Neat stuff

You have to disable your ad blocker to view the Washington Post, but it's a fun story.
So, this has been going on for a long time, but it's worth reading if you haven't before.

LAS VEGAS — Ten of the nation’s top medical device companies will give hundreds of ethical hackers free rein this weekend to poke and prod their pacemakers, drug infusion pumps and other devices — and look for bugs that could hurt people or even end their lives if they’re exploited by criminals.

And the hacks will take place out in the open — in a realistic hospital replica here at the Planet Hollywood Casino that includes hospital rooms, a lab for bloodwork, and neonatal and intensive care units.

“Medical devices are lifesaving and life preserving, but they also can have flaws that could put someone’s life at risk,” Beau Woods, who organized the Medical Device Lab at this year’s Def Con cybersecurity conference, told me. “So, we’re trying to create a safe space to bring security researchers and medical device manufacturers together.”

That marks a massive shift since 2011, when cybersecurity researcher Jay Radcliffe first demonstrated how he could hack his own implantable insulin pump at Def Con’s sister conference Black Hat.

Back then, Radcliffe got fierce blowback from the insulin pump maker Medtronic and from the broader device industry. Most medical device companies viewed hackers who tried to point out digital bugs in their products with a mix of suspicion and hostility — and worried that they were either exaggerating dangers or giving malicious hackers a road map to hurt patients.

Now, the medical device event is among Def Con’s biggest live hacking events. And medical device makers are engaging far more with the hackers than other industries are willing to help similar efforts to test their products at the conference. This year, vendors have submitted 40 medical devices for hackers to test, compared with about 10 last year.

And the U.S. government is on board, too. “In 2011, researchers felt they had no other recourse than getting onstage at Black Hat and doing a live demo of a potential hack to grab the industry’s attention,” Suzanne Schwartz, leader of a Food and Drug Administration division that focuses on medical device cybersecurity, told me. “After that, we really saw the need to bring everyone to the table.”

Since 2011 the FDA has released a series of rules urging device makers to vet their own products for digital vulnerabilities and to have a formal process for dealing with bugs found by outside researchers.

At a conference in January, the FDA urged companies to bring their medical devices to Def Con to face hackers in an effort Schwartz compared to the viral “ice bucket challenge” aimed at funding research to combat ALS disease. The agency also launched a webpage titled “Wehearthackers” where it publicized the companies that agreed to bring their products to Def Con.

“There have been some real growing pains in the process and we wanted the industry to see that FDA really values working together with [cybersecurity] researchers,” Schwartz told me.

Among the device makers that are participating this year is Medtronic, which is bringing a newer generation of its insulin pump for hackers to examine for bugs.

“There’s been a shift, not only at Medtronic, but industrywide,” Erika Winkels, a Medtronic spokeswoman, told me. “Security’s evolved … Medtronic has really made a concerted effort to embrace this community and we recognize the value they bring.”

Def Con’s medical device “village,” as hacking efforts are called at the conference, is also trying to bring in other groups that deal with medical devices.

The medical device company Abbott, which funded the mock hospital built by California Polytechnic State University’s California Cybersecurity Institute, is bringing a team of doctors to pair up with cybersecurity researchers doing the hacking.

“It really helps to create that hospital environment for the [cybersecurity] researchers to work,” Chris Tyberg, vice president of Abbott’s product security division, told me. “It will help them understand how these devices are really used, how they fit into the clinical setting, how a patient really uses this.”

The FDA has also invited patients with implanted medical devices to weigh in at the village, some of whom are also cybersecurity researchers, Schwartz told me.

“There is no intent toward making [patients] into subject matter experts, but certainly they need to speak the same language,” she told me, “to be able to have significant enough understanding that they can make that benefit-risk calculus so we can have an informed dialogue with patients around what those cybersecurity risks are.”

This is the last Cybersecurity 202 newsletter this week, due to the congressional recess schedule. Stand by for more news on the collaboration between the government and ethical hackers in Las Vegas in next week’s editions.


Just turn off JavaScript to read most of the sites that want ad blockers disabled

There is a Firefox extension to toggle JavaScript - one click does it

Just make sure to turn it back on <<<<< — READ THIS

And now they are inviting hackers while any company with a brain has been doing it for 20 years

1 Like

Does that apply to slot machines?

1 Like

If you want to lose your hands to a circular saw


They brought down the slot machines in Deadwood, SD last year, I think.

@Tony24, this is kinda surprising - But, not everybody is running off something made by a company. I spoke with someone in Deadwood whose friend brought their vagus nerve stimulator to LV a couple years ago. She was just curious if they could get in. They did, on the spot. That's for epilepsy. Some of those are custom built for the patient. They get built out of kindness, not for $$$. There’s some really interesting devices out there floating around.

1 Like

I think that they, traditionally, do this stuff in gambling towns because they are targeted a lot.

This is bothersome.

1 Like

Uggh. Bothersome indeed.

Interaction-less iOS bugs are highly coveted by exploit vendors and nation-state hackers, because they make it so easy to compromise a target’s device without requiring any buy-in from the victim.