THE KEY

LAS VEGAS — Ten of the nation’s top medical device companies will give hundreds of ethical hackers free rein this weekend to poke and prod their pacemakers, drug infusion pumps and other devices — and look for bugs that could hurt people or even end their lives if they're exploited by criminals. 

And the hacks will take place out in the open — in a realistic hospital replica here at the Planet Hollywood Casino that includes hospital rooms, a lab for bloodwork, and neonatal and intensive care units. 

“Medical devices are lifesaving and life preserving, but they also can have flaws that could put someone’s life at risk,” Beau Woods, who organized the Medical Device Lab at this year’s Def Con cybersecurity conference, told me. “So, we’re trying to create a safe space to bring security researchers and medical device manufacturers together.” 

That marks a massive shift since 2011, when cybersecurity researcher Jay Radcliffe first demonstrated how he could hack his own implantable insulin pump at Def Con's sister conference Black Hat.

Back then, Radcliffe got fierce blowback from the insulin pump maker Medtronic and from the broader device industry. Most medical device companies viewed hackers who tried to point out digital bugs in their products with a mix of suspicion and hostility — and worried that they were either exaggerating dangers or giving malicious hackers a road map to hurt patients.

Now, the medical device event is among Def Con’s biggest live hacking events. And medical device makers are engaging with the hackers far more than other industries have been willing to in similar efforts to test their products at the conference. This year, vendors have submitted 40 medical devices for hackers to test, compared with about 10 last year.

And the U.S. government is on board, too. “In 2011, researchers felt they had no other recourse than getting onstage at Black Hat and doing a live demo of a potential hack to grab the industry’s attention,” Suzanne Schwartz, leader of a Food and Drug Administration division that focuses on medical device cybersecurity, told me. “After that, we really saw the need to bring everyone to the table.”

Since 2011 the FDA has released a series of rules urging device makers to vet their own products for digital vulnerabilities and to have a formal process for dealing with bugs found by outside researchers.

At a conference in January, the FDA urged companies to bring their medical devices to Def Con to face hackers in an effort Schwartz compared to the viral “ice bucket challenge” aimed at funding research to combat ALS. The agency also launched a webpage titled “Wehearthackers” where it publicized the companies that agreed to bring their products to Def Con.

“There have been some real growing pains in the process and we wanted the industry to see that FDA really values working together with [cybersecurity] researchers,” Schwartz told me.

Among the device makers that are participating this year is Medtronic, which is bringing a newer generation of its insulin pump for hackers to examine for bugs.

“There’s been a shift, not only at Medtronic, but industrywide,” Erika Winkels, a Medtronic spokeswoman, told me. “Security’s evolved … Medtronic has really made a concerted effort to embrace this community and we recognize the value they bring.”

Def Con's medical device “village,” as hacking efforts are called at the conference, is also trying to bring in other groups that deal with medical devices. 

The medical device company Abbott, which funded the mock hospital built by California Polytechnic State University’s California Cybersecurity Institute, is bringing a team of doctors to pair up with cybersecurity researchers doing the hacking.

“It really helps to create that hospital environment for the [cybersecurity] researchers to work,” Chris Tyberg, vice president of Abbott’s product security division, told me. “It will help them understand how these devices are really used, how they fit into the clinical setting, how a patient really uses this.”

The FDA has also invited patients with implanted medical devices to weigh in at the village, some of whom are also cybersecurity researchers, Schwartz told me.

“There is no intent toward making [patients] into subject matter experts, but certainly they need to speak the same language,” she told me, “to be able to have significant enough understanding that they can make that benefit-risk calculus so we can have an informed dialogue with patients around what those cybersecurity risks are.”

This is the last Cybersecurity 202 newsletter this week, due to the congressional recess schedule. Stand by for more news on the collaboration between the government and ethical hackers in Las Vegas in next week's editions.

PINGED, PATCHED, PWNED

PINGED: An infiltration by suspected Iranian hackers into Bahraini government computer networks has raised fears that the Iranian government may be ramping up cyberattacks in the region — and that the United States could be next, Bradley Hope, Warren P. Strobel and Dustin Volz at the Wall Street Journal report. The attacks follow warnings from U.S. officials that Iranian hackers could target the U.S. private sector after tensions between the countries escalated last month over Iran’s nuclear program.

