500.000 Recalled Pacemakers, 2 Billion Stock Value Loss

Video in TIB AV-Portal: 500.000 Recalled Pacemakers, 2 Billion Stock Value Loss

Formal Metadata

Title: 500.000 Recalled Pacemakers, 2 Billion Stock Value Loss
Subtitle: The Story Behind
License: CC Attribution 4.0 International. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract:
During an independent security assessment of several pacemaker vendors, multiple lethal and highly critical vulnerabilities were found. Based on previous experience with one specific vendor, a new way of monetising vulnerabilities was chosen. After going public, a huge discussion on vulnerability disclosure ethics and responsibilities began. The stock value of the affected vendor dropped by 2 billion dollars in one single day. The security researchers were discredited and a huge lawsuit was started. After a year of mutual accusations and denial, more than 500.000 pacemakers were recalled. This talk will provide insights into pacemaker security and share first-hand experience gathered during this project. A special focus will also be on ethical vulnerability disclosure and lessons learned for future security research.
Yes, I'd be able to... tell us what happened when he did just that. Let's welcome him with a
heartfelt round of applause. Thank you very much for the introduction. So today I want to tell you a little story. I was part of a project in 2016 and today I want to show you some
takes on vulnerability disclosure and also how to do security research for medical device products. Some of you might have seen this kind of news articles; they were out in 2017.
And you might be thinking, why is this guy talking about stuff that happened in 2017? There are such things called NDAs. Mine was for three years, so it started in 2016, now it has run out, and that's why I'm talking today about this stuff. The story: there are some pacemakers out there with a lot of vulnerabilities, and it led to a recall of more than half a million pacemakers, and also a new way of vulnerability disclosure was taken. So why do I tell you about this stuff? Let me first introduce myself.
I work as a security researcher and mainly I do IoT and embedded systems security, and one of my main areas of interest is reversing wireless communication. In 2015 I gave a talk focusing on wireless security, and some guys from a company called MedSec were watching this talk and said, OK, we also have an interesting project concerning reverse engineering wireless communication, maybe hire this guy. So this company was called MedSec, they are interested in medical device security.
And they had a project to go and find vulnerabilities in pacemaker communication. They assessed four vendors and I was part of the team doing reverse engineering for the St. Jude project. So, quick introduction: what is the ecosystem of a modern pacemaker?
This is the setup. You have a pacemaker that's implanted, the medical term is implanted cardiac device, ICD, and that's connected to a programmer, usually at the hospital or at the doctor, so you can do calibration; this is the main interface to the system. The home monitor reads data and sends it back to the cloud, called Merlin.net in this case. It's used for some comfort, because in the past patients usually had to go to the doctor's office regularly just to have the stuff inspected, whether it works, what they want to update, and just to get the data. But nowadays this is done automatically using wireless communication, so you just have it in your home, usually in the bedroom, and as soon as you're within the range of the system there is a quick check and the data is sent back to the doctor for maintenance. It's quite a step forward for patients. But it's also a first attack vector, because in the past this was done by near-field communication; you had to be really, really close to get a connection to the pacemaker. But this is different now: it's a different frequency band, it's called the MICS band for medical devices, it's 401 to 406 MHz, and we chose this as a first attack vector and said OK, it would be cool to shock a pacemaker using wireless. That's easy nowadays because the hardware has made huge progress over the last years. There was a very interesting talk about the limitations of software defined radio and I can highly recommend to watch that talk,
because a lot of stuff I have experienced myself, especially the limitation side, so have a look at it. OK, so we used software defined radio to inspect the MICS band to find the first attack vector. So how do you do this, because you don't have any information? What would you do for wireless reverse engineering? I also want to give you a short introduction on what's my best practice for doing this, not for the pacemaker but in general. I would strongly recommend to take something called the FCC ID. Every product sold in the US has to be checked by the FCC and you get a label with a number, and you can connect this number to some information because there is an online database where you find some stuff from the testing procedure. If you're lucky... sometimes you just have one device, you don't want to open it because maybe you damage it, but you want to get to know the internals, and if you're lucky you will find on this website also stuff like internal photos, block diagrams, user manuals. So that's a very good first start to investigate a wireless device.
Also I can recommend Google Patents, that's a good patent search online. You won't find the most detailed information, but sometimes you find specifics of the product, how the communication works in general; also a point to check. And of course product documentation or software, if you can get it, whatever you get, have a look at it. Take this information, it will speed up your process of reverse engineering.
