Unpatchable: Troopers 2016 edition

•

0 gostou•686 visualizações

Gradually we are all becoming more and more dependent on machines, we will be able to live longer with an increased quality of life due to machines integrated into our body. However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device can have fatal consequences. This talk is about my personal experience with being the host of an unpatchable medical implant, and how this has forced me to become a human part of the "Internet-of-Things”.

Tecnologia

Unpatchable
Living with a vulnerable implanted device
@MarieGMoe
@SINTEF_Infosec
Marie Moe, PhD, Research Scientist at SINTEF

How the heart works
3https://www.youtube.com/watch?v=d6RbN5lPqIU

Pacemaker
5
https://www.youtube.com/watch?v=-f2FKmMneXY

The Internet of Medical ”Things” is real,
and my heart is wired into it…

Pacemaker/ICD
Programmer
Home monitoring
unit
Cellular or
Telephone Network Web portal
Inductive
near field
communicationMICS/
ISM
POTS/SMS
Remote monitoring

With connectivity comes vulnerability…
10

Potential threats
Device is vulnerable?
Access point is vulnerable?
Mobile network is compromised?
Server at vendor is compromised?
Web site that doctor logs in to is vulnerable?

Personal Infrastructure
Your reliance on an infrastructure is inversely
proportional to how invisible it is to you.
We all rely on oxygen, our lungs, and our hearts, but
how often to we think about them?
How often do we do maintenance or debug them?

“Tech is not neutral nor value-free.”
Ben Zevenbergen, Troopers16

”We need to be able to verify the software that
controls our lives”
Bruce Schneier on “Volkswagen and Cheating Software”

When trust is broken
http://www.startribune.com/guidant-to-pay-a-fine-of-296m/113367264/

Previous work
• Kevin Fu et al:
– Pacemakers and implantable cardiac defibrillators: Software radio attacks and
zero-power defenses (2008)
– Mitigating EMI signal injection attacks against analog sensors (2013)
• Barnaby Jack
• Hardcoded credentials
• Medical device honeypots
• Drug infusion pumps
20

Hacking can save lives!
21
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm

Research needed
• Open source medical devices
• Medical device cryptography
• Personal area network monitoring
• Jamming protection
• Forensics evidence capture

Credits
Éireann Leverett (@blackswanburst)
Tony Naggs (@xa329)
Gunnar Alendal (@gradoisageek)
Hugo Campos (@HugoOC)
Scott Erven (@scotterven)
Alexandre Dulaunoy (@adulau)
Claus Cramon Houmann (@ClausHoumann)
Joshua Corman (@joshcorman)
Beau Woods (@beauwoods)
Suzanne Schwartz (US FDA)
Family & Friends

Thank you!
marie.moe @ sintef.no
www.infosec.sintef.no
www.iamthecavalry.org
@MarieGMoe
@SINTEF_Infosec

Mais conteúdo relacionado

Semelhante a Unpatchable: Troopers 2016 edition

The next generation of IT security

Sophos Benelux

Vår avhengighet av systemer som styres av programvare øker raskere enn vår evne til å sikre systemene. Når alle våre ”dingser” kobles på nett øker angrepsflaten og våre verdier blir sårbare for hacking. Dette utgjør ikke bare en trussel mot informasjonssikkerhet og personvern; også menneskers liv og helse trues når dingser som kan påvirke fysiske systemer i økende grad kobles opp mot Internett. Marie Moe er avhengig av et medisinsk implantat, en pacemaker som sørger for at hjertet hennes slår. Som sikkerhetsforsker ønsket hun å finne ut mer om informasjonssikkerheten i denne datamaskinen inne i sin egen kropp, men hun fikk ikke tilgang til å se koden som holder henne i live. Marie startet derfor et hacking-prosjekt for å finne ut av sikkerheten i sin egen personlige kritiske infrastruktur.

Med hjertet på Internett - Sikkerhet i min personlige infrastruktur

Marie Elisabeth Gaup Moe

Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf

Soo Chin Hock

Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...

warezjoe

The Internet Of Things UOP

Ahmad Atef Al-Shoubaki

A description of the general working scheme of the three main protocols proposed for COVID-19 contact tracing, namely DP3T, Google-Apple Standard and PEPP-PT, in all their designs. This part is followed by an introduction to security and privacy issues regarding both local and network attacks to the system, with particular attention dedicated to the disputed PEPP-PT protocol. After a focus on what is happening in Italy with 'Immuni', the final considerations are devoted to a broader analysis of the context in which Contact Tracing apps should be deployed and a possible future development of privacy controversies.

Introduction to contact tracing apps and privacy issues

Christian Spolaore

IS L07 - Security, Ethics and Privacy

Jan Wong

Security for Implantable Medical Devices (IMDs)

HCL Technologies

Who are the players and use cases of #AI in healthcare

Steve Ardire

Security Awareness Program

David Wigton

Capturing Data and Improving Outcomes for Humans and Machines Using the Inter...

