The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To make a donation, or to view additional materials from hundreds of MIT courses, visit MIT OpenCourseWare at ocw.mit.edu.

PROFESSOR: So welcome everybody, and I actually used to be at MIT in the '90s, so it's good to be back. And so we're going to talk today about a different kind of security. It's going to be less on the technical mechanism side, and more on the, well, what happens when all this technology gets put in place in something where there's high consequences? Not quite so high-consequence as, say, an airplane in the sky, but getting pretty close.

Just to let you know where I'm coming from. So I used to be part of the midnight coffeehouse club myself, but this is Michigan, actually. We're not quite as big as your campus here. But a short while ago somebody decided to put a hot tub on our computer science building, so they're doing research inside there. But what we're going to talk about today is some of the research that bubbled out of that.
So we're going to talk about everything from exploding defibrillators to other issues of privacy in medical devices. And this mainly is going to be related to just one thread of research from one of my former graduate students here, who is actually at this point sanitizing explanted pacemakers. But we're going to mostly talk about the security of medical devices today.

Got a bunch of acknowledgements. There it is on tape. This work is by tons of people, and I'm going to try to summarize for you some of the modern bits about medical device security through all sorts of places. I'm also required to put up this boilerplate slide of my potential conflict of interest, so now you can know about any potential biases on my thinking. But I'd like to think that I am less biased than the average person. OK. So moving on.
So an interesting thing happened about a year ago, when FDA-- the Food and Drug Administration-- released a draft document saying they are now going to be expecting manufacturers to consider cyber security-- or as we call it, security and privacy-- not only in their implementation of the medical device software, but in their design of their software. Before a single line of code has been written. And so we're going to talk about how this has affected the thinking in the medical device manufacturing community. Their final guidance came out just a couple weeks ago, and we just held a conference call. FDA held a conference call, and over 650 people decided to join the teleconference. So there's a lot of interest in the manufacturing community about how to take some of the concepts you're learning here in your class and actually apply it to the medical community. But it's really hard.

And I noticed one of the questions up on the website was about how to get the culture change in the medical community to understand security. And this slide illustrates that. So, who washed their hands this morning? OK.
Oh, this is not MIT, everybody. So actually about 164, 165 years ago, there was a famous physician, Ignaz Semmelweis, who was looking into something called childbed fever. And he discovered that his medical students who were working in the morgue in the morning who later went to work with patients, well, those patients tended to die more often. And he discovered if you washed your hands, then statistically you were less likely to pass on some kind of probability of not living longer. So he recommended that physicians wash their hands. And the reaction from the physician community was, doctors are gentlemen, and therefore their hands are always clean. And to some extent we're seeing some of those kinds of attitudes toward security today, so it's not too surprising. But I'll try to draw some parallels with that throughout the talk.

I've got a lot of material to cover so I'm going to whip through some things. But first thing I'm going to do-- anyone a physician? No? OK, well you're all going to be able to have some good material for cocktail parties with your doctor friends.
We're going to talk a little bit about implantable medical devices. Actually I'll pass this guy around. You can feel free to touch it. It's been de-dangered. Just don't lick it. This is a defibrillator from a former patient. And actually this is a device here-- about 50 years ago, some of the first pacemakers started to appear on the scene. They were external. You had to have a burly nurse to cart it around. And then as the decades wore on, they became small enough to be implanted, completely implanted in the body. And here you see a picture of what's called a wand that's using inductive coupling. It's technically wireless. There are no wires. To wirelessly program the device to be 60 beats per minute. But interesting to me as a security researcher was that in around 2003 or so, we began to see defibrillators, such as the one I'm passing around, that started to embrace wireless technologies and networking that you'd be more used to as sort of general computation. And I was thinking what could possibly go wrong?
Luckily there are a lot of engineers also thinking that same question in companies, but security, it takes a different mindset. And I'm going to tell you a little bit about how that mindset is changing. So if you were to open up one of those devices, what you find inside are vast resource constraints. If you want a hard engineering problem, pop open one of these devices. So about half of the device is just a battery. A very high quality battery. These cost about $40,000 a pop on the market. Silver vanadium oxide. And you've got little microcontrollers at the top. Typically you have some antennas where you can do your communication for your control of the device as well. This is all hermetically sealed, implanted in your body. We're talking one of the harshest environments possible. You want to recharge a battery in your body, good luck. Did you know that batteries give off heat and gas? So there are very challenging constraints to engineering the device. When you want to add security, it gets just a little bit hard.
So there is, however, a very good reason for having a wirelessly controlled medical device. There are good reasons, but there are these subtle risks. So to illustrate that, I want you to see what pacemakers used to look like. So this is a pacemaker from the Medtronic Museum up in Minneapolis. And can anyone guess what that little piece of metal is on the right hand side? What its function is? Antenna? Control? Control is very close. Any other guesses?

So this is a device before there was wireless communication to control a pacemaker. In the old days, when you want to change the settings on your device, the physician says, "Patient, please lift up your arm. I'm going to put a needle through your armpit to twist the dial to change your heart rate." So one of the great reasons for wireless is that it actually reduces infection rates, because the more you put foreign objects in your body, the more likely you are to contract an infection. It is a serious risk.
Actually, 1% of implantations have major complications, and of those, about 1% are fatal. So controlling infection is one of the most important things you can do in the implantation and changing of the device. Of course, if you go the other extreme and just say, I want to put wireless everywhere, you'll get different kinds of risks. So I've sort of dubbed this the bacon theory of wireless. Now my mother's from the Midwest, so she used to say bacon makes everything better. And I've noticed there are some device manufacturers who seem to be putting wireless everywhere without necessarily thinking through all the risks. It does have its benefits, but you need to very strategically think before you add this to a safety critical device. What are the security risks for instance that are going to be opening up?

Oops, I had one misplaced slide, but I guess I'll just say it anyway. I'm not going to talk a whole lot about networking, but I thought this quote was just too good not to mention. Does anyone remember the ship off the coast of Italy?
The captain says, "These days, everything is much safer, thanks to modern instruments and the internet." And there's his ship that turned over there. So you add internet connectivity and wireless to your medical device, there are going to be new risks. And you don't need to be afraid of them, but you just need to have appropriate mitigating controls.

So I'm flying through this. But what I want to give you is paint a picture of what's a typical day in a medical device, and how it's used in clinical care, and how that might change your mindset if you come from a security background, and how you think about risk. So first I'm going to talk about the world where there aren't real threats, just unsafe practices and some carelessness. So the FDA maintains a database of near misses, malfunctions, injuries, and deaths. This is all public. You can go look this up yourself. It's called MAUDE. And one of the devices was called this volumetric infusion pump. This is a device that infuses drugs into your body through an IV mechanically.
And this patient died. And if you look carefully, it says one of the causes was a buffer overflow. I think you learned about buffer overflows in your first lecture. So they are very real and they happen in every sector. So in this particular case when the buffer overflow occurred, it was actually caught in their error checking in the software, but the action it took was to shut the pump down. To bring it down to a safe mode. What they didn't realize was that for some patients, shutting down the pump is basically a death sentence. So this patient died after the increase in intracranial pressure, followed by brain death because of the buffer overflow. So there's nothing really complicated here, right? You all know you don't want to have buffer overflows in your software. There's no adversary at this point. So this kind of illustrates the state of software, at least for this particular device. It's very challenging.

The other challenging part that doesn't come up a whole lot in a security course is the human side.
So there are few universities that focus on the human element, but I think there ought to be more. So I set out on some life experience of my own. My wife asked to remain anonymous, so she said as long as I don't reveal her name. So that's me, that's our infusion pump in the back, and that's our baby in there. And for us luckily the pump worked just fine. But pumps are great for delivering medical care, but they have resulted in over 500 deaths due to various forms of malfunctions.

So I'm going to tell you about one more malfunction. There's also an implantable kind of pump. They're not just bedside pumps, the kind you see on daytime hospital dramas. But here's an implantable pump, and it's got this semipermeable membrane where you can replenish the drugs. And this is a user interface that the nurse or the clinician uses to change the dosage rate. So does anyone see where you type in the quantity of drug? You've got to kind of squint, right? So you squint really closely.
And one thing you'll notice is here by number six it says we're going to dose this bolus-- bolus is a quantum of drug-- over 20 minutes and 12 seconds. We're going to dose this into the patient. And this is implanted, so you don't feel it. There's no nerve. And this user interface is actually after an FDA recall went into effect for the software quality. So what was missing before the recall were eight key elements. In particular HH:MM:SS. So what do you think happens, or what you think could happen, if that label were missing? It's really easy to get the units wrong. Make an order of magnitude error.

So unfortunately for this patient, who later expired, he or she had his or her pump reprogrammed, and the health care professional noticed that the bolus was given over 20 minutes instead of 20 hours after the fact. Unfortunately the patient left the facility, got into a motor vehicle accident, and then later died after the family removed life support. But if you look at this from a technical perspective, the problem is pretty simple, right? In terms of you didn't have the label there.
But human factors is very easy to overlook. It's not always right there, front and center, in the engineering process. Do you have a human factors part in this lecture? See what I mean? Blame Nickolai. No, Nickolai is great. But it's a very important element of improving the trustworthiness of devices that rely on software. So I encourage you to think about better human elements and human factors for your software, even if it's on something non-critical. So that should begin to paint a picture of the typical problems in medical device failures post [INAUDIBLE] 25.

And the other thing I want to talk about is the exciting world of management. Management, exciting. I used to collect all these little dialogue boxes whenever my computer would get a software update, but this all happens in the background now. Like my iPhone's constantly getting updates and drawing more power. But now it just sort of happens. But medical devices also take software updates. They're not really fundamentally different from traditional computing devices.
They just happen to control vital functions of your body. So there's an interesting case. It's now been about four years. So McAfee-- there are a number of antivirus companies that produce products that hospitals use-- and in this particular case, McAfee had this software update that actually misclassified a critical Windows DLL as malicious, and then decided to quarantine the system. So when it quarantined, let's see.

[COMPUTER SOUND]

That always happens, right? OK. So, ha ha ha. In this particular case with McAfee, when they quarantined this critical Windows DLL as malicious, the machine just started rebooting. Blue Screen of Death and cycling. And in Rhode Island, they basically stopped admitting patients at one hospital, except for severe cases like gunshot wounds, because their admission systems weren't working properly. So clinical care depends heavily on the function of software, and we sometimes forget about the role of security.

On the topic of depending on other people's software, Microsoft has one of the largest footprints of operating systems.
And believe it or not, there are a lot of medical devices that run on Windows XP. Windows XP, in case you didn't hear, went out of service half a year ago. So you should not be using this, because there are no more updates, security updates, function updates. It's antiquated software. But there are still medical devices today being shipped brand new with Windows XP. The software life cycles are a little bit misaligned. If you're used to downloading updates for your open source software on a daily basis, well, think about medical devices. You might not be able to get to it, say, for a year. It might be in the field for 20 years. So it's very difficult to locate software that's appropriate for a 20-year life cycle. It's basically flying in space.

So the Food and Drug Administration has now released some guidance-- actually, this was just exactly a month ago-- on what they expect to see from manufacturers. Think of it as a design project. As you're writing down all the requirements of your medical device, they're asking manufacturers how have they thought through the security problems.
How have they thought through all the security risks? How are they mitigating it? What risks are they accepting as what they call residual risk, things that they don't solve? But they expect them to at least be aware of all the risks and ideally mitigate them. So with the management of software, when no one person is accountable, all sorts of crazy things happen. But there is some guidance now that's beginning to emerge to help the manufacturing community to better integrate security into their products.

So I think we're making some pretty good time. All right. So now we're going to be able to go into the security side. I wanted to get the non-security stuff out of the way for the context. So let's put on our gray hats and black hats. Before I begin this, though, I guess what I want to say is this is a very challenging area to do research, because there are patients. And if I were given a medical device, for instance, today, I'd still take it even if the security problems weren't all worked out, because I know I'm much better off with that medical device.
But that said, of course, I'd prefer to have medical devices that are more secure. So there is the emergence of more and more secure devices, but today, if you have to choose between a device and no device, I'd strongly recommend taking it, because you're going to be in a much better position. But that said, let's take a look now. If we consider the adversary, and if the adversary wants to cause problems to a medical device.

