BIO HACKING VILLAGE - PWN to Own My Heart - TIB AV-Portal

BIO HACKING VILLAGE - PWN to Own My Heart

00:00

4

Formal Metadata

Title

BIO HACKING VILLAGE - PWN to Own My Heart

Title of Series

Number of Parts

322

Author

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/39812 (DOI)

Publisher

Release Date

Language

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

The increase of pace in the technology field has left the race for manufacturers to increase the security in medical devices. There is the theoretically possibility that your heart can be pwned. Pacemakers have become part of the internet of things. We are putting our hearts on display. This is my journey from regular hacker to gen-one cyborg to pwning my own heart that I can own the vulnerabilities to fix it. We forget that these are devices connected to flesh and blood, a person who depends on this device to have just one more heart beat. This is a journey into the inner sanctum of living with a vulnerable device in a time where technology progression has left behind security. We can no longer have security by obscurity when it comes to devices which cyborg’s like me depend on.We should not be in the business of sacrificing security for convenience or power. As a patient, I would rather sleep knowing my device has been hardened and have the inconvenience of replacing it more regularly than the converse. I feel that we, as the security community, should be addressing and assisting medical manufacturers with the security vulnerabilities in the devices that literally keep people alive. There should be more effort placed on addressing the security vulnerabilities. The simple fact is we are not dealing with just ones and zeroes. This is, for some, a life or death situation.

Speech

Text

Image

00:00

CodeGoodness of fitMechanism designService-oriented architectureGodVideo gameVector potentialContext awarenessInformation securityCategory of being

01:18

Vector potentialCondition numberMereologyCategory of beingMechanism designVirtual machineHacker (term)Beat (acoustics)Perimeter

02:36

Connected spaceSoftwareLevel (video gaming)Basis <Mathematik>Wireless LANMechanism designMathematicsNatural numberDivisor

03:34

Computer networkSoftwareSoftwareMathematicsSelf-organizationThermal radiationDifferent (Kate Ryan album)

05:08

Vulnerability (computing)In-Memory-DatenbankMiniDiscPeer-to-peerMaxima and minimaHacker (term)Vulnerability (computing)1 (number)

05:55

InformationResultantHacker (term)Right angleFocus (optics)Information securityTouch typingChemical equationDistanceDialect

07:48

Moving averagePosition operatorInformation securityArithmetic meanIntegrated development environmentPhysical systemError messageVideo gameFamilySurgery

10:12

Degree (graph theory)TelecommunicationP (complexity)Quaternion groupDesign by contractBlock (periodic table)Addressing modeDegree (graph theory)Cubic functionLine (geometry)

10:53

Rule of inferenceRead-only memoryVoltmeterVirtual machineHost Identity ProtocolSoftware testingBitRight angleOrder (biology)

11:59

Programmer (hardware)PhysicsDegree (graph theory)Fundamental theorem of algebraEvent horizonInformation securityProgrammer (hardware)Software developerInformationEncryptionData mining

13:29

WindowPressureSoftwareMoment (mathematics)Staff (military)Group actionNear-ring

14:10

Bus (computing)IcosahedronSoftware bugBit rateMachine learningCodeSoftwareInformation security

14:58

Range (statistics)Wellenwiderstand <Strömungsmechanik>Discrete element methodFunction (mathematics)Mountain passMultiplication signDefault (computer science)BuildingComputer programmingSet (mathematics)Sensitivity analysisLine (geometry)

16:14

SurgeryBitDivisorSoftwareComputer programmingInformation

17:09

Online chatInformationMultiplication signMetropolitan area networkOffice suiteBlack boxTelecommunicationProgrammer (hardware)Arithmetic mean

18:09

Crash (computing)Standard deviationBitBit rateSlide ruleVideo gameArithmetic meanCrash (computing)

19:13

Information securityDistanceGoodness of fitContext awarenessBit rate

20:00

Universe (mathematics)FirmwareData miningMathematicsCodeAuthenticationLogic gateVideo gameVelocityComputer worm

20:57

Line (geometry)Level (video gaming)Observational studyInformationData miningSystem identificationSerial portElement (mathematics)Bit rateNumberSingle-precision floating-point format

