
...equipment is surprisingly simple, due to security loopholes that investigators say most hospitals don't even know about. The extent of what a hospital hacker can do is incredibly disturbing. They could take control of critical equipment during emergencies, or alter patient information in a physician's database, impacting that person's treatment. Earlier this month, the FBI warned health care providers about weaknesses in their cyber security systems that, they say, could make your health insurance data and medical records vulnerable to hackers. So clearly, with great innovation comes great risk. As hospitals increasingly introduce digital technology into their services, are they prepared to ensure your privacy and safety?

We have a great lineup of guests joining us to break down the topic. Joining us on set is Billy Rios, the director of vulnerability research and threat intelligence at an information security provider. He's also worked on security issues for Google and Microsoft, and notified the Department of Homeland Security last year about the ease of manipulating medical instruments after hacking into them himself. And out of Oakland, California, on Skype is Kim Zetter; she is senior reporter for Wired magazine, covering cyber crime, privacy and security. Thanks to both of you for joining us. So, Billy, this new study says that hacking into medical equipment is extremely easy and the equipment is vulnerable. We are talking about hacking into medical equipment. What does that really mean? What's going on?

If you look at a modern hospital, it's an amazing facility. They treat patients there; it's probably one of the most intimate organizations that we can think of in the world. And in order to make themselves more efficient and effective, they have basically put all of their stuff online, put it on networks. So when you go into a hospital and you see a device, or you see a doctor walking around, they don't have a paper chart anymore that tells you what the patient is ailing from or what their symptoms are. Instead, everything is digital. And so that means not only is the iPad they are walking around with digital, but all the equipment they are working with is digital as well. So the MRI scanner doing the MRI on you is connected to a network and feeding digital information to a centralized server someplace that is collecting the data. The pumps or monitors are doing the same thing. And this allows a hospital to collect the data on you so that they can do analytics that may find things they would not normally have found through normal investigations, which is awesome. Which is great. Innovation of technology. But it also introduces new risks, right, because all the devices are now on networks.

If they are all interconnected in the hospital, and you hack into one thing, does that mean you have gotten into all of it?

What we have seen in real hospitals, you know, in the world basically, is pretty much that. The devices are really fragile. And I think the latest study that we saw mentioned this as well. As soon as someone gets onto a hospital network, it seems like they're in a lot of trouble; the devices aren't resilient against attacks. We have to keep people off the hospital networks, but it's a really difficult task, an extremely difficult task. Now people are shifting focus to the devices themselves, asking ourselves basically how we can make these devices more resilient to attacks, because right now they are not.

Kim, between 2009 and 2011, we know that there were at least 181 malicious attacks on equipment at V.A. hospitals. You have been reporting on the ground on this. Is it your sense that hospitals are prepared to protect our security?

No. You mentioned in your intro they aren't really aware of the problems here. Security experts have been looking into the systems and the vulnerabilities in them for quite a long time. The hospitals themselves, you know, obviously their first priority is treating patients and not necessarily the security of their equipment or records, and so they don't understand the complexities of the networks and how easy it is to get into them. It's going to become one and the same: treating your patients and protecting them. The patients are the ones I'm worried about.

That actually happened in a fictional episode of Homeland, Rosemary, a nurse, says. Now, Billy, unleash your cyber geek. Guide us through the loopholes here, the security loopholes that would allow a hacker to bypass the security passwords and actually, you know, perhaps, if you will, change X-rays, medical records or drug infusion pumps.

I actually brought in some equipment here. This is an infusion pump. If I were to look for vulnerabilities in a device like this, I'd just buy one: go to eBay, have it sent to your home.

How much does something like this cost?

A few hundred dollars. Totally legal.

Totally legal.

Nothing wrong with it. The most important piece here, if you look in the back, is that there is a network connection. Show that to Dave. It's meant to be on the network. There is a network connection there. What you can't see is that on top there is also wireless connectivity. It connects to a wireless network. The first thing I would do is take it apart. They are really just computers; it's the same as a laptop or desktop.

What do you look for when you tear it apart like this?

The main thing I look for is how it works, to understand how it works. And a lot of times what we discover when we do vulnerability research on a device like this is that, at the end of the day, after a couple of months, we probably understand how this device works better than the people that actually made this device. But specifically, what we are looking for are the chips, the firmware that holds the software. That's the brain for the device, that tells this device how it's supposed to run, and that's where we find vulnerabilities. We take the software off the chips and get it onto our computers, and that's when we start looking for bugs and vulnerabilities.

