9/11
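Livestream link: International Conference Hall R0
First Conference Room R1
Second Conference Room R2
Remote Conference Room R3
Lounge R4
Registration
Guest Remarks
General Coordinator's Remarks & Opening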
Industrial Cybersecurity Landscape in 2020: Trends, Challenges, and Opportunities
劉榮太
Break
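[ HITCON Forum ] How the Financial Industry Meets the First Flames of War on the Digital Battlefield
翁浩正 蔡福隆 (Director) 郭建中 (Chairman) 蘇清偉 (CISO) 劉培文 (Executive Vice President)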
A Million Boluses: Discovery and Disclosure of Vulnerabilities in an Insulin Pump
Julian Suleder
Lunch
[ HITCON Forum ] Proactive Security Defense Strategies: Addressing OT Security Dependency Risks
毛敬豪 (Director) 劉榮太 (CEO) 鄭嘉信 (CEO) 楊瑞祥 (CTO) 王仁甫 (Director)
APT Chimera - Operation targets Semiconductor Vendors
陳仲寬 Inndy Lin JohnThunder
Recruitment
Bug Bounty Competition
Break
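[ HITCON Forum ] How to Balance Epidemic Control and Privacy Protection
李柏鋒 (OCF) 簡宏偉 (Director) 龐一鳴 (Director) 劉宇倫 (Physician) Sherry Chung (MyData Taiwan)
Clever Tricks of Cyber-Army Intranet Penetration (Operation: I am Tom)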
zha0 Tom Aragorn
Bug Bounty Competition
TDOH Village
Coffee Break
[ HITCON Forum ] Challenges and Opportunities in Cultivating Security Talent After the Pandemic
Alan Lee 黃俊穎 (Ph.D.) Tzong-Chen Wu Seungjoo Kim Kana Shinoda Yan Shoshitaishvili
Reversing In Wonderland: Neural Network Based Malware Detection Techniques
Sheng-Hao Ma Shin-Ming Cheng
Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments
Joey Chen
5G Village Session
Break
A CTF-Style Escape Journey on VMware Workstation
Yanyu Zhang
5G Village Session
Closing
9/12
Livestream link: International Conference Hall R0
First Conference Room R1
Second Conference Room R2
Remote Conference Room R3
Lounge R4
Registration
Opening
Break
Breaking Samsung's Root of Trust: Exploiting Samsung S10 Secure Boot
Cheng-Yu Chao
Bug hunting from zero to 0(day) to ($)0
Anthony Lai Byron Wai Ken Wong
CTI Village
Break
From LNK to RCE: Finding bugs in Windows Shell Link Parser
Lays
Potential Security and Privacy Issues in Novel Taiwanese National eID system
何明洋
First step in the quest for manufacturing cyber-resilient IoT devices
Jun Sato 張智翔
CTI Village
Break
RE: Starting from Zero with OOO DEF CON CTF & Sharing Our DEFCON 28 Preparation and Competition Experience
ddaa yuawn
LEAYA: Last Exploitation 絢 - An Embedded System Detection and Response
cp zet freetsubasa
Exploit (Almost) All Xiaomi Routers Using Logical Bugs
Aobo Wang Jihong Zheng
CTI Village
Lunch
Association Time
Break
Development of Signaling Spoofing Attacks Using Function Containerization of Rogue Base Stations
Shin-Ming Cheng Bing-Kai Hong
Guarding the Factory Floor: Catching Insecure Industrial Robot Programs
Federico Maggi Davide Quarta Marcello Pogliani Stefano Zanero Marco Balduzzi
CTI Village
Break
-
Bug Bounty X Router X IP Cam X Electronic Payment
The Great Hotel Hack: Adventures in attacking hospitality industry
Etizaz Mohsin
CTI Village
Coffee Break
Lightning Talk / Closing / Highlights and Outlook for HITCON 2021
A Million Boluses: Discovery and Disclosure of Vulnerabilities in an Insulin Pump
Session Abstract
Background
The hacking of medical devices and cybersecurity in public health are
the subject of recent discussions [1]. The Federal Office for Information
Security (BSI) aims to improve transparent communication regarding
cybersecurity risks of networked medical devices [2]. To this end, the
BSI initiated the project ManiMed – Manipulation of Medical Devices to
facilitate a trustful communication and cooperation between
manufacturers, security researchers, and authorities. This study targets
the current cybersecurity state of smart and connected medical devices
[3,4] and illustrates the kinds of questions the medical device industry
faces as it makes its devices smart.
This article focuses on security vulnerabilities identified in the DANA
Diabecare RS insulin pump as an example of those questions. The
vulnerabilities affected the pump's proprietary, Bluetooth Low Energy
(BLE)-based communication and patient safety.
Methods
The assessment of medical devices is highly specialized and depends on
the individual device's medical use case, the interfaces present, the
technologies used, and the assumptions made about its environment [5].
The device was assessed following a black-box approach. The proprietary
communication protocol built on top of Bluetooth Low Energy (BLE) was
reverse-engineered using the manufacturer's Android and iOS applications
and captures of the communication between the pump and its mobile apps,
taken with elementary BLE prototyping hardware. The scope of the
assessment covered the applied cryptography, Man-in-the-Middle attacks,
eavesdropping on the communication, and the authentication and
pairing process.
A coordinated vulnerability disclosure process (CVD) was initiated to
keep the smart medical device on the market while ensuring that it no
longer poses a threat to patient safety. The disclosure deadline was set
with the constraint that measures must not harm the therapeutic purpose
of the medical device. The Federal Institute for Drugs and Medical
Devices (BfArM), as the national authority for vigilance in Germany, was
notified and involved.
Results
During the security assessment, client-side controls, weak generation of
encryption keys, improper verification of the pump's identity, missing
replay protection, the insecure transmission of cryptographic keys, and
an overall weak authentication mechanism were identified. By hijacking
the pump, an attacker can administer insulin boluses remotely, causing
severe patient harm [6].
The coordinated vulnerability disclosure (CVD) process was extended and
lasted several months until a patch was rolled out to patients with a
new pump firmware and major mobile application upgrades. The
manufacturer released security advisories in the form of a Field Safety
Notice (FSN) [7]. A Medical Advisory (ICSMA) as well as CVEs were
published by the Cybersecurity and Infrastructure Security Agency (CISA)
[8].
Conclusion
This example demonstrates that mature processes for handling
cybersecurity vulnerabilities with safety impact on active medical
devices are not yet common among all medical device manufacturers, even
though recognized procedures [9, 10] based on pervasive community
knowledge are in place.
References
[1] Newman L. These Hackers Made an App That Kills to Prove a Point.
WIRED. 2019 [Accessed 15 July 2020]. Available from:
https://www.wired.com/story/medtronic-insulin-pump-hack-app/.
[2] Federal Office for Information Security (BSI). Report on the State
of IT Security in Germany 2019. 2019 [Accessed 15 July 2020]. Available
from:
https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html.
[3] Federal Office for Information Security (BSI). Medizintechnik. 2019
[Accessed 15 July 2020]. Available from:
https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eHealth/Medizintechnik/Projekte/Projekte_node.html.
[4] SPECTARIS Deutscher Industrieverband für Optik, Photonik, Analysen-
und Medizintechnik e.V. Die deutsche Medizintechnik-Industrie: SPECTARIS
Jahrbuch 2019/2020. 2019 [Accessed 15 July 2020]. Available from:
https://www.spectaris.de/fileadmin/Content/Medizintechnik/Zahlen-Fakten-Publikationen/SPECTARIS_Jahrbuch_2019-2020.pdf.
[5] German Federal Office for Information Security (BSI). Cyber Security
Requirements for Network-Connected Medical Devices. 2018 [Accessed 15
July 2020]. Available from:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/Medical_Devices_CS-E_132.pdf?__blob=publicationFile&v=2.
[6] Suleder J, Kauer B, Emmerich N, Pavlidis R. ERNW Whitepaper 69:
Safety Impact of Vulnerabilities in Insulin Pumps. In Press.
[7] Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM).
Dringende Sicherheitsinformation zu Insulinpumpe DANA Diabecare
RS; mobilen Anwendung AnyDANA von SOOIL Development Co. Ltd. 2020
[Accessed 15 July 2020]. Available from:
https://www.bfarm.de/SharedDocs/Kundeninfos/DE/07/2020/17203-19_kundeninfo_de.pdf.
[8] Cybersecurity and Infrastructure Security Agency (CISA). ICS Medical
Advisory (ICSMA-20-XXX-XX) – SOOIL DANA Diabecare RS. In Press.
[9] Food and Drug Administration (FDA). Postmarket Management of
Cybersecurity in Medical Devices. 2016 [Accessed 15 July 2020].
Available from:
https://www.fda.gov/regulatory-information/search-fda-guidance-documents/postmarket-management-cybersecurity-medical-devices.
[10] The European Commission. MDCG 2019-16 - Guidance on Cybersecurity
for medical devices. 2019 [Accessed 15 July 2020]. Available from:
https://ec.europa.eu/docsroom/documents/41863.
Julian Suleder
Julian Suleder is a Security Analyst & Researcher at ERNW Research GmbH
in Heidelberg, Germany. His research interest is the security of medical
devices as he holds a master’s degree in medical informatics from
Heidelberg University and Heilbronn University, Germany. Besides IT
security, he enjoys researching in the special interest group Consumer
Health Informatics (CHI) of the German Association for Medical
Informatics, Biometry, and Epidemiology (GMDS).