Upload File

def con 24: reverse engineering biomedical equipment for fun and open science

47
Reverse engineering biomedical equipment for fun and open science Charles Fracchia & Joel Dapello BioBright DEFCON BioHacking Village - Aug 6 2016

Upload: ryan-m-harrison

Post on 09-Apr-2017

194 views

Category:

Devices & Hardware


2 download

Report

TRANSCRIPT

Page 1: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Reverse engineering biomedical equipment for fun and open science

Charles Fracchia & Joel DapelloBioBright

DEFCON BioHacking Village - Aug 6 2016

Page 2: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

What to expect from this talk

1. What is a biolab & its equipment

2. How we reverse engineered two pieces of equipment

3. Call to arms: how YOU can help

Page 3: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

The Bio Lab

Page 4: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

The Bio Lab

Page 5: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

“This is my [pipette]. There are many like it, but this one is mine.” - Rifleman’s Creed, adapted by Prof. John Castorino

Page 6: DEF CON 24: Reverse engineering biomedical equipment for fun and open science
Page 7: DEF CON 24: Reverse engineering biomedical equipment for fun and open science
Page 8: DEF CON 24: Reverse engineering biomedical equipment for fun and open science
Page 9: DEF CON 24: Reverse engineering biomedical equipment for fun and open science
Page 10: DEF CON 24: Reverse engineering biomedical equipment for fun and open science
Page 11: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

What should have happened

≠What actually happened

Page 12: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

But Wait!

Page 13: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Reverse engineering a pipette

Page 14: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

What is a pipette?

The equivalent of the computer mouse for biological research

Single-channel Multi-channel

Page 15: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

How does a pipette work?

Page 16: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Electronic pipettes

Page 17: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Toys

Logic analyzerOscilloscope

Page 18: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 1: choose target carefully

Criteria:

● Easy to obtain● Made by a leading brand (aka trusted)● Elegant hack:

○ One that could be used by anyone○ No irreversible modifications

Page 19: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 1: choose target carefully

Mettler Toledo / Rainin EDP3 Plus

✔ Purchasable on eBay

● around $50

? Remote control

● mentioned on product sheet, but no details

Page 20: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 2: hunt for more documentation

Page 21: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 2: hunt for more documentation

Page 22: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 2: REMOTE CONTROL !!!

Page 23: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

But... Heu, can I haz remote

control softwarez

plz?

No.Discontinued

product...

Page 24: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Heu, can I haz remote

control softwarez

plz?

“I think I have one in

a secret stash in the

factory”

Step 3: find an engineer

Page 25: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 4: find remote control port

Oh hi there :)

Page 26: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 4: figure out pinout

Page 27: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 4: figure out pinout

Try pressing a button while sniffing

but nothing...

Page 28: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 4: figure out pinout

How about using the software?

Success! Here’s the FW version: 1.5

Page 29: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 4: figure out pinout

We have a pinout

Page 30: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 5: make it easy for others to use

This hack enables actual remote control

Use the simple board to relay messages via XBee

You can even use encryption on the XBee link

Page 31: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 6: document the comms

Page 32: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Other machines?

Page 33: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Reverse engineering a -80ºC freezer

Page 34: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 1: find documentation

Page 35: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 1: find documentation

Page 36: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

But...

Hmm, more details please?

Page 37: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 2: collect samples from the RS-232 port

Sending random characters through the port yields interesting behavior

● “N” → Dumps NVRAM

● “T” → Temperature packet

Page 38: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 3: reverse temperature encoding

Increase the temperature by known amounts and collect the temperature bytes

Still a bit cryptic, until...

Page 39: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 3: reverse temperature encoding

This is very likely to be linear !

Calculate the slope: m = ( 20221 - 20608 ) / ( -87 + 84 ) = 129

Get the Y-intercept: 31444 → 243.75ºC

Hmm, strange: 0 Kelvin → -243.15 not 243.75ºC

Temp ºC ≈ n/129 - 243.75

Page 40: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Step 4: make it easy to use for biologists

Complete with alerts & maintenance/downtime prediction algorithms !

Page 41: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Transform the way biology is done

Page 42: DEF CON 24: Reverse engineering biomedical equipment for fun and open science
Page 43: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

These tools are essential in curing disease, finding new drugs, etc.

Page 44: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

What we need help with

Create a repository of open & interoperable device “drivers”

Create a framework to teach these skills to biologists and doctors

Recruit hackers & reverse engineers to this cause

Page 45: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

We need the Arduino & Redhat for Biology

Page 46: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

open @ biobright.org

Contact us!

Page 47: DEF CON 24: Reverse engineering biomedical equipment for fun and open science

Questions?


DEF CON 23 Presentation CON 23/DEF CON 23... · DEF CON 23 Presentation Keywords: DEF CON Conference, DEF CON, DEFCON, Speeches, Hacking, Hackers, Hacker Conference, Computer Security,

SimBios: NIH Center for Biomedical Computation · [ATP] = 1 mM, forward force 2 pN [ATP] = 1 mM, reverse force 2 pN [ATP] = 10 μ M, forward force 2 pN [ATP] = 10 μ M, reverse force

Ransomware on the Mainframe Checkmate! · –DEF CON, Derbycon, SHARE, RSA 2017, others • Mainframe security consultant • Reverse engineering, networking, forensics, development

Reverse Engineering of Biomedical Elaborated Signal-Introduction

DEF CON 25 Hacker Conference CON 25/DEF CON 25 presentations/DEF CON 25 - 0ctane...reverse engineering Intel ME Technical Overview ... Linux and all programs run on the FPGA, so we

