When it comes to the safety and security of medical devices, you need the best hands (and minds) on the task. This past August in Las Vegas, several brave medical device manufacturers put their technology to the test against ethical hackers and pentesters at Defcon’s prestigious Biohacking Village competition, all with the goal of making their devices more secure. Each year, the Secureworks® Adversarial Testing team is lucky enough to participate in this event, and this year our team once again proved that it is home to some of the world's finest biohackers, helping to uncover a range of security vulnerabilities in medical devices that otherwise wouldn’t be detected.
This year, the Secureworks team not only won Defcon's prestigious Biohacking Village CTF competition but also managed to almost double the score of the second-place team. This achievement is not only a testament to the skill, dedication, and expertise that our team brings to the world of biohacking, but also underscores the biomedical industry’s commitment to cybersecurity. It is at events like these that security practitioners and technology developers come together to work toward the same goal of creating safer connected medical devices and development practices. There is nowhere better to see this in action than at Defcon.
Here are some of the learnings from this year’s Biohacking Village and Competition:
A Display of Unparalleled Skill
The Biohacking Village and Capture-the-Flag (CTF) Competition is intended as a forum where people of all skill sets can come together to learn and practice medical device security and security in relation to patient care. This year, the biohacking CTF, held during Defcon 31 (August 10-13, 2023), was a “Jeopardy” style CTF, with challenges ranging from general medical terminology questions to analysis of HL7, DICOM, and other medical-device-related transmissions and binary analysis. The CTF competition had over 692 players and 597 different solvable challenges. Bonus points were awarded to teams that located actual vulnerabilities in live medical devices brought by multiple vendors from the medical device manufacturing sphere.
Just as in previous years, Secureworks’ team tackled testing each device for flaws with finesse, technical skill, and determination. The team's achievements were quantified in a record-breaking score of over 10,000 points, which represents the skill and expertise our team displayed throughout the competition. In comparison, the second and third place teams averaged nearly 6,500 points.
In total, our team found 14 critical vulnerabilities in active medical products, ranging from DNA sequencers to patient health monitors and patient record databases to various cardiology-related systems. These vulnerabilities, if left unchecked, could lead to dire and unexpected consequences. The importance of such discoveries cannot be stressed enough, especially when it comes to medical devices and patient safety. Kudos to the manufacturers who volunteered their devices for testing by skilled hackers to ensure the safety of their products. This demonstrates not only their commitment to patient safety but also their desire to proactively address security risks. Without these companies providing devices to test against, this type of open forum would not be possible.
At Secureworks, our mission is to secure human progress. Our team is now working with these medical device vendors through their coordinated vulnerability disclosure policies to publicly announce the findings identified during the Defcon 31 Biohacking Village CTF, within the Device Testing Lab. The resulting fixes will be examples of remediations that can be applied to multiple devices in the field to ensure resilience against cyber-attacks and threat actors. This type of cohesive workflow, with researchers and medical device manufacturers working together to solve major issues, is one example of the united work occurring within the infosec ecosystem.
The Future Onwards
Our team’s ability to breach the security of these medical devices shows our expertise and underlines the need for top-notch security in such essential devices. Security is much easier to apply when it is ingrained in the design. Applying security controls after a device is created can leave issues that, in some scenarios, cannot be undone or patched. We must applaud the device manufacturers who volunteered their devices to be tested for vulnerabilities. At the end of the day, it is a reminder that we are all working together towards the same goal of keeping patients safe and medical devices secure.