If everything doesn't work, you have to use signal inspection, but it's a very hard task and you have to be kind of experienced to do it, and I wouldn't recommend to start with this. Also frequency bands: the radio spectrum is very wide, so where to start? For medical devices obviously we started with the MICS band because it's just reserved for this. What we also did was interviews. Interviews are always good; ask people who have experience with this tooling, what are the problems. Sometimes they can tell you how it works, but they have experience in troubleshooting, maybe they say OK, if we have a lot of WiFi it doesn't work, for example our stuff didn't work, so you can think maybe there is a problem with some interference from WiFi. We also used an additional service; the company bought a service that hooks you up with former employees of companies, so we got access to former developers who worked there. We talked with them about where they see the problems from a security perspective, and sometimes this gives you good hints where to have a look. But I will touch on it later on.
OK, then as I told you, an example from the FCC ID database: you see there's a description of how the basic networking works, also the frequencies, what I would check. But wait, it's not the transceiver chip from the pacemaker, but that's a good example.
So for example it's listed what kind of modulations are supported and what frequency ranges are supported and also the data rate. Legal issues: the radio spectrum is highly regulated, so if you have a look for something, this thing is now
not in these bands, have a look here, maybe it has also some dedicated space. We got the stuff, got some information, and some basic testing started with a simple replay attack: we just recorded communication and played it back to the ICD, and what happened was,
we nearly instantly found the first vulnerabilities. What kind of vulnerabilities? The first one, called a crash attack, was no real attack; the devices just crashed if you replayed communication for some time. The pacemakers just crashed and they didn't recover, so you were not able to use them again. There was no fail-safe, no safety mode, no safe mode, just broken devices. Just simple replay stuff, and that's still the major concern I have, because that's no real advanced attack; this might happen by accident.
And we also found a way to deplete the energy very fast. It's a problem because you have limited energy, you can't recharge the battery, so if your battery is depleted you need to have surgery to have it replaced. So this is also very bad. We released some videos, the company MedSec released videos online about this. I put some references on there; if you want to see it, it proves how this works.
Funny side story: there is one comment on there, because the videos do not have a very great production quality, and I like the comment, I think it's kind of funny. So replay attacks: first vulnerabilities identified, but then
we dug a little bit deeper and did some real reverse engineering, so we got our hands on the basic packet structure. We found the preamble, where to start, the synchronization word they are using, what they do for error correction, but we still struggled with the data blocks.
In RF there are a lot of ways to cover up your stuff: you can do whitening, you can encrypt. It was not possible for us to find it easily, so we kind of got stuck, because reverse engineering is often a very time-consuming task, and since they had mainly only external researchers it's also a very expensive task. If you have like
ten guys looking at pacemakers, and we are not the cheapest, I think it costs a lot of money. And also even if it's real cryptography, you won't be able to break it just by looking at it, it won't solve the problem. So we had a decision to make: get somebody from cryptanalysis to look at it, or try a different tactic, or go for the soft targets, because there are a lot of other things to attack. It's also a complex IoT system and you don't need to attack the hardest target, because everyone is speaking the same protocol, which means every device that is set up for a pacemaker speaks it.
Attacking the wireless communication directly might be too hard for us to break in time. Let's have a look at the home monitor, because it also communicates wirelessly with the pacemaker and it's a very cheap device, so you can just buy it on
eBay. In the US you can get it from a patient's home. I brought one today with me just to show you how well they are made. And we said OK, maybe there is some stuff on there that helps us understand the protocol. So we took it apart and checked out what chips are in the hardware, and that took us a little
further down the road. But the big breakthrough was: we found some debug ports, they are not protected, so you just hook up and you're connected to the system. And the bootloader is not very protected either; you see maybe
on the screen: if you are capable of some basic stuff it's easy to get through to a shell. Let me show you.
I pray to the demo gods that everything works. So I hooked up a Bus Pirate that's connected to my system and it's also connected to the pacemaker monitor. Let me see... and now I'm stuck at the login, so that was the end of the boot sequence. What I'll do is I just press the reset