22:12

MalwareCategory of being1 (number)Video gameGoodness of fitMalwareSpacetimeSlide ruleTelecommunicationVector potentialSelf-organizationPlanningProgrammer (hardware)Semiconductor memoryStatement (computer science)Office suiteInformationNatural numberInformation securityNetwork topology

24:03

God

24:43

Gamma functionHill differential equationMoment (mathematics)Semiconductor memoryWebsiteBenutzerhandbuchInformationAuthenticationWhiteboardGame controllerState of matterPasswordProgrammer (hardware)

26:32

Information securityProgrammer (hardware)

27:22

Connectivity (graph theory)InternetworkingVulnerability (computing)InferenceWeightBit rateHost Identity ProtocolCondition numberConnected spaceInternetworkingPoint (geometry)Arithmetic meanVulnerability (computing)Computer programmingHacker (term)

28:55

BitCausalitySurgeryMalwareMultiplication signRepresentation (politics)PlanningDifferent (Kate Ryan album)Data conversionSubsetNeuroinformatikInformationInformation securitySource codeChemical equationMeasurementMoment (mathematics)Regulator geneFamilyCircleWaveCybersexQuicksortGodPoint (geometry)MereologyLattice (order)Beat (acoustics)Physical systemMachine learningDependent and independent variablesPublic key certificateNatural numberSound effectWage labourIncidence algebraMetreTask (computing)Decision theoryTelecommunicationCommunications protocolFrustrationPulse (signal processing)Bit rateHacker (term)EncryptionTwitterSpektrum <Mathematik>Sign (mathematics)Level (video gaming)PasswordRight angleFiber bundleMultiplicationMetropolitan area networkOptical disc driveProgrammer (hardware)Default (computer science)Noise (electronics)Vapor barrierDisk read-and-write headBlock (periodic table)Statement (computer science)Set (mathematics)Shared memoryField (computer science)CodeCartesian coordinate systemAuthorizationVulnerability (computing)WebsiteRow (database)Arithmetic meanPhysicalismWeb pageMixed realityPressureTap (transformer)Electronic mailing list

Transcript: English(auto-generated)

00:00

Hey everyone, so I'm Vee, I'm poison pixie and I'm here to talk to you guys about that little device up there that's implanted in my chest. So one big, I think it's 2012 I read an article by Barnaby Jack and by then I've

00:23

had my pacemaker for a good couple of years and realising, oh my god, this is a fucking disaster. But being who I am, I find this my motto in life. My aim is to raise awareness of these potential malicious attacks and encourage manufacturers to act to review the security

00:44

of their code and not just the traditional safety mechanisms of these devices. This is something that I take with me every day. You'll see at the end there is a little puzzle for you guys to solve that I have a saying, beautifully broken, wonderfully flawed.

01:03

Because that's who I am. My heart is effectively broken in so many ways and my device is flawed. But I still find the beauty in the science that keeps me here every day something worthwhile. For me we're moving into an age where human beings in the traditional

01:24

sense of being flesh and blood will no longer exist. I in the traditional sense am no longer human. The most major part that keeps me alive is bionic, mechanical and technology.

01:42

And that is the science of heartbreak. That is the science of me and who I am. I refer to myself as a Gen 1 cyborg, a non-human hacker, half technology, half flesh and blood.

02:01

I passionately live for every beat that my pacemaker gives me, even though it traditionally sometimes does fuck it up. We all know how technology is, it's built by humans, it's not built by machines yet, and it does break. I believe that we as a community need

02:22

to break things to make them better. Because how do we know that a perimeter can be breached? We first have to break in. We cannot anticipate what needs to be fixed unless we know how to break them. This is a brief history. In 1958 the first pacemaker was

02:42

implanted. That is very long ago. I was not born yet. So this technology has been around for years. Basically everyone should know what a pacemaker is. It is a little device that listens to your heartbeats and acts as a way, a mechanism to keep your heart beating when your natural pacemaker

03:05

fails. And lastly was the first one to receive this device. At that stage there was no network connectivity. Today we find pacemakers that have wireless connectivity that connects to a program and next to a patient's bed across wireless, that a doctor can interrogate and

03:25

make changes on a regular basis sitting across the world. Because apparently according to the factors that was an excellent idea. We've seen recently, I did some research because I thought

