Mike talks to the authors of the book, Practical IoT Hacking Fotios Chantzis, and Beau Woods. Woods and Chantzis share their thoughts behind creating a safe and lawful guide to the ins and outs of hacking medical IoT devices covering everything from the software layer to the hardware layer and everything in between.
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:18.4 Mike Murray: Alright, and with me this week, I’m really excited about this conversation ’cause it’s not very often that there is relevant books in the space that I get to talk to the authors super quickly, but we have today with us, Fotios Chantzis and Beau Woods who have just written along with a bunch of other really awesome folks, a book on practical IoT hacking, which especially has a lot of context and a lot of relevance to medical devices and clinical technologies and the like, so everybody who listens to this knows that’s a favorite topic of mine. But with that, I’d love to have the two authors introduce themselves ’cause they’ve done some incredible stuff in their careers other than write a book, and I would love to hear that. So maybe Fotios you wanna start us off?
0:01:04.5 Fotios Chantzis: Yeah, hi, this is Fotios Chantzis. I’m a security researcher. I’ve been working in information security for many years now, and yeah, the book has been one of my recent projects. I’m really excited that it’s out. Have also worked on the healthcare industry in the past, specifically at the Mayo Clinic, and this is actually one of the back story that we’re probably gonna go over later, is related to my experience there while hacking medical devices and how we ended up doing basically what is a superset of medical devices, IoT. And throughout this book, along with Beau Woods, Ioannis Stais, Paulino Calderon, and Evangelos Deirmentzoglou.
0:01:53.5 MM: It’s a great roster. Beau, do you wanna introduce yourself for those who don’t know you already?
0:01:58.5 Beau Woods: Yeah, my name is Beau Woods. I, kind of like Fotios, I wear a lot of hats. Some of my past highlights… I’ll do the Troy McClure intro… You may know me from such places as I Am The Calvary. I’m one of the folks who helps to run that and build it up. I have a small consulting firm. I do a bunch of The Villages at DEF CON, like Aerospace Village and Hacktasy. I started the bio-hacking village device lab, which I think Mike might be how I met you or maybe even before. I worked at the FDA for a little bit for a year, doing a stented US Cybersecurity and Infrastructure Security Agency, now CISA, and just always try and keep myself overwhelmed with projects and tasks, ’cause if you can try to do a 150%, if you end up doing a 100, then you’re good.
0:02:48.5 MM: Yeah, it’s the old shoot for the moon, and if you miss, you’re still out in space somewhere.
0:02:52.7 BW: There you go, there you go. Like Elon Musk.
0:02:54.9 MM: Yeah, exactly, exactly. So guys, how did you end up writing this book, where did the book come from? Give us the origin story.
0:03:03.5 FC: Yeah, so the origin story is that, initially, I was working, I was… I have been a contributor to the Nmap project, the network security scanner that we all love and use, and that started back in Google Summer of Code 2009 and 2010 when I wrote to the Ncrack Network Authentication Cracking Tool of the nmap project. And while I was maintaining that for a bunch of years, at some point I realized that there was a lot of work on network security protocols. A lot of research that I had to do while developing the modules for Ncrack, and I thought it might be a good idea to write something about analyzing these protocols and how this could potentially be attacked from their authentication standpoint, and the original idea was actually to write something about that because of… I thought that it might be great to cross-promote Ncrack and also to basically compile all these research notes into something that is more coherent and structured, something like a book.
0:04:14.7 FC: So I sent the proposal to Bill Pollock, the founder of No Starch Press, which is our book publisher, and his original reply was that this subject might be too much of a niche, so it might be better off to write something else. So he basically told us that this might be better suited as a series of blog posts instead of something like a book, which made sense after hindsight. And so after that, because of my then work at my then job at Mayo Clinic, while I was basically conducting security assessments of all sorts of medical devices from implantable pacemakers to infusion pumps, to surgical robots, and I was doing these assessments, like every two or three weeks. Had seen a lot of different devices, and I thought, “This is another cool subject that might be worthwhile writing something about because it might be a great way to realize our own gaps in our knowledge.”
