DEF CON 27, Artificial Intelligence Village - Yisroel Mirsky's 'Automated Injection And Removal Of Medical Evidence in CT And MRI Scans' →
Thanks to Def Con 27 Volunteers, Videographers and Presenters for publishing their superlative conference videos via their YouTube Channel for all to see, enjoy and learn.
DEF CON 27, Bio Hacking Village, Dr Avi Rubin's 'Beyond The Firmware: The Attack Surface of a Networked Medical Device' →
Securing The Internet Of The Body
via Purdue University Professor Shreyas Sen (Assistant Professor of Electrical and Computer Engineering and his students Debayan Das, Shovan Maity and Baibhab Chatterjee) comes a definative answer to securing the various machines and other connected implants we as a species are placing into and on our bodies to assist and record. Their work - entitled 'Enabling Covert Body Area Network using Electro-Quasistatic Human Body Communication' appears in Scientific Reports (a NatureResearch journal) (a portion of the Abstract of the journal entry appears below).
"Radiative communication using electro-magnetic (EM) fields amongst the wearable and implantable devices act as the backbone for information exchange around a human body, thereby enabling prime applications in the fields of connected healthcare, electroceuticals, neuroscience, augmented and virtual reality. However, owing to such radiative nature of the traditional wireless communication, EM signals propagate in all directions, inadvertently allowing an eavesdropper to intercept the information." - via the Nature ScientificResearch Journal publication entitled Enabling Covert Body Area Network using Electro-Quasistatic Human Body Communication'- via Purdue University Professor Shreyas Sen (Assistant Professor of Electrical and Computer Engineering and his students Debayan Das, Shovan Maity and Baibhab Chatterjee)
Medtronic Defibs Flaws, DHS Issues Alert
via Joe Carlson, writing at the Star Tribune, comes the tale of the dangers of medical device implantation, software & hardware vulnerablities and the Department of Homeland Security's watchlist for medical devices. The criticality of this issue cannot be overstated. Today's MustRead.
"The Homeland Security Department, which oversees security in critical U.S. infrastructure including medical devices, issued an alert Thursday describing two types of computer-hacking vulnerabilities in 16 different models of Medtronic implantable defibrillators sold around the world, including some still on the market today. The vulnerability also affects bedside monitors that read data from the devices in patients’ homes and in-office programming computers used by doctors." - via Joe Carlson, writing at the Star Tribune
University of Washington Develops Cellphone Sonar App To Detect Opioid Overdose
via Sarah McQuate, writing at the University of Washington's UW News, comes a story that may change the downward spiral of opiate addicts for the better...
"Researchers at the University of Washington have developed a cellphone app, called Second Chance, that uses sonar to monitor someone’s breathing rate and sense when an opioid overdose has occurred." - via Sarah McQuate, writing at the University of Washington's UW News
The Noggin Tales: Flaws of EEG →
News, via Sean Gallagher - writing at Ars Technica, details at least five critical flaws in a multi-vender software package shipped under the moniker 'Natus Xltek NeuroWorks 8'. Give’s one pause, before hooking up to the machines at your local body shop, eh?
"While attacking an EEG system won't necessarily harm a patient directly, the vulnerabilities described by Talos could be used to create a persistent presence on hospital networks for a number of malicious purposes, or to execute code that could install malware if the Internet is reachable from the system." via Sean Gallagher writing at Ars Technica
BGU Security Researchers Urge Physicians to Patch Their Systems →
via Zaid Shoorbajee - reporting for Cyberscoop, comes a story of security entropy, this time in medical imaging device system patching and an esteemed University's research targeting those systems. In this case, a research paper from Israel's Ben-Gurion University of the Negev Malware-Lab yielded good (but not-necessarily-acted-upon-advice) to Medical Professionals: Patch Your Flawed Imaging Systems...
'“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” said Tom Mahler, an author on the paper. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.” ' - Zaid Shoorbajee - reporting for Cyberscoop
Low Skill Attack, The Siemens Method →
Apparently, systemic - and therefore - fundamental - security incompetence 'reigns' supreme' at Siemens... Witness the reported 'low skill' (aka 'no skill') vectored attacks targeting the company's Computed Tomography (CT) and Positron Emission Tomography (PET) Medical Scanners. Shameful.
NCCOE Heralds Release of NIST SP 1800-8 Securing Wireless Infusion Pumps
The National Institute of Standards and Technology (NIST) National Center for Cybersecurity Excellence (NCCOE) has released it's latest draft medical device related security document, entitled 'NIST Special Publication 1800-8 Cybersecurity Special Publication 1800-8 Securing Wireless Infusion Pumps - In Healthcare Delivery Organizations'. Authored by Gavin O'Brien, Sallie Edwards, Kevin Littlefield, Neil McNab, Sue Wang and Kangmin Zheng - the document is available as either a PDF or web-based artifact. Enjoy.
"Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. With technological improvements designed to enhance patient care, these devices now connect wirelessly to a variety of systems, networks, and other tools within a healthcare delivery organization (HDO) – ultimately contributing to the Internet of Medical Things (IoMT)." - via the National Center for Cybersecurity Excellence (NCCOE)
Johnson & Johnson, The Warning
Jim Finkle, writing at Reuters, shares a warning - via Johnson & Johnson (NasdaqGS: JNJ) - of an insulin pump security flaw that permits exploitation thereof. Kudos are in order for the diligent efforts brought to bear on this flaw by the researcher - Jay Radcliffe, of Rapid7 (see the 2016/09/28 notification at the Rapid7 Community blog). Outstanding work.
" Using industry standard encryption with a unique key pair would mitigate these issues. Affected users can avoid these issues entirely by disabling the radio (RF) functionality of the device. On the OneTouch Ping Insulin Pump, this is done through the Setup -> Advanced -> Meter/10 screen, and selecting "RF = OFF". In addition, the vendor has provided other mitigations for these issues, described on their website and in letters being sent to all patients using the pump and health care professionals. Patients should consult with their own endocrinologist about any aspect of their ongoing medical care.' via Rapid7