by Ashini K Ekanayake

Deep in Las Vegas, in the middle of a workshop on cryptography in the Planet Hollywood Resort and Casino convention hall, a hospital will be up and running – or at least that’s what it looks like on the surface. Visitors to this workshop will wander through the various departments of the hospital, chock full of medical devices meant to be hacked by the guests.

The previous iteration of the Medical Device Village contained a small table where a few devices lay for the guests to hack. However, this casual approach proved insufficient due to persistent stories surrounding the hacking of pacemakers and insulin pumps, as well as the pervasive threat of malware worming its way into vulnerable hospital records. Hence, they decided that the 2019 version of the village would go all out to simulate the likeness of a functional hospital. This development of allowing hackers only came recently, where medical devices only won a Digital Millennium Copyright Act exemption in 2016, which allowed researchers to hack these devices without breaking the law.

Past instances of the Medical Device Village had led to some important conversations, as well as security findings, and this year’s version aimed to beat that by also including a formal “capture the flag” hacking competition, which involved a heavier focus on hands-on hacking. It also demonstrates that there is much more at risk than just pacemakers and insulin pumps, due to the presence of sensors, scanners and PCs which are rife with sensitive data. This venture was funded by medical device makers such as Philips health and Medtronic. The village takes the form of an immersive hospital setting complete with hospital rooms and a full complement of medical gadgets as you walk through.

The organizers of the village state that medical device security has improved greatly over the past decade due to the minute amount of research allowed on their reliability. The village will provide these hackers with both new and old devices to work with and tear down. It was discovered that one of the main mistakes which leads to the downfall of some medical devices in the past was that after the set up or maintenance of the medical device, the device was left in the configuration mode rather than locking it down in “clinical mode”. This makes it even easier for hackers to access the vulnerable information. Hence, manufacturers have learnt to design both systems to make them both more secure.

Through this medical village, numerous medical devices, never before evaluated by security researchers, were looked into and analyzed. The main aim of this village was to build an interest in the hacking community towards aiding research and educate researchers that these resources are available for disclosure.