03:40

to myself I believe we can do better. But how do we know we can do better unless we know what has gone wrong? 1985 to 1987 six patients received harmful radiation from their pacemaker. Such thoughts were very slow. 2002 a network was flooded and cardiac patients could not receive

04:10

critical changes to their devices because the hospital was unable to facilitate these changes. In the 2000s we started seeing recalls on ICD defibrillators. Now here's the scary thing

04:26

with an ICD. Your heart muscle is in my opinion your most sensitive organ. If it is overshocked or overstimulated it simply dies. There's no way to regenerate it at all. So I have an ICD

04:44

implanted that acts as a pacemaker. So I'll get to a little later where I did some research on the FDA and how they passed my device and the flaws that they passed within my device. 2006 we saw software updates released for pacemakers. Especially when attacks started

05:06

being facilitated on these devices. And that carries on to 2008 where we started seeing the vulnerabilities being exposed by the likes of Barnaby, Jack and other researchers. 2008

05:22

one of the biggest medical manufacturers, Medtronic, was taken to the Supreme Court for flaws within their devices. 2011 I think it was at DEFCON when Jay Radcliffe displayed how you can hack an insulin pump. And it just carries on. And this is where my journey

05:45

started in 2012. Where I decided that I no longer want to trust what the medical practitioners tell me. I want to know how my device works. Now someone like me that

06:02

has a device, I have been told that the device is not my own. It belongs to the medical manufacturer. We use the kicker. They might have that user agreement with my doctor. They don't have that legally with me. I feel that my device, if it is there to keep me alive, I should have the right to test it. I should have the

06:25

right to know how it works. I should not have security through obscurity. I think they should be more open and let security practitioners know how their devices work. And if anyone has ever dealt with medical companies, they will realize that some of

06:43

them are pure bullies. They are assholes. As much as they are awesome in designing innovation, innovation is what they focus on. They don't focus on security. We just want the next new big thing. But I say if we want to be innovative, we should be secure.

07:04

I'm not saying lock the device down. There is a very fine balance towards having a device that is accessible and secure, having information available to medical practitioners at the touch of a dial. But we don't have to open it for bad people. And it's not

07:23

necessary to say that it will be a hacker that will attack a device. If I ask anyone in the audience, who's a murderer, anyone that can stab someone has now got the ability to access these devices wirelessly and facilitate the attack. We can now have murder

07:44

from a distance and no longer just from far away. For me, what is important is ensuring the security of these devices for the future. Because if I ask you for example, what do you think would happen if the first pacemaker gets hacked? Do you think someone else would

08:03

get another device? No. So we go back 10 years. That is not the aim. The aim is to fix this going forward, that we're in a position to keep innovation going. Now I'm going to share something very personal and it's something that I've never shared

08:23

in public, is how I was diagnosed and what led me on this path of getting my pacemaker. At 19 I was admitted with heart failure. My conductive system simply does not work and I had to get a pacemaker. Now inside Africa you have medical aid. Our medical

08:44

aid declined to pay for my pacemaker, meaning that effectively according to medical personnel I had two weeks left to live at the age of 19. I prepared myself to go home because I refused to die in a medical environment. I wanted to be surrounded by my

09:02

mom, my dad, my brother, my family, my people. And on the way out my doctor stopped me and said, you know what, you're going in for surgery. I've paid for your pacemaker. So I'm here today doing what I'm doing because I got a second chance. I got a device

09:22

that has saved my life from the age of 19, has given me two amazing little goals that I would never have had. But I have concerns about my device. In January was admitted again because I got a new pacemaker two years ago and my pacemaker failed.

09:47

It did not resuscitate me and I spent eight minutes clinically dead. After, here's the kicker, after the device was tested by three technologists from the medical company

10:01

stating that there's no errors on the device. It still failed and no one can tell you why. This is a little poem that the medical practitioners use to explain what a third

10:20

degree heart block is. If the R is far from P, then you have a first degree. Longer longer drop, then you have a weakened buck. If some Ps don't get through, then you have Mopeds too. If Ps and Qs don't agree, then you have third degree. Basically it means my heart cannot pump on its own. It is unable to relay communication for it

10:47

to contract together. So it flat lines. Now my device that I have has been passed

11:02

by the FDA. Now who here knows what a pre-market assessment is? What that means is that one clinical trial with a small amount of people are done to test whether this device works. In the United States we have more stringent and strict tests for

11:23

drug FDA tests than we do for medical devices, which for me is a bit of a problem because if you take the wrong medication that can be reversed. If you receive a shock from an ICD, which is higher than what it should be, you die. We have our

11:45

whole idea of how these devices are passed, absolutely confused. I think that the FDA should start stepping up, start fixing legacy shit and just do what's right.

