The Biohacking Village, in collaboration with I Am The Cavalry, runs a Medical Device Lab at DEF CON to improve trust and trustworthiness of the public health system. The Lab is a high-trust, high-collaboration environment where security researchers can learn and build their skills alongside patients, medical device makers, hospitals, the FDA, and others. We welcome participants who will act in good faith, in the best interest of patients, when researching, disclosing, and addressing security issues.
Medical Device Makers at the Biohacking Village
As part of their product security programs and their proactive efforts to test their products and enhance the cybersecurity of their medical technologies, select medical device makers are teaming up with the Biohacking Village. These manufacturers are inviting security researchers to learn about and test their products in dedicated spaces set aside for them. Their staff will answer questions, educate researchers, and triage any potential security issues. Researchers who perform testing should expect to follow the manufacturers’ published coordinated vulnerability disclosure policy and report any potential issues found so they can be addressed.
Bring Your Own Medical Device
Security researchers and others are also bringing devices, and there should be enough to go around. Some of these will require special tools and knowledge, so bring software defined radios, device manuals, and whatever else you think might help you research them. We expect researchers who perform testing on any devices in the lab will follow the manufacturers’ coordinated vulnerability disclosure policy and report issues found, where possible.
Medical Device Capture the Flag (MedCTF)
Hackers work to defend a hospital under siege, racing against the clock. The team from the Mayo Clinic who built our learning CTF last year are back with much, much more. The California Cybersecurity Institute at Cal Poly is bringing their expertise in stage design and CTFs to the mix. The immersive, “learn by doing” environment will challenge hackers to use their skills to anticipate, defend, and recover, as their adversary escalates their attacks throughout the DEF CON weekend. More details will follow, closer to the event.
Coordinated Vulnerability Disclosure
We believe that the Biohacking Village can save lives through security research. To do so, security researchers and medical device makers must be mindful that vulnerability discovery, disclosure, and remediation in public safety contexts must be handled with both due haste and due care. We have volunteers from CERT/CC, the US DHS, MITRE, and the US FDA on hand to facilitate disclosures and provide other resources as well. Security researchers who take the Device Lab pledge, to act in the best interest of patients and to disclose potential vulnerabilities to the manufacturer in good faith, are welcome to participate in our Open Security Testing.
We’re building out other resources that will be available for researchers to get started testing medical devices. We’ll have some tools, information, education, and training available to help you get started. If you have any to add, hit us up on Twitter or in the lab.
Government Security Documentation and Guidance
Industry and Civil Society Documents
OWASP Secure Medical Device Deployment Standard - v1 (v2 posts on the 8th)
The Device Lab’s 2,600 square feet will become a replica hospital filled with real and simulated medical devices. Thousands of hackers and dozens of representatives from the healthcare ecosystem will pass through our doors over the weekend of August 8-11, 2019. We hope to catalyze awareness and understanding of the complex healthcare cybersecurity landscape, as well as educate and train more people who can save lives through security research.
Lab Hours and Layout
Fri & Sat 10:00am - 6:00pm
Sun 10:00am - 12:00pm
The Lab space will be laid out to resemble a hospital, with walls made to look like the rooms we are portraying. The Cal Poly set design team is creating an immersive environment, with separate rooms for Radiology/PACS, Pharmacy, Laboratory, Surgical, and Patient/ICU/Neonatal.
Devices will be placed in a room appropriate for their function. We will hold both Open Security Testing and Capture the Flag (CTF) in the same space, with labels on each device clearly distinguishing which is which. We emphasize Our Values throughout, with particular emphasis on coordinated disclosure.
The Admitting/Registration area will be the first point of entry for the Village and will serve as an information desk, to show the researchers around, answer questions (technical, disclosure, etc.), and spot issues early.
On January 29, 2019, the FDA and the Biohacking Village launched the #wehearthackers initiative. The goal is to encourage healthcare ecosystem stakeholders to work collaboratively with security researchers at DEF CON. On the day the initiative launched, five device makers pledged to do just that: BD, Medtronic, Philips Health, Abbott, and Thermo Fisher. You can view our current list of medical device makers and others at wehearthackers.org.