So who's got the defibrillator at the moment? Oh, it's right over here. Good. So I'd like to tell you a little bit about how these defibrillators are implanted. This is a very special device because, well, number one, it's implanted, therefore it's very high risk. It's life sustaining. If it's pacing your heart, for instance, and it fails, the results can be catastrophic. So it's very interesting from an engineering perspective. It needs to work 24/7 for many years. So this is a programmer. Not a person, but a device. It's basically a ruggedized computer, and attached to it is a little wand. That's not a mouse.
431 00:17:54,340 --> 00:18:00,040 That's a transmitter/receiver speaking a proprietary wireless 432 00:18:00,040 --> 00:18:02,210 signal over a licensed spectrum. 433 00:18:02,210 --> 00:18:04,220 We're not talking 802.11, we're talking 434 00:18:04,220 --> 00:18:06,640 specially-licensed spectrum there. 435 00:18:06,640 --> 00:18:09,630 And what happens is it takes about 90 minutes. 436 00:18:09,630 --> 00:18:11,510 The patient is awake, just slightly 437 00:18:11,510 --> 00:18:14,540 sedated to remain calm, and there's a local anesthetic. 438 00:18:14,540 --> 00:18:17,640 A small incision is made beneath the clavicle. 439 00:18:17,640 --> 00:18:19,560 And then the team-- typically it's 440 00:18:19,560 --> 00:18:24,930 a team of about six people-- will weave electrodes 441 00:18:24,930 --> 00:18:27,420 through a sacrificed blood vessel that then 442 00:18:27,420 --> 00:18:28,760 terminates inside the heart. 443 00:18:28,760 --> 00:18:31,150 And actually I have one of them right here. 444 00:18:31,150 --> 00:18:34,550 This was not previously used. 445 00:18:34,550 --> 00:18:35,750 You can pass this around. 446 00:18:35,750 --> 00:18:37,960 You see the little tines on the end. 447 00:18:37,960 --> 00:18:41,650 And on some of the devices there's both a sensor, 448 00:18:41,650 --> 00:18:43,215 so it can sense your cardiac rhythm, 449 00:18:43,215 --> 00:18:44,340 and there's also actuation. 450 00:18:44,340 --> 00:18:47,410 You can send shocks, both small and large, 451 00:18:47,410 --> 00:18:51,430 to either pace the heart or to basically reboot the heart 452 00:18:51,430 --> 00:18:53,100 if there's a chaotic rhythm. 453 00:18:53,100 --> 00:18:54,740 It's a very highly advanced device. 454 00:18:54,740 --> 00:18:57,100 It's a steroid-tipped piece of metal on the end, 455 00:18:57,100 --> 00:18:59,200 so it doesn't bind to the tissue. 456 00:18:59,200 --> 00:19:02,390 You can pass that around. 457 00:19:02,390 --> 00:19:05,870 It's basically a USB cable, right? 
458 00:19:05,870 --> 00:19:10,090 So after that's implanted into the body, 459 00:19:10,090 --> 00:19:11,660 the patient is sewn up. 460 00:19:11,660 --> 00:19:12,617 They do some testing. 461 00:19:12,617 --> 00:19:14,200 And typically the patient will receive 462 00:19:14,200 --> 00:19:16,710 what looks like a little base station. 463 00:19:16,710 --> 00:19:18,380 Like a little access point. 464 00:19:18,380 --> 00:19:20,410 It's very proprietary. 465 00:19:20,410 --> 00:19:23,725 Typically they speak a proprietary RF to the implant 466 00:19:23,725 --> 00:19:25,700 so it can gather all the telemetry, 467 00:19:25,700 --> 00:19:29,320 so that it can send it back up through the cloud-- typically 468 00:19:29,320 --> 00:19:31,825 through a private cloud, for whatever private means-- 469 00:19:31,825 --> 00:19:34,182 so that the health care professionals can keep tabs 470 00:19:34,182 --> 00:19:34,890 on their patient. 471 00:19:34,890 --> 00:19:36,830 So for instance, if you notice that there's 472 00:19:36,830 --> 00:19:40,060 some odd measurement coming from patient Mary, 473 00:19:40,060 --> 00:19:41,620 you might call up Mary and say, "You 474 00:19:41,620 --> 00:19:42,540 should really make an appointment 475 00:19:42,540 --> 00:19:44,706 and come in, because I'd like to see what's going on 476 00:19:44,706 --> 00:19:45,770 with your defibrillator." 477 00:19:45,770 --> 00:19:47,603 So one of the nice things about the wireless 478 00:19:47,603 --> 00:19:49,670 is they're able to have more continuous care 479 00:19:49,670 --> 00:19:51,580 rather than come back in a year. 480 00:19:54,280 --> 00:19:56,440 We had a team of students at several universities 481 00:19:56,440 --> 00:19:59,490 get together, and I gave them one of these defibrillators 482 00:19:59,490 --> 00:20:01,080 and an oscilloscope, and they went off 483 00:20:01,080 --> 00:20:02,895 into a cave for about nine months. 
484 00:20:02,895 --> 00:20:06,390 And they came back and said, "Look what we found!" 485 00:20:06,390 --> 00:20:11,640 So this is a screenshot of the communication between a device 486 00:20:11,640 --> 00:20:12,860 and the programmer. 487 00:20:12,860 --> 00:20:15,890 And what you can see is first of all, it's in the clear. 488 00:20:15,890 --> 00:20:18,500 There's no cryptography, at least none that we could find. 489 00:20:18,500 --> 00:20:21,190 You'll find inside here the name of the implanting physician, 490 00:20:21,190 --> 00:20:23,210 the diagnosis, the hospital. 491 00:20:23,210 --> 00:20:25,380 Basically a complete electronic health record. 492 00:20:25,380 --> 00:20:28,585 This is an older device, from about 10 years ago. 493 00:20:28,585 --> 00:20:31,080 But that was the state of the art about 10 years ago. 494 00:20:31,080 --> 00:20:33,170 There didn't appear to be any use of encryption, 495 00:20:33,170 --> 00:20:36,550 at least for the privacy of the health information. 496 00:20:36,550 --> 00:20:38,430 So when we noticed this, we thought, 497 00:20:38,430 --> 00:20:41,110 well then, we definitely need to look at the security side 498 00:20:41,110 --> 00:20:42,670 about how the device is controlled. 499 00:20:42,670 --> 00:20:44,980 How do they ensure the authenticity of the control? 500 00:20:44,980 --> 00:20:46,780 The integrity? 501 00:20:46,780 --> 00:20:50,180 And that's when we decided to do the following experiment. 502 00:20:50,180 --> 00:20:53,060 So we started learning how to use something called a software 503 00:20:53,060 --> 00:20:53,610 radio. 504 00:20:53,610 --> 00:20:55,735 Probably some of you have played around with these. 505 00:20:55,735 --> 00:20:57,130 There are a bunch of them now. 506 00:20:57,130 --> 00:20:59,330 About 10 years ago, the most popular one 507 00:20:59,330 --> 00:21:02,740 was the USRP and GNU radio software. 
508 00:21:02,740 --> 00:21:08,050 So we took an antenna from a pacemaker that we didn't need, 509 00:21:08,050 --> 00:21:12,150 created a little antenna, and we recorded the RF communication 510 00:21:12,150 --> 00:21:14,700 of inducing a fatal heart rhythm. 511 00:21:14,700 --> 00:21:17,640 And then we replayed that communication back. 512 00:21:17,640 --> 00:21:19,810 And then the device happily emitted 513 00:21:19,810 --> 00:21:23,160 a large-- something on the order of a 500-volt shock. 514 00:21:23,160 --> 00:21:27,270 On the order of about 32 joules in one millisecond, which 515 00:21:27,270 --> 00:21:30,062 I'm told if you were to get that on you, 516 00:21:30,062 --> 00:21:32,020 it's like being kicked in the chest by a horse. 517 00:21:32,020 --> 00:21:36,090 So it's a rather powerful shock. 518 00:21:36,090 --> 00:21:38,840 And the interesting thing was how we discovered this. 519 00:21:38,840 --> 00:21:41,500 So I was in the operating room, and recall back, 520 00:21:41,500 --> 00:21:43,880 I said that when you're a patient 521 00:21:43,880 --> 00:21:47,240 and the procedure is ending, the health care 522 00:21:47,240 --> 00:21:51,030 team tests if the defibrillator is working properly. 523 00:21:51,030 --> 00:21:55,830 So how do you end-to-end test if a defibrillator's 524 00:21:55,830 --> 00:21:59,860 working properly if the heart is beating normally? 525 00:21:59,860 --> 00:22:00,590 Right? 526 00:22:00,590 --> 00:22:03,580 So what's built into the defibrillator 527 00:22:03,580 --> 00:22:06,160 is a command to induce the very fatal heart 528 00:22:06,160 --> 00:22:10,200 rhythm that the defibrillator is designed to restore you from. 529 00:22:10,200 --> 00:22:12,890 It's called a command shock. 530 00:22:12,890 --> 00:22:15,130 So when I asked the physicians about that, 531 00:22:15,130 --> 00:22:18,047 they didn't seem to understand the concept of authentication. 
532 00:22:18,047 --> 00:22:19,630 And that's when we decided we'd really 533 00:22:19,630 --> 00:22:22,672 need to look more deeply into how to solve these problems. 534 00:22:22,672 --> 00:22:24,130 So in this particular case, we were 535 00:22:24,130 --> 00:22:25,980 able to send the command to the device, 536 00:22:25,980 --> 00:22:32,130 and we weren't authenticated, and we could induce that shock. 537 00:22:32,130 --> 00:22:35,810 The good news is these devices have 538 00:22:35,810 --> 00:22:38,450 been able to solve these problems through some software 539 00:22:38,450 --> 00:22:39,010 updates. 540 00:22:39,010 --> 00:22:40,968 And they've been aware of it for quite a while, 541 00:22:40,968 --> 00:22:42,660 so they're able to spin out devices 542 00:22:42,660 --> 00:22:44,600 that now take into account some of these more 543 00:22:44,600 --> 00:22:47,010 adversarial conditions. 544 00:22:47,010 --> 00:22:48,510 Where are those tines going around? 545 00:22:48,510 --> 00:22:49,300 Over there? 546 00:22:49,300 --> 00:22:52,000 OK, great. 547 00:22:52,000 --> 00:22:53,357 So that's the implant side. 548 00:22:53,357 --> 00:22:55,190 There's a huge amount of innovation going on 549 00:22:55,190 --> 00:22:56,680 with implants. 550 00:22:56,680 --> 00:22:59,070 It's not really science fiction anymore, 551 00:22:59,070 --> 00:23:01,660 but there are real people and patients behind it. 552 00:23:01,660 --> 00:23:05,340 And most people care deeply about delivering quality health 553 00:23:05,340 --> 00:23:07,080 care. 554 00:23:07,080 --> 00:23:11,030 But sometimes they just don't realize how to fit security 555 00:23:11,030 --> 00:23:13,060 into their designing process. 556 00:23:13,060 --> 00:23:16,760 So it's a challenge culturally. 557 00:23:16,760 --> 00:23:18,540 Another stakeholder are the people 558 00:23:18,540 --> 00:23:20,380 who provide health care in the first place. 559 00:23:20,380 --> 00:23:22,560 Hospitals, primarily, or small clinics. 
560 00:23:22,560 --> 00:23:24,620 If you want to find malware, go to a hospital. 561 00:23:24,620 --> 00:23:27,090 You're going to find some interesting malware. 562 00:23:27,090 --> 00:23:28,350 And here's why. 563 00:23:28,350 --> 00:23:32,550 So here's a screenshot from a colleague who 564 00:23:32,550 --> 00:23:34,850 used to work at Beth Israel Deaconess Medical Center 565 00:23:34,850 --> 00:23:36,040 here in Boston. 566 00:23:36,040 --> 00:23:38,440 And he gave a map of his network architecture. 567 00:23:38,440 --> 00:23:40,610 There's nothing particularly earth-shattering 568 00:23:40,610 --> 00:23:41,770 about the architecture. 569 00:23:41,770 --> 00:23:43,490 What was interesting, though, was 570 00:23:43,490 --> 00:23:46,030 he listed the number of operating 571 00:23:46,030 --> 00:23:48,530 systems in his hospital on what were 572 00:23:48,530 --> 00:23:50,710 considered medical devices. 573 00:23:50,710 --> 00:23:53,490 And I looked at him-- I like to add up numbers and insanity 574 00:23:53,490 --> 00:23:55,880 check things-- and I said, "Well, you've 575 00:23:55,880 --> 00:23:58,720 got Service Pack one, two, three of Windows XP, zero 576 00:23:58,720 --> 00:24:00,310 15 plus one. 577 00:24:00,310 --> 00:24:01,460 That equals 16. 578 00:24:01,460 --> 00:24:02,630 That doesn't equal 600. 579 00:24:02,630 --> 00:24:04,580 Your addition's wrong." 580 00:24:04,580 --> 00:24:06,910 And he looked at me and he said, "No, Kevin, that's 581 00:24:06,910 --> 00:24:11,020 600 Service Pack zero machines in the hospital." 582 00:24:11,020 --> 00:24:12,580 So these are medical devices where 583 00:24:12,580 --> 00:24:14,880 they've been unable to get the manufacturer 584 00:24:14,880 --> 00:24:17,910 to provide patches and update it to the modern software. 
585 00:24:17,910 --> 00:24:20,202 Which means it's that old software, 586 00:24:20,202 --> 00:24:22,410 vulnerable to all the old malware that's been hitting 587 00:24:22,410 --> 00:24:26,140 Windows XP for 15 years. 588 00:24:26,140 --> 00:24:29,260 So it's very difficult in the clinical setting 589 00:24:29,260 --> 00:24:32,197 to keep yourself protected, because the product life cycles 590 00:24:32,197 --> 00:24:33,530 are just completely out of sync. 591 00:24:33,530 --> 00:24:36,350 They think in terms of decades in health care, 592 00:24:36,350 --> 00:24:39,350 but in the fast hockey stick world of Silicon Valley, 593 00:24:39,350 --> 00:24:43,110 we think about days, weeks, or months for software updates. 594 00:24:43,110 --> 00:24:45,700 You can see down here in their clinical systems, 595 00:24:45,700 --> 00:24:47,830 average time to infection is about 12 days 596 00:24:47,830 --> 00:24:51,020 when they don't have any kind of protection against malware. 597 00:24:51,020 --> 00:24:52,762 And they can get almost up to a year 598 00:24:52,762 --> 00:24:54,970 if they're able to get an antivirus product on there. 599 00:24:54,970 --> 00:24:56,510 But even that's not perfect. 600 00:24:59,422 --> 00:25:01,380 And feel free to ask questions too, by the way, 601 00:25:01,380 --> 00:25:02,421 if you want to know more. 602 00:25:02,421 --> 00:25:04,180 Go deeper dive on any of these incidents. 603 00:25:04,180 --> 00:25:06,900 But one of the interesting things I found 604 00:25:06,900 --> 00:25:11,030 was that one relatively common source of infection 605 00:25:11,030 --> 00:25:12,209 is the vendor themselves. 606 00:25:12,209 --> 00:25:13,750 Sometimes they don't even realize it. 607 00:25:13,750 --> 00:25:15,208 So I'm going to go over a few cases 608 00:25:15,208 --> 00:25:18,240 where the vendor has sort of accidentally 609 00:25:18,240 --> 00:25:20,145 been the carrier of the malware. 
610 00:25:20,145 --> 00:25:23,420 I was talking with the chief field security 611 00:25:23,420 --> 00:25:26,330 officer for the Veterans Administration, the VA. 612 00:25:26,330 --> 00:25:29,790 They have about 153 clinics in the United States. 613 00:25:29,790 --> 00:25:32,750 And one day there was a vendor showing up 614 00:25:32,750 --> 00:25:35,540 to do software updates on some of their clinical medical 615 00:25:35,540 --> 00:25:36,660 devices. 616 00:25:36,660 --> 00:25:38,390 And her intrusion detection software 617 00:25:38,390 --> 00:25:39,870 was just chirping away everywhere-- 618 00:25:39,870 --> 00:25:41,411 I think his name was Bob-- everywhere 619 00:25:41,411 --> 00:25:43,790 Bob was walking and plugging in his USB drive 620 00:25:43,790 --> 00:25:45,050 to update the software. 621 00:25:45,050 --> 00:25:47,410 He was infecting the machines with malware by accident, 622 00:25:47,410 --> 00:25:50,380 because somehow malware got onto his USB drive. 623 00:25:50,380 --> 00:25:52,660 So there's a perception out there 624 00:25:52,660 --> 00:25:54,619 that if you're not networked, you're safe. 625 00:25:54,619 --> 00:25:56,160 But if you think about it for a moment, 626 00:25:56,160 --> 00:25:58,220 very few people used the internet 20 years ago 627 00:25:58,220 --> 00:25:59,940 and there were still computer viruses. 628 00:25:59,940 --> 00:26:02,520 So in a hospital, a common infection vector 629 00:26:02,520 --> 00:26:04,290 is the USB drive. 630 00:26:04,290 --> 00:26:06,410 I'm even aware of two manufacturers-- 631 00:26:06,410 --> 00:26:11,360 I can't tell you their names-- but they almost 632 00:26:11,360 --> 00:26:13,480 shipped malware-infected medical devices. 633 00:26:13,480 --> 00:26:15,900 And they caught it by chance, by luck, 634 00:26:15,900 --> 00:26:18,440 before it went out into the product line.
