Watch and read the full transcript of computer science professor Avi Rubin’s TEDx Talk: All Your Devices Can Be Hacked at TEDxMidAtlantic 2011 Conference.
Avi Rubin – Computer science professor
Thank you, Dave. Good morning everyone. I’m a computer science professor, and my area of expertise is computer and information security. When I was in graduate school, I had the opportunity to overhear my grandmother describing to one of her fellow senior citizens what I did for a living. Apparently, I was in charge of making sure that no one stole the computers from the university. And you know, that’s a perfectly reasonable thing for her to think, because I told her I was working in computer security, and it was interesting to get her perspective.
But that’s not the most ridiculous thing I’ve ever heard anyone say about my work. The most ridiculous thing I ever heard is, I was at a dinner party, and a woman heard that I worked in computer security, and she asked me if — she said her computer had been infected by a virus, and she was very concerned that she might get sick from it, that she could get this virus. And I’m not a doctor, but I reassured her that it was very, very unlikely that this would happen, but if she felt more comfortable, she could be free to use latex gloves when she was on the computer, and there would be no harm whatsoever in that.
I’m going to get back to this notion of being able to get a virus from your computer, in a serious way. What I’m going to talk to you about today are some hacks, some real world cyber-attacks that people in my community, the academic research community, have performed, which I don’t think most people know about, and I think they’re very interesting and scary. And this talk is kind of the greatest hits of the academic security community’s hacks. None of the work is my work. It’s all work that my colleagues have done, and actually I asked them for their slides and incorporated them into this talk.
So the first one I’m going to talk about are implanted medical devices. Medical devices have come a long way, technologically. You can see in 1926 the first pacemaker was invented. 1960, the first internal pacemaker was implanted — hopefully a little smaller than that one that you see there — and the technology has continued to move forward.
In 2006, we hit an important milestone from the perspective of computer security. And why do I say that? Because that’s when implanted devices inside of people started to have networking capabilities. One thing that brings us close to home is we look at Dick Cheney’s device, he had a device that pumped blood from an aorta to another part of the heart, and as you could see at the bottom there, it was controlled by a computer controller. And if you ever thought that software liability was very important, get one of these inside of you.
Now what a research team did was they got their hands on what’s called an ICD. This is a defibrillator, and this is a device that goes into a person to control their heart rhythm, and these have saved many lives.
Well, in order to not have to open up the person every time you want to reprogram their device or do some diagnostics on it, they made the thing be able to communicate wirelessly. And what this research team did is they reverse engineered the wireless protocol, and they built the device you see pictured here, with a little antenna that could talk the protocol to the device, and thus control it. In order to make their experience real — they were unable to find any volunteers — and so they went and they got some ground beef and some bacon and they wrapped it all up to about the size of a human being’s area where the device would go, and they stuck the device inside it to perform their experiment somewhat realistically.
They launched many, many successful attacks. One that I’ll highlight here is changing the patient’s name. I don’t know why you’d want to do that, but I sure wouldn’t want that done to me. And they were able to change therapies, including disabling the device — and this is with a real, commercial, off-the-shelf device — simply by performing reverse engineering and sending wireless signals to it. There was a piece on NPR that some of these ICDs could actually have their performance disrupted simply by holding a pair of headphones onto them.
Now, wireless and the Internet can improve health care greatly. There are several examples up on the screen of situations where doctors are looking to implant devices inside of people, and all of these devices now, it’s standard that they communicate wirelessly, and I think this is great, but without a full understanding of trustworthy computing, and without understanding what attackers can do and the security risks from the beginning, there’s a lot of danger in this.