0:05:16.8 FC: And writing a book is the perfect way to… When you try to simplify a subject and make this as easily understood by your readers as possible, you also learn a lot about what you don’t understand and what you… All the gaps in your mental models about the assessments you’re conducting and all the different vulnerabilities that are out there. So that was one of the reasons. The other reason was that the medical device security, as you are probably fully aware has been lacking in security awareness. It has been better the past years, but back then it was slightly worse and with our docs with vendors, we realized that, yes, security wasn’t really their priority. So by writing a book that showed and demonstrated how some of these devices are prone to simple things such as hard code and encryption keys that can be reused to attack the whole ecosystem of the medical devices, it would be a great way to teach people about that and to also motivate researchers to contribute to this kind of research.
0:06:33.9 FC: So we went… We sent that new proposal to Bill Pollack and he was really excited this time like writing about medical device security. But he then counter-proposed that we should expand our subject to include the whole supersets of IoT. Of course, medical devices would be included, but let’s also write about, you know, smart home devices, smart treadmills, routers, IP cameras, and it was also exciting for me because I also realized that by doing that, we also can analyze a lot of those networks security protocols that I had been delving into in the past. So basically, we combined the best of both worlds and worked on this book for the next two years, that is now over 450 pages and encompasses this wide spectrum of subjects on everything IoT security.
0:07:39.5 MM: And you’re not kidding. For those who haven’t read the book yet, it covers everything from threat modeling, to gaining entry to buildings, to analyzing network protocols, to hacking mobile devices. To me, it’s what hacking exposed was 20 years ago in terms of sort of a soup to nuts manual for all the things you might have to do. This strikes me as, you guys tried to basically do something similar, except for what to do when hacking devices. Did I get that right?
0:08:08.2 FC: Yeah, yeah, exactly. That’s the cool thing about IoT, that you basically have to analyze the whole [0:08:16.8] ____, and we do describe that in chapter three, the security testing methodology, where we examine… We break down the different layers into the physical or hardware layer, and then the network layer, a radio layer for those radio frequency protocols such as RFID, NFC, and LoRa and so on, and also the cloud components that usually have an API, and then the mobile device is… Because many of those smart home devices also have an application component, like an app on IOS or Android that can be also oftentimes be abused by finding a bunch of vulnerabilities there, to also attack the device itself and the cloud components. So we break down all these into these different layers and then we go in… We structure the book in these different layers and we go and analyze each of these subtopics that belong to them. So for hardware hacking, for example, we do analyze some of the most common debugging protocols like JTAG, the serial wire debug protocol, SPI, and I-squared-C. You are… Also show people how to do a basic firmware hacking, how to extract it and analyze the file system contents, and all that.
0:09:39.3 FC: So yeah, I think this is also what is really interesting about that, if you’re interested in one particular area, only you want to focus on hardware hacking, you can just skip the rest of the chapters and go back to them at a later point and focus on how to… Focus on the subject that you really want. And we do provide exercises in all of these chapters that basically walk you through step by step on how you can, in your own home lab that you can set up with pretty cheap tools that you can buy off of the internet. Also provide you with some good target devices that are also cheap and easy to find and are popular enough that they are not going to be out of the market for the foreseeable future. And basically, the exercises, I think are what make this book being about practical IoT hacking.
0:10:36.1 MM: Absolutely, so let me get something out of the way, let me ask the… You gotta know, there’s somebody out there listening to us right now thinking, “Man, these guys just made a road map for how to hack every medical device on the planet pretty much, and they provided exercises so that you’re good at it before you do it.” You both know me well enough I think to know that I’m not espousing that view, but what do you guys say to somebody who says that? And Beau, I see you’re smiling over there.
0:11:04.9 BW: Yeah, we took great pains in going through the process of making this book in such a way that we teach people to… We teach people skills that they can employ safely and lawfully. So the whole first chapter or two of the book, depending on how you count the chapters, is dedicated to helping people understand some of the trade-offs that exist in IoT, helping people understand some of the things that they have to keep in mind. We had guest piece written by Dr. Marie Moe, who I know you know. She is both a security researcher herself and struggles with issues of legality and dilemmas on how to disclose findings, but she’s also a pace-maker patient who does research on the same types of devices that literally keep her alive.