635 00:26:21,440 --> 00:26:23,730 Who's done any work on the programming 636 00:26:23,730 --> 00:26:26,980 with the cloud or software distribution? 637 00:26:26,980 --> 00:26:28,180 A few of you. 638 00:26:28,180 --> 00:26:33,050 So the medical community is also embracing the cloud. 639 00:26:33,050 --> 00:26:35,420 It gives them more distributive control. 640 00:26:35,420 --> 00:26:37,020 But it also comes with risks that 641 00:26:37,020 --> 00:26:40,300 are qualitatively different from your typical software. 642 00:26:40,300 --> 00:26:44,100 If you want to get the newest word processor, 643 00:26:44,100 --> 00:26:45,450 that's one thing. 644 00:26:45,450 --> 00:26:47,680 But if you want to get an update for your ventilator, 645 00:26:47,680 --> 00:26:49,070 completely different. 646 00:26:49,070 --> 00:26:51,560 So I noticed there was a recall on the firmware 647 00:26:51,560 --> 00:26:52,600 for a ventilator. 648 00:26:52,600 --> 00:26:56,410 And the manufacturer sent out a handy dandy website where 649 00:26:56,410 --> 00:26:58,729 you could download an update. 650 00:26:58,729 --> 00:27:00,770 Now I was going to go check their PGP signatures. 651 00:27:00,770 --> 00:27:02,670 Couldn't find those, but what I did find 652 00:27:02,670 --> 00:27:04,000 was a little link down here. 653 00:27:04,000 --> 00:27:06,180 It says, "Click here for your software update." 654 00:27:06,180 --> 00:27:09,590 I thought, oh, goody, let's go do that. 655 00:27:09,590 --> 00:27:13,050 So I did that and up popped this dialog box. 656 00:27:13,050 --> 00:27:14,960 It says, "Warning-- Visiting this site may 657 00:27:14,960 --> 00:27:16,130 harm your computer. 658 00:27:16,130 --> 00:27:20,710 This website you are visiting appears to contain malware." 659 00:27:20,710 --> 00:27:24,290 Has anyone seen this before? 660 00:27:24,290 --> 00:27:26,390 Do you know what it was, what it is? 661 00:27:26,390 --> 00:27:27,478 What's going on?
662 00:27:27,478 --> 00:27:30,894 AUDIENCE: So that's probably your antivirus software, 663 00:27:30,894 --> 00:27:31,870 correct? 664 00:27:31,870 --> 00:27:32,980 PROFESSOR: Close. 665 00:27:32,980 --> 00:27:35,140 It's not my antivirus software, but it's 666 00:27:35,140 --> 00:27:36,755 sort of a similar concept. 667 00:27:36,755 --> 00:27:37,630 In the back, I heard. 668 00:27:37,630 --> 00:27:39,270 AUDIENCE: I would bet this is Chrome. 669 00:27:39,270 --> 00:27:41,020 PROFESSOR: Chrome. 670 00:27:41,020 --> 00:27:43,500 Yeah, so in this case I believe I was using Chrome. 671 00:27:43,500 --> 00:27:45,690 But effectively what's going on is 672 00:27:45,690 --> 00:27:50,640 Google has something they call the Safe Web Browsing service. 673 00:27:50,640 --> 00:27:53,440 So actually, the guy who did this is Neil [INAUDIBLE]. 674 00:27:53,440 --> 00:27:56,100 He's one of the lead programmers for, I believe, OpenSSH. 675 00:27:56,100 --> 00:27:58,060 He's actually from Michigan. 676 00:27:58,060 --> 00:27:59,820 But he created this service at Google 677 00:27:59,820 --> 00:28:01,380 that goes around the internet just 678 00:28:01,380 --> 00:28:05,400 downloading random executables and then running them. 679 00:28:05,400 --> 00:28:07,550 And what's interesting is they create a whole bunch 680 00:28:07,550 --> 00:28:08,540 of virtual machines. 681 00:28:08,540 --> 00:28:09,609 This is my understanding. 682 00:28:09,609 --> 00:28:11,650 I may be misrepresenting it, but my understanding 683 00:28:11,650 --> 00:28:13,691 is they create a whole bunch of virtual machines, 684 00:28:13,691 --> 00:28:15,540 download those executables, and just run it 685 00:28:15,540 --> 00:28:17,680 and then see if the virtual machine gets infected. 686 00:28:17,680 --> 00:28:19,470 And if the virtual machine gets infected, 687 00:28:19,470 --> 00:28:22,509 you flag that website as distributing malware. 
688 00:28:22,509 --> 00:28:24,300 They don't know the intentions necessarily, 689 00:28:24,300 --> 00:28:26,535 but it's a participant in the malware distribution. 690 00:28:29,552 --> 00:28:31,510 This is what you might call drive-by downloads. 691 00:28:31,510 --> 00:28:33,860 It's a very common way of getting malware 692 00:28:33,860 --> 00:28:37,190 to you on the internet, especially with the spammers, 693 00:28:37,190 --> 00:28:40,164 and some of the organized crime. 694 00:28:40,164 --> 00:28:42,705 But in this case their website appears to have been infiltrated, 695 00:28:42,705 --> 00:28:45,195 and instead of sending me the ventilator software update, 696 00:28:45,195 --> 00:28:46,850 they were giving me malware. 697 00:28:46,850 --> 00:28:50,270 And at least according to the Google website, 698 00:28:50,270 --> 00:28:54,310 it says that over the past 90 days, 699 00:28:54,310 --> 00:28:56,570 that's what the website was resulting in. 700 00:28:56,570 --> 00:28:58,610 So all I could think was, all right, 701 00:28:58,610 --> 00:29:00,365 so if there's an FDA recall, and you're 702 00:29:00,365 --> 00:29:02,920 a biomedical engineer working for a hospital, 703 00:29:02,920 --> 00:29:04,820 and your job is to keep your hospital 704 00:29:04,820 --> 00:29:06,760 medical devices safe and effective. 705 00:29:06,760 --> 00:29:08,510 You're going to go download that software. 706 00:29:08,510 --> 00:29:11,770 So which box do you think they clicked? 707 00:29:11,770 --> 00:29:17,680 Do you think they clicked close or ignore? 708 00:29:17,680 --> 00:29:18,180 Right? 709 00:29:18,180 --> 00:29:22,770 I am sure, I would bet you dollars to donuts, 99% of them 710 00:29:22,770 --> 00:29:23,820 clicked ignore. 711 00:29:23,820 --> 00:29:24,320 Right?
712 00:29:24,320 --> 00:29:26,200 And so all I'm imagining now is we've 713 00:29:26,200 --> 00:29:28,074 got thousands of clinical engineers 714 00:29:28,074 --> 00:29:30,240 and biomedical engineers walking around with malware 715 00:29:30,240 --> 00:29:32,710 on their laptops in hospitals. 716 00:29:32,710 --> 00:29:35,320 Hopefully not on the ventilator, but most likely 717 00:29:35,320 --> 00:29:36,490 on their local computer. 718 00:29:39,490 --> 00:29:42,310 So other fun things you can do is 719 00:29:42,310 --> 00:29:45,330 you can go search the MAUDE database for keywords 720 00:29:45,330 --> 00:29:48,010 like computer virus and see what's in there. 721 00:29:48,010 --> 00:29:49,990 And these are all narratives submitted 722 00:29:49,990 --> 00:29:51,350 by hospitals and manufacturers. 723 00:29:51,350 --> 00:29:53,440 One of the more interesting ones is 724 00:29:53,440 --> 00:29:55,670 something called a compounder. 725 00:29:55,670 --> 00:29:57,210 So I have one of these in my lab. 726 00:29:57,210 --> 00:29:58,920 It's kind of hard to get. 727 00:29:58,920 --> 00:30:00,550 But it makes liquid drugs. 728 00:30:00,550 --> 00:30:04,560 So it has I think on the order of 16 ports on the top, 729 00:30:04,560 --> 00:30:06,450 where you can have the little serums, 730 00:30:06,450 --> 00:30:09,689 and then it deposits it into a saline bag. 731 00:30:09,689 --> 00:30:11,980 And then you can use IV delivery to deliver it directly 732 00:30:11,980 --> 00:30:13,210 to your veins. 733 00:30:13,210 --> 00:30:16,750 So many hospitals will have these for custom, just 734 00:30:16,750 --> 00:30:19,290 in time drug delivery, special cocktails of drugs 735 00:30:19,290 --> 00:30:20,660 for patients. 736 00:30:20,660 --> 00:30:22,200 And what was interesting is here, 737 00:30:22,200 --> 00:30:23,783 there was a report that the compounder 738 00:30:23,783 --> 00:30:25,440 was infected with a virus. 739 00:30:25,440 --> 00:30:26,140 OK? 
740 00:30:26,140 --> 00:30:28,650 So we bought that compounder, and we found 741 00:30:28,650 --> 00:30:30,640 it runs Windows XP embedded. 742 00:30:30,640 --> 00:30:31,880 Surprise. 743 00:30:31,880 --> 00:30:34,282 And so it was vulnerable to malware, 744 00:30:34,282 --> 00:30:35,990 all the malware that any other Windows XP 745 00:30:35,990 --> 00:30:37,700 box would be vulnerable to. 746 00:30:37,700 --> 00:30:39,450 But what was a little bit surprising to me 747 00:30:39,450 --> 00:30:41,522 was the manufacturer's response at the time. 748 00:30:41,522 --> 00:30:43,480 I hope they changed their tune, but at the time 749 00:30:43,480 --> 00:30:45,810 they said, "Well, we do not regularly 750 00:30:45,810 --> 00:30:49,100 install operating system updates or patches." 751 00:30:49,100 --> 00:30:51,320 This struck me as whoa, what? 752 00:30:51,320 --> 00:30:52,720 What do you mean? 753 00:30:52,720 --> 00:30:55,260 I said maybe they had a bit flip. 754 00:30:55,260 --> 00:30:58,850 But there's a huge misunderstanding 755 00:30:58,850 --> 00:31:01,474 about expectations of software updates. 756 00:31:01,474 --> 00:31:02,140 Let me be clear. 757 00:31:02,140 --> 00:31:07,240 FDA expects manufacturers to keep the software up to date. 758 00:31:07,240 --> 00:31:09,990 But many manufacturers will claim 759 00:31:09,990 --> 00:31:13,090 that they are not able to do updates because of some FDA 760 00:31:13,090 --> 00:31:14,680 nonexistent rules. 761 00:31:14,680 --> 00:31:16,930 So if you ever run into a medical device manufacturer, 762 00:31:16,930 --> 00:31:19,260 and they claim that the FDA rules prevent them 763 00:31:19,260 --> 00:31:20,860 from doing software updates, just 764 00:31:20,860 --> 00:31:23,180 tell them, no, actually that's untrue. 765 00:31:23,180 --> 00:31:26,360 And Professor Freeman created a poster for this. 766 00:31:26,360 --> 00:31:27,370 So here we go.
767 00:31:27,370 --> 00:31:29,560 "Homework prevents me from passing class, 768 00:31:29,560 --> 00:31:31,490 eHarmony prevents me from getting dates, 769 00:31:31,490 --> 00:31:33,760 and yes, FDA rules prevent software updates. 770 00:31:33,760 --> 00:31:34,550 Yeah, right. 771 00:31:34,550 --> 00:31:36,260 Bull." 772 00:31:36,260 --> 00:31:40,310 So it is true that issuing a software update takes effort. 773 00:31:40,310 --> 00:31:41,670 It takes engineering time. 774 00:31:41,670 --> 00:31:43,090 It's not a simple process. 775 00:31:43,090 --> 00:31:45,790 It's not like-- I don't know what course it's called these 776 00:31:45,790 --> 00:31:49,300 days, 6.170, what it's become-- but it's not as simple 777 00:31:49,300 --> 00:31:52,540 as typing "make" and then submit to the auto-grader. 778 00:31:52,540 --> 00:31:54,940 There's a huge amount of verification and validation 779 00:31:54,940 --> 00:31:55,890 that goes on. 780 00:31:55,890 --> 00:31:57,660 But that's what you're expected to do 781 00:31:57,660 --> 00:31:59,800 if you're in the medical device manufacturing game. 782 00:31:59,800 --> 00:32:01,925 If you're in that industry, that's the expectation. 783 00:32:05,240 --> 00:32:07,890 So a question that often comes up 784 00:32:07,890 --> 00:32:10,160 is, do we need to worry about this? 785 00:32:10,160 --> 00:32:12,750 And are there any intentional malicious malfunctions? 786 00:32:12,750 --> 00:32:14,720 How significant are these? 787 00:32:14,720 --> 00:32:18,020 And the good news is, I'm not aware of any specific instance 788 00:32:18,020 --> 00:32:19,970 where there's been a targeted attack, 789 00:32:19,970 --> 00:32:21,940 and I hope none ever happens. 790 00:32:21,940 --> 00:32:23,500 But I think it'd be foolish to assume 791 00:32:23,500 --> 00:32:26,040 that bad people don't exist. 
792 00:32:26,040 --> 00:32:29,070 So if you look back in history, in 1982, actually, 793 00:32:29,070 --> 00:32:31,730 there was an incident in Chicago where somebody 794 00:32:31,730 --> 00:32:34,020 deliberately tampered with extra-strength Tylenol 795 00:32:34,020 --> 00:32:38,020 on the shelves of pharmacies and inserted cyanide. 796 00:32:38,020 --> 00:32:41,340 A number of people ingested it and died. 797 00:32:41,340 --> 00:32:42,902 A short time later, at the funeral, 798 00:32:42,902 --> 00:32:44,985 additional members of family used the same bottle. 799 00:32:44,985 --> 00:32:46,560 They also died. 800 00:32:46,560 --> 00:32:50,710 Within days, the US had pulled Tylenol 801 00:32:50,710 --> 00:32:52,460 from all the shelves in the United States. 802 00:32:52,460 --> 00:32:55,650 You could not find Tylenol in the United States. 803 00:32:55,650 --> 00:32:58,270 And within one year, Congress had passed new legislation 804 00:32:58,270 --> 00:33:01,295 requiring tamper-evident packaging and physical security 805 00:33:01,295 --> 00:33:03,020 of over-the-counter drugs. 806 00:33:03,020 --> 00:33:05,530 This incident is the reason when you open up your medicine, 807 00:33:05,530 --> 00:33:07,610 you see a little metal foil. 808 00:33:07,610 --> 00:33:10,790 So we know bad people exist. 809 00:33:10,790 --> 00:33:14,620 The cases that we are aware of are more about tomfoolery, 810 00:33:14,620 --> 00:33:15,950 but still dangerous. 811 00:33:15,950 --> 00:33:18,590 So this woman said she had one of the worst seizures she's 812 00:33:18,590 --> 00:33:20,210 ever experienced when somebody decided 813 00:33:20,210 --> 00:33:22,900 to post flashing animations on an epilepsy support group 814 00:33:22,900 --> 00:33:24,090 website. 815 00:33:24,090 --> 00:33:25,497 So quite malicious.
816 00:33:25,497 --> 00:33:27,955 It was probably someone who didn't realize the ramification 817 00:33:27,955 --> 00:33:30,410 of their actions, because you can actually 818 00:33:30,410 --> 00:33:34,140 severely harm a patient who's sensitive to those kinds 819 00:33:34,140 --> 00:33:35,180 of things. 820 00:33:35,180 --> 00:33:37,900 But again, bad people do exist. 821 00:33:37,900 --> 00:33:41,150 So one of the problems with the culture gap 822 00:33:41,150 --> 00:33:43,600 is that much of medical device manufacturing 823 00:33:43,600 --> 00:33:46,150 thinks statistically, and they think 824 00:33:46,150 --> 00:33:48,960 about past performance of a device predicting 825 00:33:48,960 --> 00:33:50,430 future performance. 826 00:33:50,430 --> 00:33:52,610 So in the security world, we know that actually, 827 00:33:52,610 --> 00:33:55,110 if you see no security problems, that might be because there 828 00:33:55,110 --> 00:33:56,780 are a bunch more to come soon. 829 00:33:56,780 --> 00:33:59,030 So if you take a look at the Mac, for instance, right? 830 00:33:59,030 --> 00:34:03,030 Before two years ago, basically no malware was on the Mac. 831 00:34:03,030 --> 00:34:05,400 But then one night over half a million Macs 832 00:34:05,400 --> 00:34:07,840 got infected by Flashback. 833 00:34:07,840 --> 00:34:10,840 So one of the problems is bridging that culture gap. 834 00:34:10,840 --> 00:34:12,299 To move from, well, there haven't 835 00:34:12,299 --> 00:34:13,840 been any reported problems yet, so we 836 00:34:13,840 --> 00:34:17,010 don't need to worry about it, to explaining more about how 837 00:34:17,010 --> 00:34:19,170 to fit security into the risk management 838 00:34:19,170 --> 00:34:22,380 thinking of medical device manufacturing. 839 00:34:22,380 --> 00:34:24,520 So hopefully we can avoid this, and keep 840 00:34:24,520 --> 00:34:29,980 that to be on the Weekly World News, but it could happen. 
