SlideShare une entreprise Scribd logo

Threat_Modeling_My_Wife-Brian_Knopf-BSides_LA-2014-09-11

Brian Knopf
Brian Knopf
1  sur  32
Télécharger pour lire hors ligne
Brian Knopf – B-Sides LA 2014 brian@brksecurity.com @DoYouQA
 Director of Application Security,Belkin International (owners of WeMo & Linksys)  Member, UPnP Task Force  Previously Principal Test Architect, Office of the CTO at Rapid7  20+ years of experience in IT, QA, Development and Security  Programming,disassembling and reverse engineering since age 5
 The Accident  CRPS  Why would you Threat Model your wife?  Why is IoT security important?  Anatomy of Neurostimulators  The Threat Model  Conclusion
 My wife was injured when a sign fell on her foot  She suffered nerve damage,fractured bone, damaged tendons & ligaments,and…  Complex Regional Pain Syndrome (CRPS)  Uncommon form of chronic pain that usually affects an arm or a leg  Typically develops after an injury,surgery,stroke or heart attack  Pain is out of proportion to the severity of the initial injury Source: Mayo Clinic http://www.mayoclinic.org/diseases-conditions/complex-regional-pain-syndrome/basics/definition/con-20022844
Source: Mayo Clinic http://www.mayoclinic.org/diseases-conditions/complex-regional-pain-syndrome/basics/definition/con-20022844  Continuous burning or throbbing pain (arm,leg, hand or foot)  Sensitivity to touch or cold  Swelling of the painful area  Changes in skin temperature — sweaty or cold  Changes in skin color (range from white and mottled to red or blue)  Changes in skin texture (tender, thin or shiny) in affected area  Changes in hair and nail growth  Joint stiffness,swelling and damage  Muscle spasms,weakness and loss (atrophy)  Decreased ability to move the affected body part
Before implant – constant 8-10 After implant – 7 (spikes to 9 or 10)
 She needed a medical device implanted in her back  All other treatment options exhausted  No manual alternative  My job is to assess products for security risks  Paranoia based on previous medical device exploits  Programmers still do not focus on securing code  Specialize in IoT security
Doctor explaining options to my wife
Android or cyborg?
My wife,the bionic woman
Oh F%*k! Pentesting this is a BAD idea. Stick with the Threat Model
Source: Gartner http://www.gartner.com/newsroom/id/2636073
Sources: http://www.vizualiiz.com, http://professional.medtronic.com, http://www.nike.com, http://www.progressive.com, http://retailnext.net, http://www.skylanders.com, https://onlycoin.com  Banking  Insurance  Retail  Health & Fitness  Medical  Entertainment  Asset Management
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
Protocols • ZigBee • Z-Wave • 6LoWPAN • NFC • RFID • Bluetooth • Bluetooth Low Energy • INSTEON • Lutron • MQTT • Thread Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
Pain Management 1970’s Pain Management 2010’s
 Hundreds of IoT devices across every vertical  Manufactures lack control of entire stack  Devices not easily updated  Focus on features and usability,not security  Exploit hardware easy to buy
 Access to personal information  Can be used to protect physical location  Share some technology with traditional networked devices  Updates are mostly manual if available  Some endpoint devices are not updateable at all (ZigBee,Z-Wave)  Consumers rarely think about patching  Consumers are dependent on manufacture updates  Many built on SDKs from chip vendors and manufactures with no security expertise  Use 3rd Party libraries as black boxes
Placed on neurostimulator to charge (external)
 Programmable parameter: Operating range and resolution  Remotes communicate in 400 MHz range  Amplitude: 0 to 10.5V with 0.05-V or 0.1- V resolution  Amplitude – upper patient limit:Tracking limit: programmed value +0 to +4 V (0.5- V resolution) Custom limit: programmed value up to 10.5V (same resolution as amplitude)  Amplitude – lower patient limit: Custom limit: 0 V to the programmed value (same resolution as amplitude)  Pulse width: 60 to 1000 μs (10-μs resolution)  Pulse width – upper patient limit: Tracking limit: programmed value +0 to +300 μs (60-μs resolution) Custom limit: programmed value up to 1000 μs (10-μs resolution)  Pulse width – lower patient limit: Custom limit: 60 μs to the programmed value (10- μs resolution)  Rate: 2 to 1200 Hz (resolution: 1 Hz from 2 Hz to 10 Hz;5 Hz from10 Hz to 250 Hz;10 Hz from 250 Hz to 500 Hz; 20 Hz from 500 Hz to 1000 Hz;50 Hz from 1000 Hz to 1200 Hz)  Rate – upper patient limit Tracking limit: programmed value +0, +10,+20,+50, +100 Hz  Custom limit: programmed value to 1200 Hz (same resolution as rate)  Rate – lower patient limit Custom limit: 2 Hz to the programmed value (same resolution as rate)  SoftStart/Stop Off, On: 1, 2,4, or 8 second ramp duration
• Medtronic • St. Jude • Boston Scientific
 Risk: Damage to neurostimulator caused by strong EMI interference  Mitigation:Neurostimulator has EMI shielding and is MRI safe under specific conditions  Likelihood of attack:highly unlikely
 Risk: Changing programming on neurostimulator via wireless signal  Mitigation:Remote only works when directly against skin or over very thin clothes.  Remote does not work when going through jeans and a shirt  External antennas do not change this  Likelihood of attack:highly unlikely
 Risk: Attacker turns on stimulation at high voltage  Mitigation:Remote only works when directly against skin or over very thin clothes.  Likelihood of attack:highly unlikely
 Risk: Overheating the skin during charging causing burns  Mitigation:Neurostimulator monitors skin temperature and its temperature  Stops charging if unit or skin overheat  Likelihood of attack: highly unlikely
 Risk: Damaging leads with high RF causing electrocution, shock, death  Mitigation:New leads disperse RF across the entire length of the lead  Likelihood of attack:highly unlikely
Device cost was $30,000 Not willing to pentest device inside her Willing to continue research if I receive enough donations to purchase another device
 HackRF  10 MHz to 6 GHz operating frequency  Half-duplex transceiver  Compatible with GNU Radio, and Software Defined Radio (SDR)  Software-configurable RX and TX gain baseband filter  Open source hardware  Lots of applications already written to decode wireless using this  Cost: $330 Source: https://greatscottgadgets.com/hackrf/, http://www.sharebrained.com/2014/05/28/portapack-h1-imminent/
 Potential vulns mitigated by lack of antenna in neurostimulator  Researchers scare people into not using devices that could improve quality of life  Risk needs to be balanced with probability of being exploited  How likely is it that someone could exploit a neurostimulator without the patient knowing?  Other manufactures and devices do have other/higher risks  Most consumers could not do this – They deserve to know  I Am The Calvary – Working on rating system (iamthecalvary.com)  Every device should be tested and published publicly
 Huge thanks to my wife for putting up with this  Thank you for attending  Contact brian@brksecurity.com for additional information on IoT & Security  Questions?