12:04

Here is something that I did with my cardiologist before I came to DEFCON. He's got one of the biggest brands in South Africa that supports. I cannot name their name. I have been told not to say any manufacturer's names. While I was undressing, so how it works is I go

12:20

in every six months. I lie down and my heart gets stopped and started in varied degrees to test my device. I took a rubber ducky and I placed it behind the programmer with permission from my cardiologist and I managed to capture everything that he changed

12:40

along with all my PII information, what was wrong, what events were noted for the last six months. Now, it wasn't just for mine. It was everything that has been stored on that device and that's where the problem comes in. We've got these phenomenal programmers

13:02

running XP, having USBs activated, hard-coded credentials, no encryption, no command white listing. It's just badly built. It's not that it's just unsecure.

13:21

It's that the fundamentals and basics of secure development has not been adhered to. I fight a battle at the moment where I don't have a cardiologist no more. The medical company that owns my device or manufactures my device has effectively put so much pressure

13:43

on my medical staff that support me that they can no longer help me with any of my research. I'm without a doctor. I'm without support fighting a battle that is pretty much on my own until I found a small group of people that led me here today. I don't know,

14:05

does everyone know who I am, the cavalry is? They're pretty awesome. The problem is important. We need to be able to verify the software that we use within

14:21

devices because most of my problems that I had in January was due to machine learning failing and software bugs. Would you believe that when asking the medical manufacturer to see the code to review what is keeping my heart rate going, I was declined access

14:41

to this code because it's proprietary. They are practicing security through obscurity. I have to trust a big corporate that what they are saying is good, effectively is what is going to keep me alive. This is what the FDA has passed on my specific device and

15:05

they have said that these are acceptable risks. My electrical component has failed in January causing me to flat line. It does not connect with the program and will not always retain

15:22

its settings. It will reset to default and I've actually experienced this. I took the chance to enter the wireless village because I like living dangerously and needless to say within about half an hour started feeling ill. Just because we need to be scientifically

15:40

correct, we replicated it for a second time. If anyone's got a pacemaker, stay clear of the wireless village. There's way too much signal going about. These are devices that should not be that sensitive to signals going on outside the body because technology is signal driven. It is simply not there to be that sensitive. I'm convinced these

16:08

medical companies are building snowflake devices because I think my device has got more emotion than I do. This is what my device costs and this is excluding the leads. I have a

16:23

little battery running my programs, running my software with two leads. When they need to be replaced, it's not simply like popping out, open my skin with a little tag. They cut me open, they take out the whole device, hoping not to rip out the leads connected

16:41

to my heart. You can see that when a device is recalled, it's a bit of a fuckup. You have to go into hospital and have surgery. For example, St. Jude fixed their problem however the legacy devices are unable to be, firmware updated. Those patients will

17:01

need to have new devices implanted. They will need to have surgery because the manufacturer fucked up. This is just to explain exactly how the FDA passes their information. One

17:24

day I decided to sit outside the doctor's offices with a backpack and a hoodie because that's what we wear. That's what I wear every day. I black boxed. I just listened and I learned. What do you guys think I picked up? Anyone? I managed to capture communication

17:44

between the programmer and the pacemaker, meaning I could potentially replicate a man in the middle attack, sitting outside my doctor's offices, just listening, looking like any normal patient. Again, this is all done with permission from my cardiologist

18:05

who at that time was very supportive. This is one of the attacks that we theoretically formulated because if you ask any heart association, they will say no patient has been hacked that we know of. It's the that we know of situation that worries me

18:26

is because we don't check because we think it's theoretical. Why is it not showing? I'm going to have to read this a bit of a technical difficulty with the slides. If you take a pacemaker and you start adjusting the way that it paces, you can take a heart

18:44

rate up from 60 to 160, meaning that your heart will be exhausted and your battery will be depleted. The standard pacemaker battery will last 10 to 12 years. You will be able with a crash attack theoretically to take that down to about three years, which

