Transcripts For ALJAZAM The Stream 20140508 : vimarsana.com

ALJAZAM The Stream May 8, 2014

Simple. Due to security loopholes that investigators say most hospitals don't even know about. The extent of what a hospital hacker can do is incredibly disturbing. They could take control of critical equipment during emergencies, or alter patient information in a physician's database, impacting that person's treatment. Earlier this month, the FBI warned health care providers about weaknesses in their cyber security systems that, they say, could make your health insurance data and medical records vulnerable to hackers. So clearly, with great innovation comes great risk. As hospitals increasingly introduce digital technology into their services, are they prepared to ensure your privacy and safety?

We have a great lineup of guests joining us to break down the topic. Joining us on set is Billy Rios, the director of vulnerability research and threat intelligence at an information security provider. He's also worked on security issues for Google and Microsoft, and notified the Department of Homeland Security last year about the ease of manipulating medical instruments after hacking into them himself. And out of Oakland, California, on Skype, is Kim Zetter; she is senior reporter for Wired magazine, covering cyber crime, privacy and security. Thanks to both of you guys for joining us. So, Billy, this new study says that hacking into medical equipment is extremely easy and the equipment is vulnerable. And we are talking about hacking into medical equipment. What does that really mean? What's going on?

If you look at a modern hospital, it's an amazing facility. They treat patients there; it's probably one of the most intimate organizations that we can think of in the world. And in order to make themselves more efficient and effective, they have basically put all of their stuff online, put it on networks. So when you go into a hospital and you see a device or you see a doctor walking around, they don't have a paper chart anymore that tells you what the patient is ailing from or what their symptoms are. Instead, everything is digital. And so that means not only is the iPad they are walking around with digital, but all the equipment that they are working with is digital as well. So the MRI scanner doing the MRI on you is connected to a network and feeding digital information to a centralized server someplace, collecting the data. The pumps or monitors are doing the same thing. And this allows a hospital to collect the data on you so that they can do analytics that may find things that they would not normally have found through normal investigations, which is awesome. Which is great. Innovation of technology. But it also introduces new risks, right, because all the devices are now on networks.

If they are all interconnected in the hospital, if you hack into one thing, does that mean you have gotten into all of it?

What we have seen in real hospitals, you know, in the world basically, is pretty much that. So the devices are really fragile. And I think the latest study that we saw mentioned this as well. As soon as someone gets onto a hospital network, it seems like they're in a lot of trouble; the devices aren't resilient against it. We have to keep people off the hospital networks, but it's a really difficult task, an extremely difficult task. Now people are shifting focus to the devices themselves, asking ourselves basically how we can make these devices more resilient to attacks, because right now they are not.

Kim, between 2009 and 2011, we know that there were at least 181 malicious attacks on equipment at V.A. hospitals. You have been reporting on the ground on this. Is it your sense that hospitals are prepared to protect our security?

No. You mentioned in your intro they aren't really aware of the problems here. Security experts have been looking at these systems and the vulnerabilities in them for quite a long time.
The hospitals themselves, you know, obviously their first priority is treating patients, and not necessarily the security of their equipment or records, and so they don't understand the complexities of the networks and how easy it is to get into them.

It's going to become one and the same: treating your patients and protecting them. The patients are the ones that are worried. That actually happened in a fictional episode of Homeland. Rosemary, a nurse, says: now, Billy, unleash your cyber geek. Guide us through the loopholes here, the security loopholes that would allow a hacker to bypass the security passwords and actually, you know, perhaps, if you will, change X-rays, medical records or drug infusion pumps.

I actually brought in some equipment here. This is an infusion pump. If I were to look for vulnerabilities in a device like this, I'd just buy one, go to eBay, have it sent to your home.

How much does it cost?

A few hundred dollars. Totally legal.

Totally legal.

Nothing wrong with it. The most important piece here, if you look in the back, there is a network connection. Show that to Dave. It's meant to be on the network. There is a network connection there. What you can't see is also on top there is wireless connectivity. It connects to a wireless network. The first thing I would do is take it apart; they are just really computers. It's the same as a laptop or desktop.

What did you look for when you tear it apart like this?

The main thing I look for is how it works, to understand how it works. And a lot of times what we discover when we do vulnerability research on a device like this, at the end of the day, after a couple of months, we probably understand how this device works better than the people that actually made this device.
But specifically, what we are looking for are the chips, the firmware that has the software, and that's the brain for the device. That tells this device how it's supposed to run. That's where we find vulnerabilities. We take the software off the chips and get it onto our computers, and that's when we start looking for bugs and vulnerabilities.