Recommandé

IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
Brian Knopf
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
SensePost
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
Skeleton Technologies
 

Recommandé

IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
Brian Knopf
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
SensePost
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
Skeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Lily Ray
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
Rajiv Jayarajah, MAppComm, ACC
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
Christy Abraham Joy
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
Vit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
MindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
GetSmarter
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
Alireza Esmikhani
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
Project for Public Spaces & National Center for Biking and Walking
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
DevGAMM Conference
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
Erica Santiago
 

Contenu connexe

En vedette

Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Applitools
 

En vedette (20)

PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 

Threat_Modeling_My_Wife-Brian_Knopf-BSides_LA-2014-09-11

  • 1. Brian Knopf – B-Sides LA 2014 brian@brksecurity.com @DoYouQA
  • 2.  Director of Application Security,Belkin International (owners of WeMo & Linksys)  Member, UPnP Task Force  Previously Principal Test Architect, Office of the CTO at Rapid7  20+ years of experience in IT, QA, Development and Security  Programming,disassembling and reverse engineering since age 5
  • 3.  The Accident  CRPS  Why would you Threat Model your wife?  Why is IoT security important?  Anatomy of Neurostimulators  The Threat Model  Conclusion
  • 4.  My wife was injured when a sign fell on her foot  She suffered nerve damage,fractured bone, damaged tendons & ligaments,and…  Complex Regional Pain Syndrome (CRPS)  Uncommon form of chronic pain that usually affects an arm or a leg  Typically develops after an injury,surgery,stroke or heart attack  Pain is out of proportion to the severity of the initial injury Source: Mayo Clinic http://www.mayoclinic.org/diseases-conditions/complex-regional-pain-syndrome/basics/definition/con-20022844
  • 5. Source: Mayo Clinic http://www.mayoclinic.org/diseases-conditions/complex-regional-pain-syndrome/basics/definition/con-20022844  Continuous burning or throbbing pain (arm,leg, hand or foot)  Sensitivity to touch or cold  Swelling of the painful area  Changes in skin temperature — sweaty or cold  Changes in skin color (range from white and mottled to red or blue)  Changes in skin texture (tender, thin or shiny) in affected area  Changes in hair and nail growth  Joint stiffness,swelling and damage  Muscle spasms,weakness and loss (atrophy)  Decreased ability to move the affected body part
  • 6. Before implant – constant 8-10 After implant – 7 (spikes to 9 or 10)
  • 7.  She needed a medical device implanted in her back  All other treatment options exhausted  No manual alternative  My job is to assess products for security risks  Paranoia based on previous medical device exploits  Programmers still do not focus on securing code  Specialize in IoT security
  • 11. Oh F%*k! Pentesting this is a BAD idea. Stick with the Threat Model
  • 13. Sources: http://www.vizualiiz.com, http://professional.medtronic.com, http://www.nike.com, http://www.progressive.com, http://retailnext.net, http://www.skylanders.com, https://onlycoin.com  Banking  Insurance  Retail  Health & Fitness  Medical  Entertainment  Asset Management
  • 15. Protocols • ZigBee • Z-Wave • 6LoWPAN • NFC • RFID • Bluetooth • Bluetooth Low Energy • INSTEON • Lutron • MQTT • Thread Source: Postscapes http://postscapes.com/what-exactly-is-the-internet-of-things-infographic
  • 17. Pain Management 1970’s Pain Management 2010’s
  • 18.  Hundreds of IoT devices across every vertical  Manufactures lack control of entire stack  Devices not easily updated  Focus on features and usability,not security  Exploit hardware easy to buy