841 00:34:29,980 --> 00:34:32,620 So trying to bring that analogy home now. 842 00:34:32,620 --> 00:34:35,909 Before we get into a little bit more on the solutions here, 843 00:34:35,909 --> 00:34:39,060 is that way back when, there was a lot of denial 844 00:34:39,060 --> 00:34:40,690 that hand washing was a problem. 845 00:34:40,690 --> 00:34:42,840 But there was a real reason for that. 846 00:34:42,840 --> 00:34:45,699 In the 1800s, running water was not exactly 847 00:34:45,699 --> 00:34:47,710 common in hospitals. 848 00:34:47,710 --> 00:34:49,449 Latex gloves did not exist yet. 849 00:34:49,449 --> 00:34:53,110 So to ask someone to merely wash their hands for each procedure 850 00:34:53,110 --> 00:34:55,389 was actually a pretty tall order. 851 00:34:55,389 --> 00:34:57,990 And the same thing can be said of security today, 852 00:34:57,990 --> 00:34:59,290 in almost any context. 853 00:34:59,290 --> 00:35:01,970 There's no magic pixie dust you can sprinkle. 854 00:35:01,970 --> 00:35:05,150 There are no magic latex gloves you can put on to somehow 855 00:35:05,150 --> 00:35:06,870 magically add security. 856 00:35:06,870 --> 00:35:09,710 So when you ask a manufacturer or clinician 857 00:35:09,710 --> 00:35:11,580 to, say, keep your device secure, 858 00:35:11,580 --> 00:35:12,700 it's a pretty tall order. 859 00:35:12,700 --> 00:35:14,534 So it's going to take some time, I think. 860 00:35:14,534 --> 00:35:15,950 But if they were alive today, they 861 00:35:15,950 --> 00:35:17,840 might be saying medical devices should be secure, 862 00:35:17,840 --> 00:35:20,131 and doctors are gentlemen and therefore their computers 863 00:35:20,131 --> 00:35:21,550 are secure. 864 00:35:21,550 --> 00:35:24,810 But I'm optimistic we're going to get there, 865 00:35:24,810 --> 00:35:27,430 because most manufacturers I talk to now realize it's 866 00:35:27,430 --> 00:35:28,772 a real problem.
867 00:35:28,772 --> 00:35:30,980 They're just not necessarily sure on what to do next. 868 00:35:30,980 --> 00:35:33,730 So maybe they'll be hiring you people for the future, 869 00:35:33,730 --> 00:35:36,250 to help them solve these security problems. 870 00:35:36,250 --> 00:35:38,340 But what it all boils down to is it's 871 00:35:38,340 --> 00:35:40,460 very difficult to add security on after the fact. 872 00:35:40,460 --> 00:35:42,330 Bolting it on is very challenging. 873 00:35:42,330 --> 00:35:45,070 It's possible in some cases, but it's really hard, 874 00:35:45,070 --> 00:35:46,620 and often very expensive. 875 00:35:46,620 --> 00:35:48,953 And you've really got to design it in from the beginning 876 00:35:48,953 --> 00:35:49,760 to get it right. 877 00:35:49,760 --> 00:35:51,774 So FDA is expecting manufacturers 878 00:35:51,774 --> 00:35:53,190 to get it right when they're still 879 00:35:53,190 --> 00:35:55,160 working with pen and paper, on whiteboards, 880 00:35:55,160 --> 00:35:56,660 before they've actually manufactured 881 00:35:56,660 --> 00:35:59,950 the medical device. 882 00:35:59,950 --> 00:36:04,570 So how are we doing on time? 883 00:36:04,570 --> 00:36:06,400 Oh, quite a bit? 884 00:36:06,400 --> 00:36:07,690 40 minutes, awesome. 885 00:36:07,690 --> 00:36:09,187 OK. 886 00:36:09,187 --> 00:36:10,520 I'm going faster than I thought. 887 00:36:10,520 --> 00:36:12,871 Sorry if you're taking notes. 888 00:36:12,871 --> 00:36:16,211 I'll talk slower now. 889 00:36:16,211 --> 00:36:18,730 I want to talk a little bit about technology 890 00:36:18,730 --> 00:36:22,010 to make medical devices actually more trustworthy. 891 00:36:22,010 --> 00:36:25,380 So I'm going to try to blow your mind, all right? 892 00:36:25,380 --> 00:36:32,450 So why do you trust the sensor on, let's say, your smartphone? 893 00:36:32,450 --> 00:36:33,782 You've got a smartphone there. 894 00:36:33,782 --> 00:36:35,781 Do you know what sensors are on that smartphone? 
895 00:36:38,547 --> 00:36:39,340 AUDIENCE: GPS. 896 00:36:39,340 --> 00:36:40,298 PROFESSOR: There's GPS? 897 00:36:42,510 --> 00:36:44,339 Accelerometer, I heard. 898 00:36:44,339 --> 00:36:45,130 Any other thoughts? 899 00:36:45,130 --> 00:36:47,380 What else would we find on a phone? 900 00:36:47,380 --> 00:36:48,350 AUDIENCE: Compass. 901 00:36:48,350 --> 00:36:49,280 PROFESSOR: Compass? 902 00:36:49,280 --> 00:36:50,111 Light? 903 00:36:50,111 --> 00:36:51,955 AUDIENCE: [INAUDIBLE]. 904 00:36:51,955 --> 00:36:54,737 PROFESSOR: Electromagnetic field? 905 00:36:54,737 --> 00:36:56,195 Everything's temperature-sensitive. 906 00:36:59,000 --> 00:37:01,197 Camera's technically got a CCD sensor. 907 00:37:01,197 --> 00:37:02,780 So there's sensors all over the place. 908 00:37:02,780 --> 00:37:04,380 Medical devices have sensors, too. 909 00:37:04,380 --> 00:37:06,170 Now, why do you trust what the sensor's 910 00:37:06,170 --> 00:37:07,140 telling your processor? 911 00:37:07,140 --> 00:37:10,180 If you write software and your sensor 912 00:37:10,180 --> 00:37:15,210 tells you it's 77 degrees today, or 25 Celsius, 913 00:37:15,210 --> 00:37:17,960 why do you believe that? 914 00:37:17,960 --> 00:37:20,650 So at least in my lab, we do a lot of work on sensors. 915 00:37:20,650 --> 00:37:22,580 So I try to pass this one around. 916 00:37:22,580 --> 00:37:25,980 This is a batteryless sensor. 917 00:37:25,980 --> 00:37:29,482 It's got an MSP430 microcontroller. 918 00:37:29,482 --> 00:37:30,440 But there's no battery. 919 00:37:30,440 --> 00:37:32,700 It actually runs off a 10 microfarad capacitor, 920 00:37:32,700 --> 00:37:35,876 and it harvests RF energy to power up that microprocessor. 921 00:37:35,876 --> 00:37:39,300 I'll pass it up this side, I guess. 922 00:37:39,300 --> 00:37:41,030 And it's got all the fun little things 923 00:37:41,030 --> 00:37:43,870 like a 3D accelerometer, temperature sensors, light, 924 00:37:43,870 --> 00:37:45,470 all that fun stuff. 
925 00:37:45,470 --> 00:37:48,029 But it's really hard to power up. 926 00:37:48,029 --> 00:37:49,820 But again, how do you trust what's actually 927 00:37:49,820 --> 00:37:51,110 coming into that sensor? 928 00:37:51,110 --> 00:37:54,530 Something's translating it from all these physical phenomena 929 00:37:54,530 --> 00:37:56,390 to little electrical pulses. 930 00:37:56,390 --> 00:38:00,534 So one thing I want to highlight is 931 00:38:00,534 --> 00:38:02,117 why you might not want to trust what's 932 00:38:02,117 --> 00:38:03,460 coming out of that sensor. 933 00:38:03,460 --> 00:38:05,890 So this is work from one of my post-docs, Denis Foo Kune 934 00:38:05,890 --> 00:38:08,369 here, who's kiteboarding on Lake Michigan. 935 00:38:08,369 --> 00:38:09,910 But in his other spare time, he likes 936 00:38:09,910 --> 00:38:11,700 to interfere with sensors. 937 00:38:11,700 --> 00:38:14,370 So let me tell you about-- forget security for a moment, 938 00:38:14,370 --> 00:38:17,295 to safety-- there was a gentleman in 2009 who reported 939 00:38:17,295 --> 00:38:19,420 that every time his cell phone rang in his kitchen, 940 00:38:19,420 --> 00:38:21,214 his oven turned on. 941 00:38:21,214 --> 00:38:23,130 So you can go find this in the New York Times. 942 00:38:23,130 --> 00:38:26,460 It just happened to be that that resonant frequency was just 943 00:38:26,460 --> 00:38:30,100 perfect to get that ignition to go off in the oven. 944 00:38:30,100 --> 00:38:32,360 So there's interference all over the place. 945 00:38:32,360 --> 00:38:35,950 It's a constant battle, because we have different devices 946 00:38:35,950 --> 00:38:37,720 speaking in the same spectrum. 947 00:38:37,720 --> 00:38:41,090 But there are technologies to reduce that interference. 948 00:38:41,090 --> 00:38:44,260 The problem is, what happens when the interference is 949 00:38:44,260 --> 00:38:45,740 in the baseband? 
950 00:38:45,740 --> 00:38:47,990 I'm going to go a little bit analog on you for moment. 951 00:38:47,990 --> 00:38:51,110 So does 6.003 still exist? 952 00:38:51,110 --> 00:38:51,610 It does? 953 00:38:51,610 --> 00:38:52,370 OK, good. 954 00:38:52,370 --> 00:38:54,411 So I encourage you all to take it if you haven't. 955 00:38:54,411 --> 00:38:56,850 It's one of the most awesome courses for a CS person, 956 00:38:56,850 --> 00:39:00,250 because you don't have to go too deep into the circuits. 957 00:39:00,250 --> 00:39:02,112 So what was interesting to me was, 958 00:39:02,112 --> 00:39:04,070 I was trying to understand why I should believe 959 00:39:04,070 --> 00:39:05,510 what a sensor's telling me. 960 00:39:05,510 --> 00:39:07,740 And so I started to look at the block diagram. 961 00:39:07,740 --> 00:39:11,154 And so for instance, if you've got a Bluetooth headset, 962 00:39:11,154 --> 00:39:13,570 what you're going to find inside that Bluetooth headset is 963 00:39:13,570 --> 00:39:18,260 a microphone, piece of wire, an amplifier-- right, 003-- 964 00:39:18,260 --> 00:39:21,335 some more wire, or some traces on a PCB. 965 00:39:21,335 --> 00:39:22,960 It goes to an analog/digital converter. 966 00:39:22,960 --> 00:39:24,750 There might be some filtering. 967 00:39:24,750 --> 00:39:27,000 And then it goes to your microprocessor. 968 00:39:27,000 --> 00:39:29,590 But there's all this other stuff that gets in the way 969 00:39:29,590 --> 00:39:31,320 before it gets to your software. 970 00:39:31,320 --> 00:39:33,160 And for some reason, your software 971 00:39:33,160 --> 00:39:36,820 just believes anything this wire says. 972 00:39:36,820 --> 00:39:39,247 So what was interesting to me was, well, you know what? 973 00:39:39,247 --> 00:39:41,580 That piece of wire from the microphone to the amplifier, 974 00:39:41,580 --> 00:39:42,350 it has a length. 975 00:39:42,350 --> 00:39:44,750 It also has a resonant frequency. 
976 00:39:44,750 --> 00:39:48,650 So what would happen if somebody generates custom electromagnetic 977 00:39:48,650 --> 00:39:51,580 interference that's optimized to latch 978 00:39:51,580 --> 00:39:53,820 onto that resonant frequency of that piece of wire? 979 00:39:53,820 --> 00:39:55,319 Well, it would go into the amplifier 980 00:39:55,319 --> 00:39:57,140 and it would get amplified. 981 00:39:57,140 --> 00:39:59,670 And then it would go into that analog/digital converter, 982 00:39:59,670 --> 00:40:02,140 and you'd pass onto the microprocessor. 983 00:40:02,140 --> 00:40:05,280 One of the questions we had was, was this possible at all? 984 00:40:05,280 --> 00:40:07,560 And if so, how hard would it be? 985 00:40:07,560 --> 00:40:10,050 What kind of power would you need to do it? 986 00:40:10,050 --> 00:40:12,840 And what would be the quality of the signal that actually 987 00:40:12,840 --> 00:40:15,020 reaches the microprocessor? 988 00:40:15,020 --> 00:40:18,460 So the fundamental reason why this is even possible 989 00:40:18,460 --> 00:40:21,780 is because we're talking about intentional, as opposed 990 00:40:21,780 --> 00:40:23,520 to accidental interference, we're 991 00:40:23,520 --> 00:40:24,770 throwing it into the baseband. 992 00:40:24,770 --> 00:40:27,320 So here's an example. 993 00:40:27,320 --> 00:40:29,040 Imagine that your medical device is 994 00:40:29,040 --> 00:40:32,140 designed to accept physiologic signals in the low hertz. 995 00:40:32,140 --> 00:40:34,330 Like your heart doesn't beat that fast. 996 00:40:34,330 --> 00:40:37,180 We're talking a few hertz or less. 997 00:40:37,180 --> 00:40:39,712 So if your electrodes were to pick up some high frequency 998 00:40:39,712 --> 00:40:41,670 signals, you'd just put in some analog filters. 999 00:40:41,670 --> 00:40:43,566 You'd say, that cannot be real, right? 
1000 00:40:43,566 --> 00:40:44,982 If your heart's beating that fast, 1001 00:40:44,982 --> 00:40:48,370 you're probably just picking up something 1002 00:40:48,370 --> 00:40:52,630 like an electric mixer while you're making your lunch. 1003 00:40:52,630 --> 00:40:55,630 So similarly you can filter out pulses in the high frequency. 1004 00:40:55,630 --> 00:40:58,450 But if you send interference that's in the baseband, 1005 00:40:58,450 --> 00:41:00,520 those filters are going to be meaningless. 1006 00:41:00,520 --> 00:41:02,730 Because those analog filters cannot get rid 1007 00:41:02,730 --> 00:41:08,750 of if it's in the same frequency area as what you're expecting. 1008 00:41:08,750 --> 00:41:11,970 So it's hard to filter in the analog. 1009 00:41:11,970 --> 00:41:13,890 So I'm going to go through a couple examples. 1010 00:41:13,890 --> 00:41:15,806 We're going to start with a Bluetooth headset, 1011 00:41:15,806 --> 00:41:18,440 and then work our way up to a medical device. 1012 00:41:18,440 --> 00:41:21,750 So Denis, he built a bunch of homebrew dipole antennas 1013 00:41:21,750 --> 00:41:23,770 and transmitters and amplifiers. 1014 00:41:23,770 --> 00:41:28,282 Now what he's got up here is you can see he's got a webcam. 1015 00:41:28,282 --> 00:41:30,490 I guess not too many of us need to buy these anymore, 1016 00:41:30,490 --> 00:41:31,820 because they're built in. 1017 00:41:31,820 --> 00:41:36,100 But that webcam has a microphone, 1018 00:41:36,100 --> 00:41:38,060 and then it's got a little USB cable 1019 00:41:38,060 --> 00:41:40,445 to deliver the audio to the computer. 1020 00:41:40,445 --> 00:41:42,320 So what he's done is he's set up the computer 1021 00:41:42,320 --> 00:41:45,790 to record the video and audio and then play it back. 1022 00:41:45,790 --> 00:41:51,230 So what's interesting is-- you'll see this now. 1023 00:41:51,230 --> 00:41:52,750 He was in a completely silent room. 1024 00:41:52,750 --> 00:41:53,958 It sort of sounded like this. 