0:11:57.9 BW: So she gave her perspective. We had Jay Radcliff, who’s a diabetic patient and security researcher give his perspective. We had Harley Geiger who has… He’s former congressional staffer, who now works for a highly sophisticated tech company, write about some of the legal impacts and how to stay safe when you’re doing this type of research. We… This is one of the reasons why we talk about threat modeling quite a lot right up front, is because we want people to think about, “What are the consequences of the things that I could do? And how do I make sure that I do them in a safe manner and do them in a way that is lawful?” And I think we did a really good job about it, but I’m biased. I’d actually be really curious to hear what some of your listeners think when they read through it. And so, I’d love to have some feedback ’cause we do have the opportunity to go back for a 2.0 for this book since it’s been really, really successful so far, to be able to update some things and maybe add some edits or drop some more content in, and we can keep some things fresh on the website or whatever. So that was definitely top of mind for us when we were writing this.
0:13:09.9 MM: And I don’t think that… We’ve been in industry long enough that I think that there’s gonna be enough good use of this book that ultimately raises the level of discourse in a positive way, that I think that will outweigh the negatives, but… Actually, a question that I’ve wanted to ask you guys since I knew that you wrote the book, because I think it’s such an interesting topic.
0:13:28.8 MM: And Beau, you hit on this a little bit about how you do some of this research legally, and especially if you’re talking about medical devices. The common way that we all do sort of medical device security research, unless we have a job doing it, is you go on eBay and you buy something off of eBay and you do all the things that you guys write about in your book to that thing. How do you handle that with FDA regulated devices? And especially you’re dealing with something that’s in the market, and so theoretically you could be causing a recall for the vendor by reporting these things. How do you guys see that set of challenges and do you have any thoughts on it? I know you both worked in the medical device space over the years. And Fotios, I got the benefit of some of your reports, even though we didn’t know each other when I was at GE. I’m certain that some of the things that came to us from your previous employer, you had your name on them somewhere, but how do you guys see that process, and what advice do you have for the people out there who might wanna start thinking about this and go buy something off of eBay and start dealing with that?
0:14:34.0 BW: Yeah, I think one of the things that really informed my philosophy in this is I Am The Cavalry, which I mentioned earlier, has a position on disclosure, and the first line of that is those who want to do good should not inadvertently do harm, something like that. So we really thought about that quite a lot when we were writing this, and I think we’ve got a section in there, a piece in there, about how to think about doing the types of disclosures. How to go through the process. We don’t wanna write a disclosure manual because there’s plenty of those out there, but just understanding the consequences and then trusting that good people will do good things.
0:15:15.3 BW: When it comes to regulated medical devices, the FDA in the past few years is, Mike, I know you know, and Fotios and I know, but some of the listeners may not know, has come a long way in terms of creating a safe space for medical device makers, security researchers, the regulator, healthcare providers, doctors, patients to come together and have conversations. To stimulate those conversations, and when there are issues or potential issues for people to be able to report them in a way that allows them to collaborate in that kind of safe environment so that ultimately the information can be made available to the right people to make the best decision in consideration of all of the other topics. And again, I’ll go back to Jay and Marie. They’re having conversations with their physicians that are much different than the conversations that most people will have. In these cases, Jay and Marie are more informed about some of the cyber side effects than the doctors will be.
0:16:21.6 BW: And then the medical device makers may even be… Depending on who you’re talking to at the medical device maker. So we wanna be able to facilitate that ability to share information to the right places so that people can make the right decisions. And just one anecdote. As a part of this, when we looked at doing some disclosures with some of the companies that we did testing with, not all of them were willing to issue patches or they were devices that were so far out of date that they couldn’t be updated. So we actually just created our own IoT device. We got together with some other people through OWASP, through Google Summer of Code, and we created something called the IoTGoat, which is the OWASP’s training lab for this based on some IoT standard software that runs on standardized hardware, but is virtualizable and that has known vulnerabilities, so that people can go poke and prod and test. And for anybody who’s interested in learning more, I think we may open that project up a little bit more and look to extend it, improve it, build on it a little bit. So maybe check back with us and see if there’s opportunities to do that.
