500 000 recalled pacemakers 2 billion stock value loss
play

500.000 recalled pacemakers 2 billion $ stock value loss - The - PowerPoint PPT Presentation

May 06, 2023 •513 likes •1.1k views

500.000 recalled pacemakers 2 billion $ stock value loss - The story behind Tobias Zillner 2/26/19 2 whoami Tobias Zillner, BSc MMSc Lead IT Security Consultant | Co-Founder Expertise: Industrial Security IoT security /

  1. 500.000 recalled pacemakers 
 2 billion $ stock value loss 
 - The story behind Tobias Zillner

  2. 2/26/19 2

  3. whoami Tobias Zillner, BSc MMSc Lead IT Security Consultant | Co-Founder Expertise: • Industrial Security • IoT security / Embedded • OSINT • Wireless security (SDR) • Threat Modeling • CISSP, CISA, CEH, OSCP, OSWP, IEC 62443, PRINCE2, COBIT5, ITIL • “He’s a cool guy. His name is ‘two beers’.” Lecturer at FH St. Pölten, Uni Wien • ”Two beers?” Speaker at international security conferences 
 • “Yes, it’s a german name!” 2/26/19 3 “Ohh! Tobias!”

  4. How it all started • Early 2016 a new medical security company decided to assess pacemakers • Goal: Find 0-day vulns in pacemakers • 4 vendors assessed • Researcher for St. Jude Medical Project 2/26/19 4

  5. The ecosystem Programmer Pacemaker Merlin Net Implanted cardiac device (ICD) Alias “the cloud“ Home monitor 2/26/19 5

  6. First attack vector Programmer Pacemaker Merlin Net Implanted cardiac device (ICD) Alias “the cloud“ Home monitor 2/26/19 6

  7. First attack vector • New generation is able to communicate wireless • Medical Implant Communication System (MICS) • low-power, short-range (2 m) • high-data-rate • 401–406 MHz (the core band is 402–405 MHz) • accepted worldwide for transmitting data 
 to support the diagnostic or therapeutic 
 functions associated with medical implant devices. • Software Defined Radio / GNURadio 2/26/19 7

  8. Information Gathering • Interviews • Check FCC ID • Fccid.io • http://www.comsearch.com/articles/emission.pdf • Search for other devices from the vendor • Google Patent search • Product documentation • RF chip, Firmware, Software • Visual signal inspection • Check frequency bands for legal issues

  9. FCC ID

  10. FCC ID

  11. Google patent

  14. Signal to bits • Find a signal • Isolate the channel • Use filters to remove out-of-band interference • Detect symbol rate / baud rate • Syncronize clock • Symbols to bits • Encodings: NRZ, NRZI, Manchester, 4b/5b,…

  15. First vulns identified :D • Energy depletion attack • Crash attack 2/26/19 15 https://vimeo.com/180593205

  16. First vulns identified :D • Energy depletion attack • Crash attack 2/26/19 16 https://vimeo.com/180593205

  17. We got stuck… • Reverse engineering is very time intensive • Researcher time is expensive • Weak crypto is also hard to crack only with your eyes • Decision point 1. We go into cryptoanalysis 2. Look for other attack vectors 2/26/19 17

  18. We got stuck… • Reverse engineering is very time intensive • Researcher time is expensive • Weak crypto is also hard to crack only with your eyes • Decision point 1. We go into cryptoanalysis 2. Look for other attack vectors 2/26/19 18

  19. What else to attack? Programmer Pacemaker Merlin Net Implanted cardiac device (ICD) Alias “the cloud“ Home monitor 2/26/19 19

  20. What else to attack? Programmer Pacemaker Merlin Net Implanted cardiac device (ICD) Alias “the cloud“ Home monitor 2/26/19 20

  21. Merlin@Home • Home monitor for patients • Transmits health data to doctor • Huge comfort benefits for patient • Available interfaces • RJ11 jack • USB interface 2/26/19 21

  22. A look inside 2/26/19 22

  23. 2/26/19 23

  24. Hardware hacking ongoing 2/26/19 24

  25. The hacker‘s perspective Live Demo 2/26/19 25

  26. What else to attack? Programmer Pacemaker Merlin Net Implanted cardiac device (ICD) Alias “the cloud“ Home monitor 2/26/19 26

  27. What else to attack? Programmer Pacemaker Merlin Net Implanted cardiac device (ICD) Alias “the cloud“ Home monitor 2/26/19 27

  28. What about the programmer? 2/26/19 28

  29. Removable HDD 2/26/19 29

  30. The final piece in the puzzle • Unencrypted HD • Java JAR files :D • No obfuscation • Reverse engineering of code 2/26/19 30

  31. Merlin@Home as attack device • Emergency shock • Disable Tachy • Vibrate • T-Shock • Demo videos released • https://vimeo.com/187962970 2/26/19 31

