TY - CHAP A1 - Puschner, Endres A1 - Saatjohann, Christoph A1 - Willing, Markus A1 - Dresen, Christian A1 - Köbe, Julia A1 - Rath, Benjamin A1 - Paar, Christof A1 - Eckardt, Lars A1 - Haverkamp, Uwe A1 - Schinzel, Sebastian T1 - Listen to Your Heart: Evaluation of the Cardiologic Ecosystem T2 - ARES 2021: The 16th International Conference on Availability, Reliability and Security N2 - Modern implantable cardiologic devices communicate via radio frequency techniques and nearby gateways to a backend server on the internet. Those implanted devices, gateways, and servers form an ecosystem of proprietary hardware and protocols that process sensitive medical data and is often vital for patients’ health. This paper analyzes the security of this Ecosystem, from technical gateway aspects, via the programmer, to configure the implanted device, up to the processing of personal medical data from large cardiological device producers. Based on a real-world attacker model, we evaluated different devices and found several severe vulnerabilities. Furthermore, we could purchase a fully functional programmer for implantable cardiological devices, allowing us to re-program such devices or even induce electric shocks on untampered implanted devices. Additionally, we sent several Art. 15 and Art. 20 GDPR inquiries to manufacturers of implantable cardiologic devices, revealing non-conforming processes and a lack of awareness about patients’ rights and companies’ obligations. This, and the fact that many vulnerabilities are still to be found after many vulnerability disclosures in recent years, present a worrying security state of the whole ecosystem. Y1 - 2021 U6 - http://nbn-resolving.de/urn/resolver.pl?urn:nbn:de:hbz:836-opus-139012 ER - TY - JOUR A1 - Brinkmann, Marcus A1 - Dresen, Christian A1 - Merget, Robert A1 - Poddebniak, Damian A1 - Müller, Jens A1 - Somorovsky, Juraj A1 - Schwenk, Jörg A1 - Schinzel, Sebastian T1 - ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication JF - 30th USENIX Security Symposium Y1 - 2021 UR - https://www.usenix.org/conference/usenixsecurity21/presentation/brinkmann ER - TY - JOUR A1 - Willing, Markus A1 - Dresen, Christian A1 - Gerlitz, Eva A1 - Haering, Maximilian A1 - Smith, Matthew A1 - Binnewies, Carmen A1 - Guess, Tim A1 - Haverkamp, Uwe A1 - Schinzel, Sebastian T1 - Behavioral responses to a cyber attack in a hospital environment JF - Nature -- Scientific Reports N2 - Technical and organizational steps are necessary to mitigate cyber threats and reduce risks. Human behavior is the last line of defense for many hospitals and is considered as equally important as technical security. Medical staff must be properly trained to perform such procedures. This paper presents the first qualitative, interdisciplinary research on how members of an intermediate care unit react to a cyberattack against their patient monitoring equipment. We conducted a simulation in a hospital training environment with 20 intensive care nurses. By the end of the experiment, 12 of the 20 participants realized the monitors’ incorrect behavior. We present a qualitative behavior analysis of high performing participants (HPP) and low performing participants (LPP). The HPP showed fewer signs of stress, were easier on their colleagues, and used analog systems more often than the LPP. With 40% of our participants not recognizing the attack, we see room for improvements through the use of proper tools and provision of adequate training to prepare staff for potential attacks in the future. Y1 - 2021 U6 - http://dx.doi.org/10.1038/s41598-021-98576-7 ER -