1025 00:41:53,958 --> 00:41:57,260 All you could hear was the ventilation system. 1026 00:41:57,260 --> 00:41:58,230 He's got the camera. 1027 00:41:58,230 --> 00:42:00,021 He removed the housing, just so it's easier 1028 00:42:00,021 --> 00:42:03,630 to tap in and measure the interference. 1029 00:42:03,630 --> 00:42:06,045 And then he's got a software radio about a meter 1030 00:42:06,045 --> 00:42:09,110 away, generating custom electromagnetic interference. 1031 00:42:09,110 --> 00:42:13,950 He writes it in Python, and then sends over his signals. 1032 00:42:13,950 --> 00:42:17,210 So here's what the computer on the left 1033 00:42:17,210 --> 00:42:20,259 thought it heard, even in this silent room. 1034 00:42:20,259 --> 00:42:21,257 [AUDIO PLAYBACK] 1035 00:42:21,257 --> 00:42:22,756 [MUSIC WEEZER, "ISLAND IN THE SUN"] 1036 00:42:30,310 --> 00:42:31,230 [END PLAYBACK] 1037 00:42:31,230 --> 00:42:32,370 PROFESSOR: So yeah. 1038 00:42:32,370 --> 00:42:34,286 The last time I did that, somebody in the back 1039 00:42:34,286 --> 00:42:37,000 actually started dancing. 1040 00:42:37,000 --> 00:42:39,765 So it's actually relatively high fidelity. 1041 00:42:39,765 --> 00:42:43,020 And it actually turns out that in the manufacturing community, 1042 00:42:43,020 --> 00:42:43,990 they're so cheap. 1043 00:42:43,990 --> 00:42:46,880 They use really cheap microphones 1044 00:42:46,880 --> 00:42:48,240 with poor frequency responses. 1045 00:42:48,240 --> 00:42:50,010 So we actually got higher quality audio 1046 00:42:50,010 --> 00:42:53,520 through interference than going to the microphone. 1047 00:42:53,520 --> 00:42:55,520 So if you ever don't like your Bluetooth headset 1048 00:42:55,520 --> 00:42:57,150 and you want to play classical music, 1049 00:42:57,150 --> 00:42:58,500 just do it with interference. 1050 00:42:58,500 --> 00:43:02,010 But don't tell the FCC I told you to do that, 1051 00:43:02,010 --> 00:43:03,370 because you're not supposed to. 
1052 00:43:03,370 --> 00:43:06,820 But the point is if you're talking 1053 00:43:06,820 --> 00:43:08,950 intentional magnetic interference, 1054 00:43:08,950 --> 00:43:11,330 it's kind of outside the security model. 1055 00:43:11,330 --> 00:43:13,840 And so your processor just trusts it. 1056 00:43:13,840 --> 00:43:16,160 So some interesting things you can do. 1057 00:43:16,160 --> 00:43:18,510 Let's say your office mate decides to call up 1058 00:43:18,510 --> 00:43:21,135 his bank to make some deposits. 1059 00:43:21,135 --> 00:43:23,170 Well, you can insert DTMF tones. 1060 00:43:23,170 --> 00:43:24,900 That's kind of fun. 1061 00:43:24,900 --> 00:43:26,849 So we were just playing around. 1062 00:43:26,849 --> 00:43:28,640 You can change the language as the person's 1063 00:43:28,640 --> 00:43:31,274 trying to make deposits from account to account. 1064 00:43:31,274 --> 00:43:32,690 But it's all just interference. 1065 00:43:32,690 --> 00:43:35,310 And actually the person on the Bluetooth headset 1066 00:43:35,310 --> 00:43:36,220 didn't hear it. 1067 00:43:36,220 --> 00:43:42,124 Because remember it's coming from the person, 1068 00:43:42,124 --> 00:43:44,290 so that it doesn't actually get echoed back to them. 1069 00:43:44,290 --> 00:43:48,250 But the bank heard it and made all the transactions. 1070 00:43:48,250 --> 00:43:51,020 So there are ways to do this. 1071 00:43:51,020 --> 00:43:54,070 It doesn't take a whole bunch of analog skills. 1072 00:43:54,070 --> 00:43:55,800 We're mostly computer scientists. 1073 00:43:55,800 --> 00:43:59,140 But you do need to somehow convert 1074 00:43:59,140 --> 00:44:01,505 the signal you want to have appear at the microprocessor 1075 00:44:01,505 --> 00:44:04,980 into something else that's easier to transmit. 1076 00:44:04,980 --> 00:44:08,240 So the first thing you can do is think 1077 00:44:08,240 --> 00:44:09,727 about just overwhelming the thing 1078 00:44:09,727 --> 00:44:10,810 with a very strong signal. 
1079 00:44:10,810 --> 00:44:12,150 That's the brute force approach. 1080 00:44:12,150 --> 00:44:14,922 It doesn't work so well, but it works a little bit. 1081 00:44:14,922 --> 00:44:16,630 So if you send something out that matches 1082 00:44:16,630 --> 00:44:18,950 the resonant frequency of that little piece of wire, 1083 00:44:18,950 --> 00:44:22,110 yeah, that'll get the job done to some extent. 1084 00:44:22,110 --> 00:44:26,010 The problem is a lot of these signals are low frequency, 1085 00:44:26,010 --> 00:44:28,880 and it's more difficult to transmit. 1086 00:44:28,880 --> 00:44:30,172 It's got less power, basically. 1087 00:44:30,172 --> 00:44:32,088 So it's going to be harder to send the signal. 1088 00:44:32,088 --> 00:44:35,170 So what you really want to do is send a higher frequency signal, 1089 00:44:35,170 --> 00:44:37,620 and it's going to be easier to deliver the power. 1090 00:44:37,620 --> 00:44:40,280 But if you send a really high frequency signal, that's 1091 00:44:40,280 --> 00:44:42,065 going to be outside the baseband, 1092 00:44:42,065 --> 00:44:44,270 so all the filters are going to go at it. 1093 00:44:44,270 --> 00:44:47,130 So here's what you do instead. 1094 00:44:47,130 --> 00:44:51,840 You treat this circuit as an unintentional demodulator. 1095 00:44:51,840 --> 00:44:54,554 So what you do is, we had that original sine wave 1096 00:44:54,554 --> 00:44:55,470 we wanted to transmit. 1097 00:44:55,470 --> 00:44:58,995 Instead we modulate it onto a higher frequency sine wave. 1098 00:44:58,995 --> 00:45:02,160 And we send it in to the amplifier, 1099 00:45:02,160 --> 00:45:04,520 and eventually it's going to work its way in because 1100 00:45:04,520 --> 00:45:05,530 of sampling theory. 1101 00:45:05,530 --> 00:45:07,960 You can think about Nyquist and all that. 
1102 00:45:07,960 --> 00:45:12,370 So up on the top is the interfering signal 1103 00:45:12,370 --> 00:45:14,580 we're actually sending, and then on the bottom 1104 00:45:14,580 --> 00:45:16,240 is what the microprocessor sees. 1105 00:45:16,240 --> 00:45:18,370 Because remember the analog-to-digital converter 1106 00:45:18,370 --> 00:45:20,390 is not continuously sampling. 1107 00:45:20,390 --> 00:45:22,020 There's an interrupt on the processor. 1108 00:45:22,020 --> 00:45:24,560 Wake up, take a reading, wake up, take a reading. 1109 00:45:24,560 --> 00:45:25,935 So it's actually going to sample, 1110 00:45:25,935 --> 00:45:27,812 and then try to infer the signal. 1111 00:45:27,812 --> 00:45:29,770 So as we're sending out our really fast signal, 1112 00:45:29,770 --> 00:45:32,170 it takes a sample, it takes a sample, 1113 00:45:32,170 --> 00:45:35,180 it takes a sample, et cetera, et cetera. 1114 00:45:35,180 --> 00:45:37,750 Your microprocessor thinks it got this nice low frequency 1115 00:45:37,750 --> 00:45:40,180 sine wave, but we actually used a high frequency one, 1116 00:45:40,180 --> 00:45:44,151 because that allowed us to transmit more easily. 1117 00:45:44,151 --> 00:45:46,400 So I'm not going to go through all the nitty-gritties, 1118 00:45:46,400 --> 00:45:49,250 but another kind of cool way to do 1119 00:45:49,250 --> 00:45:54,320 this is to muck around with the non-linear components 1120 00:45:54,320 --> 00:45:55,590 of the circuit. 1121 00:45:55,590 --> 00:45:58,160 But this is all about violating security models, right? 1122 00:45:58,160 --> 00:46:00,860 So we're completely violating what the circuit designer 1123 00:46:00,860 --> 00:46:02,760 had intended. 1124 00:46:02,760 --> 00:46:06,650 It turns out that if you send in, say, 1125 00:46:06,650 --> 00:46:09,440 in this case you're sending in 826 megahertz 1126 00:46:09,440 --> 00:46:12,540 is the resonant frequency of our wire. 1127 00:46:12,540 --> 00:46:15,780 But I can't speak that fast. 
1128 00:46:15,780 --> 00:46:21,220 So what we do is we modulate our voice on an 826 megahertz 1129 00:46:21,220 --> 00:46:22,130 carrier. 1130 00:46:22,130 --> 00:46:24,690 Problem is it's going to get, for instance, all 1131 00:46:24,690 --> 00:46:27,294 this replication of the signal. 1132 00:46:27,294 --> 00:46:28,710 You're going to see the frequency. 1133 00:46:28,710 --> 00:46:30,334 Here we're looking at frequency domain. 1134 00:46:30,334 --> 00:46:31,590 It gets repeated. 1135 00:46:31,590 --> 00:46:33,490 But it turns out because of the filters built 1136 00:46:33,490 --> 00:46:35,240 into most of these devices, it's actually 1137 00:46:35,240 --> 00:46:37,531 going to chop off the repeated copies. 1138 00:46:37,531 --> 00:46:39,655 So the end of the day, what the microprocessor sees 1139 00:46:39,655 --> 00:46:41,900 is our original 1 kilohertz signal 1140 00:46:41,900 --> 00:46:43,070 we were trying to send in. 1141 00:46:43,070 --> 00:46:47,800 It's been unintentionally demodulated. 1142 00:46:47,800 --> 00:46:49,530 So that's the easiest example that I've 1143 00:46:49,530 --> 00:46:51,030 been able to come up with to explain 1144 00:46:51,030 --> 00:46:54,370 the idea of this intentional interference. 1145 00:46:54,370 --> 00:46:56,950 And now we're going to try to apply it to defibrillators 1146 00:46:56,950 --> 00:46:58,680 and medical devices. 1147 00:46:58,680 --> 00:47:02,090 So again, the defibrillator's implanted into the clavicle. 1148 00:47:02,090 --> 00:47:05,520 And it has these electrodes-- you can kind of see them here-- 1149 00:47:05,520 --> 00:47:07,640 that go into the chambers of the heart, 1150 00:47:07,640 --> 00:47:11,190 and it's used for both sensing and actuation. 1151 00:47:11,190 --> 00:47:13,190 So it's just a signal. 1152 00:47:13,190 --> 00:47:18,310 So this is the time domain, and this is the Fourier transform, 1153 00:47:18,310 --> 00:47:19,750 effectively. 
1154 00:47:19,750 --> 00:47:23,780 So this is a single heartbeat, and the heartbeat 1155 00:47:23,780 --> 00:47:26,110 is actually quite intricate. 1156 00:47:26,110 --> 00:47:27,860 The physicians have actually labeled 1157 00:47:27,860 --> 00:47:29,660 the different components of the heart rate. 1158 00:47:29,660 --> 00:47:31,560 You've got the QRS complex, which 1159 00:47:31,560 --> 00:47:33,990 is typically what you would think of as the heartbeat. 1160 00:47:33,990 --> 00:47:36,970 The actual beat is this giant R here. 1161 00:47:36,970 --> 00:47:38,890 That's the one you'll feel. 1162 00:47:38,890 --> 00:47:41,370 But there are also these other smaller waves, 1163 00:47:41,370 --> 00:47:46,110 as your tissue is energizing and relaxing. 1164 00:47:46,110 --> 00:47:49,030 So if you do a Fourier transform on your cardiac rhythm, 1165 00:47:49,030 --> 00:47:51,060 you're going to end up with most of the signal 1166 00:47:51,060 --> 00:47:53,890 in the tens of hertz. 1167 00:47:53,890 --> 00:47:55,680 You're not going to see things a whole lot 1168 00:47:55,680 --> 00:47:59,120 beyond 100 hertz in a typical cardiac signal. 1169 00:47:59,120 --> 00:48:01,531 So most of these devices are designed 1170 00:48:01,531 --> 00:48:04,030 to filter out things that are really low frequency or really 1171 00:48:04,030 --> 00:48:05,340 high frequency. 1172 00:48:05,340 --> 00:48:07,865 But if you choose to insert intentional electromagnetic 1173 00:48:07,865 --> 00:48:09,940 interference on the baseband, then it 1174 00:48:09,940 --> 00:48:12,840 gets through all the analog circuit filters. 1175 00:48:12,840 --> 00:48:14,580 And now the only approach to [INAUDIBLE] 1176 00:48:14,580 --> 00:48:18,010 that would be things more on the computer science side. 1177 00:48:18,010 --> 00:48:20,270 So this is where my students began 1178 00:48:20,270 --> 00:48:22,890 to have a little bit of fun. 
1179 00:48:22,890 --> 00:48:27,075 So we wanted to test this in as realistic a situation 1180 00:48:27,075 --> 00:48:27,790 as we could. 1181 00:48:27,790 --> 00:48:30,290 We couldn't get volunteers. 1182 00:48:30,290 --> 00:48:34,030 So instead we discovered there's actually a national standard. 1183 00:48:34,030 --> 00:48:34,850 This is a body. 1184 00:48:34,850 --> 00:48:35,835 This is you. 1185 00:48:35,835 --> 00:48:38,279 It turns out that we're all just bags of saline solution. 1186 00:48:38,279 --> 00:48:40,570 And so if you have a highly calibrated saline solution, 1187 00:48:40,570 --> 00:48:44,740 that's the best way to simulate human tissue. 1188 00:48:44,740 --> 00:48:48,360 The other thing we've done is we used the synthetic cadaver. 1189 00:48:48,360 --> 00:48:50,900 She's actually anatomically correct. 1190 00:48:50,900 --> 00:48:52,400 She's got all the same vital organs 1191 00:48:52,400 --> 00:48:53,930 as anyone else would have inside, 1192 00:48:53,930 --> 00:48:55,630 and a working circulatory system. 1193 00:48:55,630 --> 00:48:57,880 So it has all the surface properties of the RF. 1194 00:48:57,880 --> 00:49:01,730 So here we're doing radiation fluoroscopy 1195 00:49:01,730 --> 00:49:04,890 to do 3D imaging-- 4D. 1196 00:49:04,890 --> 00:49:07,716 We see light imaging as we're implanting the electrodes 1197 00:49:07,716 --> 00:49:08,840 into our synthetic cadaver. 1198 00:49:12,062 --> 00:49:13,770 So what we're going to do now is generate 1199 00:49:13,770 --> 00:49:15,145 some electromagnetic interference 1200 00:49:15,145 --> 00:49:17,520 and then try to see what the device is perceiving 1201 00:49:17,520 --> 00:49:19,610 as a trustworthy signal. 1202 00:49:19,610 --> 00:49:21,010 So a couple ways we did this. 1203 00:49:21,010 --> 00:49:25,710 In the saline solution, we used just a spool of magnet wire. 
1204 00:49:25,710 --> 00:49:28,815 Here we have the wand that's reading out the telemetry 1205 00:49:28,815 --> 00:49:30,565 to see what the device thinks it's seeing, 1206 00:49:30,565 --> 00:49:32,240 and then another experimental case. 1207 00:49:32,240 --> 00:49:34,660 So I had some leftover pipes from plumbing, 1208 00:49:34,660 --> 00:49:36,760 so we created a dipole antenna. 1209 00:49:36,760 --> 00:49:39,080 And on the back there on that poster board, 1210 00:49:39,080 --> 00:49:41,190 we created a 2D version of a patient. 1211 00:49:41,190 --> 00:49:43,890 You can see that's the curvature of the electrode, that's 1212 00:49:43,890 --> 00:49:46,000 the electrode, and then the pacemaker 1213 00:49:46,000 --> 00:49:48,300 is right underneath the tape. 1214 00:49:48,300 --> 00:49:50,700 And we're transferring to it. 1215 00:49:50,700 --> 00:49:52,457 So here's what the device thought it saw, 1216 00:49:52,457 --> 00:49:53,790 even though it wasn't happening. 1217 00:49:53,790 --> 00:49:56,460 So keep in mind this should have been a flat line, because there 1218 00:49:56,460 --> 00:49:57,100 is no patient. 1219 00:49:57,100 --> 00:49:58,600 There is no heart beating. 1220 00:49:58,600 --> 00:50:01,970 So we tried a couple different signals of interest. We 1221 00:50:01,970 --> 00:50:03,680 pulsed a sinusoid. 1222 00:50:03,680 --> 00:50:06,020 So that's really a sine wave, but it's 1223 00:50:06,020 --> 00:50:07,295 so fast you can't quite tell. 1224 00:50:07,295 --> 00:50:09,670 But we pulsed it like a heart beat. 1225 00:50:09,670 --> 00:50:12,470 So every one second we sent out a pulse. 1226 00:50:12,470 --> 00:50:15,380 And then we also did one that's modulated. 1227 00:50:15,380 --> 00:50:17,430 That's a little bit noisier. 1228 00:50:17,430 --> 00:50:21,020 So this is a screenshot of the pacemaker programmer 1229 00:50:21,020 --> 00:50:24,100 which tells us live what telemetry is going out. 