  32. Which message authentication code (MAC) is used? A. No authentication B. Propriatery (Let‘s build our own „crypto“) C. Hardcoded 24 bit RSA D. 56bit DES E. 1024bit RSA 2/26/19 32

  33. Which message authentication code (MAC) is used? A. No authentication B. Propriatery (Let‘s build our own „crypto“) C. Hardcoded 24 bit RSA D. 56bit DES E. 1024bit RSA 2/26/19 33

  34. Other crypto mistakes? A. “homebrewed” cryptographic algorithm B. Hardcoded “Universal Key” as backdoor C. one 32-bit RSA public key for all devices D. Truncate calculated keys because of memory 2/26/19 34

  35. Other crypto mistakes? A. “homebrewed” cryptographic algorithm B. Hardcoded “Universal Key” as backdoor C. one 32-bit RSA public key for all devices D. Truncate calculated keys because of memory 2/26/19 35

  36. Technical Summary • Critical vulnerabilities with potentially lethal impact discovered • Unauthorized user could remotely access a patients implanted cardiac device over wireless interface • Very easy debug access to Merlin@home device using an insecure hardware interface • Insecure storage of source code on the home device/programmer • Simple replay attacks for battery depletion • Reprogramming of the pacemaker using wireless • Static keys everywhere 2/26/19 36

  37. What about security certifications? 2/26/19 37

  38. The ecosystem Programmer Pacemaker Merlin Net Implanted cardiac device (ICD) Alias “the cloud“ Home monitor 2/26/19 38

  39. Vulnerability disclosure What was special? 2/26/19 39

  40. What was special? • MedSec licensed research to Muddy Waters (Hedge fond) • Muddy Waters is an investment company known for investigating companies, finding problems like accounting fraud, and profiting by shorting the stock of misbehaving companies. • Muddy Waters took short position in St.Jude Medical stock and bought shares from competitors 2/26/19 40

  41. Muddy Waters published findings report 2/26/19 41

  42. Muddy Waters published findings report • Vulnerability disclosure process? 2/26/19 42

  43. Muddy Waters published findings report • Vulnerability disclosure process? • No notification to vendor "We were worried that they would sweep this under the rug or we would find ourselves in some sort of a hush litigation situation where patients were unaware of the risks they were facing," said Bone, an experienced security researcher and the former head of risk management for Bloomberg LP, the parent of Bloomberg News. "We partnered with Muddy Waters because they have a great history of holding large corporations accountable." 2/26/19 43

  44. The Impact • Stock price fell 12% before trading being halted the day they went public • 2 billion $ value loss • 2.000.000.000 $ value loss 2/26/19 44

  45. Official response "We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading . Our top priority is to reassure our patients, caregivers and physicians that our devices are secure and to ensure ongoing access to the proven clinical benefits of remote monitoring. St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions." 2/26/19 45

  46. The Reaction • St. Jude disputed vulnerability claims and sued the researches and Muddy Waters 2/26/19 46

  47. The Reaction • In October 2016 an independent 3 rd Party verified the claims 2/26/19 47

  48. Officiall statements released 2/26/19 48

  49. 2/26/19 49

  50. FDA - Official statement The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF- enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment . This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing. 2/26/19 50

  51. Official security update 2/26/19 51

  52. The end? 2/26/19 52

  53. VulnDisclosure - The traditional way • Billy Rios & Jonathan Butts • Security assessment of Medtronic Pacemakers • Disclosed bugs they had discovered in 
 Medtronic's software delivery network • Discovered a chain of vulnerabilities in Medtronic's infrastructure that an attacker could exploit to control implanted pacemakers remotely, deliver shocks patients don't need or withhold ones they do, and cause real harm. • Medtronic took 10 months to vet the submission, at which point it opted not to take action to secure the network. 2/26/19 53

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dr. Zhihao Jiang Real-Time & Embedded Systems Lab Dept. Electrical & Systems Engineering

Dr. Zhihao Jiang Real-Time & Embedded Systems Lab Dept. Electrical & Systems Engineering

Dr. Zhihao Jiang Real-Time & Embedded Systems Lab Dept. Electrical & Systems Engineering University of Pennsylvania zhihaoj@seas.upenn.edu 1 Implantable Pacemaker 2 1990-2000: 600,000 implantable pacemakers were recalled 200,000 of

848 views • 61 slides
The Recalled Total Hip: My Approach The Lawyer is Calling! Michael B. Cross, MD Assistant

The Recalled Total Hip: My Approach The Lawyer is Calling! Michael B. Cross, MD Assistant