Altoros

I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015

Claus Cramon Houmann

These are the slides from Misha Seltzer's talk at Product of Things Conference in Tel Aviv on July 2018: Who this talk is for: this talk is for product managers that want to avoid common design flaws that lead to easily hackable IoT devices. After this workshop you will be able to: Spot and eliminate security design flaws early Know where you, as a PM, can get involved to improve your product's security Learn from mistakes done by others, and not repeat them What is covered: RTOS as well as Linux-based IoT protection Rules of thumb for basic IoT security Unexpected areas from which security flaws might creep into your products. In the land of IoT, with so many different companies/manufacturers competing for the same space, it's essential to have a good reputation. One embarrassingly hackable product can not only hurt sales but kill the company altogether. In this talk, we'll go over a couple of cases of embarrassing IoT security flaws, learn how/where those mistakes were made, and what can you, as PMs, do not to repeat those mistakes.

Avoid embarrassing press by designing secure IoT products with Misha Seltzer

Product of Things

How Informatics Will Change the Future of Pharmacy

Kevin Clauson

Speaker: Jay McBain, Co-Founder, ChannelEyes A look at disruptive technologies such as the internet of things, pervasive computing, consumerization, connected advertising and marketing, smart factories, intelligent traffic management, parking space management, waste management systems, smart electricity grids, smart water systems and smart warehouses will drive future profit and innovation for the technology channel. The latest numbers on BYOD, BYOA and 7 futurist predictions on what the next 10 years will bring for the IT industry.

How Disruptive Technologies Drive Innovation in the Channel

Jay McBain

Privacy and Security by Design

Unisys Corporation

AI Innovation Healthcare Summit Oct 25 – 26 in Boston by @sardire

Steve Ardire

Securing IoT medical devices

Benjamin Biwer

AI in healthcare disruption or hype HealthSlam Dec 2nd 2016

Sudha Jamthe

IoT tietoturva terveydenhuollossa, 2017-03-21, gko

Glen Koskela

Semelhante a Unpatchable: Troopers 2016 edition (20)

The next generation of IT security

Med hjertet på Internett - Sikkerhet i min personlige infrastruktur

Cybersecurity Awareness Month_2021_PartnerPresentation_Final.pdf

Ccdc 2012 Wireless Data Exfiltration - building and using low cost signal int...

The Internet Of Things UOP

Introduction to contact tracing apps and privacy issues

IS L07 - Security, Ethics and Privacy

Security for Implantable Medical Devices (IMDs)

Who are the players and use cases of #AI in healthcare

Security Awareness Program

Capturing Data and Improving Outcomes for Humans and Machines Using the Inter...

I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015

Avoid embarrassing press by designing secure IoT products with Misha Seltzer

How Informatics Will Change the Future of Pharmacy

How Disruptive Technologies Drive Innovation in the Channel

Privacy and Security by Design

AI Innovation Healthcare Summit Oct 25 – 26 in Boston by @sardire

Securing IoT medical devices

AI in healthcare disruption or hype HealthSlam Dec 2nd 2016

IoT tietoturva terveydenhuollossa, 2017-03-21, gko

Mais de Marie Elisabeth Gaup Moe

The demand for insurance against cyber attacks is rapidly increasing and insurance companies are entering the field as actors in the incident response food chain. Businesses that want to use cyber insurance as a risk management strategy need to understand the risk they are facing, and how cyber insurance can reduce this risk. This implies a need to understand and evaluate cyber insurance policies. Insurance companies, on the other hand, need to be able to differentiate between potential clients based on the risk they are facing, so as to reduce the risk of adverse selection. They also need to understand the needs of the various market segments, in order to offer cyber insurance products that are relevant. Presentation by Marie Moe and Eireann Leverett at the 28th Annual FIRST Conference in Seoul, June 14th, 2016.

Does it pay to be cyber-insured

Marie Elisabeth Gaup Moe

Når cyberangrep får fysiske konsekvenser

Marie Elisabeth Gaup Moe

Sikkerhet i Internet of Things

Marie Elisabeth Gaup Moe

Software Security: Hvordan bygge sikre systemer?

Marie Elisabeth Gaup Moe

Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...

Marie Elisabeth Gaup Moe

Incident handling of intrusions related to cyber espionage operations is a complex and challenging task. As a national CERT with a unique national early warning detection system, NSM NorCERT has detected and responded to incidents that vary from traditional incident response and abuse handling to counter-intelligence operations. Based on some real-world examples, this talk will be about incident handling of cyber espionage intrusions. What are the most common pitfalls and how can companies be better prepared?

Incident handling of cyber espionage

Marie Elisabeth Gaup Moe

Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...

Marie Elisabeth Gaup Moe

Mais de Marie Elisabeth Gaup Moe (7)

Does it pay to be cyber-insured

Når cyberangrep får fysiske konsekvenser

Sikkerhet i Internet of Things

Software Security: Hvordan bygge sikre systemer?

Informasjonssikkerhet og personvern: Hva må vi tenke på ved tilgjengeliggjøri...

Incident handling of cyber espionage

Er smarte systemer dumme på sikkerhet? -Hvordan ITS krever enda mer intellige...

Último

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@