1230 00:50:24,100 --> 00:50:27,220 And it's hard to read, but the little green up there, 1231 00:50:27,220 --> 00:50:30,870 VP, says that the device sent out the ventricular pace. 1232 00:50:30,870 --> 00:50:33,520 This is the pacemaker sending an artificial heartbeat, 1233 00:50:33,520 --> 00:50:36,449 basically, to make the tissue contract. 1234 00:50:36,449 --> 00:50:37,990 What's interesting is when we started 1235 00:50:37,990 --> 00:50:40,320 sending our interference, it got what's 1236 00:50:40,320 --> 00:50:42,330 called a VS, a ventricular sense. 1237 00:50:42,330 --> 00:50:44,520 The little purple VS, there's three of them. 1238 00:50:44,520 --> 00:50:46,400 So the pacemaker thought that the heart was 1239 00:50:46,400 --> 00:50:48,710 beating on its own, so it chose to inhibit the pacing 1240 00:50:48,710 --> 00:50:50,446 to save power. 1241 00:50:50,446 --> 00:50:52,320 And then when we turned off the interference, 1242 00:50:52,320 --> 00:50:54,240 the pacing began again. 1243 00:50:54,240 --> 00:50:57,840 Similarly over here you see where the interference starts, 1244 00:50:57,840 --> 00:51:00,130 and it's sensing ventricular sense. 1245 00:51:00,130 --> 00:51:03,140 It says, oh, the body's pacing itself naturally. 1246 00:51:03,140 --> 00:51:05,840 I don't need to waste my energy pacing the heart. 1247 00:51:05,840 --> 00:51:08,070 So we're able to induce that interference, 1248 00:51:08,070 --> 00:51:09,910 and then trick the microprocessor 1249 00:51:09,910 --> 00:51:13,560 into believing the wrong state. 1250 00:51:13,560 --> 00:51:15,030 There is a silver lining, though. 1251 00:51:15,030 --> 00:51:18,900 The good news is, that only works in vitro. 1252 00:51:18,900 --> 00:51:21,800 Whenever we would do this in saline solution 1253 00:51:21,800 --> 00:51:23,920 or in anything that approximated the body, 1254 00:51:23,920 --> 00:51:25,400 it basically didn't work. 
1255 00:51:25,400 --> 00:51:26,900 And that's because your body absorbs 1256 00:51:26,900 --> 00:51:30,800 a lot of that RF energy, and it doesn't actually 1257 00:51:30,800 --> 00:51:31,750 get to the sensor. 1258 00:51:31,750 --> 00:51:34,010 So the closest we were able to get this to work 1259 00:51:34,010 --> 00:51:39,180 was, with the saline, like three centimeters. 1260 00:51:39,180 --> 00:51:41,540 So that basically means there's no worry 1261 00:51:41,540 --> 00:51:44,370 for this particular kind of interference from an implant. 1262 00:51:44,370 --> 00:51:47,610 However, an externally worn device, we don't know. 1263 00:51:47,610 --> 00:51:50,600 We hadn't done any tests on insulin pumps yet. 1264 00:51:50,600 --> 00:51:52,100 There are plenty of different kinds. 1265 00:51:52,100 --> 00:51:53,683 There's glucose sensors, for instance, 1266 00:51:53,683 --> 00:51:57,970 that are percutaneous. 1267 00:51:57,970 --> 00:52:00,010 I wouldn't be surprised if someone here has one. 1268 00:52:00,010 --> 00:52:01,610 They're pretty common. 1269 00:52:01,610 --> 00:52:04,540 But we just don't know yet. 1270 00:52:04,540 --> 00:52:10,210 But one of the approaches we're taking to solve this 1271 00:52:10,210 --> 00:52:12,630 follows the end-to-end principle to some extent. 1272 00:52:12,630 --> 00:52:14,607 A lot of these, I just don't think 1273 00:52:14,607 --> 00:52:16,190 the analog is able to distinguish good 1274 00:52:16,190 --> 00:52:17,520 from bad signal. 1275 00:52:17,520 --> 00:52:20,340 And so you have to do it closer to the application layer. 1276 00:52:20,340 --> 00:52:27,440 So one of the defenses that we tried out was the following. 1277 00:52:27,440 --> 00:52:30,694 It has its own limitations, but here's the basic idea. 1278 00:52:30,694 --> 00:52:32,860 So imagine you're a pacemaker, and you want to know, 1279 00:52:32,860 --> 00:52:35,000 are you getting a trustworthy signal? 
1280 00:52:35,000 --> 00:52:37,370 So what you do is you selectively 1281 00:52:37,370 --> 00:52:41,930 choose to send test pulses every now and then, to basically keep 1282 00:52:41,930 --> 00:52:43,100 the adversary in check. 1283 00:52:43,100 --> 00:52:45,890 So here's the interesting thing we discovered when we worked 1284 00:52:45,890 --> 00:52:47,440 with electrophysiologists. 1285 00:52:47,440 --> 00:52:49,340 We learned that if you send a pacing pulse 1286 00:52:49,340 --> 00:52:52,830 to a heart that recently was beating, within about 200 1287 00:52:52,830 --> 00:52:55,750 milliseconds, that cardiac tissue is physically 1288 00:52:55,750 --> 00:52:57,360 incapable of beating again. 1289 00:52:57,360 --> 00:53:00,110 It's also physically incapable of sending out 1290 00:53:00,110 --> 00:53:01,800 an electrical response, just because 1291 00:53:01,800 --> 00:53:05,300 of the polarization-- the way that cardiac tissue works. 1292 00:53:05,300 --> 00:53:08,360 So we said, so what would happen if we send an extra pacing 1293 00:53:08,360 --> 00:53:11,230 pulse right after a ventricular sense? 1294 00:53:11,230 --> 00:53:14,700 He said, oh, well, if the heart actually 1295 00:53:14,700 --> 00:53:17,310 had beat, as your sensor told you, 1296 00:53:17,310 --> 00:53:18,950 then you should get no response. 1297 00:53:18,950 --> 00:53:21,400 Because it would be incapable of sending a response. 1298 00:53:21,400 --> 00:53:23,860 So therefore, if we saw the heart send us 1299 00:53:23,860 --> 00:53:26,160 an electrical signal back, we knew-- then 1300 00:53:26,160 --> 00:53:28,190 that proves to us that we were fooled 1301 00:53:28,190 --> 00:53:29,720 on the previous heartbeat. 1302 00:53:29,720 --> 00:53:32,910 And there we raise our warning signs 1303 00:53:32,910 --> 00:53:34,450 that it appears to be we're getting 1304 00:53:34,450 --> 00:53:36,550 intentional electromagnetic interference. 
1305 00:53:36,550 --> 00:53:38,760 So the basic idea is, again, we probe it, 1306 00:53:38,760 --> 00:53:40,450 and we make use of some of what we 1307 00:53:40,450 --> 00:53:42,740 know about the physiology of the body 1308 00:53:42,740 --> 00:53:45,020 to have better trustworthiness. 1309 00:53:45,020 --> 00:53:48,170 Another approach we didn't look into too deeply 1310 00:53:48,170 --> 00:53:50,223 was looking at propagation delay. 1311 00:53:50,223 --> 00:53:52,440 Because if you have electromagnetic interference 1312 00:53:52,440 --> 00:53:54,620 coming at you, it's basically light, right? 1313 00:53:54,620 --> 00:53:55,810 Speed of light. 1314 00:53:55,810 --> 00:53:59,370 And if it's hitting you all at once, if you have two sensors, 1315 00:53:59,370 --> 00:54:02,240 and you simultaneously see the same cardiac signal 1316 00:54:02,240 --> 00:54:04,890 at the same time, something's wrong. 1317 00:54:04,890 --> 00:54:07,480 Because there's an electrochemical propagation 1318 00:54:07,480 --> 00:54:10,115 delay from your vagus nerve as the electrical signal 1319 00:54:10,115 --> 00:54:12,390 is traveling down through your heart. 1320 00:54:12,390 --> 00:54:14,430 So there are other ways to try to tease out 1321 00:54:14,430 --> 00:54:18,050 whether the physiologic signal is trustworthy, 1322 00:54:18,050 --> 00:54:19,960 but this is new ground. 1323 00:54:19,960 --> 00:54:22,610 There's not a lot going on in this space yet. 1324 00:54:22,610 --> 00:54:25,191 A lot of fun projects for graduate and undergraduate 1325 00:54:25,191 --> 00:54:25,690 research. 1326 00:54:29,300 --> 00:54:33,070 We end at-- oh, 25? 1327 00:54:33,070 --> 00:54:33,830 Oh. 1328 00:54:33,830 --> 00:54:38,095 So I want to tell you about another project, 1329 00:54:38,095 --> 00:54:41,350 and that is detecting malware at power outlets. 
1330 00:54:41,350 --> 00:54:47,030 So a few years ago, one of my students, Shane, he said, 1331 00:54:47,030 --> 00:54:50,160 hey, I built this power outlet, and I can tell 1332 00:54:50,160 --> 00:54:52,630 what website you're browsing. 1333 00:54:52,630 --> 00:54:57,530 So he put a little sense resistor in here, 1334 00:54:57,530 --> 00:54:59,810 and he measures what's called the phase 1335 00:54:59,810 --> 00:55:01,850 shift in the reactive power. 1336 00:55:01,850 --> 00:55:05,980 It's basically a proxy for the load on your computer. 1337 00:55:05,980 --> 00:55:08,980 And he can basically tell how your computer-- how 1338 00:55:08,980 --> 00:55:11,670 your processor is changing the load as it's 1339 00:55:11,670 --> 00:55:14,570 going out onto the AC power system. 1340 00:55:14,570 --> 00:55:15,560 This is not new. 1341 00:55:15,560 --> 00:55:17,539 Has anyone heard of Tempest? 1342 00:55:17,539 --> 00:55:18,330 Tempest protection? 1343 00:55:18,330 --> 00:55:19,130 A few of you. 1344 00:55:19,130 --> 00:55:22,230 So Tempest has been around for years. 1345 00:55:22,230 --> 00:55:25,620 Basically signals leak all over the place, 1346 00:55:25,620 --> 00:55:27,750 and so there's a whole fine art to stopping signals 1347 00:55:27,750 --> 00:55:29,730 from leaking. 1348 00:55:29,730 --> 00:55:31,310 What was interesting to me was, I 1349 00:55:31,310 --> 00:55:33,143 like to keep all my old computers-- actually 1350 00:55:33,143 --> 00:55:35,670 I have an exokernel machine. 1351 00:55:35,670 --> 00:55:39,307 And it's an old-- I think it's a Pentium 4. 1352 00:55:39,307 --> 00:55:41,640 And this was before there was advanced power management. 1353 00:55:41,640 --> 00:55:44,139 So if you measured the power coming out of this old Pentium, 1354 00:55:44,139 --> 00:55:44,942 it was constant. 1355 00:55:44,942 --> 00:55:46,900 Just doesn't matter if you were doing anything. 1356 00:55:46,900 --> 00:55:49,950 If you have a spin while loop, doesn't matter. 
1357 00:55:49,950 --> 00:55:53,600 It's the same thing as actually doing processing. 1358 00:55:53,600 --> 00:55:56,440 But if you buy a modern computer, whether it be desktop 1359 00:55:56,440 --> 00:56:00,150 or phone, your workload is being revealed over the power 1360 00:56:00,150 --> 00:56:02,240 line in subtle ways. 1361 00:56:02,240 --> 00:56:08,789 And so what he discovered was what's going on here. 1362 00:56:08,789 --> 00:56:10,330 If you have an embedded system that's 1363 00:56:10,330 --> 00:56:13,740 very difficult to change, and you want to retrofit security 1364 00:56:13,740 --> 00:56:19,560 onto it, what you can do is put in basically a power strip. 1365 00:56:19,560 --> 00:56:21,400 An intelligent power strip. 1366 00:56:21,400 --> 00:56:25,581 And it uses machine learning classification of the frequency 1367 00:56:25,581 --> 00:56:26,080 domain. 1368 00:56:26,080 --> 00:56:27,650 Actually looking at the frequency components 1369 00:56:27,650 --> 00:56:28,733 of your power consumption. 1370 00:56:28,733 --> 00:56:31,010 It's not looking at how much power you consume. 1371 00:56:31,010 --> 00:56:34,530 Instead it's looking at how often do you consume it. 1372 00:56:34,530 --> 00:56:36,960 So let me give you some intuition here. 1373 00:56:36,960 --> 00:56:38,870 So imagine you have a medical device that 1374 00:56:38,870 --> 00:56:41,020 gets infected by malware. 1375 00:56:41,020 --> 00:56:44,960 Let's say this malware is going to wake up every few minutes 1376 00:56:44,960 --> 00:56:46,060 to send out spam. 1377 00:56:46,060 --> 00:56:49,058 How might that change the power consumption? 1378 00:56:54,220 --> 00:56:55,108 Yeah. 1379 00:56:55,108 --> 00:56:56,024 AUDIENCE: [INAUDIBLE]. 1380 00:56:58,535 --> 00:57:00,660 PROFESSOR: Yeah, every few minutes that interrupt's 1381 00:57:00,660 --> 00:57:02,910 going to go off, and the processor's going to wake up. 1382 00:57:02,910 --> 00:57:05,850 It's probably going to power up its memory.
1383 00:57:05,850 --> 00:57:09,400 It's going to do some cycling, or it might actually 1384 00:57:09,400 --> 00:57:11,490 insert a few extra cycles in what 1385 00:57:11,490 --> 00:57:14,540 used to be a very constant set of instructions. 1386 00:57:14,540 --> 00:57:17,527 Medical devices generally do a small set of things, 1387 00:57:17,527 --> 00:57:19,235 as opposed to a general purpose computer. 1388 00:57:19,235 --> 00:57:21,290 So it's a very regular pattern. 1389 00:57:21,290 --> 00:57:23,610 So when you suddenly have malware getting in, 1390 00:57:23,610 --> 00:57:27,510 it just changes the behavior of its power consumption patterns. 1391 00:57:27,510 --> 00:57:28,510 So you can pick that up. 1392 00:57:28,510 --> 00:57:29,635 You do a Fourier transform. 1393 00:57:29,635 --> 00:57:32,640 You do some other magic involving machine learning. 1394 00:57:32,640 --> 00:57:34,080 The devil's in the details. 1395 00:57:34,080 --> 00:57:36,820 But you can basically use the machine learning 1396 00:57:36,820 --> 00:57:40,670 to identify with very high precision, very high accuracy, 1397 00:57:40,670 --> 00:57:42,850 low false positive, low false negative, 1398 00:57:42,850 --> 00:57:45,840 the presence of malware and other anomalies. 1399 00:57:45,840 --> 00:57:47,880 And so that's a project he had been working 1400 00:57:47,880 --> 00:57:49,870 on for a number of years. 1401 00:57:49,870 --> 00:57:52,130 He initially created this project, though, 1402 00:57:52,130 --> 00:57:54,819 to identify what website you were browsing. 1403 00:57:54,819 --> 00:57:57,360 And unfortunately, he submitted it to a bunch of conferences, 1404 00:57:57,360 --> 00:58:01,860 and they all said, well, why would you ever want to do that? 1405 00:58:01,860 --> 00:58:04,410 But it's kind of interesting, because he picked the top 50 1406 00:58:04,410 --> 00:58:05,870 Alexa websites. 
1407 00:58:05,870 --> 00:58:07,890 And then he profiled his computer, 1408 00:58:07,890 --> 00:58:10,700 used that as a training set for the machine learning, 1409 00:58:10,700 --> 00:58:13,520 and then again, with very high accuracy, very high precision, 1410 00:58:13,520 --> 00:58:16,350 was able to identify which website you were going to. 1411 00:58:16,350 --> 00:58:19,060 And we were really confused why it worked at all. 1412 00:58:19,060 --> 00:58:21,370 And we still don't know exactly why, 1413 00:58:21,370 --> 00:58:22,703 but we have some strong hunches. 1414 00:58:22,703 --> 00:58:26,540 And [INAUDIBLE] Drupal. 1415 00:58:26,540 --> 00:58:29,020 So there's been a movement over the last 10 years 1416 00:58:29,020 --> 00:58:33,396 on websites to move from-- who still writes in Emacs HTML? 1417 00:58:33,396 --> 00:58:35,045 All right, me too. 1418 00:58:35,045 --> 00:58:37,170 That's why I have all these mistakes on my website. 1419 00:58:37,170 --> 00:58:40,190 But there has been a large movement, especially 1420 00:58:40,190 --> 00:58:43,025 in institutions, to have code automatically generate 1421 00:58:43,025 --> 00:58:47,340 a web content file that follows a very regular structure. 1422 00:58:47,340 --> 00:58:49,525 So can you imagine if you go to CNN.com, 1423 00:58:49,525 --> 00:58:52,290 and they always have an ad in the upper right-hand corner, 1424 00:58:52,290 --> 00:58:55,860 with flash animation that lasts exactly 22 seconds? 1425 00:58:55,860 --> 00:58:59,500 So your GPU might kick in at a very regular rate. 1426 00:58:59,500 --> 00:59:01,740 So some very interesting things bleed through 1427 00:59:01,740 --> 00:59:04,790 into the power consumption patterns from the web browser, 1428 00:59:04,790 --> 00:59:06,820 and from other things in your operating system, 1429 00:59:06,820 --> 00:59:09,670 as a result of your activity. 1430 00:59:09,670 --> 00:59:12,726 The only website we couldn't classify too well was GoDaddy. 