What did you find?

A lot of different things. This is an important piece here: anyone can do this. I am just an individual. I bought this thing, you know, from an auction site.

You glossed right over that. You are not going to tell me what the vulnerabilities are?

We did find a lot. This is an important piece: anyone can do this. Right? And I know what they look like, and I won't talk about the specifics because I am writing a report that will be sent to DHS on what they are. No one knows what they are except me. If I wanted to take advantage of the vulnerabilities in the hospital, I would know how to do it.

How do we know if somebody out there isn't doing the exact same thing you are?

There could be.

With a nefarious intention.

There could be. The route I take is I usually tell DHS. In this case I'll tell DHS via a place that they have, ICS-CERT, the cyber emergency response team. I send my findings to them. Since this is a medical device, they have a channel with the FDA. The FDA will be notified, then the FDA will notify the vendor, and they start working on a fix.

The wheels of government turn so slowly; this is the kind of information that you want back to the vendor very quickly.

Yes, exactly.

Do you get the sense that it gets turned over rapidly?

I think it does. The fixes do not get turned over very rapidly. So if we look at the historical, you know, context that we have for devices like this, it could take years for a software update to come out for a device like this.

Wow. So that's a big window. Right?

For any kind of device. So hopefully things move faster in the future, but right now it is a slow process.
Well, unlikely allies are teaming up to protect you from potential internet bugs. Up next we discuss the crucial market for hiring hackers. Their employers might surprise you. Plus we'll speak to a scientist and hacker who just hacked his own body to treat a chronic condition a few days ago. Hear his bizarre story next.

We hope The Stream never actually gets hacked, like that. But considering the conversation that we are having, I am beginning to believe that anything can be hacked. The least of it would be a TV show compared to medical devices. I am probably being hacked right now. So, you know, that's probably what's happening. You know, but please, hackers, we are nice and kind; be our friend.

If you are just tuning in, we are talking about the new ways that hackers are using their skills, not always with malicious intent. One of the abilities they have is to identify security bugs or vulnerabilities that attack specific programs. They are making up to a whopping $160,000 per bug that they find. And you'll never guess who is buying: private businesses. In confronting the complex challenge of cyber security, companies are turning to this attitude: if you can't beat them, join them.
The hackers-for-hire market is increasing in relevance, especially in the wake of the discovery of Heartbleed and the Internet Explorer bug that just happened a week ago. Our own government spent $25 million last year on acquiring these vulnerabilities. How effective is hiring hackers to protect the public from cyber attacks?

Joining us now is Dan, a chief scientist. He's a noted security researcher who has advised several Fortune 500 companies, including Cisco and Microsoft. He's also an experienced hacker. I want to get to the government and the industry work in a second. But before the break, Dan, we said that you hacked your own body to treat a chronic condition. What is that all about?

Well, we are kind of living in this incredible era around what's actually diabetes. This disease has become enormously expensive. It's hurting a lot of people. With the amount of investment going in, there is a lot of new technology. In my hands I had this little device by a company that actually gives me a real-time feed of: this is your blood glucose level from minute to minute. I have better monitoring on my body than I do on some of my servers, and it's really important, because this sort of technology is going to save lives. The challenge that we have with a lot of security is, yes, hackers come in and do some damage, but there are other sources of damage. There is just not knowing your blood sugar is too high or, more importantly, too low until it's too late. So there are many ways a system can fail. Medicine for the longest time has been optimized for how do we deal with the random failures and the lack of information. A lot of people have died because handwriting couldn't be read.

We are talking about this booming hacking market, Lisa. And Shawn says marketing critical software flaws should be a crime. Walter says this isn't new; certain companies have been brokering underground hacking markets to government and .com companies for years, and in any case the middleman equals a big part of the problem. A good step might be to push them out, but that's as much as the researchers.

Kim, how does a person acquire the tastiest cyber goods, and how do I hook up with a broker? Do they take a fee, a commission? What's going on?

Yeah, so there are a couple of ways that they are being sold. One is through third-party companies, some defense companies, some private brokers, and some individual researchers that sell to the government. The average hacker doesn't know how to make contact with the government, and may not get the government's attention if they find a vulnerability, so the broker introduces them, acts as liaison, and takes a percentage of that. In terms of defense contractors, that's part of their business plan: to find vulnerabilities and sell them to the government.

