Coming to DEF CON? Here’s What to Expect—and How to Prepare for Next Year’s Biohacking Village


By Scott Hanson, MedSec


DEF CON 29 (2021) is coming up August 5-8, and medical device manufacturers should be there. Not sure what to expect? Read on. We’ve got tips to help you get the most out of this year’s event and start preparing for the Biohacking Village at DEF CON 2022.

A Safe Place to Engage with the Hacking Community

DEF CON is one of the largest and longest-running hacker conferences in the world, attracting everyone from underground hackers to cybersecurity professionals to government and corporate representatives. A lot of the action at DEF CON centers around themed “Villages” for different interests. For medical device manufacturers, the Biohacking Village is the place to be. The Biohacking Village brings together researchers, device manufacturers, hacktivists and others with an interest in healthcare cybersecurity into a shared space that includes workshops, meet-and-greet opportunities, a healthcare-focused “Capture the Flag” contest, and of course, the Device Lab.

DEF CON takes place in early August in Las Vegas each year, usually right after the annual Black Hat and BSides Las Vegas conferences. Black Hat and DEF CON both focus on cybersecurity, but they have a very different feel and approach: compared to the relatively staid, corporate environment at Black Hat, DEF CON is the wild west of hacking conventions.

For that reason, some medical device manufacturers have shied away from participation in the Biohacking Village at DEF CON. They shouldn’t. The Biohacking Village is a safe, controlled space for manufacturers to engage with cybersecurity professionals, amateur hobbyists and hacktivists, and even potential users of their devices. These may be people who are already trying to hack your device, whether you like it or not. Why not engage with them and hear what they have to say? This is your opportunity to open a conversation with knowledgeable experts and get their perspectives and advice on improving security for your devices. And, with a little preparation, the risks are much lower than you might think.

Here’s what you should know:

  • Discovering new vulnerabilities is not the main objective of the Biohacking Village. Most attendees are just there to learn about devices, not actually hack them. Overall, the Village is educational in nature and creates opportunities to open conversations that might otherwise never happen outside of the context of a formal coordinated vulnerability disclosure.
  • Attendees of the Device Lab (the space where you would give them access to your device) must sign the “Hippocratic Oath of Connected Medical Devices” and a Coordinated Vulnerability Disclosure (CVD) agreement, establishing some basic rules of engagement if a vulnerability is discovered. It provides time for the manufacturer and researcher to work together to choose an appropriate remediation and develop messaging before a vulnerability becomes public.
  • Your device is under your control at all times.
  • Medical device manufacturers are encouraged by the FDA to participate in the Biohacking Village at DEF CON and take the #wehearthackers pledge. #wehearthackers is a collaborative initiative between the medical device and cybersecurity communities to advance security maturity for the industry. Participation is one way to demonstrate your commitment to cybersecurity to the broader healthcare community.
  • You don’t have to participate in the Device Lab. If you just want to come and talk and listen, that’s fine, too. You’ll learn a lot just by attending.


What to Expect at DEF CON 2021

Biohacking Village will be completely online this year but will you be ready to attend in person next year?

This year’s DEF CON, DEF CON 29, will be a hybrid event due to continuing pandemic-related travel restrictions. While last year’s event was completely online, this year will combine some in-person events in Las Vegas while still providing online access to nearly everything for those attending from home. Participating in the virtual conference is a great way to engage with DEF CON for the first time. (Though you will miss some of the “flavor” of the conference and the more exciting in-person events.)

The Biohacking Village will be completely online for 2021. Booths or tables are normally provided in the Device Lab for participating medical device manufacturers to staff and display devices. Similar to last year’s virtual event, this year’s booth will be a virtual “meeting room” where people can engage with your team. This gives security researchers and users an opportunity to stop by and ask questions or bring up any concerns they have uncovered in an informal environment. This is a great way to educate the security community about your device so they better understand what it does, how it works and the context in which it is used. Remember, the event is for educational purposes, not sales, so stay on theme.

How to Prepare

Before diving into your first DEF CON, make sure you’re ready.

  • You will need a Discord account to participate virtually, so set one up before the event starts.
  • Prepare a reactive communication plan. Are you ready if a researcher presents on your product? Do you have approved social media responses prepared? Make sure everyone participating knows what (and how much) you want to communicate. Media training for all staff participants can be helpful.
  • If you are participating in the Device Lab, create a staffing plan so someone is always available during booth hours (either physical or virtual). Plan for what you want to show and how participants will access and interact with your device. Bring the product(s) for penetration testing as well as a one-page overview that describes what it is, how it is used and its interfaces. It is best to take smaller devices back to the hotel overnight.
  • Have information on your coordinated disclosure program and contacts for vulnerability reporting handy for anyone wishing to discuss a potential vulnerability they have discovered.
  • Review the agenda and decide which workshops and talks you would like to attend. These events provide great learning opportunities for your team and insights into the issues the security community is most concerned with right now.
  • If you’re looking for cybersecurity talent, come prepared with a job description and a hiring plan.

What to Do

Of course, we recommend participating in the Biohacking Village, even if you are not submitting a device to the Device Lab. You’ll find plenty of workshops, talks and discussion groups targeted to the medical device community.

Outside the Biohacking Village, there are plenty of other things to do.

  • We strongly recommend the “D0 N0 H4rm – A Healthcare Security Conversation” evening panel discussion on healthcare security hosted by Christian "quaddi" Dameff MD and Jeff "r3plicant" Tully. Check the DEF CON schedule for details. In the meantime, watch the video from last year’s panel.
  • Check out some of the other Villages to see what’s happening in cybersecurity across industries. Other Villages include Aerospace, Payments, AI, Voting, Passwords, Hardware Hacking and many more. Current, acting and aspiring security leaders, or those who are just curious, are encouraged to visit the Security Leaders Village.
  • The Policy Department provides a space for hackers, industry representatives and policymakers to come together to discuss issues in cybersecurity.
  • Tune into one of the fun games and contests. (Hacker Jeopardy is a popular place to start.)
  • Attend some of the parties and gatherings to connect to the community in an informal space. There are both virtual and in-person events at this year’s DEF CON.

Preparing for DEF CON 2022


While it’s too late to submit a device for the Device Lab this year, now is the perfect time to start preparing for DEF CON 30 (2022). Take the opportunity this year to simply explore the event, and then start planning for DEF CON 30. Next year’s conference will take place in Las Vegas on August 11-14. If you can spare the time, it is best to plan for a full 9 days in Vegas so you can also attend the I Am The Cavalry track of BSides Las Vegas, held earlier in the same week as DEF CON. Make sure to follow @DC_BHV and watch for calls for sponsors, devices, volunteers and speakers to open in March 2022.

Here’s what you should do now to prepare:

  • Consider volunteering every year, especially your first! It is a great way to make new friends and learn what makes the Biohacking Village tick before exhibiting in the Device Lab.
  • Determine your goals for the event. Who would you like to connect with? What would you like to learn? Are there specific concerns or questions you would like to explore?
  • Secure space in the Device Lab and plan which device(s) you would like to submit. Calls for devices and sponsors usually open in the Spring.
  • Select the team that will attend the event and staff the Device Lab.
  • If you have cybersecurity expertise on staff, consider submitting a speaker or workshop proposal. Choose your speakers and plan your presentation now.
  • If you don’t already have a strong coordinated disclosure program and vulnerability response plan in place, start working on it now so it’s ready before you step into the Village.
  • Start planning your media and communication strategy.
  • To get an even better picture of what to expect, watch DEFCON – The Full Documentary.

Tips for In-Person Attendance

If you are attending in person, there are a few things you should know.

  • Many events happen in the evenings, so be prepared for long days that stretch into the nights.
  • The event is known for its informal, irreverent atmosphere. Don’t overdress.
  • Always have water handy; it is the desert, after all.
  • Expect other attendees to poke at your personal devices, laptops and mobile phones included. The “Wall of Sheep”, run in the Packet Hacking Village, is a public “shame list” that projects the usernames of people whose credentials crossed the open conference or hotel Wi-Fi in the clear, for example over plain HTTP, FTP or unencrypted email; passwords are shown only partially, with the rest masked. The goal is not to harvest credentials but to make people more careful about what they send over public networks. The official DEF CON Wi-Fi is generally the safer option during the conference, but it is still best to keep your digital footprint small: patch everything before you travel, turn off Wi-Fi and Bluetooth auto-join, use a VPN, and avoid logging into anything you don’t need. Better yet, leave the device off or at home. Some companies restrict which company-owned equipment can be brought to an event like DEF CON and prefer that temporary phones or laptops be used instead.
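To make concrete what lands someone on the Wall of Sheep, here is a small passive credential sniffer of the kind the Wall runs over the open Wi-Fi. This is example code written for this article’s editing pass, not code from MedSec, DEF CON or the Wall of Sheep project; it works on a handful of constructed TCP payloads instead of a live capture, identifies protocols by destination port only (a simplifying assumption), and picks out HTTP Basic Auth, HTTP form logins and FTP USER/PASS sent in the clear. The same login sent over TLS is just ciphertext to it, which is the point of “appropriate security protocols”.

```python
"""
Added example (not from the article, MedSec, or the Wall of Sheep project):
a minimal passive credential sniffer over constructed TCP payloads. It flags
HTTP Basic Auth, HTTP form logins and FTP USER/PASS sent in the clear and
reports them with the password partially masked, Wall of Sheep style.
Protocol is inferred from the destination port, a simplifying assumption.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs


@dataclass
class Packet:
    """Constructed stand-in for one captured TCP segment (client -> server)."""
    src_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Leak:
    src_ip: str
    protocol: str
    username: str
    masked_password: str


def mask(password: str) -> str:
    """Keep the first three characters, mask the rest, as the Wall displays them."""
    return password[:3] + "*" * max(0, len(password) - 3)


_BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
_USER_KEYS = {"user", "username", "login", "email"}
_PASS_KEYS = {"pass", "password", "pwd"}
_TLS_PORTS = {443, 465, 990, 993, 995}   # assumed TLS: payload is ciphertext


class CredentialSniffer:
    def __init__(self) -> None:
        self._ftp_pending: Dict[str, str] = {}   # src_ip -> USER awaiting PASS
        self.leaks: List[Leak] = []

    def feed(self, pkt: Packet) -> Optional[Leak]:
        """Inspect one segment; return a Leak if it carried cleartext credentials."""
        if pkt.dst_port in _TLS_PORTS:
            return None                          # nothing readable without the keys
        leak = None
        if pkt.dst_port == 21:
            leak = self._ftp(pkt)
        elif pkt.dst_port == 80:
            leak = self._http(pkt)
        if leak:
            self.leaks.append(leak)
        return leak

    def _ftp(self, pkt: Packet) -> Optional[Leak]:
        # FTP sends USER and PASS as separate commands, so remember USER per client.
        cmd, _, arg = pkt.payload.decode("ascii", "replace").strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self._ftp_pending[pkt.src_ip] = arg
        elif cmd == "PASS" and pkt.src_ip in self._ftp_pending:
            return Leak(pkt.src_ip, "FTP", self._ftp_pending.pop(pkt.src_ip), mask(arg))
        return None

    def _http(self, pkt: Packet) -> Optional[Leak]:
        # Basic auth is base64("user:password") in a request header.
        m = _BASIC_RE.search(pkt.payload)
        if m:
            try:
                creds = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                return None
            user, sep, pw = creds.partition(":")
            if sep:
                return Leak(pkt.src_ip, "HTTP Basic", user, mask(pw))
        # Otherwise look for a form login in the POST body after the blank line.
        _, sep, body = pkt.payload.partition(b"\r\n\r\n")
        if not sep or not body:
            return None
        fields = {k.lower(): v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
        user = next((fields[k] for k in _USER_KEYS if k in fields), None)
        pw = next((fields[k] for k in _PASS_KEYS if k in fields), None)
        if user and pw:
            return Leak(pkt.src_ip, "HTTP form", user, mask(pw))
        return None


def sniff(packets: List[Packet]) -> List[Leak]:
    s = CredentialSniffer()
    for p in packets:
        s.feed(p)
    return s.leaks


# Constructed sample traffic for this example; none of it is real.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
           b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    Packet("10.0.0.6", 21, b"USER bob\r\n"),
    Packet("10.0.0.6", 21, b"PASS letmein\r\n"),
    Packet("10.0.0.7", 80, b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"username=carol%40example.com&password=Passw0rd%21"),
    # The same login over HTTPS: the sniffer sees a TLS record, not the form.
    Packet("10.0.0.7", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
]

if __name__ == "__main__":
    for leak in sniff(SAMPLE_PACKETS):
        print(f"{leak.src_ip:<10} {leak.protocol:<11} {leak.username} / {leak.masked_password}")
```

Three of the five constructed segments end up on the list; the HTTPS one does not, and neither would mail over IMAPS or a VPN tunnel, which is why the advice above is to keep everything on encrypted protocols or not to log in at all.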

Participating in DEF CON is a great way to show your users, the security community, and the FDA that you are taking cybersecurity seriously and are willing to engage with researchers and concerned users. Whether you go all-in with Device Lab participation, or just take the opportunity to talk and listen, it’s well worth the time and cost of admission.

About Scott


Scott Hanson is widely recognized as one of the leading experts on medical device cybersecurity. Scott is a highly sought-after consultant in the healthcare industry and helps clients incorporate cybersecurity into their product development processes and quality systems.

About MedSec

MedSec is uniquely prepared to meet the specific challenges of medical device and healthcare cybersecurity. MedSec partners with medical device manufacturers and healthcare delivery organizations to address cybersecurity in medical devices throughout all stages of the device lifecycle. For medical device manufacturers, MedSec leverages its cybersecurity expertise, coupled with its intimate knowledge of the healthcare regulatory and operating environments, to offer support in design, architecture, verification, penetration testing, risk assessments, regulatory filings and SBOM development.

