Training Objectives:
The goal of this training is to give participants the skills necessary to identify critical medical device vulnerabilities, exploit those vulnerabilities, and implement software or hardware fixes. The training takes a hands-on, CTF-style approach in which the skills learned are applied to hardware, software, firmware and wireless targets.
What to Expect? | Key Learning Objectives:
Participants will be given the tools and training necessary to identify vulnerabilities in medical devices (hardware, firmware, mobile, web and wireless) and the practical knowledge to fix these vulnerabilities.
Training Detailed Description:
Day 1:
- US Food and Drug Administration Cybersecurity Premarket Guidance and approval process (medical device security requirements)
- Common medical device architectures
  - BTLE
  - Wireless
  - Cellular
  - Custom Radio
- Common medical device networks and risks
- Historical attacks against medical devices and hospital networks
- Common medical device security testing approaches and vulnerability identification
- Medical device teardown, anti-tamper, depotting techniques and hardware photography
  - Medical device disassembly
  - Identifying and defeating anti-tamper
  - Hot air depotting
  - Chemical depotting
  - PCB photography, PCB delayering techniques and PCB layer stitching
- PCB and medical device hardware reverse engineering
  - Integrated circuit (IC) component identification and datasheet analysis
  - PCB photography reverse engineering
  - Multimeter contact tracing
  - Patient peripheral and drug distribution mechanism reverse engineering
- Identification of debugging interfaces (UART, JTAG, SWD, USB)
- Identification of flash, persistent storage and potential firmware extraction techniques
- Signal analysis
- Firmware extraction
  - SPI flash
  - UART
  - U-Boot
  - Over the air (OTA)
  - JTAG/SWD
Day 2:
- Cryptology basics
  - Cryptography
  - Cryptanalysis
- FDA and NIST medical device requirements
- Wireless analysis and attacks
  - Bluetooth low energy (BLE)
  - WiFi
  - Cellular
  - Custom radio frequencies
- Mobile application analysis
- Web application and cloud analysis
- Medical device kiosk modes and kiosk escapes
- Source code vulnerability analysis techniques
  - Sinks, sources, intersection graphs, filters, transformations
  - Manual vulnerability analysis
    - Common vulnerabilities
      - Buffer overflow
      - Heap overflow
      - Use after free (UAF)
      - Double free
      - Null pointer dereference
      - Command injection
      - Authentication bypass
      - Authorization issues
      - Weak or insufficient cryptography
      - Hard coded credentials/secrets
      - Exposed logging or debugging
      - Timing attacks
      - Misconfigurations
      - Outdated dependencies
      - etc.
  - Automated vulnerability analysis
    - Semgrep usage and custom rule writing
    - Cppcheck/Cppcheck-gui
    - Bandit
Day 3:
- Firmware analysis
- Binary analysis
- Fuzzing and crash triage
- Exploit, proof of vulnerability (PoV) and proof of concept (PoC) development
- Medical device supply chain security
  - PCB fabrication security
  - Assembly and firmware flashing security
  - Anti-counterfeiting measures and hostile supply chain considerations
- Medical device defensive hardware design considerations
- Defensive coding and fixing security issues
- Bug bounty and security reporting tips
Who Should Attend? | Target Audience:
Hardware engineers, firmware engineers, software engineers, medical device manufacturers, IoT or medical device penetration testers, hardware hackers, wireless hackers, and folks interested in learning more about hacking or defending medical devices.
What to Bring? | Software and Hardware Requirements:
Laptop with an x86_64 processor and at least 16 GB of RAM, able to boot and run the Ubuntu Linux operating system from USB.
What to Bring? | Prerequisite Knowledge and Skills:
Some computer programming experience (e.g. C or Python) and basic Linux experience would be helpful.
Resources Provided at the Training | Deliverables:
Medical device hardware and firmware training attack target.
ABOUT THE TRAINERS
Marcus Richerson has 16 years of experience hacking software, wireless and embedded systems. He worked on contract at the Department of Veterans Affairs assessing medical devices, patient applications and medical networks. At Somerset Recon, Marcus has performed security assessments of many medical devices and medical technologies. He is an avid CTF player and has spoken at a variety of conferences such as LayerOne, Toorcon, Bsides-SD, Bsides-Portland and RSA Conference.
Jason Richard is a hardware hacker and hardware reverse engineer. At Somerset Recon he has performed several security assessments of medical devices. He loves tinkering with low-level systems and signals. In his free time, Jason enjoys solving escape rooms.