button. Let me see, some stuff is happening and I just need to press one button to escape to the bootloader. During the boot on the screen you just see it's booting; we just have to wait for the reboot. I pressed the button, so now we jump directly into the bootloader, and you can see that there is written "autoboot in progress, press any key to stop", so it's easy. And what should we do? Just type in "help", you see what commands you have. There is one command which is very promising, to boot Linux with a kind of options; that's promising because our goal is to get directly into the shell. But how to do this? It just happens that those are the Linux kernel command line arguments there; just copy them. Booting Linux is not a very hard task. Just insert it again... it just wanted to show that argument. And now we should boot directly into the shell. We don't have a lot of time, but we have root access now on the system and there is some interesting information on there. Typing is always the hardest part. For example you see the known hosts, where it is communicating to, you see the addresses from the Merlin cloud. What else do you need in a cloud? You need a password to log in. Let me check. There is for example the PPP password listed, and it's not a very good one. I think there's some room for improvement, and this password is the same for every monitor. Just some examples you find very easily. So it's not very sophisticated hacking, but it did the job, so we were able to extract some components from the firmware and to go further down the road.
Reverse engineering the protocol: what else? We also now have control over a system that is the proper RF device for communicating directly with the pacemaker. The problem I also mentioned: when you do this with SDR you have some timing constraints,
because if there is some handshake in the protocol, you sometimes need to reply in a specific time, and when you do this with software defined radio you have it attached by USB, which has a very high latency, so sometimes you're just too slow to answer in the right time to get accepted by the receiver. So we then switched to the Merlin@home as attack device. OK, what else to attack?
The programmer. It's about this: you can buy it on eBay. I bought one recently from a German medical device reseller for 160 euros, with medical data still on it. So I think the whole industry needs to step up their game when it comes to privacy,
besides security. Just some examples: so if you tear down this system,
you find a removable hard drive.
No encryption; you know, "like Corso's posture leg to lift dangerously", one of my favorite movie quotes. So this was our final piece in the puzzle. Why? Because there were Java files, so you just decompile them, have a look, and the whole protocol was just written there for us,
just to implement. And not only the protocol, also some codes they're using for kind of a backdoor to circumvent encryption. It's not only to blame them, because for pacemakers you have also other requirements: if you go to Australia and have a heart attack, you want the doctors in Australia to be able to connect to the pacemaker and read some data, so they have kind of a universal key for making this possible.
OK, so using now Merlin@home as an attack device, we were able to deliver emergency shocks, make the device vibrate. Test shocks, there are videos on there on Merlin... have a look, I think they are better than the ones before, so I had a proper speaker, I think they are really good to just get what we're doing there. OK, but a simple game, and blaming the vendor: which message authentication code is used, A, B, C, D or E?
So who is for A? B? C? D? E? No trust in the vendor. It's actually C, so they are doing a little bit of authentication, but 24-bit RSA. What else do they do? Home-brewed crypto. You know, I told you about the universal key; the public key is truncated because of memory. They did all of this, and because you would be able to guess, they used 24-bit encryption and the keys are just truncated because they didn't have the memory. It's like a first project to do at university or at school: how to do cryptography, and they do it the bad way. And that's a sad part, because we have some IP cams, some Chinese IP cams in the office just to get trained in this stuff; they have the same level as medical devices. So I think that's kind of sad. So let me give you a short technical summary. We were able to find in two months a lot of critical vulnerabilities, potentially lethal, and everybody, unauthorized users,
could remotely just disable your pacemaker, make it vibrate, deliver a shock. We found a lot of security nightmares and no best practices were followed. And I think it's very bad. But one might think, what about security certifications? Because medical is for certain a highly regulated area, and you see there is a logo on
the site: ISO 27001 certified, and they're very proud of it, because they're the first medical network that is properly certified for information security management systems, and they express it openly.
OK, then they're very good at it, and it's a very stringent information security standard, but it has nothing to do with product security. It's maybe how they run their own mail server, but not the product.
Just keep this in mind:
this certification is not for product security.
OK, but what was special? Because that's just a project with a lot of security vulnerabilities, there is no magic done, you have seen it's not the best hacking you need for this stuff. The disclosure, and that's actually, I think, why I'm here today: to talk to you about what's a good way of vulnerability disclosure.
OK, what was special? The guys that hired me, I thought we do it the traditional way: we do some research, go to conferences, talk to a big crowd and everybody would come to us and buy the services. They did it differently: they licensed their research
to an investment company, and the investment company took a short position on St. Jude Medical and took positions on competitors. This means they published a report with all the findings in there, not the technical details but the findings, and explained how these kind of findings will affect the stock market price of St. Jude.
So when we released this, there was no notification to the vendor previously, because there is a history attached to this. When the vendor, St. Jude, was accused of similar vulnerabilities by a guy called Barnaby Jack a couple of years ago, they were never made public because Barnaby Jack died. So the research in this area kind of got stuck, and so they said: they keep denying this stuff and there was just some litigation, let's just go public with Muddy Waters, because they're good at making the bad guys pay for the harm they do. It's like a kind of Robin Hood story they want to sell you. And as mentioned, it had a very big impact, because on the day