The hackers broke into Bahrain’s National Security Agency, Ministry of Interior and the first deputy prime minister's office, sources told the Journal. Hackers may have first executed a “test run of Iran’s capability to disrupt the country” by hacking into the systems of the Bahrain Electricity and Water Authority and a prominent aluminum company two weeks before.

Two former U.S. government officials confirmed the incidents to the Journal, comparing the intrusions to two hacks against Qatar and Saudi Arabia in 2012 that used malware potentially tied to Iran. Bahrain has not confirmed Iran's involvement.

“Iran uses targets in the Middle East to sort of test capabilities before bringing them [to the U.S.]” a former senior U.S. intelligence official told the Journal. Iran has targeted the U.S. private sector with cyberattacks before, including a barrage of denial of service attacks against U.S. banks after the Obama administration imposed new economic sanctions against the nation in 2012.

PATCHED: Three Republican senators want answers from Google about a reportedly scrapped project with Huawei to develop a smart speaker that could have accessed the voice recordings of millions of Americans. The letter comes amid widespread conservative criticism of Google's relationship with China, which President Trump has threatened to investigate. 

“[I]t is hard to interpret your decision to help Huawei place listening devices into millions of American homes as anything other than putting profits before country,” Sens. Marco Rubio (R-Fla.), Josh Hawley (R-Mo.) and Tom Cotton (R-Ark.) wrote in a letter to Google CEO Sundar Pichai. The lawmakers asked the company why it continued working with Huawei even after the Justice Department indicted the company and its chief financial officer for violating sanctions against Iran.

Google reportedly suspended its project with Huawei, which intelligence officials worry could assist Chinese government spying, after the Commerce Department barred U.S. companies from supplying parts to Huawei in May, the Information reported. The senators want to know whether Google would resume the project if the ban was lifted and what, if any, national security vulnerabilities the company learned about while pursuing the project.

PWNED: An anti-Trump Republican group is releasing a new television ad encouraging Senate Majority Leader Mitch McConnell (R-Ky.) to stop blocking election security legislation from being considered by the chamber. 

“Our elections are under attack. Every member of Congress took an oath to defend America from all enemies, both foreign and domestic,” Republicans for the Rule of Law spokesman Chris Truax wrote in a statement. “It is time that Congress and Mitch McConnell lived up to that oath.”

The ad features clips of Trump saying he might take foreign intelligence from Russia and dismissing intelligence community warnings that Russia will interfere in the 2020 election. The group slammed McConnell for claiming the election security legislation he’s blocking is partisan, noting that three of the currently stalled bills have Republican co-sponsors.

The group includes Republican lawyers, among them former members of the Bush and Reagan administrations. It previously released ads accusing Trump of obstructing justice and has criticized Republican members of Congress for attempting to discredit the Mueller investigation.

PUBLIC KEY

— Cybersecurity news from the public sector:

Mick Baccio, the Buttigieg pick for CISO, was branch chief of White House Threat Intelligence.
Politico
The inspector general warned exposure could “have a serious negative impact to the Postal Service brand.”
NextGov
The Department of Defense, the General Services Administration and the National Aeronautics and Space Administration issued an interim rule Wednesday banning federal purchases of telecommunications equipment from Huawei and four other Ch
The Hill
Electric utilities are particularly vulnerable to cyber threats, experts say, in part because fixing security flaws can interrupt services and few of their employees have security clearances that let them receive timely government alerts.
Wall Street Journal
PRIVATE KEY

— Cybersecurity news from the private sector:

Why break into a company’s network when you can just walk right in — literally? Gone could be the days of having to find a zero-day vulnerability in a target’s website, or having to scramble for breached usernames and passwords to break through a company’s login pages. And certain…
TechCrunch
Hackers could crack open high-security electronic locks by monitoring their power, allowing thieves to steal cash in automated teller machines, narcotics in pharmacies and government secrets.
Documents, screenshots, and audio obtained by Motherboard show that humans listen to Skype calls made using the app's translation function.
Vice
State Farm suffered a credential stuffing attack in July and is now notifying impacted customers.
ZDNet
THE NEW WILD WEST

— Cybersecurity news from abroad:

In a first for China-based group, FireEye said, the APT hackers are using malware typically reserved for spying for personal gain.
CyberScoop