0:17:40.5 FC: Yeah. IoTGoat is a really cool project that is, at this point, I believe it’s mostly focusing on firmware hacking. So I’d say it’s more geared towards doing some of the software analysis that we also cover in the book, but for hardware hacking specifically, in terms of the chapters that we wrote, we took great care, and like I mentioned before, we actually spent a lot of time brainstorming to find those right devices, both in terms of the attacking tools like the Bus Pirate and the target devices, like the Black Pill, which is like an STM 32 device microcontroller. So that they are both easy to find, easy to purchase, and also at the same time will be available on the market out there in the next few years.
0:18:46.3 MM: So question for you guys, beyond the simple answer of read our book, suppose I’m a… I work at a hospital and I’m a junior security analyst, and I’m curious about how to get into all of this kind of stuff. And this is why I say beyond just read the book, ’cause I obviously read the book is step one. Where do you start, especially you guys came from the same place that I did, we all started at one point not knowing how to do these things. How do you get into it if you are 23 years old and you’ve never hacked anything before, and you pick up your book, like, where do you start? What do you think?
0:19:25.0 BW: I think with IoT, it’s interesting because it’s… The differences in IoT between IoT and an enterprise network or a laptop that you might have hanging out is there expanded capabilities. There’s expanded trade… Very different trade-offs, they live in different environments, but one of the things that’s good about that is that IoT is so broad that there’s an entry point that you’re probably already fairly familiar with. So if you already know how to do some network testing, cool, so maybe start on the network side and then work your way into web and hardware and JTAG and Bus Pirate and radio frequency. If you know one of those other aspects, start there and work your way someplace else.
0:20:07.7 BW: I think a lot of times people get intimidated because it has aspects that they don’t know, rather than focusing on the aspects where they do know and diving in that way. I know for my own personal journey, it was basically like that, it started like that. It was starting on the network side, which I knew well, and the endpoint side, which I knew a little bit, and then building out some other knowledge sets and capabilities until I understood a lot of the concepts for various different things. Even if I couldn’t do the hands-on hardware pieces, I could at least understand how they worked enough to be able to think about how I might go about deconstructing or understanding or interfacing with them.
0:20:53.7 FC: Yeah, and I think the other point to make is that it’s so easy to find any kind of smart device in your home. We already have more devices than we realize that could be great training examples for any researcher. So take for example, you might have an old router that you no longer use, or you might have an IP camera, or you might have your smart TV. You can just buy a simple… You can even do it probably with your existing Wi-Fi chipsets and just start capturing the traffic and see what goes out there, and you could start from there, or like with Bluetooth.
0:21:40.6 FC: Even just start by seeing what your smartphone does, or if you have a Fitbit or some other kind of smart wearable device, same thing. You can just buy a cheap or a Bluetooth low energy device and start capturing the traffic and see how that works, and you’ll be surprised how outdated some of these devices can be in terms of their security posture and how vulnerable they are. One of our co-authors [0:22:11.2] ____ he recently, he did some research on a simple thing like a smart water bottle that apparently… You think when you get a device, that what could go wrong with this, like how could someone abuse that?
0:22:27.2 FC: And apparently there are ways to do that, and one of them is that it was a huge privacy violation because it would expose your location to cloud component, and the cloud component was vulnerable to a bunch of easy SQL injection attacks that can then be accessible by anyone from the internet. So there you go, by a simple thing as a smart water bottle that seems quite benign at first, you could actually give off your location to any adversary out there.
0:23:02.6 BW: Yeah, and, Fotios, you make a great point. There’s a lot of low-hanging fruit in IoT too. So sometimes it comes from novice developers. If I taught myself programming and taught myself how to develop hardware, I can start a Kickstarter size project. It doesn’t meet the level of rigor for which you would want a medical device to be made or a car to be made, for instance. So you have sometimes naive or novice decisions on protocols or security, but also you’ve got… I mentioned trade-offs earlier… If you’re using something that’s battery-powered or that uses a small micro-controller, you don’t have the ability to do strong encryption, for instance, or if you do strong encryption, you’re gonna really drain the battery life really, really quickly, or overheat the device really, really quickly.