  • 19.  Access to personal information  Can be used to protect physical location  Share some technology with traditional networked devices  Updates are mostly manual if available  Some endpoint devices are not updateable at all (ZigBee,Z-Wave)  Consumers rarely think about patching  Consumers are dependent on manufacture updates  Many built on SDKs from chip vendors and manufactures with no security expertise  Use 3rd Party libraries as black boxes
  • 20. Placed on neurostimulator to charge (external)
  • 21.  Programmable parameter: Operating range and resolution  Remotes communicate in 400 MHz range  Amplitude: 0 to 10.5V with 0.05-V or 0.1- V resolution  Amplitude – upper patient limit:Tracking limit: programmed value +0 to +4 V (0.5- V resolution) Custom limit: programmed value up to 10.5V (same resolution as amplitude)  Amplitude – lower patient limit: Custom limit: 0 V to the programmed value (same resolution as amplitude)  Pulse width: 60 to 1000 μs (10-μs resolution)  Pulse width – upper patient limit: Tracking limit: programmed value +0 to +300 μs (60-μs resolution) Custom limit: programmed value up to 1000 μs (10-μs resolution)  Pulse width – lower patient limit: Custom limit: 60 μs to the programmed value (10- μs resolution)  Rate: 2 to 1200 Hz (resolution: 1 Hz from 2 Hz to 10 Hz;5 Hz from10 Hz to 250 Hz;10 Hz from 250 Hz to 500 Hz; 20 Hz from 500 Hz to 1000 Hz;50 Hz from 1000 Hz to 1200 Hz)  Rate – upper patient limit Tracking limit: programmed value +0, +10,+20,+50, +100 Hz  Custom limit: programmed value to 1200 Hz (same resolution as rate)  Rate – lower patient limit Custom limit: 2 Hz to the programmed value (same resolution as rate)  SoftStart/Stop Off, On: 1, 2,4, or 8 second ramp duration
  • 22. • Medtronic • St. Jude • Boston Scientific
  • 23.
  • 24.  Risk: Damage to neurostimulator caused by strong EMI interference  Mitigation:Neurostimulator has EMI shielding and is MRI safe under specific conditions  Likelihood of attack:highly unlikely
  • 25.  Risk: Changing programming on neurostimulator via wireless signal  Mitigation:Remote only works when directly against skin or over very thin clothes.  Remote does not work when going through jeans and a shirt  External antennas do not change this  Likelihood of attack:highly unlikely
  • 26.  Risk: Attacker turns on stimulation at high voltage  Mitigation:Remote only works when directly against skin or over very thin clothes.  Likelihood of attack:highly unlikely
  • 27.  Risk: Overheating the skin during charging causing burns  Mitigation:Neurostimulator monitors skin temperature and its temperature  Stops charging if unit or skin overheat  Likelihood of attack: highly unlikely
  • 28.  Risk: Damaging leads with high RF causing electrocution, shock, death  Mitigation:New leads disperse RF across the entire length of the lead  Likelihood of attack:highly unlikely
  • 29. Device cost was $30,000 Not willing to pentest device inside her Willing to continue research if I receive enough donations to purchase another device
  • 30.  HackRF  10 MHz to 6 GHz operating frequency  Half-duplex transceiver  Compatible with GNU Radio, and Software Defined Radio (SDR)  Software-configurable RX and TX gain baseband filter  Open source hardware  Lots of applications already written to decode wireless using this  Cost: $330 Source: https://greatscottgadgets.com/hackrf/, http://www.sharebrained.com/2014/05/28/portapack-h1-imminent/
  • 31.  Potential vulns mitigated by lack of antenna in neurostimulator  Researchers scare people into not using devices that could improve quality of life  Risk needs to be balanced with probability of being exploited  How likely is it that someone could exploit a neurostimulator without the patient knowing?  Other manufactures and devices do have other/higher risks  Most consumers could not do this – They deserve to know  I Am The Calvary – Working on rating system (iamthecalvary.com)  Every device should be tested and published publicly
  • 32.  Huge thanks to my wife for putting up with this  Thank you for attending  Contact brian@brksecurity.com for additional information on IoT & Security  Questions?