Every August, thousands of cybersecurity professionals and top security minds descend upon Las Vegas to experience what has become one of the biggest weeks in the information security calendar. Dual conferences held back to back, Black Hat and DEFCON, provide a 360-degree view of today’s security landscape. Tackling the issue of internet security from opposing angles, these two hacker events are among the oldest InfoSec conventions in the United States.

Founded in 1997 by Jeff Moss, Black Hat is a computer security conference that provides security consulting, training and briefings to hackers, corporations and government agencies around the world. Industry professionals share the latest research on vulnerabilities, defensive strategies and newly discovered hacking techniques.

DEFCON, which Moss previously founded in 1993, is typically held immediately after the Black Hat conference. Whereas Black Hat is much more business-orientated and is aimed specifically at CSOs and InfoSec professionals, DEFCON is more informal and aimed at the hacker community. Think carnival atmosphere, hacking competitions and live attempted hacking of security systems. For example, at this year’s event, a group of hackers used Netflix accounts to steal banking information, which became a worldwide news story. US government agencies also actively challenged hackers to find weaknesses in their systems. One of the most eye-catching events was a hacking competition based on automotive vulnerabilities. For winners, organisers of the Car Hacking Village offered up an almost new Tesla.

Predicting Future Cybersecurity Trends

This year, Nova Leah teams were present at both Black Hat and DEFCON. Participating in these kinds of events gives members of our teams a better understanding of both defensive and offensive strategies in the cybersecurity space. Discoveries shared by researchers during keynote speeches, training sessions and demonstrations provide a real insight into the next generation of cybersecurity threats and are often one step ahead of cyber criminals. In this article, we share our insights and key takeaways from both events.

Black Hat Highlights

For Nova Leah, a huge majority of the Black Hat conference was spent interacting with industry colleagues, learning from medical manufacturers and introducing people to SelectEvidence®, the first risk management tool in the world to deliver medical device compliance across multiple international standards. However, there were two keynote speeches that caught our attention and that we wanted to highlight.

Transparency in the Software Supply Chain: Making SBOM a Reality

This 25-minute talk was given by Allan Friedman, Director of Cybersecurity Initiatives at the US Department of Commerce, NTIA. Friedman shared some initial results on a multi-stakeholder initiative launched by the NTIA. The Software Bill of Materials (SBOM) promotes transparency about which software components are being used across the entire device supply chain.

The motivation for SBOM is relatively simple. You wouldn’t sell a nutritional product without sharing its ingredients or produce a piece of machinery without accounting for every component within it. So, why is there such limited visibility into code, and so little impetus on software suppliers to track third-party dependencies? With this initiative, NTIA is working towards a more uniform approach to transparent supply chain management. Industry experts are now convening on the viability of this idea and how it can be implemented without the need for government regulation.

Predictive Vulnerability Scoring System

One of the most fascinating talks of the week was delivered by data scientists Jay Jacobs of Cyentia and Michael Roytman of Kenna Security. The pair discussed the weaknesses of relying on the CVSS model. The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score. Ordinarily, only vulnerabilities with a score of 7 or above are addressed. By the presenters’ estimation, this solution is only 5-7% efficient.

Instead, they outlined the merits of an open prioritisation model. During the talk, Jacobs and Roytman showcased findings they gathered from tens of thousands of vulnerabilities, drawing on CVSS scores, CVE, NVD, scraped mailing lists and collected data feeds. Their research ultimately delivered a few dozen data points that helped them to understand the probability of a vulnerability being exploited.
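To make the comparison concrete, the following is an added example, not code or data from the talk. It scores a "fix everything with CVSS 7 or above" policy against a policy that spends the same remediation budget on the vulnerabilities ranked highest by modelled exploit probability. The sample records are constructed, and it assumes "efficiency" means the share of remediated vulnerabilities that were actually exploited, with "coverage" as the share of exploited vulnerabilities that were remediated.

```python
# Constructed sample: (id, CVSS base score, modelled exploit probability,
# exploited in the wild?). All values are invented for illustration only.
VULNS = [
    ("V01", 9.8, 0.62, True),
    ("V02", 9.1, 0.03, False),
    ("V03", 8.8, 0.02, False),
    ("V04", 8.1, 0.01, False),
    ("V05", 7.8, 0.04, False),
    ("V06", 7.5, 0.55, True),
    ("V07", 7.2, 0.02, False),
    ("V08", 7.0, 0.01, False),
    ("V09", 6.5, 0.71, True),
    ("V10", 6.1, 0.02, False),
    ("V11", 5.3, 0.48, True),
    ("V12", 4.3, 0.01, False),
]

def evaluate(selected):
    """Return (efficiency, coverage) for a list of remediated ids.

    Assumed definitions: efficiency = exploited-and-fixed / fixed,
    coverage = exploited-and-fixed / all exploited.
    """
    exploited = {v[0] for v in VULNS if v[3]}
    hits = len(exploited & set(selected))
    efficiency = hits / len(selected) if selected else 0.0
    coverage = hits / len(exploited) if exploited else 0.0
    return efficiency, coverage

def cvss_threshold(threshold=7.0):
    """Policy 1: remediate everything at or above the CVSS threshold."""
    return [v[0] for v in VULNS if v[1] >= threshold]

def top_by_probability(budget):
    """Policy 2: remediate the `budget` items most likely to be exploited."""
    ranked = sorted(VULNS, key=lambda v: v[2], reverse=True)
    return [v[0] for v in ranked[:budget]]

def compare(threshold=7.0):
    """Score both policies using the same number of fixes."""
    by_score = cvss_threshold(threshold)
    by_prob = top_by_probability(len(by_score))
    return {"cvss": evaluate(by_score), "probability": evaluate(by_prob)}

if __name__ == "__main__":
    for name, (eff, cov) in compare().items():
        print(f"{name:12s} efficiency={eff:.0%} coverage={cov:.0%}")
```

On this constructed data the threshold policy fixes eight items and misses both exploited vulnerabilities that score below 7, while the probability-ranked policy catches all four with the same eight fixes.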

There is a whitepaper pending from these speakers which will be of interest to all medical device manufacturers and medical security professionals, particularly following the January 2019 publication of the Rubric for Applying CVSS to Medical Devices. This report provided guidance for how an analyst can utilise CVSS as part of a risk assessment for a medical device. Slides from this briefing can be found here. Another interesting take on a challenging issue.

DEFCON 2019 Highlights

DEFCON is a different world. There are still outstanding talks, training sessions, workshops and briefings; however, there is a certain quality to DEFCON that aligns with the disruptive nature of a hacker. Take, for example, the Wall of Sheep, which displays in real time a list of all the people that are currently getting their mobile devices hacked. This is done in a playful manner to showcase the vulnerability of devices and log-ins without any real malicious intent. There are also dozens of hacking villages, where hackers are encouraged to take aim at presenting manufacturers’ products. The event of particular interest to Nova Leah was the ‘Medical Device Village’, housed within the ‘BioHacking Village’.

Positive Signs in the Medical Device Village

2019 was not the first Medical Device Village that Nova Leah experienced but it was definitely the best attended. There was an estimated tenfold increase in visitors with 10,000 people in attendance. The focal point of the BioHacking Village was the Medical Device Village, a model hospital where hackers attacked real devices.

Representatives from 10 large medical device makers, including Philips Health, Medtronic and Becton Dickinson, took part. What was most encouraging was the number of manufacturers willing to put their products forward. Many medical device manufacturers who didn’t take part stated their intention to participate next year. Until very recently, most of this activity would have been not just infeasible but illegal. Medical devices only won a Digital Millennium Copyright Act exemption in 2016, allowing researchers to hack the devices without breaking the law. The interest in the Medical Device Village is a positive sign as it shows a willingness to move forward and progress medical device security research.

The Big Reveal: The Hard-coded Key to My Heart – Hacking A Pacemaker Programmer

At each DEFCON there is a ‘big reveal’ or exposure of a news-worthy vulnerability. This year, Marie Moe shared her incredible story. Marie Moe, a SINTEF researcher in cybersecurity, discovered that the pacemaker she wore could be hacked. During a plane journey, Marie, who has a pacemaker, started to feel unwell. She later discovered that a bitflip in the air caused her pacemaker to crash. This caused a dumping of all data back to the programmer and reset the device back to the factory default settings. Fortunately, Marie was unhurt but the incident led to some very concerning findings.

Marie and her team were able to analyse the data sent to the programmer. This data was encrypted, but the means by which it was encrypted was significant. The pacemaker was using Internet Explorer 6 (used in 2003), Acrobat Reader 5.0 (used in 2001) and several other outdated software components. The device was also revealed to be using 256-bit encryption. For those unfamiliar, this implies a low level of encryption. Finally, the device had a hardcoded password to access the encrypted data. To learn more, see slides here.

While Marie’s findings were fascinating in their own right, it was also interesting to note that the ‘big reveal’ was not related to significant potential patient harm but rather a privacy concern. This is another positive progression. When issues are discovered, it is much better practice for hackers to interact directly with companies rather than waiting until DEFCON for public outings.

This has a lot to do with the FDA’s work with medical device manufacturers to create Coordinated Vulnerability Disclosure programs. Through these programs medical device manufacturers have a way of contacting hackers privately to discuss potential vulnerabilities and fix them before they go public. As Medical Hacking Village continues, we hope to see even fewer incidents where vulnerabilities are debuted in public. This change demonstrates a greater spirit of industry collaboration and prioritisation of patient safety.

We hope you enjoyed our brief reflection on both DEFCON and Black Hat. As one of the most significant conferences of the year it was, as always, informative and innovative. The progress noted at Medical Device Village at DEFCON and the willingness shown by medical manufacturers to bolster security and compliance capabilities continues to encourage.
