Hardwear.io Security Trainings and Conference USA 2026

  • 26th – 30th May 2026
  • Santa Clara Marriott, USA
Share:
Intermediate

Medical Device Hacking and Defending Training

Training Objectives

The goal of this training is to give participants the skills necessary to identify critical medical device vulnerabilities, exploit medical vulnerabilities and implement software or hardware fixes. The training will have a hands-on approach and CTF style format where the skills learned will be applied on hardware, software, firmware and wireless targets.

Key Learning Objectives

Participants will be given the tools and training necessary to identify vulnerabilities in medical devices (hardware, firmware, mobile, web and wireless) and the practical knowledge to fix these vulnerabilities.

Detailed Description

Day 1:
    • US Food Drug Administration Cybersecurity Premarket Guidance and approval process (medical device security requirements)
    • Common medical device architectures
      • BTLE
      • Wireless
      • Cellular
      • Custom Radio
    • Common medical device networks and risks
    • Historical attacks against medical devices and hospital networks
    • Common medical device security testing approaches and vulnerability identification
    • Medical device teardown, anti-tamper, depotting techniques and hardware photography
      • Medical device disassembly
      • Identifying and defeating anti-tamper
      • Hot air depotting
      • Chemical depotting
      • PCB photography, PCB delayering techniques and PCB layer stitching
    • PCB and medical device hardware reverse engineering
      • Integrated circuit (IC) component identification and datasheet analysis
      • PCB photography reverse engineering
      • Multimeter contract tracing
      • Patient peripheral and drug distribution mechanism reverse engineering
      • Identification of debugging interfaces (UART, JTAG, SWD, USB)
      • Identification of flash, persistent storage and potential firmware extraction techniques
    • Signal Analysis
      • SPI
      • UART
      • I2C
    • Firmware extraction
      • SPI flash
      • UART
      • Uboot
      • Over the air (OTA)
      • JTAG/SWD
Day 2:
      • Cryptology basics
        • Cryptography
        • Cryptanalysis
        • FDA and NIST medical device requirements
      • Wireless analysis and Attacks
        • Bluetooth low energy (BLE)
        • WiFi
        • Cellular
        • Custom radio frequencies
      • Mobile application analysis
      • Web application and cloud analysis
      • Medical device kiosk modes and kiosk escapes
      • Source code vulnerability analysis techniques
        • Sinks, sources, intersection graphs, filters, transformations
        • Manual vulnerability analysis
      • Common vulnerabilities
        • Buffer overflow
        • Heap overflow
        • Use after free (UAF)
        • Double free
        • Null pointer dereference
        • Command injection
        • Authentication bypass
        • Authorization issues
        • Weak or insufficient cryptography
        • Hard coded credentials/secrets
        • Exposed logging or debugging
        • Timing attacks
        • Misconfigurations
        • Outdated dependencies
        • etc.
      • Automated vulnerability analysis
        • Semgrep usage and custom rule writing
        • Cppcheck/Cppcheck-gui
        • Bandit
Day 3:
    • Firmware analysis
    • Binary analysis
    • Fuzzing and crash triage
    • Exploit, proof of vulnerability (PoV) and proof of concept (PoC) development
    • Medical device supply chain security
      • PCB fabrication security
      • Assembly and firmware flashing security
      • Anti-counterfeiting measures and hostile supply chain considerations
    • Medical device defensive hardware design considerations
    • Defensive coding and fixing security issues
    • Bug bounty and security reporting tips

Who Should Attend?

Hardware engineers, firmware engineers, software engineers, medical device manufacturers, IoT or medical device penetration testers, hardware hackers, wireless hackers, and folks interested in learning more about hacking or defending medical devices.

Prerequisites

Some computer programming experience (e.g. C or Python) and basic Linux experience would be helpful.

Software & Hardware Requirements

Laptop with x86_64 processor and at least 16GB of ram. Ability to run Ubuntu Linux operating system from USB.

What You Get

Medical device hardware and firmware training attack target.

Training Details

  • Date: 26th to 28th May 2026
  • Time: 9:00am to 5:00pm PDT
  • Venue: Santa Clara Marriott
  • Level: Intermediate
Register Now

About Trainer

Marcus Richerson

Marcus Richerson has 17 years experience hacking software, wireless and embedded systems. He worked on contract at the Department of Veteran Affairs assessing medical devices, patient applications and medical networks. At Somerset Recon Marcus has performed security assessments of many medical devices and medical technologies. He is an avid CTF player and has spoken at a variety of conferences such as LayerOne, Toorcon, BSides-SD, BSides-Portland and RSA Conference.