0:23:56.0 BW: So there are some, even well-intentioned experienced developers will sometimes make some trade-offs that open things up in more of a plain text and older protocol where it might be easier to start dissecting it than a more modern full TLS stack that’s got pinned certificates like we like to see in our apps and cloud-based environment. You can’t always do that in IoT. And so that’s one of the things that I think makes it challenging to build IoT and fun to pull it apart, ’cause you can also learn stuff. There’s protocols in IoT that you’ll never see anywhere else that somebody dug up from somewhere, or that are really new and really fun to play with, like I think Fotios, isn’t this the first book that we know of that talks about LoRaWAN?
0:24:46.8 FC: Yeah, exactly. LoRa and LoRaWAN, the long range protocol, widely used in farms and containers for smart sensors that need to be low powered and also cover at the same time super long range, so there wasn’t really… So they have to find some balance between saving energy and making these sensors last for maybe five or even 10 years, and at the same time, being able to cover a long distance, so things protocols like WiFi or 4G wouldn’t be up to that because obviously they waste a lot of energy. And then other protocols that are shorter range, like Zigbee, again wouldn’t cut the job. We realize that LoRa hasn’t really been explored yet out there. There was some research, like one or two presentations at DEFCON and a bunch of other security conference, but not really anything structure in terms of analyzing the protocol from scratch, and we dedicated the whole chapter on that to help readers both expose them to something that is new and exciting and I guess less common.
0:26:06.7 FC: At the same time raise awareness about how easy it is to, again, exploit some of the aspects of it that are usually a result of, again, misconfiguration or for example, some of the hard coding encryption keys that are meant to only be used in development or testing environments, and they might use that as a production environment which we’ve also seen in other hardware devices. For example, when you see an infusion pump having a JTAG exposed, which is actually the end product, you ask yourself why didn’t they remove that in… Why do they just keep it for their testing for their test beds? And of course, the obvious reply there from the vendor is that, “Okay, what if something goes wrong and we need to debug that and we have to come on site and do that?” And yeah, that’s a valid answer, but then probably take some extra security measures and not expose it unauthenticated, like if you are… We’ve seen cases where you just connect to the serial interface and you are immediately, you have a root shell on the device, which is ridiculous.
0:27:29.0 MM: I can’t count the number of times I saw that. And then Fotios to your point about wireless protocols, that was always my… When I worked in medical device security, as soon as soon as the development team said, “We’re not using Wi-Fi, we’re using our own radio protocol.” I was like, “Okay, big red flag, like You guys go immediately to the front of the line, we need to send people over there and help you guys out because I’m sure you did something.” Guys, we could do this all day. I love having you both on, we should do this again and get nerdy about other stuff, but I don’t wanna keep everybody forever. So the book’s called Practical IoT Hacking, it’s on Amazon and all the other places, but where can people find you guys? If I want to chat with you, if I want more of you all, where do I see you? Where do I find you to interact online, etcetera, etcetera. Beau?
0:28:19.4 BW: Yeah, I’m just @BeauWoods on Twitter at B-E-A-U-W-O-O-D-S. I’m not clever enough to actually come up with a decent handle, so that’s what I am on most social media platforms.
0:28:31.2 MM: And Fotios?
0:28:32.8 FC: I mean… Yeah, you can find me on Twitter. The handles Ithilgore, I-T-H-I-L-G-O-R-E. I also have my own personal website, sock-raw.org where I post most of my research, and you can also see all the papers and all that that I’ve written. We’re all out there on social media and LinkedIn, and it’s easy to find us with a single Google search.
0:29:02.7 BW: And look for us too at the RSA conference, we’re gonna be doing some things there, also teaming up with the IoT Village for some other events. We’re trying to get out there more, we’re trying to make sure that people know how to, again, safely and lawfully understand how to hack IoT devices.
0:29:19.6 MM: That’s awesome. Alright, Beau and Fotios, thanks again for coming on. This was a blast, and we’ll chat again soon.
0:29:26.3 FC: Thank you for having us.
0:29:29.8 S1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
If you have ideas for topics, guests, or technical tips, contact [email protected]