1431 00:59:12,726 --> 00:59:16,230 We still don't know why, but we don't care. 1432 00:59:21,406 --> 00:59:23,530 So this is going to branch a little bit further out 1433 00:59:23,530 --> 00:59:26,156 from the security side. 1434 00:59:26,156 --> 00:59:27,530 But one of the things you find is 1435 00:59:27,530 --> 00:59:31,500 that when you're helping your colleagues in the hospital 1436 00:59:31,500 --> 00:59:34,002 system, they often ask back for some of your help. 1437 00:59:34,002 --> 00:59:35,460 And one of the interesting projects 1438 00:59:35,460 --> 00:59:37,376 that we got involved with, purely by accident, 1439 00:59:37,376 --> 00:59:40,640 from some of the pacemaker security work 1440 00:59:40,640 --> 00:59:43,800 was in some humanitarian aid in developing countries, 1441 00:59:43,800 --> 00:59:47,010 especially Ghana, to give patients new life. 1442 00:59:47,010 --> 00:59:48,955 Literally new life, because it turns out 1443 00:59:48,955 --> 00:59:50,580 if you don't have a health care system, 1444 00:59:50,580 --> 00:59:52,730 it's very difficult to, say, get a $40,000 1445 00:59:52,730 --> 00:59:54,910 pacemaker plus the surgical team. 1446 00:59:54,910 --> 00:59:56,499 Very challenging. 1447 00:59:56,499 --> 00:59:58,040 So what they've been doing is they've 1448 00:59:58,040 --> 01:00:01,690 been recovering discarded pacemakers and defibrillators, 1449 01:00:01,690 --> 01:00:02,835 and then sterilizing them. 1450 01:00:02,835 --> 01:00:04,210 It's actually pretty interesting. 1451 01:00:04,210 --> 01:00:06,001 You have to use-- well, you don't have to-- 1452 01:00:06,001 --> 01:00:10,260 but what's typically used is ethylene oxide. 1453 01:00:10,260 --> 01:00:12,685 It's a gas chamber to sterilize and remove 1454 01:00:12,685 --> 01:00:15,680 all the pyrogens, things that cause fever. 1455 01:00:15,680 --> 01:00:17,130 But these devices are sterilized, 1456 01:00:17,130 --> 01:00:18,650 and then reimplanted in patients. 
1457 01:00:18,650 --> 01:00:19,810 So here's a gentleman. 1458 01:00:19,810 --> 01:00:22,010 I believe he was suffering from a slow heart 1459 01:00:22,010 --> 01:00:25,050 rate, which was basically a death sentence for him. 1460 01:00:25,050 --> 01:00:27,200 But because he was able to get a pacemaker, 1461 01:00:27,200 --> 01:00:29,670 it gave him extra years of life. 1462 01:00:29,670 --> 01:00:32,470 So the problem they came to us with was, 1463 01:00:32,470 --> 01:00:35,100 how do they know if the devices are still safe? 1464 01:00:35,100 --> 01:00:36,990 They weren't even used. 1465 01:00:36,990 --> 01:00:39,370 So obviously you can look at the battery life. 1466 01:00:39,370 --> 01:00:40,620 So that's one thing you do. 1467 01:00:40,620 --> 01:00:42,430 And if the battery is too low, you 1468 01:00:42,430 --> 01:00:46,276 would not reimplant it, because that wouldn't last too long. 1469 01:00:46,276 --> 01:00:48,150 But then what about some of the other things? 1470 01:00:48,150 --> 01:00:49,887 Has some of the metal corroded? 1471 01:00:49,887 --> 01:00:52,220 How do we do an end-to-end check to see if you can still 1472 01:00:52,220 --> 01:00:54,200 detect arrhythmias properly? 1473 01:00:54,200 --> 01:00:58,360 So the students in my lab created a special tester 1474 01:00:58,360 --> 01:01:02,770 that sends out what you would see 1475 01:01:02,770 --> 01:01:08,860 from the electrical components of cardiac arrhythmias. 1476 01:01:08,860 --> 01:01:10,220 Things other than sinusoid. 1477 01:01:10,220 --> 01:01:12,470 Cardiac rhythms that you wouldn't want to have, right? 1478 01:01:12,470 --> 01:01:13,640 So, anomalies. 1479 01:01:13,640 --> 01:01:16,000 And it replays these against the pacemaker leads. 1480 01:01:16,000 --> 01:01:18,590 The pacemaker thinks it's connected to the patient, 1481 01:01:18,590 --> 01:01:19,530 and then it responds. 
1482 01:01:19,530 --> 01:01:21,030 And so we check that response to see 1483 01:01:21,030 --> 01:01:23,960 if it's actually diagnosing the cardiac arrhythmias, 1484 01:01:23,960 --> 01:01:26,350 and whether it's actually sending out the lifesaving 1485 01:01:26,350 --> 01:01:28,080 shocks properly. 1486 01:01:28,080 --> 01:01:33,280 So they're now starting to test this through the whole FDA 1487 01:01:33,280 --> 01:01:35,760 process to get their blessing. 1488 01:01:35,760 --> 01:01:37,220 And that's a work in progress. 1489 01:01:37,220 --> 01:01:39,660 But it's called the My Heart Your Heart program. 1490 01:01:39,660 --> 01:01:42,110 You can go look it up if you're curious about it. 1491 01:01:42,110 --> 01:01:45,000 And then we also interact quite a bit 1492 01:01:45,000 --> 01:01:47,060 with the medical device manufacturing community. 1493 01:01:47,060 --> 01:01:50,720 We bring them in each summer out to Ann Arbor, 1494 01:01:50,720 --> 01:01:54,930 and we have the manufacturers sit down, 1495 01:01:54,930 --> 01:01:58,230 while some of the persons who are in charge of running 1496 01:01:58,230 --> 01:01:59,980 hospitals sit down next to them, and they 1497 01:01:59,980 --> 01:02:05,740 start sharing their gripes and problems with medical devices. 1498 01:02:05,740 --> 01:02:09,270 We had one company come in and just reveal all the problems 1499 01:02:09,270 --> 01:02:11,507 that none of the people would respond to 1500 01:02:11,507 --> 01:02:12,965 at the medical device manufacturer. 1501 01:02:12,965 --> 01:02:16,550 And one guy in the corner was like, that's my team. 1502 01:02:16,550 --> 01:02:18,899 And so they decided to go out for lunch, have a beer, 1503 01:02:18,899 --> 01:02:20,190 and just work out the problems. 1504 01:02:20,190 --> 01:02:21,950 So a lot of it is cultural. 1505 01:02:21,950 --> 01:02:26,070 So I don't know if anyone here has done any security analysis 1506 01:02:26,070 --> 01:02:27,890 work, or reverse engineering. 
1507 01:02:27,890 --> 01:02:29,618 Anyone here? 1508 01:02:29,618 --> 01:02:30,710 Couple people. 1509 01:02:30,710 --> 01:02:32,610 So it's really delicate. 1510 01:02:32,610 --> 01:02:34,710 It's almost an art, because you're 1511 01:02:34,710 --> 01:02:37,430 dealing with the social elements of the manufacturing side. 1512 01:02:37,430 --> 01:02:39,680 And it's even more so in medical device manufacturing, 1513 01:02:39,680 --> 01:02:41,940 because lives are at stake. 1514 01:02:41,940 --> 01:02:43,900 And so it can be very, very tricky 1515 01:02:43,900 --> 01:02:46,740 to share these kinds of problems with the people who 1516 01:02:46,740 --> 01:02:48,630 are most able to fix it. 1517 01:02:48,630 --> 01:02:51,450 So it often results in in-person meetings 1518 01:02:51,450 --> 01:02:55,810 and actually going to their facilities. 1519 01:02:55,810 --> 01:02:58,010 So I want to save some more time here. 1520 01:02:58,010 --> 01:02:59,510 Hopefully we'll have some questions, 1521 01:02:59,510 --> 01:03:02,930 because I think we have five or 10 minutes. 1522 01:03:02,930 --> 01:03:07,020 But I want to dispel a couple of myths. 1523 01:03:07,020 --> 01:03:10,630 You'll hear a lot of newspaper headlines and TV shows 1524 01:03:10,630 --> 01:03:14,290 talking about hackers breaking into medical devices. 1525 01:03:14,290 --> 01:03:18,037 Let me say it is a problem, but it's not the problem. 1526 01:03:18,037 --> 01:03:19,870 It's not the only problem, and it's probably 1527 01:03:19,870 --> 01:03:22,124 not the most significant problem. 1528 01:03:22,124 --> 01:03:24,040 And it's hard to say that, especially when you 1529 01:03:24,040 --> 01:03:25,952 enjoy doing security analysis. 1530 01:03:25,952 --> 01:03:27,910 It's hard to say that, because there's actually 1531 01:03:27,910 --> 01:03:29,900 two problems that I think are more important. 1532 01:03:29,900 --> 01:03:34,200 One is preventing wide-scale unavailability of patient care. 
1533 01:03:34,200 --> 01:03:36,080 Because forget adversaries-- what if you just 1534 01:03:36,080 --> 01:03:37,990 have malware that accidentally breaks 1535 01:03:37,990 --> 01:03:40,254 into a medical device in a monoculture 1536 01:03:40,254 --> 01:03:42,420 where they're all running the same operating system? 1537 01:03:42,420 --> 01:03:44,860 What happens when you lose 50,000 infusion 1538 01:03:44,860 --> 01:03:46,470 pumps all at once? 1539 01:03:46,470 --> 01:03:49,970 It's very difficult to deliver patient care. 1540 01:03:49,970 --> 01:03:55,120 One of my colleagues wrote to me saying that his cath labs were 1541 01:03:55,120 --> 01:03:55,780 shut down. 1542 01:03:55,780 --> 01:03:58,949 Catheterization lab is a relatively new specialization. 1543 01:03:58,949 --> 01:04:00,490 It's a special kind of operating room 1544 01:04:00,490 --> 01:04:02,600 for minimally invasive surgery. 1545 01:04:02,600 --> 01:04:05,620 And at his hospital, they had to shut down 1546 01:04:05,620 --> 01:04:08,060 the cath lab, because it turned out a nurse 1547 01:04:08,060 --> 01:04:10,480 had accidentally brought in a USB stick. 1548 01:04:10,480 --> 01:04:12,960 Something about transferring family photos up to Yahoo. 1549 01:04:12,960 --> 01:04:14,770 And somehow malware had gotten in 1550 01:04:14,770 --> 01:04:17,300 and infected their cath labs. 1551 01:04:17,300 --> 01:04:20,360 So they had to shut the thing down. 1552 01:04:20,360 --> 01:04:22,190 So if you're waiting to get an angioplasty, 1553 01:04:22,190 --> 01:04:24,106 that particular center's not available to you. 1554 01:04:24,106 --> 01:04:26,520 You'll have to use one of the backup centers. 1555 01:04:26,520 --> 01:04:29,940 So availability is, I think, one of the key things that is often 1556 01:04:29,940 --> 01:04:32,640 forgotten about in security. 1557 01:04:32,640 --> 01:04:35,820 Second one is the integrity of the sensor.
1558 01:04:35,820 --> 01:04:38,340 So if your medical device gets infected 1559 01:04:38,340 --> 01:04:43,240 by malware, or any kind of malicious software, 1560 01:04:43,240 --> 01:04:44,490 things are going to change. 1561 01:04:44,490 --> 01:04:45,948 Things are going to change in a way 1562 01:04:45,948 --> 01:04:47,980 that the designers didn't anticipate. 1563 01:04:47,980 --> 01:04:50,240 So a very simple example. 1564 01:04:50,240 --> 01:04:53,670 Let's say some malware gets in, and adds a timer 1565 01:04:53,670 --> 01:04:58,440 to every now and then wake up, send some network packets, 1566 01:04:58,440 --> 01:05:00,630 and send out some spam. 1567 01:05:00,630 --> 01:05:01,980 This took some time. 1568 01:05:01,980 --> 01:05:04,697 Well, what happens if your medical device assumed 1569 01:05:04,697 --> 01:05:07,030 that it had complete control over the interrupt handler, 1570 01:05:07,030 --> 01:05:09,700 and suddenly now it's missing interrupts? 1571 01:05:09,700 --> 01:05:12,720 Maybe the sensor has some data to supply 1572 01:05:12,720 --> 01:05:14,940 to the medical device, but because of the malware, 1573 01:05:14,940 --> 01:05:16,990 it missed the interrupt. 1574 01:05:16,990 --> 01:05:19,420 You may actually start misdiagnosing patients now, 1575 01:05:19,420 --> 01:05:22,977 because that device is going to be getting bad data. 1576 01:05:22,977 --> 01:05:24,685 So I'm very concerned about the integrity 1577 01:05:24,685 --> 01:05:25,780 of the medical sensors. 1578 01:05:25,780 --> 01:05:29,210 There was actually a reported case of a high-risk pregnancy 1579 01:05:29,210 --> 01:05:30,900 monitor getting infected with malware 1580 01:05:30,900 --> 01:05:33,400 and giving out incorrect readings. 1581 01:05:33,400 --> 01:05:36,770 The good news is a highly-trained clinician 1582 01:05:36,770 --> 01:05:40,800 can look at the device and say, that makes no sense. 
1583 01:05:40,800 --> 01:05:44,300 That's not a sane number coming out of my medical device. 1584 01:05:44,300 --> 01:05:47,990 But we're basically cutting down the safety margins 1585 01:05:47,990 --> 01:05:52,859 when we can't have the integrity of our medical sensors. 1586 01:05:52,859 --> 01:05:54,775 As I mentioned, very difficult to bolt on this 1587 01:05:54,775 --> 01:05:57,570 stuff after the fact. 1588 01:05:57,570 --> 01:06:00,100 You think changing software's hard on an internet scale? 1589 01:06:00,100 --> 01:06:01,690 Try it on a medical device. 1590 01:06:01,690 --> 01:06:06,070 So I met a guy from one hospital where his MRI is still 1591 01:06:06,070 --> 01:06:08,840 running on Windows 95. 1592 01:06:08,840 --> 01:06:14,040 I have a pacemaker programmer that runs on OS/2. 1593 01:06:14,040 --> 01:06:17,440 And they recently upgraded to Windows XP. 1594 01:06:17,440 --> 01:06:21,100 So they have some really old stuff out there, so changing 1595 01:06:21,100 --> 01:06:25,410 things for security after the fact is going to be difficult. 1596 01:06:25,410 --> 01:06:28,700 Not impossible, but difficult. And the other reason 1597 01:06:28,700 --> 01:06:31,380 is the interruption of clinical workflow. 1598 01:06:31,380 --> 01:06:32,880 If you ever go off and want to start 1599 01:06:32,880 --> 01:06:35,585 implementing medical devices or doing something 1600 01:06:35,585 --> 01:06:36,960 security related for health care, 1601 01:06:36,960 --> 01:06:39,050 I encourage you to go off and call up some people, 1602 01:06:39,050 --> 01:06:41,050 and say, hey, can I go into your operating room? 1603 01:06:41,050 --> 01:06:43,630 That's what we did. 1604 01:06:43,630 --> 01:06:45,850 Because you'll see some weird things happen. 1605 01:06:45,850 --> 01:06:49,360 I took all my students to live surgery, pediatric surgery. 
1606 01:06:49,360 --> 01:06:52,040 And as they were watching the surgery, 1607 01:06:52,040 --> 01:06:55,626 they were watching one clinician checking Gmail 1608 01:06:55,626 --> 01:06:57,385 on one of the medical devices. 1609 01:06:57,385 --> 01:07:01,780 And they're like, oh OK, so, drive-by downloads, check. 1610 01:07:01,780 --> 01:07:04,940 At the same time, they wanted to calm the patient, 1611 01:07:04,940 --> 01:07:10,290 so they logged into Pandora to play music. 1612 01:07:10,290 --> 01:07:12,290 Actually I was just at my dentist the other day, 1613 01:07:12,290 --> 01:07:13,900 and she was playing Pandora. 1614 01:07:13,900 --> 01:07:18,290 And these ads for various beers started coming up on the screen 1615 01:07:18,290 --> 01:07:19,915 as she was looking at my dental x-rays. 1616 01:07:19,915 --> 01:07:22,825 And I was trying to figure out why Dos Equis was on my-- I 1617 01:07:22,825 --> 01:07:26,191 was like, did I drink that much? 1618 01:07:26,191 --> 01:07:27,940 She's like, no, we just play Pandora here. 1619 01:07:27,940 --> 01:07:31,080 It's the same web browser, and just click here. 1620 01:07:31,080 --> 01:07:34,440 So there's a lot of mixing going on. 1621 01:07:34,440 --> 01:07:37,730 Maybe it's not malicious, but it's opening cracks. 1622 01:07:37,730 --> 01:07:39,450 It's out of sight, out of mind. 1623 01:07:39,450 --> 01:07:41,870 The hand washing sterile technique 1624 01:07:41,870 --> 01:07:44,630 is driven into the mindset of anyone who's a clinician. 1625 01:07:44,630 --> 01:07:45,560 Wash your hands. 1626 01:07:45,560 --> 01:07:47,470 Don't touch the gloves after you put them on. 1627 01:07:47,470 --> 01:07:49,170 But when it comes to security hygiene, 1628 01:07:49,170 --> 01:07:51,000 it's really out of sight, out of mind. 1629 01:07:51,000 --> 01:07:52,602 It's not part of the culture yet. 1630 01:07:52,602 --> 01:07:54,060 They don't even realize they should 1631 01:07:54,060 --> 01:07:55,260 be asking these questions.