19:05

the patient will be unaware of because effectively he would think it would take 12 years. A denial of life attack is one that has been done successfully where if you send RF signals to a pacemaker at a sequential rate, it will count one,

19:27

two up until nine and who can guess what happens then? What would be good security? Did it cut it off? It just starts counting at one again. That is not how it should be

19:41

because how do we drain battery life on RF devices? We keep on attacking it. RF signal that I am aware of, the distance from is 50 feet is the furthest that I'm aware of. That is pretty far. That means I don't have to stand next to you. I wonder

20:02

what went wrong with this life. Anyway, the replay attack basically means that I'm going to replicate wherever your doctor has changed. I've listened. I've reverse engineered these packets and I'm going to replicate what he's done to authenticate your device. Once you've authenticated to that device, it's got no whitelisted commands.

20:23

It will effectively open up like a fresh fruit and accept any code that you give it. One of the things that I discussed with friends of mine at Varsity at the university that I was at was you could potentially authenticate to a device which is universal across the world. Upload new firmware. This firmware can update and authenticate to other

20:46

devices effectively creating a worm that self-replicates. Those are things that we should be looking at and being aware of. These are some changes that have been found by researchers

21:03

that you can do within a pacemaker. Identification of a device. As with anything, you don't want too much information to be beakened out. From studies and work that we've done, these devices will give you their serial number, patient information. It will disclose

21:24

your cardiac data which is something I don't want out there because it's the most personal thing of mine. You will be able to change the clock on your ICD which is fundamentally an important element in ensuring when the device is implanted to estimate when the device

21:43

will run out. You can change the therapies. Again, this is what happened to me in January when my device decided that it would be able to learn on its own. I had a software issue. My device thought that when my heart rate fell to 30, it was acceptable and that it

22:02

ended up in its missing, my heart flatlining. That is just like the tip of the iceberg. Here's the interesting thing. I was preparing for my slides and every medical manufacturer said malware is not a problem. At Black Hat, they actually managed to put malware

22:26

on an ICD programmer. Meaning if I go into the offices with a device that has been compromised, potentially without knowing, I can have malware on my ICD. That would mean that it

22:41

could infect other ICDs. It could mean that it could kill me because I think the one thing that we forget about these medical devices is they are connected to human beings. They might be security devices, electronic of nature, ones and zeros, but there's a human life

23:00

that is at stake. Now this might seem a little bit dark, but what would you rather pay for if your pacemaker is ransomed? Your information or your life? Your organs, obviously. It's a good business plan, ransoming medical devices, not that I say you should do it, but I mean people are going to pay for their organs. This is real organized crime situations where

23:25

we see that it's a monetary situation. If you infect a programmer with ransomware, for example, that reinfects other devices, you have the potential to constantly have revenue. This is not something that should be possible. This is something that should

23:44

be addressed with reserved memory space within these devices. My device is AES-enabled. How many of you think that that is exactly what they use? Anyone? They don't. It's available, but it's not being used. I got a statement from a medical company saying, you are coming

24:08

to DEFCON and you have a pacemaker. You are going to die. I'm like, well, I think I've got a bigger chance sitting across from you being killed than I do being with the community, because it's the community that's going to help me fix the problems

24:23

that you've created. I think that if we start interrogating these devices and being less worried about, oh my God, we're talking about killing people. Well, yes, we need to start talking about saving people rather than killing people. I want to explain

24:46

this to you, because this is something, it's almost a soapbox moment. When I started talking to the FDA, they said, but we've got pre-market assessment. What that means is they go through documentation of a device saying, okay, this is what the device claims

25:01

it does, and it's a checkbox exercise. That is all it is. They try and design these innovative, new, phenomenal devices that don't even get the fundamental basics right. And you have a patient that could potentially die, because the device is bald-pearly.