Billy, business is booming right now globally for what hackers call the discovery of zero-day vulnerabilities. Explain to folks what that means and why it's such a big industry right now.

Sure. So a zero-day vulnerability doesn't have a patch. So you can't basically defend yourself against it. You cannot go to Microsoft or Google and get a patch that protects you from that exploit. That means you have zero days to fix it. Once they are in, they are in, and you don't know it. Zero days means there is no knowledge of it other than the people using it against you.

I read most zero-day vulnerabilities exist for 312 days on average before they are discovered. Is that what your experience has led you to believe?

It could vary. Depends on the system that you are looking at. The one problem with zero days is you don't know who has them. Right? Because no one knows about the zero-day vulnerability, only the people that have them or are willing to use them against people. And so you can't guess and say I think this person has five zero days; it doesn't work that way. That's the hard part of regulating.

The Twitter feed said we should stop this.
It doesn't work that way. Any person can get software and find vulnerabilities. Those are zero-day vulnerabilities. Whether we know that they have them or not, it's impossible to tell.

Speaking of vulnerabilities, you brought a small piece of equipment here. But it could have very significant impact.

Yeah. Let me show you this. This is actually a chip that's part of the firmware for a device that does explosive detection.

Like at the airport?

Exactly. They swab your hands and put it into a device. This tells someone whether or not you have explosive residue on your hand. This chip is the brain for that device. The device is too big to bring into the studio. This chip is where the software is at. No one would know that I have this in my pocket and extracted the software off this chip and found vulnerabilities. No one would know that I gave the vulnerability report that I wrote on this particular software to DHS. No one knows that. Those are zero-day vulnerabilities. If I decided not to tell DHS and gave it to someone else, who would know? Only myself and the person I gave it to. That's the difficulty in regulating.

There is now a bug bounty program, an unlikely alliance between corporations and hackers to find out these vulnerabilities. And Erica says: I think it's a great program, but most companies that have these vulnerabilities don't offer the programs. How do you think bug bounty programs have influenced hackers who find vulnerabilities in software? Billy says: I can't say for sure, but here are the possibilities. Hack for cash; number two, exploit vulnerabilities; and number three, learn from exploits.

Now, Dan, about these bug bounty programs, do you think they incentivize hackers to be good and ethical?

Absolutely. It's kind of a cynical quote, but not everyone wants to be a drug dealer; not everyone wants to go ahead and make things that blow stuff up. Turns out to be true. Historically, hackers have been selling these tools.
Offense came first, and people were getting hit, who were like, how do we stop getting hit? How do we protect ourselves? So really starting in the 2000s, a lot of corporations started spending real money bringing in hackers as consultants and employing hackers to go ahead and build more effective defenses. You need hackers to fight hackers. Like you need soldiers to fight soldiers; you can't have people on the battlefield, there are bullets that move fast, gosh, they hurt when they hit.

We have mercenaries with information out there, vital security information, and it's available to the highest bidder. That seems to be creating a very, very serious problem. Something I want to talk about after the break is why there is such a lack of regulation. We have a lot more to explore here, including the arms race between major world powers. Up next: should the U.S. be allowed to withhold and exploit vulnerabilities to stay ahead of the competition?

Welcome back. We are discussing hackers for hire, where companies and government agencies employ skilled hackers to find software security loopholes. So, Dan, governments are hiring hackers to find loopholes. But are they also purchasing cyber bugs from the hackers?

Always have and always will, I hate to say. Spies gonna spy; that's how the whole nation system works. What's changed is there are other buyers looking at defense.

And what kind of buyers are we talking about?

You know, the big thing with bug bounties is it's not that they don't pay as much as if you sold to somebody that breaks into networks. It turns out there is a different aspect to defending versus robbing a bank; there are different amounts of cash to get back.

And other countries are getting involved with this too, right?

Yes.

Go ahead.

I think it's important to understand this. Buying and selling software bugs and exploits is actually not illegal.
So if I wanted to sell a bug to someone, if I wanted to sell you a software bug and you wanted to purchase it, we can do that here. You can do that as much as you want to. I can have a legitimate business that says I buy software vulnerabilities.

What about the bug that disabled Iran's uranium enrichment?

It's not illegal. It may cost legal bound reu bouy united st
