The way from App to Brain: attack surfaces of smart medical infrastructure

Abstract

The concept of “SCADA for human” is central in focus of modern medicine. The realization of the systems that collects and proceed information about human body parameters, builds on current infrastructure and technology implementations. In the cases of some treatment procedures, data transferred via vulnerable medical networks and management software could be compromised, which could lead to an attacker being able to tamper with massive groups of patients at the same time. The goal of this talk is to provide the results of offensive research of networks and online-management software that uses in daily medical practice. We show not only typical entry points in medical infrastructure, but also highlight the vulnerabilities in software that popular with surgical teams, also permitted attackers to access sensitive data and even affect treatment procedures.

Outline

  • How to search vulnerabilities and misconfigurations in medical networks
  • What kind of threats you have to find there
  • Methodology of security analysis of corporate perimeter with “medical” specific
  • The kind of technologies that will be useful in battle against medical threats
  • The recommendation for IT-administrator how to protect your medical network”

Denis Makrushin

@difezza

Denis has gained diverse experience while working in the information security area. On the defensive side, as a Security Architect, he is responsible for building a security architecture of distributed IT infrastructure across various international business units for a global Fortune 500 company.
As a security researcher with the Global Research and Analysis Team at Kaspersky Lab, he was focused on vulnerability research and security assessment of emerging technologies. Based on his offensive expertise, he’s been a founder and leading expert in the development of a threat intelligence product.
Having graduated from the Information Security Faculty of the National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), he is continuing his research project related to methods of targeted attack detection as a Ph.D. candidate
Denis has presented at many public international security conferences, including Defcon, RSA Conference, CARO, BSides, Infosecurity, as well as multiple closed-door invite-only security industry events.