25:23

I was able to go onto all of the manufacturer's websites and download in excess of about a thousand technical user manuals meant for medical practitioners. I could fool them and state that I'm in the United States when I was sitting in South Africa. None of these

25:42

websites had user authentication. They don't know if I was a doctor or not, but I had access to how these devices were built. I know exactly what controller it's got, what board it's got implanted, and what memory it has. What do you think I can do with that information when I start reverse engineering it? Because then I can start knowing how

26:04

these devices work, and that is exactly what I did with my own device. And we were shocked to find that this device has actually got a wireless controller in even after I stated when they put this in two years ago, I did not want it. But that is what was available,

26:22

because having a programmer next to your bed that communicates with your device with no username and password seems like an excellent idea. This is something that's very close to my heart. These people are really working their asses off for the companies. And as

26:41

I've said, the companies are not nice people. The legal teams, they scare me. Not a lot scare me. Those legal guys scare me. But I am the cavalry, needs more researchers. They need people in the device labs, interrogating the infusion pumps, the pacemakers, the programmers, and hacking the shit out of these devices. Then we can start shaking up the room and

27:05

saying, these devices are surely fucking unsecure. I want a future where we can say that we not only have innovation, we have security, availability, and accessibility to devices that are working. This lady has been instrumental in supporting me in doing the work that I

27:33

like to do, getting me in connection with the right people. And this is the reality. I am, like her, one of two people having our condition, insecurity, being connected

27:45

to the wonderful DEFCON internet and IoT and being fucking unprotected. I have never felt vulnerable the way I did two days before DEFCON, realizing that my device was passed by someone that I trust and stating that the vulnerabilities that they have associated

28:04

with it is acceptable. It is not acceptable to flatline and have to be resuscitated for eight minutes. When I have a device I paid for, a fuckload of money, and it doesn't work. That doesn't mean I'm going to get hacked. But surely enough, we just need

28:26

one skitty to decide it's a fucking good idea to go toy with these things, writes a program, accesses the devices and not realize what they've done. We have situations where researchers at the point are being bullied. Big pharma does not want to play nice, and

28:46

there's one way to solve that. It's for the community to basically step up and say, enough is enough. Whoever solves that, I will buy a beer for. You guys can run it. If

29:03

it doesn't work, I was drunk when I wrote it. But I really want to motivate you guys to get involved with I Am The Cavalry. It doesn't even have to be hacking. It's just looking at better ways to get protocols in place for companies to start fixing the

29:22

stuff. Having support from the community is important because I can tell you I can access my device through multiple ways and means. I was very shocked to find that no encryption was used. Now I understand. Now look, I'm going to say, I understand physically. I

29:41

cannot be dying on the floor, having a heart attack or having an issue and go to the doctor and say, oy, let me give you my username and password. It's not going to work. But there has to be some balance. At the moment, there is none. So who's going to

30:05

go? Because we need the community to start taking up the research again and start getting shit done. Because the future is coming, we're going to have our first malware. We could have had it already. Because if you start asking medical companies, what's

30:22

your incident response plan? Do you check someone that's passed away from a pacemaker? Do you know why they died? No, it's natural causes. They've had a heart problem. Well, how do you know the pacemaker did not fail? They don't do checks and balances. For me,

30:41

that is a fundamental problem. And I am tired of dealing with the shit alone. I am tired of being bullied. And I want the community to start stepping up. And I want the youngsters, the new, the future, because I'm not the future, I'm old, to start stepping

31:01

up and doing things. So thank you for your time. Yeah. You talked about trying to get these devices fixed by contacting manufacturers and whatnot, but it seems like that it's such a struggle to ever play out. I was wondering what

31:24

do you think about somebody who can try to actually put together a new company and what kind of entry barriers they would have to face to actually go and put a market solution that actually has security measures in its market that way? I can tell you. Can you repeat the question?

31:40

Thank you. I'm sorry to ask you that. I wanted to ask what you think about market solutions that would involve security measures that are marketed this way so that the consumer knows they're getting a device and what kind of entry barriers like a new company would have to face to be able to get this on the market and actually be able to kind of solve these

32:01

problems without having to deal with the current manufacturers of these devices. Thank you. I think if we had a new kid on the block that is able to offer a secure and transparent solution to patients, I wouldn't mind an open source device. Not that I'm saying I would like to program it myself because, God, I'm an awful programmer, but I would like to know what the code is doing.

32:23

I would like to be able to read and understand it because, for example, machine learning is an excellent idea in many applications, but not in a situation where your heartbeat does certain specific things. The doctor knows what it's supposed to do. So I think if a new company can come on board and start doing secure

32:40

devices and they focus a little bit more on security, I would go get that device every five years. I would have the surgery because I would sleep better. And just on another note, I want to say thank you to the Sockboons that made time to come visit. Thank you, guys. They've been working hard, so buy them a beer later today, hey? But seriously, we need to build secure medical devices.