the information was released, the stock dropped percent, which means two billion dollars, and it's a very big number. And I think it's the first time this was done for vulnerability disclosure, monetizing vulnerabilities, and I think it's quite a big one. And then it all started, because
St. Jude started to deny the stuff. They said OK, these greedy researchers, they just want to make money off of a farce, that's the reason, it's false, they made up everything. And they started a lawsuit and sued a lot of the persons involved, like Muddy Waters, the CEO, doctors that were involved in this project, and this was because the report was published
just in August, and in October we had a third party, an independent third party, to just redo the work we did. It was an expert team from Bishop Fox, a US-based security consulting company, and they verified every claim we made. So we were ready to go and said OK, we did not make this up, somebody has to take action.
And a couple of months later ICS-CERT released a vulnerability alert and also the FDA released an alert, together with the first update for St. Jude's security, and St. Jude said we are proud of our security, we are leading the way. But it's not true, because the update was just for the communication between Merlin@home and Merlin.net, because this was unencrypted in the past, and that was just a tool to tick it off. So that's not the outcome we wanted to happen, because the pacemaker wireless communication was still unpatched.
i'm also.
fun stuff because there is a truman nice freezing for a shock to see a woman to miss the stimulus was important to the top of her the medical term for i will kill you with the shock and. so everything is a kind of freezing.
and a little bit later down the road if the also to review the information and the minute official statements ok said i'll it's true what they are what they're claiming that's possible. the central you need to do a second up that and and did some of the nearly one year later the final up that came out.
which also targeted in secure communication i never read this that the stuff. think a lot of knowledge of the people involved so this might be good.
And we are back at the beginning: it ended in a big recall of more than five hundred thousand pacemakers. I think that's kind of an interesting way, but it's not really the ethical way of disclosure; it was just pushed out. But the funny thing is that nearly at the same time, two other researchers from America, Billy Rios and Jonathan Butts from WhiteScope, who are also into medical device security, reviewed pacemakers from another vendor called Medtronic. They did a security assessment and they also found a lot of bugs and vulnerabilities, especially in the ecosystem, so they were able to deploy their own firmware on the pacemakers using Medtronic's delivery system. They disclosed it to the vendor and tried to work with the vendor to fix it.
And now you have the Medtronic response: they also reviewed that, because they have an internal vulnerability disclosure process, but they found this isn't a new potential safety risk. So it's no problem if you are able to deploy firmware on a large scale to pacemakers; that's no problem for them, it has nothing to do with safety. And that's very often the situation when security researchers talk to the vendors. They're not used to talking to security researchers, and they try to downplay the findings; they don't talk to you, they come up with a lot of stories, they just don't fix the vulnerabilities. One of the guys, I think Jonathan Butts, said: in the time they just talked about the bugs with Medtronic, they could easily have fixed them. It's just a question of them not admitting they made a failure, because this would maybe affect the new regulations,
maybe the payment of the CEO, I don't know. But it's very, very frustrating also for them, because two years later the vulnerabilities were still in there and there was no patch out. They were in the situation of still discussing with the vendor. So this leads me to the question: what is the better way? Because that's the traditional way, and I think the more ethical way, and the broad perception. When you go the first approach, one year later you have an update; that's not the traditional, ethical way, but a very effective way to do it. So what is the better way? I don't know. First, in this project, I was pretty pissed, because I wasn't expecting this way of being disclosed, and then the lawsuit started, so it was not the best time. But now I'm more open about the way they took; maybe this was a good approach, I'm not sure, and I am open to discuss it afterwards. Give me your thoughts on this in the Q&A.
To sum up the takeaways. First point: medical or internet safety and security. If it's not secure, it's not safe. Keep this in mind: there is no safety without security. And security is not ISO 27001.
A certification does not equal "I am secure", especially not if it comes to product security. There are some new regulations out there: you need to do cybersecurity risk assessments if you build a new medical product. We are working with vendors doing this stuff, but I think there is a lot of room for improvement. The problem they have: lots of potential new techniques, like you've seen with the pacemaker programmer; maybe there are some apps in the future, maybe there's a lot of connected stuff, so it's going to get more complex, also for medical devices. So you need to cover every potential attack vector, and also the cheap end-user devices; maybe they are the weakest point and the way into the ecosystem.

