BIO HACKING VILLAGE - Jumping the Epidermal Barrier

Video in TIB AV-Portal: BIO HACKING VILLAGE - Jumping the Epidermal Barrier

Formal Metadata

Title: BIO HACKING VILLAGE - Jumping the Epidermal Barrier
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date: 2018
Language: English

Content Metadata

Abstract

This talk focuses on consumer-grade glucose monitors, primarily continuous glucose monitors that are implantable or attach to the skin for an extended length of time and provide readings via Bluetooth Low Energy or have RF/BLE bridges. The research focused on the security and privacy implications.
Without further ado, I'm going to let him introduce himself, but thanks, guys, for attending. I know it's Sunday morning; hopefully you're not super hungover. All yours.

Good morning. This is the presentation on Jumping the Epidermal Barrier. My name is Vlad Gaston L ski. I've been doing penetration testing, red team stuff, breaking embedded systems and medical devices professionally for about 18 years. The research for this talk was done with Doctor Stan Nagin; unfortunately he couldn't be here today because he had issues with his flight, something about delays at the airport and somebody taking a flight for a joyride.

Now, a disclaimer: the opinions are my own, not my employer's. There are FDA regulations about devices. The device we're going to be talking about does require a prescription; you're not supposed to just go on eBay and buy one, and you're not supposed to just order one from Europe and have it shipped to your house, so definitely don't do that. I'm not picking on any one particular vendor. The device I'm presenting on today is actually one of the slightly more secure ones that we found. We found devices that were far worse, and until somebody actually fixes them we're not releasing those findings publicly, because it's only fun to kill people when it's in a pen test report, not in real life.

The device we're playing with is a FreeStyle Libre; it's a continuous glucose monitor. For those who don't know, let's quickly go over what it is and what it does. As I mentioned, it is a controlled device: you can't just walk into a CVS and pick one up without a prescription. The reason people use them is that it doesn't require continuous finger pricks. It's a device that is continuously attached to your skin. According to the FDA filings and FCC filings the sensor is supposed to work for 14 days; for some reason the sensors I've been given only work for seven to ten days. The sensor communicates with the reader using an RFID protocol. It's a passive sensor in the 13.56 MHz range. It's supposed to be readable to 3 meters; from what I've been able to see it's actually more like maybe 1 meter. It's a fully passive device, meaning unless you have the reader near the sensor, the sensor will not broadcast information; you essentially have to ping the sensor. It's not like your E-ZPass, which is an active transmitter; it's more like the tags you see in a store, or the kind of tags your employer typically gives you to badge into a building, which are most typically passive.

This is roughly how the ecosystem is supposed to work. There are three typical use cases. The one that really got me interested in doing this research is the continuous glucose monitor attached to your skin, paired with a pump that actually injects insulin as needed based on the way that you and your doctor configured it. The second use case is just using the reader, and being able to use the reader's numbers to inject insulin yourself or to take other action. The third one is, if you have a cell phone that can actually do RFID reads, you can hold your phone up to it and get the reading, and it can then push the information to your watch, push it to Apple Health, or whatever other management software you use for your readings.

As I mentioned, when we selected this device for the presentation, it was one of the less horrible ones that we've seen. The way the ecosystem works is that this reader actually activates the sensor; it's not continuously broadcasting, unlike some of the other sensors on the market. If you were to take a sensor and come up to me, your reader would not be able to read my sensor, because it has been paired. That's completely artificial: using the RFID protocol you can actually do a wideband scan and read any kind of RFID device, so the logic in this reader is what prevents it from reading somebody else's sensor. Once you activate the sensor that's attached to you, you can actually configure it to be readable by any reader or by the phone, but when you first place the sensor in your skin it is in a non-active state and cannot be read by a phone. It has to be activated by one reader, and by default that's the reader that's paired to it, so after that this reader would only be looking for that particular card ID.

Some of the things I didn't like about this: the sensors are artificially time-banked. As I mentioned, I was getting about 10 days' worth of readings from my sensor. Upon opening up the sensor and examining the battery, the battery still had sufficient charge to operate quite a bit longer. I'd be expecting that this may have something to do with the sensor calibration or sensor corrosion, since there is a needle that pierces your skin. The needle is actually slightly longer than I was expecting when I went into this research. The battery life, as I mentioned, is pretty impressive, but it's artificially time-banked, either to make you buy a new sensor (by the way, each of these sensors that lasts only 10 days is a hundred bucks), and it's set up to require authorization. I mean authorization, not authentication, so it's actually quite easy to bypass and spoof.

So this is what the two major components look like: this is the reader, and this is what a packaged sensor looks like before we apply it. I'm hoping not to fly with it, with TSA trying to pull it off, because sometimes they're not too familiar with this hardware. As I mentioned, there's no actual authentication: when this sensor is placed on your skin it will accept activation from any reader. The reader looks for a particular serial range of sensors, so if you have an American reader and you buy a sensor from Europe it actually will not activate; they're trying to force you to pay US prices for these sensors, which is totally interesting.

Looking at this device you'll notice that there is a USB port. The device does support USB mass storage, but it's not activated by default; you actually have to mess with the firmware to activate mass storage, and then you can pull an entire CSV file of your readings off this device. You can also push firmware updates over USB. I have not been able to get my hands on an official firmware; I've seen some on the forums but they were not for US readers, so if anybody does have a copy I would love to get my hands on it. The device is also running a USB debugging interface, so it's easy to fuzz it and make the device crash. It's also possible to introduce false readings into the device, which gets us into data integrity: if you were to use a radio, a standard RFID reader, you could read a tag, modify the data, change the glucose reading and change the timestamp, and write it back to the reader; there's no integrity check. It's also highly susceptible to replay attacks. For example, I can take a reading, and since this device doesn't keep a timestamp I can keep playing back the same reading and the device will happily log it, which is pretty bad if you're relying on it for making medical decisions or treatment decisions. What we found is that a lot of times the patients will actually call their doctor to discuss their readings before taking action if they are out of norm, so the doctors also rely on this data to decide whether to make somebody come into the hospital. From speaking to doctors, sometimes they don't make a patient actually do a finger prick reading, as opposed to just relying on the CGM.

There is an add-on product that works with the sensor. It provides a Bluetooth bridge, which means that even if your phone doesn't have an RFID interface, you essentially wear a band over your sensor and it'll continuously transmit your CGM data. There are some really fun Bluetooth attacks, which means you can actually force a legitimate cell phone to unpair from the Bluetooth bridge and you can then pair with that sensor. Since it's not made by the same manufacturer as this glucose monitor we didn't focus on that too much, but you can read up on it. The Bluetooth bridge is actually not a prescription device; you can buy it and play with it, because the FDA-regulated devices are the sensor and the reader, not the Bluetooth bridge. There's also a long-range RF bridge. This is mostly designed for institutional situations where somebody may be in the hospital and they're trying to collect large amounts of data all at the same time. We were able to find one on eBay that was decommissioned by a hospital, and we were playing with it using a HackRF. We ended up writing a nice small little program for the PortaPack, so you could actually just walk around with the HackRF and the add-on and continuously pull the data from people around you wearing the CGMs.

So this is what the device actually looks like cracked open. This is the part that goes up against the skin, and the needle module is right there; it's been removed, but there's a fairly long needle that would come out here, and a little metallic seal. There's the battery pack and the sensor; the wire traces that you see going around the perimeter are the actual RFID antenna. This is what it looks like; as I mentioned, the needle is a lot longer than I was expecting. Before opening it up for the first time, this is the clear cover and this is the part that faces outside when the sensor is deployed.

Quickly, before we go any further, you'll notice the tamper detection and tamper protection on this device, namely there is none. Essentially, if you get your hands on the sensor you could open it up, you could modify it, you could reseal it; there's no way to know the sensor has been tampered with. The packaging itself is simply sterile packaging; it doesn't really have any tamper detection or tamper protection systems. It's fairly trivial to get this open, modify it and reseal it so you have no idea that it was opened. This is a shot of the actual reader opened up; again, no protective seals on the outside, sorry, no tamper-evident seals on the outside, no tamper detection, no tamper protection inside. After the device is cracked open you can easily modify it; if you reclose it, it will continue to operate without any issues.

So after realizing that it has absolutely no protection for read states, that it's a completely passive device, I had a really cool idea: how much data could I harvest about people around me who actually do wear CGMs? Since it's using simple RFID at 13.56 MHz, I was thinking how cool it would be to actually build some kind of doorway sensor, something that you could place in a kill zone, such that as people walk through you could force a reading from their sensors. Obviously there are a number of solutions for that; this particular solution is actually at a school for attendance, so it reads the student IDs. I was hoping to get something a little bit less intrusive looking, something that would be essentially almost invisible and not make people ask questions. You'll notice there are two pillars in the doorway; that's kind of the model I was going for. The mock-up was a little rough, but I think I still nailed it: a cheap Chinese RFID card reader, a nice large antenna, a Raspberry Pi, a battery pack and the seven-inch LCD for the Raspberry Pi.

Privacy risks: as I mentioned, it's a passive sensor with no authentication, and the simple authorization is essentially based on good faith, so you could read it with any commercial reader. So you're essentially getting into medical privacy risks: somebody could walk around and continuously poll your reader and gather the same medical data that is only really meant for you and your doctor, so you're getting into HIPAA violation issues. Data integrity: it's fairly trivial to read the data, and if you have a device that's transmitting with more power, then you're now broadcasting your glucose readings. It's really trivial to get more power: this sensor, when activated by this device, uses 0.3 watts, which is pretty much nothing. It's very feasible to get your hands on transmitters that will push out 1 or 2 watts at 13.56 MHz.

The best way to do it is an actual emulator; there's this one, with an entry price of under 50, that you can play with. There are cheaper readers; this one is in the twelve dollar range, but the range is very limited: you're getting three to six centimeters, which basically means you're essentially at contact distance. We did disclose some of the findings; we're working with the manufacturers who actually fared worse than this device first, simply because of how easy it was to mess with the data.

Any questions?

So the question was whether I had trouble working with the equipment or debugging. It was actually fairly straightforward, because it's a consumer medical device; it's meant to be used by kids, it's meant to be used by people with no IT experience or medical experience. The hardest part was actually getting the sensor onto you and getting it to stick. The actual RF part was very straightforward, because, as I mentioned, it's just RF for the RFID protocol at 13.56 MHz; there are tons of tools to work with it, to parse the data and to transmit.

Yes. So, my thoughts on why they're using the RFID protocol: they use it primarily for power consumption, because they're using a passive protocol; the reader polls it and provides the actual power. There are ways to do this more securely, but it would make the sensor a lot bulkier than it currently is, and heavier. So they could license a different frequency, for example, and not use 13.56 MHz; that would force an attacker to retool, use different antennas, perhaps change the code a little bit, but it wouldn't be possible to use the tools that are out there, essentially prepackaged for an attacker.

Yes, maybe. We have not spoken with this particular vendor; we don't have a really good point of contact for them. We've contacted the other manufacturers whose devices we've used for the initial research that we've done.

Did we have the chance to recommend anything? So, the vulnerabilities with 13.56 MHz and RFID are widely documented. As far as the vulnerabilities we found with the replay attack and USB, we feel that's really up to their R&D department and their general security department. It feels like they haven't really done basic security testing on their own.

There's a new law in Europe, the General Data Protection Regulation. These things are sold in Europe, right? They are sold in Europe and Eastern Europe, yes, as well as the United States. What do you think of the possibility that if there was an actual privacy breach someone could file a GDPR complaint and the company could be fined four percent of their annual income? That's pretty interesting. You could essentially do that by forcing an event: as I mentioned, if you were at the place where we are and did something similar to Wall of Sheep and just transmitted people's CGM data onto the wall, you've essentially forced an event. Yeah, you'd need to have it happen kind of more in the wild, you know, if somebody else did it; if you're going to file a complaint you wouldn't want to be part of the cause. Somebody could set up a sensor and a projector right there, and then they're broadcasting it on the wall, and there you go. Okay, well, I predict someone will do this within the next month or so, maybe not on this device. Right, it might happen in the next 24 hours as everyone's flying home.

Any other questions? I'm available offline if you don't want to ask any other questions so publicly. Thank you very much for coming. [Applause]
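As an added illustration of the integrity and replay findings in the talk (this is example code, not the device's protocol or anything the speaker published), the following Python contrasts a reader that logs whatever it is handed with one that checks a keyed tag and a monotonic counter on each reading. The record layout, the counter scheme and the shared key provisioned at activation are assumptions for the example.

```python
import hmac
import hashlib
import struct

# Constructed record layout (an assumption for this example, not the device's format):
#   glucose (uint16, mg/dL) || counter (uint32, monotonic per sensor) || tag (16 bytes)
# where tag = truncated HMAC-SHA256 over the two fields under a key shared at activation.
BODY_FMT = ">HI"
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 16

def make_record(key: bytes, glucose: int, counter: int) -> bytes:
    """Sensor side: bind the reading and its counter to the shared key."""
    body = struct.pack(BODY_FMT, glucose, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def legacy_accept(log: list, record: bytes) -> bool:
    """Reader with no integrity or freshness check, as the talk describes."""
    log.append(struct.unpack(">H", record[:2])[0])  # logs whatever it is handed
    return True

class VerifyingReader:
    """Reader that checks the tag first, then rejects counters it has already seen."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far
        self.log = []           # (counter, glucose) pairs that passed both checks

    def accept(self, record: bytes):
        if len(record) != BODY_LEN + TAG_LEN:
            return (False, "malformed")
        body, tag = record[:BODY_LEN], record[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")   # glucose or counter was modified
        glucose, counter = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return (False, "replay")    # same or older reading played back
        self.last_counter = counter
        self.log.append((counter, glucose))
        return (True, "ok")

def demo() -> dict:
    key = b"constructed-demo-key"      # assumption: provisioned when the reader activates the sensor
    reader = VerifyingReader(key)
    first = make_record(key, 105, 1)
    tampered = bytearray(make_record(key, 105, 2))
    tampered[1] ^= 0x40                # flip a bit in the glucose field, keep the old tag
    legacy_log = []
    legacy_accept(legacy_log, first)
    legacy_accept(legacy_log, first)   # replayed verbatim: logged a second time
    return {
        "genuine": reader.accept(first)[1],
        "replay": reader.accept(first)[1],
        "tampered": reader.accept(bytes(tampered))[1],
        "fresh": reader.accept(make_record(key, 98, 2))[1],
        "legacy_logged": len(legacy_log),
        "verified_logged": len(reader.log),
    }
```

The counter stands in for the timestamp the talk notes the device lacks; a real design would also need the sensor to persist the counter across power loss, which a passive tag makes non-trivial.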