33:08

These aren't little devices that just do something. They keep someone alive. And it's not just about me. I think there's about 2.2 million people with pacemakers or ICDs or

33:21

brain implants or any medical device. That could be genocide when we have a Stuxnet situation on our hands. I hope this question isn't too much of a sidetrack, but you've mentioned Barnaby Jack a couple of times who died under

33:41

somewhat mysterious circumstances shortly before giving a talk about hacking these implanted devices at Black Hat. Do you know of any information sources about any investigations around this death or anything? Or is there anything you would comment on about what you've heard about it?

34:03

I don't have any information. I would love to have more information. I was not lucky enough to have known him. Heaven alone knows if I could reanimate someone, that would be probably the one person I would reanimate to have a conversation with. Because that man had a big set of walls.

34:21

He took on a big manufacturer. That's not a small task. I have had this much in the couple of years that I've done. And the friends that know me very well have heard me cry and I don't cry often because I don't have feelings. I don't have a heart that works. I've got a metal heart. But frustration has been there.

34:42

I wish I could tell you what's happened. I don't know. And I don't think there's enough evidence for me to hypothesise about it. And I think it would be disrespectful for me because the man was a legend. It was a very sad thing to happen to the community.

35:03

And I think this research would have gone much further if that did not happen. So, just a quick side note on that. The Wikipedia page says that he died of a mixed chemical overdose in the week before giving this discussion.

35:22

Which seems of an odd circumstance for a respected speaker to... I don't know. I don't have the odds of you. I think you guys should all have a beer afterwards and discuss it

35:47

because we're getting sidetracked and this is not a conversation. I have to respect you so you can have the stage. The vulnerabilities you brought up, they don't seem like tough ones.

36:01

I'm a little shocked about that. I'm wondering if it's just more relevant. If there's a big list of vulnerabilities that we can put in the community and say, hey, this is just people in violation of encryption. This is stupid old shit. I need to fix this stuff. But that's exactly what Barnaby said after all. It is fundamentally small things

36:20

that if you start thinking the way that malicious attackers will think it's easy. I can. I will do that for you guys. Find me on Twitter, poisonpixie. If you want to know the story behind my nickname you can come ask me. But I don't have any information for you guys unfortunately.

36:45

So it's kind of related to that point. One of the talks the other day had a representative of the FDA who I think was here personally but still knew what was going on. And she stated that there are cyber security regulations in FDA.

37:00

So I was just kind of curious of what's going on. If those exist, are they just not sufficient? Are they not being followed? They do exist. I actually have met with the FDA representative. We will be having more conversations about that. I have a bit of a difference of opinion because a lot of their things are acceptable and acceptable risks.

37:21

And I'm saying fuck that it's not. I cannot explain to you guys lying in bed in ICU. Well ICU is fine because I'm used to it. I get to scan awesome devices lying in bed. They are very used to me where I'm from having multiple computers going while being hooked up to monitors. But feeling the sense of dread I've never felt that sad.

37:42

And I'm not supposed to have that feeling when your heart rate heats about 30 and your blood pressure is 40 over 30 and your doctor taps you on the head and says I've got you. And you're thinking what the fuck is about to happen because my ICD is supposed to now start doing its thing. And it just switched itself off. It went to default.

38:01

And it decided I'm not going to do anything. The FDA is trying to fix things but it's legacy devices. Anyone in IT and hacking and security knows legacy devices fucks us over. Okay, they're difficult to fix and this is not something that I can go pull off a shelf. This is physically something that's implanted into someone.

38:21

When you implant cardiac leads they grow into the heart. If you pull those out not carefully you can kill someone the aorta can burst. So it is very difficult for the companies to fix these legacy devices.

38:41

I don't want to come see me often because I'm not quite willing to make the statement publicly yet. But I'll tell you what they told me. Hello and thank you very much for the personal sharing of your story. You were in a situation where it was a very short time between the decision of having a pacemaker

39:01

and actually having an implant. What are your concerns about how the general public, people who wear the decision about taking a pacemaker may be influenced on the way that we as a community of IT specialists is actually influencing the general public into taking another pacemaker because they are afraid.