Also, this was a new way of monetizing vulnerabilities. This was the first time, and it was a big hit, especially in the media, the American media, and it started a huge discussion about ethics and how vulnerability disclosure should take place. I think in the security community every couple of years there's a discussion about how to do vulnerability disclosure, and I think there is no one way; it depends. That's my conclusion.

OK, then one last thing: why this picture? Because it's my favorite picture in information security. Let me explain. This picture symbolizes my experience in the project, because if you first have a look at it from the front, you think: OK, it seems properly secured, there might be a way to climb over and do some stuff, but it's a hard way, and maybe they did a good job. But if you switch perspectives and take a different angle, one step to the side, to stay with this picture, it gets much, much easier. So you have to really cover every angle of your product. Don't go down the rabbit holes in security research; try to take a step back, get a new look on your problem, and maybe there is an easier way right next to the way you're in. So don't think, because you've invested twenty days of research on this protocol, that a second protocol has to take as much.

OK, so that's my journey and the story I wanted to share with you. I hope you enjoyed it. If you have some questions, please ask them now, and I will also be around afterwards and the next days to talk about this. Thank you very much.
Thank you so much, Tobias. So we have microphone angels over there, maybe, yes, he's waving his hand, we have a microphone angel over there, and we have questions from the internet? Perhaps no internet questions. Internet, step up your game. So, over here.

Just about the legal situation. First question: they just sued for defamation, libel, something like this, like "you are lying", but isn't there also an aspect of manipulating the stock market?

But that's the point that they claim: because of this false information, they manipulated the stock market. An expert in the law, the American one, said in short it's not considered insider trading, and that's what everybody usually asks, because there is no inside information. It's a proper way to just have a look at the books of a company, do your own research and investigation, and say: OK, we think this company has no outlook on the market, we bet against this stock.

