital, because we all know there's nothing more to do in the cardiac ICU than fiddle with the machines around you. Yes, I only hack my own devices or devices connected to myself. That's the ethical way to do it. So we're going to talk a little bit about the internet of medicine and how the hypothesis is that it is the next step to ultimately rooting a human being. The vulnerabilities that we will be discussing are simply connected to flesh. It's not just ones and zeros the way that it used to be, because devices are moving along. Are there any medical device company representatives? Yeah. Okay, good. If there's anyone opposed to me using the word fuck, unfortunately you guys should leave, because that might happen.

Okay, so let's get started. That's actually my device. That is in my chest. I refer to myself as a genuine cyborg. I'm no longer human. Or android, whichever one you prefer. But I think it's exciting times. Okay. So in my research that I've done while lying in ICU one week with my device not quite functioning the way that it should, missing and sensing beats, I noticed that all the devices in my ICU room were connected to a central hub in the middle of the hospital.
So everything feeds a real-time sensor to the medical staff to tell them exactly what dosage of medicine you have been given with your infusion pump, what your heart rate is, what your oxygen is. Now we all know hospitals are not well known for their security practices. We've seen this with the attacks that have happened. But here's the interesting thing. I refer to it, as you can see there, as "the web transforms us." We become data and code. We place ourselves into the cloud. Everyone has got two personalities: you've got the personality that's sitting here, that's flesh, and the one that you've got online. Everything is online these days. But we should manage, in my opinion, and this is certainly my personal opinion, what we put online.

I'm going to ask the question to the room: should medical devices be put on the internet of things? Every medical device, pacemaker, insulin pump, anyone? I agree with you. But the way security stands at the moment, I don't think we're ready to put everything on. We are chasing innovation in medicine. That's all you hear when a medical company says, you know, we are there to be the next innovative source of medical technology. Nowhere do you hear them saying, we want to innovate the security of medical devices. The two are never interconnected. And I'll explain a little later where I think they are failing at it. So my opinion on this is no, not yet. I think we should take a step back, relax, and do the basics right first.

So here's the thing with medical devices, and this is where I think they should be on: we need interconnectivity within our hospitals to communicate patient data amongst various groups. So for example, to have real-time information on scans coming in to diagnose rapidly. And I'll tell you why, in my experience, this has worked.
When my mother was in hospital in December, we managed to go from "we don't know what's wrong with you" to terminal cancer within 10 hours due to all systems being interconnected. So there is generally a case for having interconnected medical equipment, but I think we should be doing the basics right. I'm not going to follow the slides a lot. I'd rather have an interactive communication with everyone.

So one thing that we've noticed in hospitals is that we've got a lot of vendors involved. You've got a lot of third parties. So it makes it an absolute epic failure for people to manage that. The security teams are not well equipped to manage proprietary software. Another thing that's happened: while walking through the walls of a medical hospital, in the passageways, there were sticky notes with usernames and passwords, with SharePoint directories, and who the IT individual is to contact if you've got a problem. This logs onto the mainframe within the hospital, allowing you access to everything, because their networks were not segregated. Now that's no complicated attack. That is a basic fundamental flaw in human nature, where we put everything on a sticky note to make it easy to remember.

Who here has been in a hospital connected to a heart monitor? Again, it collects data on everything: your oxygen, your heart rate. Who here has been defibrillated? Do you know that it actually keeps logs on whether or not the defibrillator worked, as well as the patient that was shocked? That is connected to a wireless network that communicates that through to the vendor. Now you can see why the problem is there. If that system is compromised, you can control the rate at which it defibrillates. Now, who here knows what a defibrillator does? Okay, so it actually uses a set voltage to shock your heart muscle to contract again. Now, a heart muscle is a very, very sensitive portion of your heart, because if you damage that, effectively it dies. There's no coming back from it.
So this is one device that effectively has the capability to damage a portion of your heart that you cannot fix. And that is what I've got in my chest. So I've got what is called a defibrillator, an ICD, but also a pacemaker. My device is wirelessly communicating. How it is set up is that it needs to connect to a home monitor, which is connected to my wireless, that sends data to my doctor. Obviously, I don't make use of this, because for me it became a concern with privacy and access, because it authenticates at a regular time, at 2am in the morning, because it needs to test the device. So for me, that is an instance where we have not gotten anything right yet, but we are running innovation ahead of time. And this is where the community, for me, comes in, because the medical companies will not be fixing this. Independent research needs to be done on these devices. This is where I am so happy to be at DEF CON, because the key to fixing the problems is in this room. It's not in some corporate office. It is literally everyone sitting here taking up that challenge and starting to break things to fix them.

Okay, so just to give you an idea, these are devices that I identified in my hospital which are in fact connected to the WLAN: the wireless MRI machines. MRI machines connect to a DICOM server which notes all the images that it has taken. CT scanners, again, everything to a centralized server. There are infusion pumps whereby the nurse on a regular basis can take the sugar of the patient and distribute the insulin as needed. Also on the wireless LAN. Heart pumps, which is a device that is used to pump the heart that is insufficient to pump on its own. It's not a pacemaker. It literally is there for 24 hours to keep a patient alive. External pacemakers, robotic surgery arms. Now, this is a new area of research that I'm busy looking at, the effects that this has, because they have regular firmware updates. Firmware is not pushed via hardware. It's pushed by wireless.
Therefore, that makes it a big vulnerability that these devices can have bad firmware put on. Because, yes, the kicker of it all: a lot of companies don't have signed firmware. That means these devices are incapable of distinguishing between what is real and what is malicious. Not all of them. There are a couple of companies that have started proactively signing firmware, but not all. Remote patient monitoring devices, those are the ones that I told you about that effectively I was connected to. I went on to Shodan just before I came to DEF CON, for interest's sake, to see whether devices are connected. I managed to get feeds for heart rate monitors and pediatric monitors that are connected to the internet, which I don't think is a good thing. Those are devices that should never be internet-facing, and most of them are.

Now, this is the real interesting thing. I did research to see where medicine is going. In 2050, we will all be implanted with medical sensors communicating to our centralized doctor or medical officers, telling them ahead of time whether you're going to have a heart attack, stroke, whether anything biologically changes within you. Again, these devices need to communicate out somewhere. It needs to get that information out. And the proposal that they've got is that they will be connecting on the medical wireless band and communicating out. But recent research has shown that this has been prone to cross-signaling with other devices like ham radios, which is a big problem for me with smart sensors. Everything by 2050 will be centralized, integrated into IoT. We have until then to fix it, because there's no stopping at this stage.

Let's see if anyone's paying attention. Hello! Thank you. Come see me for a badge when I'm done, okay? Okay, just so you guys know, if I catch you talking, I will be distributing asshole patches. Okay? So I think the interesting thing for me in being in a hospital and being a patient is that I see it from both angles.
I have a device that I can tell you now is more fucking broken than it works. And I know this because I have numerous times nearly died and had to have resuscitation at hospital. My poor husband finds me more on the floor than he finds me, you know, walking around. And that is due to advanced software development that's riddled with bugs. So to give you an idea, who here thinks machine learning is an excellent idea in medical devices? Can I tell you why not? Okay, my condition: I need to have a heartbeat of 60 and no more than 140. That machine cannot distinguish between what is a relevant heartbeat and when my heart's going to fuck up. So what's been happening, it's been saying, oh no, this looks normal. And then it flatlines. And there is no way for it to learn in time to be able to distinguish that. I think with medical devices there should be clear parameters according to a patient. We shouldn't be handing that off. This is an organ that keeps me here. It's an organ that keeps me alive. Without it, I would be dead. My heart cannot function on its own. But again, we are chasing the innovation of medicine to be the next big thing. But security is left behind. I want to see medical companies saying we are going to have the next device that's got security in it, usability and access, the triad. We want it to be accessible. We need it to be secure. And we need it to be usable.

Next, I promised I would tell you guys why security is a problem in medical devices. My pacemaker. Hey, thank you. My medical device has got a lifespan of maximum 12 years, minimum eight. It is capable of AES encryption. But who here can tell me what effect that would have on the device? My battery will run out in about five years. Okay, who here knows how they actually change a pacemaker's battery? I don't have a little tag that they flip open, take it out, put new batteries in. I wish they did. They cut me open.
They carefully remove the pacemaker, hoping they don't yank too hard on the two wires connected to my heart, and replace the whole device. That is how batteries are changed. And you have about a six-month recovery process where you feel like you've had a drinking spree of about six months. It's a hangover of note. And that is how you recover. That is the main challenge that medical companies face: we cannot have this amazingly secure device, but we have a battery that does not last. I've been asked the question, why don't they put usernames and passwords on? Well, think of it. I'm lying there, I'm basically dying. I'm going to say to the paramedic, oh, let me give you my username and password before I pass away. Can't do that. Or I'm in the US, I don't have a doctor here, something happens. They need to be able to authenticate globally to these devices. And this includes all devices in hospitals. You'll find they have a default username and password, which you can find in the manual, which you can find online.

So, one medical manufacturer: when I was doing my research, I thought, let's go look at their websites. Let's go see what's publicly accessible, because how do we hack things? Reconnaissance, right? We do our research. We understand what boards are connected to the device, how the protocol works. That's how we do it. Do you think that these medical technical manuals are available free online? Have you guys looked? Infusion pumps, robotic arms. I'm sitting with in excess of 300 technical manuals giving me the specifications of the boards, the protocols used, and the usernames and passwords of the devices. I effectively can take over every hospital, every device connected to someone. Yes, I need to be in close proximity, but I think the furthest that they've tested it has been 50 feet. That's far enough. We've all seen, I don't know, has anyone heard of the vulnerabilities in the infusion pumps, the wireless infusion pumps?
These devices are what is used in oncology, for example, where they have to administer morphine on a regular basis in a controlled environment. They are prone to buffer overflow attacks, meaning you send them a message, it counts one, two, up to nine, and it restarts itself. It has no way to distinguish whether it is receiving legitimate packets or communication, and the amount that is allowed. And that for me is a fundamental flaw in how it was built. Because we all know, how do you deplete the battery? You just keep communicating with it; eventually it starts running down.

Proper certification: this is where I explained to you that the firmware of these devices is not digitally signed, meaning if you authenticate onto the device, there's the potential that you can replace it with malicious code. I saw it happen at Black Hat. Ironically enough, my manufacturer said that is impossible. Well, I saw it happening yesterday. Again, we're having to bridge this: what the manufacturers are telling us when they've tested it in a lab versus when you have hackers have at it.

The other thing that is interesting, as I said to you guys, is the hard-coded credentials. These devices all have basic default passwords, whether you're in South Africa, Australia, the United States, and there's a nice note from the manufacturer: if you change this, you void any online support for these devices. So we have manufacturers telling medical staff not to change usernames and passwords. Who here can tell me, when you have a Cisco device, for example, what's the first thing it tells you to do? The password. And you still have Cisco support. So why are we letting medical companies get away with the shit of telling us that you're not allowed to do it because it's extra work for us to fix? It's basic fundamentals again that companies are getting wrong.
Interesting thing in the infusion pump: the configuration field has got your password in clear text, which makes it very easy, once you've got the configuration file, to access the device. As I mentioned, improper access control. These are some of the steps that they have identified to fix the problem. I don't think it's good enough. They've said that static IPs had to be addressed. Monitor for OBD and ASIN DHCP. But again, this is not stopping things. This is how we monitor them. So when you monitor something, something's already happened. You can't monitor for something before it happens. You can only monitor for after it's happened. So for me, these remedial steps are again to try and identify something that has happened, not something that is going to happen. It's a very reactive approach versus a proactive approach.

So the interesting thing: my device, the home system that my device is supposed to be having, has got actual hard-coded credentials and infrastructure data within the back end. My remote monitor runs, we can guess which OS. I'll give you a badge if you can guess the OS right. Come see me. Windows XP. And we all know how secure XP is. It's very secure. It's the best. These are some interesting things that have happened when firmware gets exploited. Again, because the home monitor device that authenticates onto my device and can change my therapies is running XP with hard-coded credentials and unsigned firmware. Anyone else see the problem, or am I paranoid? I don't think there's support for medical devices on Windows 10 yet. Theory. And I apologize, this might sound fairly scary, but we had this discussion with friends of ours. If you go into a cardiologist's office and they authenticate onto your device, they can initiate a firmware update. But using a man-in-the-middle attack, stepping in between the telemetry device and the pacemaker, you can effectively take control of it. We've seen that the firmware is unsigned.
So we can technically upload our own malicious firmware that authenticates automatically out to other devices it comes into connection with within the hospital, reloads the firmware, and that way you have a self-replicating worm and a zombie of pacemakers at your disposal. That is the one idea that we've had and we've been playing around with. And we've been seeing that it's much easier than what we'd actually anticipated it to be. The file system is not encrypted, as I explained to you about these devices, and this includes the programmer, the home device, and the pacemaker. And this is one subset of medical devices. This is basics. Who here is in software development? Okay, am I wrong? These are basic things we're getting wrong. This is what we were taught at university or college to get right. There's no command whitelisting, meaning you can tell it to do what it needs. It's a very giving device. It takes instruction very well. And that worries me, because you would think that these devices need to have a set of commands that they will accept versus what not to accept. But again, we're focusing on making this device the best device out there without effectively securing it. And this is where I set GI par versus security.

All the devices in a single hospital room are connected to one or another protocol. We see Bluetooth there. That doesn't make us worried. Smart prosthetics make use of Bluetooth to connect to a cellular phone, to an app that you can program it with. Then you have devices on Wi-Fi. You have, you know, link the hot internet points. Who here thinks that ransomware on medical devices is going to happen soon? Me too. Who's going to rather pay? You're going to pay for your data. You're going to pay for your organs. It's a money market, but we're not securing these devices. We've seen the firmware is not signed. We've seen that it accepts certain things very easily. Therefore, I think medical malware is going to be the next big threat.
The malware scope is going to start moving into it. And we are going to see ransomware, things like WannaCry, things like Petya. So, we're lucky. That was not me running on medical devices. Okay. So, I did a bit of Shodan work. And these are devices, medical devices, DICOM servers, patient monitors, all connected to the internet running the vulnerability MS17-010, which should have been fixed a long, long time ago. That's more than makes me comfortable. I don't know. I was hoping to see three, and it's like, that's an acceptable risk.

I'm going to go on a soapbox and I apologize for it. I have a real problem with the fact that the FDA is more strict on drug testing than medical devices. With drug testing, you have to go through two large clinical trials versus one pre-market assessment for medical devices. Okay. So, you know, the pill that you pop is safer than the device in my chest. And that to me is fundamentally wrong on so many levels. Okay.

Healthcare has been a massive, massive target with malware recently, but not just malware attacks. Because if you take away a hospital's capabilities to run, you effectively can kill off half their patients, because all their records are electronic. We don't do paper or notepads anymore. If you cannot administer someone's correct insulin dosage at the right time, or have access to that information, you could effectively have a patient that passes away. If you do not have access to certain specific treatments or diagnoses of a patient, you run the risk of that patient dying. My theory is that if we only have things on the internet of things in terms of medical devices, medical records, what do we do when disaster strikes? When that moment occurs, it's no longer looking back and saying, oh shucks, what do we do now? Because by then, you're pretty fucked at that point. This is what I found at a local hospital doing a pen test and a VA.
We found that most of the staff there are not aware of network awareness. Don't just come in and plug any device into the network. It's not bring-your-own-device day. It's keep-your-own-device day. There's a lack of monitoring and logging. Most logs are kept for about 30 days. Who here can tell me, I think SANS said a study takes about 290 days before you will see a threat that has occurred on your network. That means 30 days has passed and you no longer have logs of an attack. The network infrastructure is insecure and broken. There's no access control. Because again, as I explained, in an emergency room you cannot have authentication going on. It's a fast-paced environment where lives are at stake. Legacy systems: most MRI machines still run on XP due to a chip that's no longer manufactured. That chip is only compatible with one version of XP. These legacy devices, I think that is the pain of my existence, because I'm in forensics and security. The worst thing for me is legacy devices. I think they suck. Remote access: you guys will see in Shodan later on, I looked for medical devices that have got remote access, RDP with the default credentials. I found about 11,522 devices. Did not log in, just for the record. Don't want to get into trouble. I just looked. As I said, insecure vendors and so forth.

These are some of the things that I've identified from Shodan. That has been a problem for me: medical equipment with enabled protocols with default usernames and passwords. We had Telnet, RDP, UPnP, SMB and DICOM. Who knows what DICOM is? It is a medical protocol that is used for most imaging devices. This is what hospitals will look like by 2050. We'll have a central hub that connects everything out, the centralized server, meaning your doctor can send you your prescription on your phone saying he's going to get this, or this is your test result. Every single point in a hospital will no longer be pen and paper but will be connected.
Now we get into the fun stuff. This is one of the attacks that we actually tested in the hospitals in South Africa. We actually circumvented the perimeter of an external-facing server from a vendor with a legacy XP machine. And you guys should know that opens you up to a whole host of vulnerabilities when you use XP. What we did next is what anyone does. You pivot in the network. You see how far you can get up the food chain. We probed to identify medical devices and accessed them, because we had the default username and password. And these are not sophisticated attacks that take a rocket scientist to do. You had a forensics person do it. I am not the best hacker. I will admit it to you. But I'm shit hot in forensics. So I can tell you after the fact what's gone wrong.

This is one that I tested in the cardiologist's offices. As I said, who knows what a black-box technique is? You just listen. Do nothing. We listened. And we could pick up the frequencies of devices that he's changing. So we could capture it all. Very easy. Do you think that someone with a hoodie and a backpack looks out of place in a hospital? No, because everyone wears it. So in my backpack I had RF equipment and I blended in with everyone. Everyone just assumed I'm waiting there for someone, sitting working on my computer. If anything, they were thinking maybe she's a business person that's waiting for a doctor. Soft skills. Human skills are being used. What we did is we looked for a vendor-specific platform. In this case it was a coffee machine connected to the wireless. We could pivot into the network and actually gain access to hospital records. This was, just for the record, all done with permission, before I get stopped at the airport again. I will share a story. So it's my second time in the U.S. I'm from South Africa. I had a freedom fondle at every point on my trip.
At OR Tambo they stopped and checked my bag again because apparently I'm flagged as a high-risk traveler for some reason. Secondly, at London I had the freedom fondle again, and thirdly when I landed in Las Vegas. So if you think about it, a coffee machine on the Wi-Fi, why? I don't think it's needed. Same with your fridge. Why do you need this? I'm all for the IoT, but, people, logic is there. You don't need your coffee machine on the network, because it's going to open the door for people that are not as nice as me to come screw around with your life. It's basics.

And this is the electronic healthcare records. Big surprise there. It's vulnerable to XSS. You can still do cross-site scripting on their controls. Can you guys hear me fine? There's a new room back there. It's very noisy. This is the thing that I do whenever I talk, except for DEF CON. I didn't want to risk it, because I generally drop a keylogger wherever I have a conference or a talk. It keylogs back to me, just to teach people that you don't plug in every device. In the hospital we dropped the keyloggers and walked away. And we dropped five devices. How many of these devices do you think got plugged in? If there were 10, there would be 10, but yes. And the lesson there is that it's not sophisticated, but we still have bring your own device, or come charge your phone on the hospital records server. We had a nurse that wasn't quite aware of network security. She brought a device that's got Peacap and Big Fish games with the cracks and the keygens that run the Trojan in the back, or a RAT, for example. She was plugging this into the server by her desk that's got the electronic hospital records on, and they could not understand where this RAT came from. Why are you leaving your USB ports open for no reason? They don't use them, so why have them active? It's small things that they are getting wrong. The interesting thing: 6.4 billion devices will be connected to the internet of things by the end of this year.
That is 6.4 billion devices connected to a human being, connected to the unsecured internet, open to attack. The only reason we have not seen these attacks yet is, A, we don't know about them, because again, when someone dies with a medical device they don't necessarily check it. They don't check the logs to see, oh, you know, my device fucked up, or the person really just died. I had this conversation and said, what is your plan when stuff goes wrong? Well, to our knowledge nothing has gone wrong. That says to me that you have not thought that something is going to go wrong. Now I got asked the question, who would kill someone by hacking a device? Well, who would stab someone and kill them in everyday life? This way you actually don't have to physically do it. Well, you do it yourself, but you don't stand next to someone and stab them. It's opening it up for more and more problems.

We looked at a survey that was done: 85% of the hospitals and enterprises stated that they are planning to go through IoT, the internet of medicine. That's a big surprise. Only 10% could say we are confident that we're not going to fuck it up, but 85% of them are going to do it. So 75% know they shouldn't be doing it, yet they're still going to be doing it, because we're chasing innovation. We want to be the next new kid on the block. These are suggestions not given by me; these are suggestions given by vendors on how you will fix it. You fix everything. You split your network into smaller portions. You have a firewall dedicated for each device. You have an intrusion detection system, IPS, IDS, patch management. But for me this is almost the approach of let's just throw everything at it and see what sticks. We aren't thinking what the internet of things is; we're not actually thinking the design out from the start. I asked you guys a question, and this is a serious one.
When we talk about medical device vulnerabilities, do you guys see the ones and the zeros, or do you guys realize that behind that device is someone like me that actually needs that device? Because I think in security we tend to forget that it's not all about ones and zeros; it is about someone's life. And if we plan to put things on the internet of medicine, we have to ensure that this stuff is as secure as we can make it, because let's face it, nothing is unhackable, nothing is unbroken. That is still pretty much the way that we need to go: we need to start thinking on how to break things to fix them, because the only way to know what is wrong with a network or a device is to find out how to break in. You're not going to try and break out of your network; you're going to try and break in.

Okay, this is something fun that I wrote for everyone. So I have a saying that for me is pretty much me and my life story. So if you want to copy this art, or maybe there's someone out there that can figure it out, there's a badge in play if you figure out what the key is to do the Caesar cipher. Anyone? Should I give you guys two minutes? Going to the whole room full of hackers and no one can solve it? Do I code that bad? But guys, seriously, thanks for having me. I'm done.
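The unsigned-firmware problem the speaker keeps returning to (a device that cannot tell a real image from a malicious one, a man in the middle swapping the image during an update at the cardiologist's office, and a home monitor that can push a new image to the implant) comes down to one check the device should run before it reloads anything. The Go program below is an added example written for this page; it is not the speaker's code and not any manufacturer's update format. The image layout, the `FWIM` magic, the field names and the key handling are assumptions for illustration, and the firmware payloads are constructed strings. It signs a header (magic, version, payload length, SHA-256 of the payload) with the vendor's Ed25519 key, then shows the verifier accepting the genuine image, rejecting a payload flipped in transit, rejecting an image signed with a key that is not the pinned vendor key, rejecting a rollback to an older version, and rejecting a truncated image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout (illustrative, not any vendor's format):
//   magic[4] | version uint32 | payloadLen uint32 | sha256(payload)[32] | sig[64] | payload
// The Ed25519 signature covers magic, version, payloadLen and the payload digest.
const (
	magic     = "FWIM"
	hdrLen    = 4 + 4 + 4 + sha256.Size
	imgOffset = hdrLen + ed25519.SignatureSize // where the payload starts
)

var (
	ErrBadMagic  = errors.New("firmware: bad magic")
	ErrTruncated = errors.New("firmware: truncated image")
	ErrBadSig    = errors.New("firmware: signature does not verify under vendor key")
	ErrBadDigest = errors.New("firmware: payload digest mismatch")
	ErrRollback  = errors.New("firmware: version not newer than installed")
)

// BuildImage assembles and signs an image; this is the vendor-side release step.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	sum := sha256.Sum256(payload)
	copy(hdr[12:hdrLen], sum[:])
	img := append(hdr, ed25519.Sign(priv, hdr)...)
	return append(img, payload...)
}

// VerifyImage is the check the device should run before reloading firmware.
// The payload is returned only if the header verifies under the pinned vendor key,
// the payload matches the signed digest, and the version is newer than what is installed.
func VerifyImage(vendorPub ed25519.PublicKey, installed uint32, img []byte) ([]byte, uint32, error) {
	if len(img) < imgOffset {
		return nil, 0, ErrTruncated
	}
	hdr, sig, payload := img[:hdrLen], img[hdrLen:imgOffset], img[imgOffset:]
	if string(hdr[:4]) != magic {
		return nil, 0, ErrBadMagic
	}
	// Verify first: nothing else in the header is trusted until the signature passes.
	if !ed25519.Verify(vendorPub, hdr, sig) {
		return nil, 0, ErrBadSig
	}
	version := binary.BigEndian.Uint32(hdr[4:8])
	if uint64(len(payload)) != uint64(binary.BigEndian.Uint32(hdr[8:12])) {
		return nil, 0, ErrTruncated
	}
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], hdr[12:hdrLen]) {
		return nil, 0, ErrBadDigest // payload altered after signing (e.g. in transit)
	}
	if version <= installed {
		return nil, 0, ErrRollback // anti-rollback: refuse a re-played older release
	}
	return payload, version, nil
}

// Demo runs the scenarios from the talk against a freshly generated vendor key
// and returns the verifier's verdict for each; nil means the image was accepted.
func Demo() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // not the pinned key
	const installed = 1
	payload := []byte("constructed sample payload: pacing parameter table v2")
	results := map[string]error{}

	genuine := BuildImage(vendorPriv, 2, payload)
	_, _, err := VerifyImage(vendorPub, installed, genuine)
	results["genuine v2"] = err

	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0x01 // one payload byte flipped by a man in the middle
	_, _, err = VerifyImage(vendorPub, installed, tampered)
	results["tampered payload"] = err

	_, _, err = VerifyImage(vendorPub, installed, BuildImage(attackerPriv, 3, []byte("malicious")))
	results["attacker-signed"] = err

	_, _, err = VerifyImage(vendorPub, installed, BuildImage(vendorPriv, 1, payload))
	results["rollback v1"] = err

	_, _, err = VerifyImage(vendorPub, installed, genuine[:imgOffset-1])
	results["truncated"] = err
	return results
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

The point of the ordering inside `VerifyImage` is that the signature is checked before any header field is acted on, so a forged length or version never influences parsing; the device only needs the vendor's public key burned in, not a network connection, which is what makes this check workable on a battery-constrained implant where a full authenticated channel is not.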