39:21

That is what scares me about the future because I'm seeing more and more patients become aware of the recall for St Jude's which got a lot of press. And that's sad to me because I had the opportunity to be here today because I got a pacemaker. So that is where my saying

39:40

beautifully broken, wonderfully flawed comes from because yes the devices are flawed but we also can't expect miracles. They are built by humans. Humans are flawed by nature. All that we can do is learn to go forward and learn together. There has to be a bridging done and that is what I think I Am The Cavalry is doing so successfully. They are bridging manufacturers

40:00

with researchers. They have included the EFF in that as well. They are bringing everything full circle but it scares me for the future knowing that people might decide not to get devices and pass away which would be being a cyborg is awesome. I mean you know it would be sad if I got my second implant so I'm taking it

40:22

further now but I mean biohacking is a real thing. We as humans will evolve but I mean why not use technology that's there to keep us alive longer. It seems stupid but I can understand someone being concerned about the security of the device. I am as well. Luckily I'm not a high level target.

40:43

So I'm not Dick Cheney. Do you guys know Slash has got a pacemaker? I'm part of the cool kids. He's actually got a pacemaker. There's lots of influential people that have these devices and they are awesome. If you think about it, what it does is

41:00

it's amazing. It can take over the beat of the human heart. It keeps me here. It enables me to wake up tomorrow morning and survive another day. I mean time for me is precious because at 19 I got given two weeks. I cannot describe it to you guys.

41:21

It is the worst feeling in your world thinking God I should have had that for breakfast rather. Or I should have seen Guns N' Roses live. You should have seen Metallic live. Luckily for me after my pacemaker I got to see Metallic twice. She said I'm making up for lost time but there are people that will not get these devices. I know one person that's refusing to get

41:41

it because they are afraid of being hacked. And that's sad because I would like to say to them your device is not as flawed as you think. But that would be lying and untruthful. I am carrying the flaws with me. I'd rather have a flawed device than no device because I can still make a difference but if I'm dead

42:02

I cannot do the same. So that's what I'm saying is we need everyone to step up and do this together. This is not a me thing. It's an us thing. It's a tribe thing. It's a coming together of great minds because I think forensically. You might think some

42:22

different way. Or someone might think offensive, defensive. We need to bring that full circle. And I think that's what we're lacking in the security. We'll be segregating from each other. We actually want family doing the same thing with different skills. But I think that

42:41

coming together is an advance like this, facilitating it with the different villages. So yeah, that's all from my side. Please do the recording. I got maybe a very strange question.

43:00

To program the pacemaker that can be in 10 meters part or it can be 30 centimeters. It depends on what kind of system you're at. I'm more afraid for a PMG attack than a malware that somebody uses an electronic pulse and everything's talking in 10 meters. I'm more afraid for those things than malware, personally.

43:20

That is one of the fears because I actually read my devices technical manual and went holy fuck, this was a bad decision. Because it's cold, it's electromagnetic fields, it's all those kind of things. This is a funny story. I'm a very nice person, right? You guys think I'm friendly. The sock boons aren't allowed to answer because I've been hassling them.

43:43

I'm a nice person. Apparently coming to Defcon presenting the talk that I do I get a freedom fondle at every point. I generally do though because I can't go through the magnetic metal detectors. Because effectively that magnetic field switches my pacemaker

44:01

off. So these are little things that they haven't fixed yet. And that I have experienced. It's not fun. If you have a pacemaker, don't do it. Because I did. I said let's see what happens. I like to live dangerously. I need to know what happens when I go through

44:21

a metal detector. Don't do it. Trust me, it sucks. So the thing is if you read these technical manuals and go onto any of the websites we had a great chuckle about it. We actually checked the SSL certificates. Everything. The security sucks. So if I can't get that right

44:41

I'm a little bit worried about them doing my device to be quite blunt about it. But you can get the technical manuals and then the precautions in there I can trust, tell you my doctor can tell me about them. He just said don't go through a metal detector. Well how do you do when I fly this cosmic radiation

45:00

internationally? That has an effect on how my device is programmed as well. So effectively after every international travel I have to go to my doctor pay a lot of money and have my device reprogrammed. Small things we can fix but it's labor intensive and time intensive.

45:22

That's all. Anyone else? Was it that bad?