Another question from this side.

I think you didn't discuss the role of the FDA, and in my experience, also in cardiology, we have a lot of [unintelligible] because they had the certification and they will still be used, even though we could build better ones. I think this is one of the places where the FDA has a system that [unintelligible] allowed on the market, and it is an enormous investment to recertify if they have to, and I think that's the reason why they took a shortcut. I think unless this whole system with the FDA changes, it's unavoidable that this kind of [unintelligible] keeps on the market. So the impact of the certification, probably, yes.

Well, that's a very good point, and I'm completely with you, but I think there is movement. They acknowledged the problem and they want to do a different kind of process: how to get the updates out, how to get security updates out, and you need to do some kind of separation between safety-related systems and other systems. But I think now it's still very much like the old system, but they are at least thinking about that, and I know from some very well-known experts that they are talking to them, giving them input, to come up with a better solution.
I don't know if my question is too easy to answer, because I'm really new in the sector, but I was wondering: when this exploit was disclosed publicly, if somebody would have used it, maybe the next week, to cause harm to a patient, how likely is it that the company would have tried to sue you?

Good question, but I think it's an easy one to answer, because that's the main point: we didn't release proof-of-concept code. We just said there is a vulnerability, look at this video, this video proves that there is a vulnerability, but we never put out the real code to make it happen. To elaborate on this: what is the potential worst impact you can generate? To kill someone. But there are other ways to kill people; you don't need a pacemaker hack, you can just [unintelligible] them or run them over by car. If you're not a politically exposed person, I think that's maybe not the major concern, getting killed by a random hacker; you have other problems. But for especially exposed persons this might be a way.

Do we have any questions from the internet now? Still no? Internet, come on. I see a question over here.

OK, you said they had to cut [unintelligible] down to twenty-four because of the still low-power hardware. So how do you think they were able to fix it with this hardware?

That's where, as I mentioned, I don't agree, because I had a look at a lot of the code and I'm curious. But I think there is still a way in, how to get some kind of [unintelligible] access. I think they just changed codes and protected them a little bit better, but if you have the same hardware, how do you come close to two different key sizes and switch from one to a different key length? I think that's not possible, but I think maybe they did some compensating measures.

Our very popular microphone angel over here has yet another customer.

You were talking about the US legal system, I assume. I just want to add that if you were working in Europe, or especially in Germany, you would have problems with another one here; it would just be copyright law all the way to reverse engineering. There was a great talk at the last Congress about the research groups from [unintelligible] and Munich running into difficulties, and they are being sued on the basis of copyright, so be careful around that.

I have to follow up on that: a lot changed this year, so it's better now for researchers.

But what I wanted to ask: you looked at the CPU, so what hardware is inside? You said it's very low power; what is it? Do they have custom chips?

So that's it. I can't remember the specific processor, but I can look it up if you want. But it's a custom solution for the stuff.

Could it be that our lonely microphone angel has found yes, a question.

Just a very short question: how much money did Muddy Waters make out of this? I was curious.

[unintelligible]. Just know that I didn't get paid for all of my work here, because as soon as the lawsuit went through, they froze all accounts and [unintelligible], because the company was founded in St. Kitts and Nevis, which is an island in the Caribbean Sea and not in the US. [unintelligible] they had every lawyer on this island, so the company got a lawyer from this island. So they had a plan in mind already, but I don't know how much money they made. I think their plan didn't work out the way they wanted, because the stock market price recovered as well. But I think it was a huge outburst of curiosity at the beginning, because dropping by two billion... and there was a merger ongoing; it was bought by Abbott. So I think it was not the best time frame to get hit by such a market drop.

So we have time for one more. Is it going to come from the internet? No? Anyone else? No. Then please, another great, warm, heartfelt round of applause for Tobias.

Thank you very much.