Such as?

A lot of different things. This is an important piece here: anyone can do this. I am just an individual; I bought this thing, you know, from an auction site.

You glossed right over that. You are not going to tell me what the vulnerabilities are?

We did find a lot. This is an important piece: anyone can do this. Right? And I know what they look like, and I won't talk about the specifics, because I am writing a report that will be sent to DHS on what they are. No one knows what they are except me. If I wanted to take advantage of the vulnerabilities in the hospital, I would know how to do it.

How do we know if somebody out there isn't doing the exact same thing you are?

There could be.

With nefarious intention.

There could be. The route I take is I usually tell DHS. In this case I'll tell DHS via a place that they have, ICS-CERT, the Cyber Emergency Response Team. I send my findings to them. Since this is a medical device, they have a channel with the FDA. The FDA will be notified, then the FDA will notify the vendor, and they start working on a fix.

The wheels of government turn so slowly, and this is the kind of information that you want back to the vendor very quickly.

Yes, exactly.

Do you get the sense that it gets turned over rapidly?

I think it does. The fixes do not get turned over very rapidly. So if we look at the historical, you know, context that we have for devices like this, it could take years for a software update to come out for a device like this.

Wow. So that's a big window. Right?

For any kind of device. So hopefully things move faster in the future, but right now it is a slow process.

Well, unlikely allies are teaming up to protect you from potential internet bugs. Up next, we discuss the crucial market for hiring hackers. Their employers might surprise you. Plus, we'll speak to a scientist and hacker who just hacked his own body to treat a chronic condition a few days ago. Hear his bizarre story next.

Award-winning producer and director Joe Berlinger exposes the truth. Our current system has gone awry. A justice system run by human beings can run off the rails. Sometimes the system doesn't serve and protect, and the innocent pay the price. What goes wrong? It's a nightmarish alternative reality; sometimes you can't win. An original investigative series: when justice is not for all. The System with Joe Berlinger, only on Al Jazeera America.

We hope The Stream never actually gets hacked, like that. But considering the conversation that we are having, I am beginning to believe that anything can be hacked. The least of it would be a TV show, compared to medical devices. I am probably being hacked right now. So, you know, that's probably what's happening. You know, but please, hackers, we are nice and kind; be our friend.

If you are just tuning in, we are talking about the new ways that hackers are using their skills, not always with malicious intent. One of the abilities they have is to identify security bugs or vulnerabilities that attack specific programs. They are making up to a whopping 160,000 per bug that they find. And you'll never guess who is buying: private businesses. In confronting the complex challenge of cyber security, companies are turning to this attitude: if you can't beat them, join them. The hackers-for-hire market is increasing in relevance, especially in the wake of the discovery of Heartbleed and the Internet Explorer bug that just happened a week ago. Our own government spent 25 million last year on acquiring these vulnerabilities. How effective is hiring hackers to protect the public from cyber attacks?

Joining us now is Dan, chief scientist. He's a noted security researcher who has advised several Fortune 500 companies, including Cisco and Microsoft. He's also an experienced hacker. I want to get to the government and the industry work in a second. But before the break, Dan, we said that you hacked your own body to treat a chronic condition. What is that all about?

Well, we are kind of living in this incredible era around what's actually diabetes. This disease has become enormously expensive. It's hurting a lot of people. With the amount of investment going in, there is a lot of new technology. In my hands I had this little device by a company that actually gives me a real-time feed of: this is your blood glucose level, from minute to minute. I have better monitoring on my body than I do on some of my servers, and it's really important, because this sort of technology is going to save lives. The challenge that we have with a lot of security is: yes, hackers come in and do some damage, but there are other sources of damage. There is just not knowing your blood sugar is too high or, more importantly, too low until it's too late. So there are many ways a system can fail. Medicine for the longest time has been optimized for: how do we deal with the random failures and the lack of information? A lot of people have died because handwriting couldn't be read.

We are talking about this booming hacking market, Lisa. And Shawn says marketing critical software flaws should be a crime. Walter says this isn't new; certain companies have been brokering underground hacking markets to government and .com companies for years, and in any case the middle man is a big part of the problem. A good step might be to push them out, but that's as much on the researchers. Kim, how does a person acquire the tastiest cyber goods, and how do I hook up with a broker? Do they take a fee, a commission? What's going on?