ADULT RECONSTRUCTION AND JOINT REPLACEMENT The Recalled Total Hip: My Approach The Lawyer is Calling! Michael B. Cross, MD Assistant Attending Orthopaedic Surgeon Disclosures Consultant: Smith & Nephew Link Orthopaedics

488 views • 24 slides
EDWARD MAZRIA Architecture 2030 60% An area equal to 60% of the entire building stock of the

EDWARD MAZRIA Architecture 2030 60% An area equal to 60% of the entire building stock of the

EDWARD MAZRIA Architecture 2030 60% An area equal to 60% of the entire building stock of the world During the next two decades, over 80 billion m 2 (900 billion ft 2 ) of new and rebuilt buildings will be constructed in urban areas

792 views • 17 slides
Calculating S Corp Stock and Debt Basis: Avoiding Loss Limitations and Excess Distributions

Calculating S Corp Stock and Debt Basis: Avoiding Loss Limitations and Excess Distributions

Calculating S Corp Stock and Debt Basis: Avoiding Loss Limitations and Excess Distributions WEDNESDAY, JUNE 3, 2015, 1:00-2:50 pm Eastern IMPORTANT INFORMATION This program is approved for 2 CPE credit hours . To earn credit you must:

1.48k views • 101 slides
Leadless and Subcutaneous Pacemakers and ICDs Where Are We Now and What Is the Future? Byron K.

Leadless and Subcutaneous Pacemakers and ICDs Where Are We Now and What Is the Future? Byron K.

Leadless and Subcutaneous Pacemakers and ICDs Where Are We Now and What Is the Future? Byron K. Lee MD Professor of Medicine Samuel T. and Elizabeth Webb Reeves Endowed Chair Director of the EP Labs and Clinics University of California, San

506 views • 24 slides
Calculating S Corp Stock and Debt Basis: Avoiding Loss Limitations and Excess Distributions

Calculating S Corp Stock and Debt Basis: Avoiding Loss Limitations and Excess Distributions

FOR LIVE PROGRAM ONLY Calculating S Corp Stock and Debt Basis: Avoiding Loss Limitations and Excess Distributions WEDNESDAY , AUGUST 16, 2017, 1:00-2:50 pm Eastern IMPORTANT INFORMATION FOR THE LIVE PROGRAM This program is approved for 2 CPE

1.22k views • 103 slides
CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and

CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and

CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and Implantable Cardiac Defibrillators Professor Adam Bates Fall 2016 Security & Privacy Research at Illinois (SPRAI) Oct 4th Deliverable

792 views • 20 slides
Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless

Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless

Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices Tamara Denning 1 , Alan Borning 1 , Batya Friedman 1 , Brian Gill 2 , Tadayoshi Kohno 1 , William H. Maisel 3 Implantable

491 views • 37 slides
EXTRATERRITORIAL REACH OF U.S. PATENTS IS NARROWED TO EXCLUDE METHOD PATENTS Cardiac Pacemakers,

EXTRATERRITORIAL REACH OF U.S. PATENTS IS NARROWED TO EXCLUDE METHOD PATENTS Cardiac Pacemakers,

EXTRATERRITORIAL REACH OF U.S. PATENTS IS NARROWED TO EXCLUDE METHOD PATENTS Cardiac Pacemakers, Inc. v. St. Jude Medical, Inc. 91 USPQ2d 1898 (Fed. Cir. 2009) Abraham J. Rosner Sughrue, Mion PLLC Background: In the 1972 case of Deepsouth

328 views • 8 slides
6th Annual State of Automotive Recalls Summit 2018 Recap Number of vehicles recalled in the

6th Annual State of Automotive Recalls Summit 2018 Recap Number of vehicles recalled in the

6th Annual State of Automotive Recalls Summit 2018 Recap Number of vehicles recalled in the U.S. has stabilized since elevated activity during 2014 - 2016 Number of individual campaigns greater than years of exceptional activity Number

1.05k views • 100 slides
Introduction Pacemaker Training Program Pacemakers are programmed to ensure Special

Introduction Pacemaker Training Program Pacemakers are programmed to ensure Special

Introduction Pacemaker Training Program Pacemakers are programmed to ensure Special Functions an adequate atrial and ventricular rhythm Managed Ventricular Pacing Sometimes the pacer will pace the ventricle even when intrinsic

428 views • 9 slides
Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power

Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power

Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses Ben Ransford ransford@cs.umass.edu U. Washington: UMass Amherst: BIDMC/ D. Halperin T. S. Heydt-Benjamin Harvard: T. Kohno S. Clark B.