Network Protocol Reverse Engineering - DEF CON CON 24/DEF CON 24 presentations/DEF… · Network Protocol Reverse Engineering ... Linux, Mac •Scapy –Python based, extensible •Fuzzing

REVERSE ENGINEERING BRENT IN UNDER 10 MINUTES STONE CON 27/DEF CON 27 presentations/DEF… · Ducange, G. Mannara, F. Marcelloni, R. Pecori, and M. Vecchio, "A novel approach for

Moura Minor - mourass.eq.edu.au€¦ · Aussies V Red Knights draw R346 def Soy Sauce Wallabies def Jackaroos Parra Eels def Mustangs Jackaroos def Fast N Furious 2 Aussies def Crystals

Mixing Worlds - complang.tuwien.ac.at · { 4 dict begin m2 exch def m1 exch def } aload pop %/3add { add add add } /def load 0 1 3 {/i exch def 0 1 3 {/j exch def 0 1 3 {/e exch def

Hi-Def Jazz HI-DEF MASTER

Presentación3 def

Western GloBal DiESEL FuEL & DEF TANkS · KleerBlue DEF TANkS KleerBlue provides Def tanks of many volume levels for dispensing, storing, or blending Def. Island friendly DEF storage

Introduction to OVAL - NIST · OVAL ID Format Globally unique urn oval : org.mitre.oval : def : 123 four parts prefix ‘oval’ organization DNS name (reverse order) ID type (def,

DEF CON 26 HACKING CONFERENCE CON 26/DEF CON 26 receipt.pdf · Title: DEF CON 26 HACKING CONFERENCE Author: DEF CON 26 Subject: DEF CON 26 RECEIPT Keywords: DEF CON Conference, DEF

Leckey Def

Reverse Engineering CAN Messages on Passenger Automobiles CON 21/DEF CON 21... · –KW2000 –LIN –J1850 (GM/Chrysler) –J1939 (Heavy Trucks) –J1708/J1587 (Being phased out

HOW DEF WORKS Establish Your DEF Needs Ensure DEF …Sheets... · UltraPure Diesel Exhaust Fluid Safety • Quality • Reliability • Efficiency • Integrity Delivering DEF to

New “Extreme IP Backtracing” - DEF CON CON 10/DEF CON 10... · 2020. 5. 16. · whois (IP) If a reverse DNS query on the IP address fails to turn up any results, the next place

A HIgH-Def PIcTure DeMAnDS HIgH-Def SounDimages.klipsch.com/HDTheaterBrochure_635042120087810000.pdf · A HIgH-Def PIcTure DeMAnDS HIgH-Def SounD FIVE SPEAKERS + SUBWOOFER. HD THEATER

Network Protocol Reverse Engineering - DEF CON CON 24/DEF CON 24...Katea Murray –[email protected] 2016-08-05 Estell/Murray Eavesdropping on the Machines 28. Title: DEF CON 24

Reverse-engineering 4G hotspots - media.defcon.org CON 27/DEF CON 27 presentations/DEFCON-27... · ZTE MF910 - System architecture The system itself is really familiar, nothing particularly

Biomedical Research WorkforceResearch Workforce Working Group · • August 5, 2011 –one day meeting of modeling sub‐committee in Cambridge, MA – Def ... (see next slides),

TUNNEL Winterbourne Stoke BYWAY 12 6000 GREEN … · Def CF ED Bdy Def Def ED Bdy Stone ED Bdy Def Long Barrow Tumuli Tumulus Tumuli Tumulus Tumuli Def CF Stonehenge Bottom ED Bdy

Dissecting the Teddy Ruxpin: Reverse Engineering the Smart ... CON 26/DEF CON 26... · Dissecting the Teddy Ruxpin: Reverse Engineering the Smart Bear By: @Zenofex Bio • @Zenofex

Presentation def

DEF CON 25 Hacker Conference CON 25/DEF CON 25 presentations/DEF… · $ python c2960-lanbasek9-m-12.2 ... DEF CON 25 Hacker ... Subject: DEF CON 25 Presentation Keywords: DEF CON

Section 1: DEF 14A (DEF 14A) - Celanese

Gernot Hoffmann Bézier Curves - Albert Einstein.../x0 ci 1 get def /y0 ci 2 get def /x1 ci 4 get def /y1 ci 5 get def /x2 ci 7 get def /y2 ci 8 get def /n1x x2 x0 sub kf mul def /n1y

Detecting Blue Team Recon With Ads - media.defcon.org CON 26/DEF CON 26 presentations/DEF… · Title: DEF CON 26 Hacking Conference Author: DEF CON Speaker Subject: DEF CON 26 Presentation

def def def TERENA AR 04

Having fun with IoT: Reverse Engineering and Hacking of ... CON 26/DEF CON 26... · • ARM Cortex-A • ARM Cortex-M –Marvell 88MW30X (integratedWiFi) –Mediatek MT7687N (integrated

61 T4*h Def ( Def ( ISI 2. Def ) 00 CD CCD (3T4*h Def ( Def ( ISI 2. Def ) 00 CD CCD (3 Author 高橋光成 Created Date 3/22/2012 4:27:23 AM

QUICK START GUIDE - Snap-on · abc def abc def abc def abc def ®® ® ® abc def abc def abc def abc def abc def abc def abc def abc def abc def ghi jkl mno abc def

Base Model Type Inlets Diesel + DEF · 8/7/2015  · Base Model Type Inlets Diesel + DEF Products Dispensed Diesel + DEF Diesel Hoses Per Side + DEF (One Side Only) HS4/V387Dx/(DEF)4R/W3

Catalog Def