Yeah, so there are a couple of ways that they are being sold. One is through third-party companies: some defense companies, some private brokers, and some individual researchers that sell to the government. The average hacker doesn't know how to make contact with the government, and may not get the government's attention if they find a vulnerability, so the broker introduces them, acts as liaison and takes a percentage of that. In terms of defense contractors, that's part of their business plan: to find vulnerabilities and sell them to the government.

Billy, business is booming right now globally for what hackers call the discovery of zero-day vulnerabilities. Explain to folks what that means and why it's such a big industry right now.

Sure. So a zero-day vulnerability doesn't have a patch. So you basically can't defend yourself against it. You cannot go to Microsoft or Google and get a patch that protects you from that exploit.

That means you have zero days to fix it. Once they are in, they are in, and you don't know it.

Zero days means there is no knowledge of it other than by the people using it against you.

I read that most zero-day vulnerabilities exist for 312 days on average before they are discovered. Is that what your experience has led you to believe?

It could vary. It depends on the system that you are looking at. The one problem with zero days is you don't know who has them. Right? Because no one knows about the zero-day vulnerability, only the people that have them or are willing to use them against people. And so you can't guess and say, I think this person has five zero days; it doesn't work that way. That's the hard part of regulating. The Twitter feed said we should stop this. It doesn't work that way. Any person can get software and find vulnerabilities. Those are zero-day vulnerabilities. Whether we know that they have them or not, it's impossible to tell.

Speaking of vulnerabilities, you brought a small piece of equipment here. But it could have a very significant impact.

Yeah. Let me show you this. This is actually a chip that's part of the firmware for a device that does explosive detection.

Like at the airport?

Exactly. They swab your hands and put it into a device; this tells someone whether or not you have explosive residue on your hand. This chip is the brain for that device. The device is too big to bring into the studio. This chip is where the software is at. No one would know that I have this in my pocket and extracted the software off this chip and found vulnerabilities. No one would know that I gave the vulnerability report that I wrote on this particular software to DHS. No one knows that. Those are zero-day vulnerabilities. If I decided not to tell DHS and gave it to someone else, who would know? Only myself and the person I gave it to. That's the difficulty in regulating.

There is now a bug bounty program, an unlikely alliance between corporations and hackers to find out these vulnerabilities, and Erica says: I think it's a great program, but most companies that have these vulnerabilities don't offer the programs. How do you think bug bounty programs have influenced hackers who find vulnerabilities in software? Billy says: I can't say for sure, but here are the possibilities. Number one, hack for cash. Number two, exploit vulnerabilities. And number three, learn from exploits.

Now, Dan, about these bug bounty programs: do you think they incentivize hackers to be good and ethical?

Absolutely. It's kind of a cynical quote, but not everyone wants to be a drug dealer; not everyone wants to go ahead and make things that blow stuff up. Turns out to be true. This is historical. Hackers have been selling these tools. Offense came first, and people were getting hit, who were like: how do we stop getting hit? How do we protect ourselves? So really starting in the 2000s, a lot of corporations started spending real money bringing in hackers as consultants and employing hackers to go ahead and build more effective defenses. You need hackers to fight hackers. Like you need soldiers to fight soldiers; you can't have people on the battlefields... there are bullets that move fast, and gosh, they hurt when they hit.

You have mercenaries with information out there, vital security information, and it's available to the highest bidder. That seems to be creating a very, very serious problem. Something I want to talk about after the break is why there is such a lack of regulation. We have a lot more to explore here, including the arms race between major world powers. Up next: should the U.S. be allowed to withhold and exploit vulnerabilities to stay ahead of the competition?

Weekday mornings on Al Jazeera America. We do have breaking news this morning. Start your day with in-depth coverage from around the world. First-hand reporting from across the country and real news keeping you up to date. The big stories of the day, from around the world. These people need help; this is where the worst of the attack took place. And throughout the morning, get a global perspective on the news. Live from Doha, this is the International News Hour. An informed look on the night's events, a smarter start to your day. Mornings on Al Jazeera America. Ray Suarez hosts Inside Story, weekdays at 5 Eastern, only on Al Jazeera America.

Welcome back. We are discussing hackers for hire, where companies and government agencies employ skilled hackers to find software security loopholes. So, Dan, governments are hiring hackers to find loopholes. But are they also purchasing cyber bugs from the hackers?

Always have and always will, I hate to say. Spies gonna spy; that's how the whole nation-state system works. What's changed is that there are other buyers looking at defense.

And what kind of buyers are we talking about?