507 views • 46 slides
Understanding the CARES Act Programs for Employers The CARES Act $250 billion in $260 billion

Understanding the CARES Act Programs for Employers The CARES Act $250 billion in $260 billion

April 1, 2020 Understanding the CARES Act Programs for Employers The CARES Act $250 billion in $260 billion in cash payments unemployment to families and insurance individuals benefits $377 billion in small business loans $500 billion

599 views • 29 slides
Automata for Real-time Systems B. Srivathsan Chennai Mathematical Institute 1/26 In this

Automata for Real-time Systems B. Srivathsan Chennai Mathematical Institute 1/26 In this

Automata for Real-time Systems B. Srivathsan Chennai Mathematical Institute 1/26 In this lecture An academic case-study that investigates methods to build more reliable pacemakers 2/26 Lecture 10: Towards reliable pacemakers 3/26 References

478 views • 27 slides
Lyon INSA Team SIX BILLION DOLLARS SIX BILLION DOLLARS 24 000 Ferraris ! SIX BILLION

Lyon INSA Team SIX BILLION DOLLARS SIX BILLION DOLLARS 24 000 Ferraris ! SIX BILLION

Lyon INSA Team SIX BILLION DOLLARS SIX BILLION DOLLARS 24 000 Ferraris ! SIX BILLION DOLLARS DISINFECTANTS WHY SO MUCH DISINFECTANT ? BIOFILM BIOFILMS : THE INDUSTRIAL ENEMY ! More pumping power / Pressure drops Source: N. Zelver,

624 views • 41 slides
Software specification in CASL - The Common Algebraic Specification Language Till Mossakowski,

Software specification in CASL - The Common Algebraic Specification Language Till Mossakowski,

Software specification in CASL - The Common Algebraic Specification Language Till Mossakowski, Lutz Schr oder January 2007 Semantics of CASL basic specifications (recalled) Semantics of CASL basic specifications (recalled) 3 The CASL

1.03k views • 63 slides
Implantable Cardiac Devices Pacemakers Correct for slow heart

Implantable Cardiac Devices Pacemakers Correct for slow heart

CPS: Beyond Usability: Applying Value Sensi8ve Design Based Methods to Inves8gate Domain Characteris8cs for Security for Implantable Cardiac Devices Tamara Denning

2.37k views • 48 slides
Addressing Disparities Advisory Panel Webinar October 21, 2015 2:00 PM 4:30 PM Welcome and

Addressing Disparities Advisory Panel Webinar October 21, 2015 2:00 PM 4:30 PM Welcome and

Addressing Disparities Advisory Panel Webinar October 21, 2015 2:00 PM 4:30 PM Welcome and Setting the Stage Romana Hasnain-Wynia, PhD, MS Grant Jones Program Director, Addressing Disparities Co-Chair, Addressing Disparities Advisory

864 views • 67 slides
Percutaneous Repair with the MitraClip Device for Severe Secondary Mitral Regurgitation Pr Jean

Percutaneous Repair with the MitraClip Device for Severe Secondary Mitral Regurgitation Pr Jean

Percutaneous Repair with the MitraClip Device for Severe Secondary Mitral Regurgitation Pr Jean Franois OBADIA - LYON on behalf of the MITRA-FR Investigators Declaration of Interest Research grant : Abbott, Neochord Consulting fee :

626 views • 29 slides
The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019

The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019

The Current State of Cybersecurity in Medical Devices Medmarcs Webinar Series August 22, 2019 Vulnerable Devices Pacemakers / implantable defibrillators Insulin pumps Infusion pumps Mobile health technologies (mHealth

613 views • 40 slides
This presentation is an outgrowth of work done under contract to the Institute for

This presentation is an outgrowth of work done under contract to the Institute for

This presentation is an outgrowth of work done under contract to the Institute for Telecommunication Sciences and does not represent the views or policies of the United States federal government. Mystery Mystery Signal Signal Challenge!

1.97k views • 178 slides
Cyber-Physical Systems Security IECE 553/453 Fall 2019 Prof. Dola Saha 1 Security Threats

Cyber-Physical Systems Security IECE 553/453 Fall 2019 Prof. Dola Saha 1 Security Threats

Cyber-Physical Systems Security IECE 553/453 Fall 2019 Prof. Dola Saha 1 Security Threats in the IoT Cyber attack on the Ukrainian power grid Power outage caused by hackers Security in the IoT is essential, not just for information

1.21k views • 76 slides
Transcript for Confirmation of Death Training To be read in conjunction with NHS Lothian Clinical

Transcript for Confirmation of Death Training To be read in conjunction with NHS Lothian Clinical

Transcript for Confirmation of Death Training To be read in conjunction with NHS Lothian Clinical Education and Training Department powerpoint presentation (if no sound available on computer) SLIDE 1 Title Slide Nurse Verification of Expected

301 views • 7 slides
Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11, 2013 Andrei Costin/Jonas Zaddach www.firmware.re 1/104 About Jonas Zaddach PhD. candidate on "Development of novel binary analysis

1.25k views • 104 slides

More recommend