1632 01:07:55,260 --> 01:07:57,680 Should I be running Pandora on the same device that's 1633 01:07:57,680 --> 01:08:00,657 controlling my x-rays? 1634 01:08:00,657 --> 01:08:02,740 But the important thing on the designer side 1635 01:08:02,740 --> 01:08:04,480 is not to interrupt the clinical workflow. 1636 01:08:04,480 --> 01:08:05,920 Because that's when mistakes happen. 1637 01:08:05,920 --> 01:08:07,540 You want to keep the clinical workflow 1638 01:08:07,540 --> 01:08:11,960 regular, predictable, easy for them to make decisions. 1639 01:08:11,960 --> 01:08:16,202 And if you add a new dialog box to enter a password, what 1640 01:08:16,202 --> 01:08:18,410 do you think a problem could be in the operating room 1641 01:08:18,410 --> 01:08:20,620 if you ask the clinician to enter a password, say, 1642 01:08:20,620 --> 01:08:21,640 every ten minutes? 1643 01:08:28,540 --> 01:08:29,689 Distractions? 1644 01:08:29,689 --> 01:08:31,640 You're sitting there, doing this, right? 1645 01:08:31,640 --> 01:08:32,700 Scalpel. 1646 01:08:32,700 --> 01:08:34,695 Oh, yeah, let me walk over here and type in my 1647 01:08:34,695 --> 01:08:36,250 pass-- oh, no, I got my gloves on. 1648 01:08:36,250 --> 01:08:37,580 Let me take those off. 1649 01:08:37,580 --> 01:08:39,390 Oh, I've got to resterilize now. 1650 01:08:39,390 --> 01:08:40,630 Nurse! 1651 01:08:40,630 --> 01:08:43,050 So if you're a security engineer, 1652 01:08:43,050 --> 01:08:45,020 you have to take into account all the rather 1653 01:08:45,020 --> 01:08:48,380 special conditions of the clinical setting with infection 1654 01:08:48,380 --> 01:08:49,170 control. 1655 01:08:49,170 --> 01:08:51,361 Which, surprisingly, not everybody knows about. 1656 01:08:51,361 --> 01:08:53,569 There are definitely some very talented engineers who 1657 01:08:53,569 --> 01:08:57,826 know about it, but not enough.
1658 01:08:57,826 --> 01:08:59,670 The other big problem is I've noticed 1659 01:08:59,670 --> 01:09:06,689 that security people tend to specialize in the mechanisms 1660 01:09:06,689 --> 01:09:08,130 to control security. 1661 01:09:08,130 --> 01:09:09,330 You can wield crypto. 1662 01:09:09,330 --> 01:09:12,790 I know CBC mode this, and I know public key crypto this. 1663 01:09:12,790 --> 01:09:14,370 That's great. 1664 01:09:14,370 --> 01:09:16,330 And you know how to prevent the problems. 1665 01:09:16,330 --> 01:09:18,609 You know how to detect the problems. 1666 01:09:18,609 --> 01:09:20,240 The issue is from the medical world. 1667 01:09:20,240 --> 01:09:21,740 Most people in the medical world are 1668 01:09:21,740 --> 01:09:23,510 coming from a very different mindset, one 1669 01:09:23,510 --> 01:09:25,720 that's called risk management. 1670 01:09:25,720 --> 01:09:27,580 Let me try to explain it. 1671 01:09:27,580 --> 01:09:29,960 In risk management, you look at risks and benefits, 1672 01:09:29,960 --> 01:09:31,910 and you ask yourself, do they balance? 1673 01:09:31,910 --> 01:09:35,609 If I take an action, does that improve my risk management 1674 01:09:35,609 --> 01:09:36,318 outlook? 1675 01:09:36,318 --> 01:09:38,109 So if you're going to decide, for instance, 1676 01:09:38,109 --> 01:09:41,920 am I going to deploy a password system 1677 01:09:41,920 --> 01:09:43,765 on all my medical devices. 1678 01:09:43,765 --> 01:09:46,259 A security person might say, duh, 1679 01:09:46,259 --> 01:09:48,050 of course you're going to deploy passwords, 1680 01:09:48,050 --> 01:09:49,819 because you need to authenticate. 1681 01:09:49,819 --> 01:09:52,500 The safety person might say, well, wait a minute. 1682 01:09:52,500 --> 01:09:56,310 If I required we have passwords on every system, 1683 01:09:56,310 --> 01:09:58,910 we're going to worry about sterilization. 1684 01:09:58,910 --> 01:10:00,900 How do we know how often to time out? 
1685 01:10:00,900 --> 01:10:02,710 And what about emergency access? 1686 01:10:02,710 --> 01:10:04,300 What if we forget the password? 1687 01:10:04,300 --> 01:10:07,459 We want to make sure we can get a response time in 30 seconds. 1688 01:10:07,459 --> 01:10:09,500 So they might actually make a different decision. 1689 01:10:09,500 --> 01:10:12,280 They might actually decide not to have passwords at all. 1690 01:10:12,280 --> 01:10:14,930 Actually many hospitals don't have passwords. 1691 01:10:14,930 --> 01:10:18,190 Excuse me, many hospitals don't have access control 1692 01:10:18,190 --> 01:10:19,030 on medical records. 1693 01:10:19,030 --> 01:10:21,610 Instead they have what's called audit-based access control. 1694 01:10:21,610 --> 01:10:23,860 After the fact, if you look at something you shouldn't 1695 01:10:23,860 --> 01:10:25,860 look at, they come get you. 1696 01:10:25,860 --> 01:10:28,540 Because they know that it's very difficult to predict what 1697 01:10:28,540 --> 01:10:30,040 you're going to need in your routine 1698 01:10:30,040 --> 01:10:32,390 of your clinical workflow. 1699 01:10:32,390 --> 01:10:35,560 So the risk management kind of way 1700 01:10:35,560 --> 01:10:39,120 will depend upon deploying the security controls 1701 01:10:39,120 --> 01:10:40,822 and all the technology you learn about. 1702 01:10:40,822 --> 01:10:42,280 But in the risk management picture, 1703 01:10:42,280 --> 01:10:44,530 you might actually decide not to deploy something, 1704 01:10:44,530 --> 01:10:48,120 because it could cause harm somewhere else. 1705 01:10:48,120 --> 01:10:49,770 But trustworthy medical device software 1706 01:10:49,770 --> 01:10:52,880 is going to require both. 1707 01:10:52,880 --> 01:10:54,857 So I'll just finish up here. 1708 01:10:54,857 --> 01:10:56,940 I think there's a lot of interesting things to do. 1709 01:10:56,940 --> 01:10:59,104 So you're taking this cool security course.
1710 01:10:59,104 --> 01:11:01,020 I encourage you to go out and use those tools. 1711 01:11:01,020 --> 01:11:03,280 But as you're thinking about where to go afterwards, 1712 01:11:03,280 --> 01:11:05,060 whether it's industry or graduate school, 1713 01:11:05,060 --> 01:11:07,435 think about medical devices, because they need your help. 1714 01:11:07,435 --> 01:11:09,430 They need a lot of smart people there. 1715 01:11:09,430 --> 01:11:12,080 And so there's just one thing missing-- you are. 1716 01:11:12,080 --> 01:11:14,410 And I think there's a lot of interesting stuff 1717 01:11:14,410 --> 01:11:15,590 still to be done. 1718 01:11:15,590 --> 01:11:17,932 So I think we have five or 10 minutes or so. 1719 01:11:17,932 --> 01:11:19,390 I'd be glad to take some questions. 1720 01:11:19,390 --> 01:11:20,640 Or I could go more into depth. 1721 01:11:20,640 --> 01:11:22,730 I got some fun videos I could show. 1722 01:11:22,730 --> 01:11:25,810 But I think I'll at least take a break for a moment 1723 01:11:25,810 --> 01:11:28,628 to see if you have any questions. 1724 01:11:28,628 --> 01:11:29,128 Yes? 1725 01:11:29,128 --> 01:11:31,096 AUDIENCE: So that pacemaker or whatever 1726 01:11:31,096 --> 01:11:35,086 it was that you were passing around, does that [INAUDIBLE]. 1727 01:11:35,086 --> 01:11:36,460 PROFESSOR: Oh, the defibrillator. 1728 01:11:36,460 --> 01:11:37,085 AUDIENCE: Yeah. 1729 01:11:37,085 --> 01:11:41,448 How does that interact with the fact 1730 01:11:41,448 --> 01:11:44,370 that they are [INAUDIBLE] these kind of things. 1731 01:11:44,370 --> 01:11:46,132 PROFESSOR: OK so a couple things. 1732 01:11:46,132 --> 01:11:48,340 So there are defibrillators and there are pacemakers. 1733 01:11:48,340 --> 01:11:50,650 They're very related. 1734 01:11:50,650 --> 01:11:51,850 This is a defibrillator. 1735 01:11:51,850 --> 01:11:53,320 It sends out large shocks. 1736 01:11:53,320 --> 01:11:55,570 Pacemakers send out small shocks. 
1737 01:11:55,570 --> 01:11:59,020 But in the US, it's illegal to reimplant these. 1738 01:11:59,020 --> 01:12:01,110 So it doesn't matter if you can. 1739 01:12:01,110 --> 01:12:02,670 It's just illegal. 1740 01:12:02,670 --> 01:12:05,720 But in many developing countries it's not illegal. 1741 01:12:05,720 --> 01:12:08,150 And if you look from-- let me back up a slide. 1742 01:12:10,730 --> 01:12:14,110 If you look from not the control mechanism, but the risk 1743 01:12:14,110 --> 01:12:16,840 management side of the equation, it might actually 1744 01:12:16,840 --> 01:12:19,750 lead to better public health outcomes 1745 01:12:19,750 --> 01:12:22,750 to allow reimplantation and reuse in developing countries 1746 01:12:22,750 --> 01:12:25,646 where they have no other choice. 1747 01:12:25,646 --> 01:12:26,890 And this is not my project. 1748 01:12:26,890 --> 01:12:29,600 This is just a project we're assisting on. 1749 01:12:29,600 --> 01:12:32,280 But in that particular case, the patients really have no choice. 1750 01:12:32,280 --> 01:12:34,670 It's basically a death sentence. 1751 01:12:34,670 --> 01:12:36,804 To sterilize it is pretty tricky. 1752 01:12:36,804 --> 01:12:38,720 There's a whole lot of science and engineering 1753 01:12:38,720 --> 01:12:40,970 that goes into how to properly sterilize 1754 01:12:40,970 --> 01:12:44,020 to get rid of the pathogens. 1755 01:12:44,020 --> 01:12:48,560 Because these were in blood, so first abrasive cleaner, 1756 01:12:48,560 --> 01:12:50,710 but the ethylene oxide is one way 1757 01:12:50,710 --> 01:12:52,974 to destroy most, if not all, of the pathogens. 1758 01:12:52,974 --> 01:12:54,390 There's a whole testing procedure. 1759 01:12:54,390 --> 01:12:58,155 You actually put special little-- I 1760 01:12:58,155 --> 01:12:59,280 forgot what they're called. 1761 01:12:59,280 --> 01:13:02,610 They're little wafers-- with known quantities of pathogens. 
1762 01:13:02,610 --> 01:13:05,120 And you put it in alongside some of the devices 1763 01:13:05,120 --> 01:13:08,200 as it's going into the chamber, and when you pull it out, 1764 01:13:08,200 --> 01:13:12,710 you test to see if all those organisms have been killed. 1765 01:13:12,710 --> 01:13:14,220 Did that answer all your questions? 1766 01:13:14,220 --> 01:13:16,610 You had a follow up. 1767 01:13:16,610 --> 01:13:17,180 OK. 1768 01:13:17,180 --> 01:13:17,680 Yes? 1769 01:13:17,680 --> 01:13:20,224 AUDIENCE: So what you're saying, integrity of sensors 1770 01:13:20,224 --> 01:13:22,190 is a bigger risk for hacker attack, 1771 01:13:22,190 --> 01:13:26,776 because most of the examples of sensory interference you showed 1772 01:13:26,776 --> 01:13:28,240 are intentional interference. 1773 01:13:28,240 --> 01:13:29,916 So it's kind of [INAUDIBLE]. 1774 01:13:29,916 --> 01:13:31,290 PROFESSOR: Oh, so the question is 1775 01:13:31,290 --> 01:13:36,070 why focus on integrity of sensors rather than hacking, 1776 01:13:36,070 --> 01:13:38,220 because everything I showed was about hacking? 1777 01:13:38,220 --> 01:13:40,340 That's selection bias. 1778 01:13:40,340 --> 01:13:42,460 I selected those cases, but that doesn't mean 1779 01:13:42,460 --> 01:13:45,300 that's statistically relevant. 1780 01:13:45,300 --> 01:13:48,850 I divided up into two cases-- maybe three. 1781 01:13:48,850 --> 01:13:50,890 The past, the present, and the future. 1782 01:13:50,890 --> 01:13:54,805 So at the present, most of the problems 1783 01:13:54,805 --> 01:13:58,145 we're seeing from malware in our very rudimentary surveillance 1784 01:13:58,145 --> 01:14:01,090 of medical devices has to do with malware that accidentally 1785 01:14:01,090 --> 01:14:05,280 gets in, and then causes near misses and malfunctions. 1786 01:14:05,280 --> 01:14:06,470 But we're no dummies. 
1787 01:14:06,470 --> 01:14:08,830 We know that there could be an intentional adversary 1788 01:14:08,830 --> 01:14:09,800 in the future. 1789 01:14:09,800 --> 01:14:11,570 They just haven't materialized yet. 1790 01:14:11,570 --> 01:14:15,480 The closest example would be-- this 1791 01:14:15,480 --> 01:14:16,750 is just from the news reports. 1792 01:14:16,750 --> 01:14:18,125 I don't know if it's true, but it 1793 01:14:18,125 --> 01:14:20,720 was from I believe the New York Times-- 1794 01:14:20,720 --> 01:14:23,150 that there was a hospital. 1795 01:14:23,150 --> 01:14:25,586 CHS, I think, was the hospital, where 1796 01:14:25,586 --> 01:14:27,460 they brought in a security company, Mandiant. 1797 01:14:27,460 --> 01:14:32,000 And they believe that a nation state had actually come in 1798 01:14:32,000 --> 01:14:33,540 to steal the medical records. 1799 01:14:33,540 --> 01:14:36,710 They don't know exactly why, but nation states. 1800 01:14:36,710 --> 01:14:38,900 And nation states are powerful adversaries, right? 1801 01:14:38,900 --> 01:14:40,441 If you run up against a nation state, 1802 01:14:40,441 --> 01:14:43,995 you might as well just give up, because none of these controls 1803 01:14:43,995 --> 01:14:45,490 are going to help you. 1804 01:14:45,490 --> 01:14:47,024 But here's my concern. 1805 01:14:47,024 --> 01:14:48,440 If the nation state, for instance, 1806 01:14:48,440 --> 01:14:51,350 is very dedicated on getting one piece of information, 1807 01:14:51,350 --> 01:14:53,897 what if they make-- they're human too, right? 1808 01:14:53,897 --> 01:14:55,605 What if they make a mistake along the way 1809 01:14:55,605 --> 01:14:57,146 and accidentally hit a medical device 1810 01:14:57,146 --> 01:15:00,340 as they're trying to extract whatever kind of information 1811 01:15:00,340 --> 01:15:02,210 they're trying to get at? 1812 01:15:02,210 --> 01:15:05,890 And that could affect the integrity. 
1813 01:15:05,890 --> 01:15:09,440 In the future, there could be instances of custom malware, 1814 01:15:09,440 --> 01:15:16,050 but I think it takes that one more step of someone 1815 01:15:16,050 --> 01:15:19,952 really wanting to cause harm. 1816 01:15:19,952 --> 01:15:21,660 And I'm hoping that there aren't too many 1817 01:15:21,660 --> 01:15:23,030 of those kinds of people. 1818 01:15:23,030 --> 01:15:24,960 But there are people who write malware 1819 01:15:24,960 --> 01:15:26,600 who don't realize that malware gets 1820 01:15:26,600 --> 01:15:28,216 into medical devices in hospitals, 1821 01:15:28,216 --> 01:15:31,020 and it's still causing problems.