Comments on the FDA Postmarket Draft Guidance

On January 15, 2016, the U.S. Food and Drug Administration released Draft Guidance on Postmarket Management of Cybersecurity in Medical Devices. This guidance details and clarifies the FDA’s expectations for managing security vulnerabilities in medical devices currently on the market. It also introduces a new incentive for manufacturers to follow one particular path to vulnerability management that the FDA favors. We think security researchers will too!

The FDA draft guidance states that it expects manufacturers to have a coordinated disclosure program! This statement, while it doesn’t carry the force of law, is still a powerful signal to medical device makers who don’t already have one in place that they need to get that ball rolling (Philips, Draeger, GE, and Medtronic all have methods to disclose vulnerabilities, by the way).

I Am The Cavalry submitted our comments and they are now publicly posted (PDF).

Hardwear.io, BruCON, and Virus Bulletin 2015

If you’re in Europe in late September and early October, there are a handful of conferences for you to check out. Hardwear.io is a first-year conference focusing on hardware hacking. The venerable BruCON is back for its 0x07th year running, and the Virus Bulletin Conference celebrates its 25th year! This makes for a pretty amazing 10-day tour package. If you couldn’t slip away for the Vegas conferences this year, see if you can make it out for these.

Hardwear.io (September 29-October 2 | The Hague)

Hardwear.io has a pretty impressive-looking lineup for a first-year conference in a specialty area. This one is focused on hardware, with trainings September 29-30 and briefings October 1-2. Here’s a sample of the goodness.

Jon Callas (Silent Circle & Blackphone) will be keynoting, as will Harald Welte (Sysmocom and other Open Source projects). Jon’s talk looks interesting – Everything is broken and always will be, we MUST be able to fix it remotely.

I’ll be moderating a C-level panel discussion with Jaya Baloo (CISO of the Dutch Telecom company KPN), Jasper Woudenberg (CTO Riscure from North America), and Christopher King (CERT/CC).

Other notable talks and trainings:

  • Security of Medical Devices | Florian Gunrow
  • Semantics-aware Intrusion Detection for ICS | Ömer Yüksel
  • Off-the-shelf embedded devices as research platforms | Lucian Cojocar & Herbert Bos
  • Low Level Hardware Reversing | Javier Vazquez Vidal & Henrik Ferdinand Nölscher
  • Integrated Circuit Security 101 | Olivier Thomas & Dmitry Nedospasov

BruCON (October 5-9 | Ghent)

BruCON is one of the premier security community conferences globally. It’s now back for its 7th year and promises to be pretty awesome! They’ll run trainings from October 5-7 and briefings October 8-9. I Am The Cavalry will run a workshop (stay tuned for details). Other noteworthy trainings, talks, and workshops:

  • Offensive IoT Exploitation | Aditya Gupta and Aseem Jakhar
  • Assessing and Exploiting Control Systems | Don C. Weber
  • Brain Waves Surfing – (In)Security in EEG (Electroencephalography) Technologies | Alejandro Hernandez
  • Hacking as Practice for Transplanetary Life in the 21st Century: How Hackers Frame the Pictures in Which Others Live | Richard Thieme
  • A Hands On Introduction To Software Defined Radio | Didier Stevens

The ICS village will be a new addition this year, so if you missed it at DEF CON, come see if you can learn how those control systems work – and how to break them.

Unrelated to I Am The Cavalry, but really cool: a DJ Workshop by Ocean Lam, Count Ninjula and Keith Myers!

Virus Bulletin Conference (September 29-October 2 | Prague)

Claus Cramon Houmann will be addressing the 25th annual Virus Bulletin Conference (VB2015) in Prague, Czech Republic. His will be a collaborative session, first introducing I Am The Cavalry and then brainstorming how to make an impact in Europe. If you’re going to be there, or nearby, come by and join the conversation!

Hope to see you at one or more of the events!

Monthly Update: April

We had a full track of Cavalry-esque presentations at SOURCE Boston, and all of the keynotes ended up having some overlap. Our workshops at THOTCON and BSides Chicago were great! Thanks to all those who presented and those who participated. Craig Smith of Open Garages did a great introduction to Car Hacking and a hands-on demo. Scott Erven presented on research he’s done on medical device security issues and gave an introduction to the issues in the field.