You know, the big thing with bug bounties is not that they don't pay as much as if you sold to somebody that breaks into networks; it turns out there are different aspects to defending versus robbing a bank, and there are different amounts of cash to get back.

And other countries are getting involved with this too, right?

Yes. Go ahead.

I think it's important to understand this. Buying and selling software bugs and exploits is actually not illegal. So if I wanted to sell a bug to someone, if I wanted to sell you a software bug and you wanted to purchase it, we can do that here. You can do that as much as you want to. I can have a legitimate business that says: I buy software vulnerabilities.

What about the bug that disabled Iran's uranium enrichment?

It's not illegal. It may cross legal boundaries in the United States, but buying and selling is not.

Paul tweets in: like all tech that has preceded it, it will be integrated into warfare but not replace boots on the ground. Kim, are we looking at Skynet? Is Skynet online? Is this the future of warfare? Will it be cyber? Explain the scenario to me.

Yeah, I think that, you know, the cyber armageddon will not happen. I think digital warfare will become an element of future warfare, and it already is currently an element of present-day warfare. I don't think it will replace boots on the ground, but it will enhance the capabilities of militaries.

So, Billy, I want to get back to the idea of bug bounties. If a company like Microsoft is paying 150,000, that's a lot of money. But that's not going to compete with Russia or Brazil or any other major country that really wants this coding flaw. Right. So one, it doesn't sound like the incentive is there for the hacker to go to a small company versus a country. But secondly, what is the incentive on the part of countries, particularly the U.S., to regulate this if they are engaged in it?

I think these are very complicated questions. I actually disagree with Dan, in that I don't think bug bounties will sway someone to be a good hacker as opposed to a bad hacker. I think if you are a good hacker, you give the bug to a bug bounty that's respected. You will take less money than you would if you sold it on the black market. If the option didn't exist, you probably wouldn't sell it on the black market anyway. But if all you cared about was money, you would never consider an official bounty program by Microsoft or Google; you would just sell it on the black market for as much money as you could.

What's the incentive for the government to regulate it if the government is buying it?

I don't think the government can regulate it. It's not like we are buying widgets, where you need certain materials; it's totally intellectual property. Finding the vulnerability is intellectual property. You don't know someone has this until it's either used against you or they tell you that they have it. It makes it very difficult to regulate.

Does the government have a responsibility to inform citizens that it's sitting on a software vulnerability? Kaleb says: yes, the government should warn citizens. What if 100 to 200 million in a bank account were hacked from a known flaw? It's only a matter of time. Kim, how much should the government inform the public when they discover a software vulnerability?

It's being debated in the government right now. It's been a problem for a long time. The public hasn't been aware that the government is using zero days and sitting on flaws. Heartbleed brought it forward when it was reported that the NSA knew about it for two years. President Obama introduced a new policy in January where he says these flaws will be disclosed to vendors to be fixed unless there is an urgent national security need to use it or a law enforcement need to use it. That leaves a lot of loopholes. I don't think the government has been very transparent about how they make the decision on what they will or won't disclose.

You are shaking your head.

There is such a thing as a bomb that is too big. A vulnerability that would be very nice to use, but by the way, everyone else can use it, and oh, we sort of built our global economy on this technology. So people talk about the dual mission for offense; it is a dual mission, there is a defensive need as well. The United States' national interest actually includes the economy functioning.

Okay, so, Billy, I want to back this off the big picture for a minute. Because while everybody who is watching this, I am sure, is as disturbed as we are about the implications, ultimately you come back to yourself and you think: how do I protect myself? How do I protect my own equipment and where I am going online? How do I protect myself even in a hospital? What do you tell people?

The first step is to understand what your exposure is, and that's different for every organization. How the government decides they need to defend their network is different than a person at home. Understanding that is important. That's part of the reason we do the vulnerability research. We want to help organizations understand the risk. If medical devices are not robust, we want hospitals to know that. That way they can readjust their posture to make sure they take it into consideration when they are architecting their networks, deploying these devices and using these devices in critical situations. That's the first step. And it sounds really easy, but it's a hard step, and that's the step that needs to be given the most thought.

All right. Thanks to all of our guests, Billy Rios, Kim and Dan. Until next time, we'll see you online.

...eastern Ukraine's vote in a referendum on self-rule. Hello, welcome. I'm Stephen Cole in Doha. The son of the former Libyan dictator Muammar Gaddafi is about to go on trial. We are live in Tripoli. Another five years in office: the A.N.C. is officially declared the winner of South Africa's election. Plus. I'm

