Kevin Fu is an Associate Professor at the University of Michigan where he directs the Archimedes Center for Medical Device Security and cofounded Virta Labs. At Troopers 16 he held a talk in the field of his research: medical device security.
He started his talk with a brief introduction how he got started with medical device security and how it has changed since he started. Round about ten years ago he started dumpster diving for medical devices to investigate how they are protected and maintained. In 2006 he held his first talk about medical device security at the FDA. In 2008 he presented a wireless replay attack against a pacemaker. In 2013 concerns about medical device security became more and more mainstream when the television series homeland featured an episode where the pacemaker of the American vice president was attacked resulting in his death. Now, instead of dumpster diving for medical devices, he works together with clinicians and has a lab for testing devices. The communication with clinicians is very important for his work, so he visits hospitals with his student so that they can learn how the process works on the inside.
After that introduction he started the main part of his talk. He stated funny or irritating sounding statements about medical device security and then proceeded to debunk the statement. Here are some highlights he mentioned:
One of these things was for example the question if a dental x-ray does server beer ads.
This one for example was true, as his dentist used an x-ray running on a normal computer and in parallel used the same machine to listen to music with Pandora, thus resulting in the beer advertisement.
Another thing he tackled was the prejudice that medical device vendors are not concerned about security.
In his experience this has changed over the time as he has reported some issues to vendors their responses did change to the better. And on the other hand are vendors involving IT-Security experts in the design process of the devices.
Kevin Fu talked also about the progress currently taking place in the US where the FDA is trying to establish a procedure how vulnerabilities in medical devices can be disclosed. This is still work in progress and takes time. For example, a student of his was able to write a replicating malware for a defibrillator and the FDA did response one year after the initial report.
He also presented a device developed by his company Virta Labs. The so called power guard monitors the power used by the medical device and derives from the data if the device might be infected with malware. The advantage of this procedure by monitoring only the power usage is that the device and software itself are not touched and can operate without any extra resources.
So if you are interested in more absurd sounding statement about medical device security watch the talk or check out the slides by Kevin Fu and get frightened and entertained at the same time.
Thanks,
Till Osswald