In the course of his DefCon 23 presentation, Australian security expert Chris Rock demonstrates how fake death or birth records can be created these days.
DefCon host: When I was going through the schedule trying to see what speakers we’re going to be watching, I saw this description and said “Oh yeah, I got to come check this out!” This is Chris Rock, and he is going to talk to us a little bit about messing with identity. Let’s give him a big hand.

Chris Rock: Okay guys, my name is Chris Rock. I’m not the black comedian, but it will explain the big audience that we have. Today I’m going to talk to you about the death industry – I’m a little bit gloomy, aren’t I? But I’ll make it a little bit lighter and we’ll talk about the birth industry. And then we’ll make it a little bit gloomier again and I’ll talk to you about how you can combine both of those, both death and birth, to look at the vulnerabilities to actually make some money out of virtual people.

Okay, this is a global problem that we have (see left-hand image). This is not an American problem, this is not an Australian problem. I originally did my research in the Australian system and, obviously, adapted this presentation for an American audience, but it also works in other countries. I refer to this as an End of Life (E0L) Vulnerability. It’s not so much a vulnerability, it’s just a fuckup, and it’s a global fuckup. Anyone with this knowledge can kill another person, multiple people, or even yourself. I have not contacted any vendor for fixes. This is a definition of irresponsible disclosure.

So, why do I research the death industry? I was watching the news one night and I noticed that a hospital in Northern Victoria, Australia – where I’m from – announced the death of 200 patients (see right-hand image). They sent out 200 death notices instead of 200 discharge notices. I thought, how could that possibly happen? They have obviously moved into the Internet world, where you can kill 200 off very quickly with a tick of the button on a mouse. So, then I started looking into the death industry in Australia.
Here is a global view of the death process (see left-hand image), where at step 1 someone dies, then the doctor fills out what’s called in America the “Certificate of Death”; they have 24 hours to fill out this certificate. This certificate contains details such as the cause of death, the name of the victim, and next of kin. That document then passes down to the funeral director. The funeral director then has seven days to dispose of the body. This is a single signed document in America; in Australia it’s two separate documents. Once those documents have been completed, they pass on to the registrar, or Births, Deaths and Marriages department, and then they will issue the death certificate to the next of kin. So, in terms of a security process, we can see that we really need to compromise Step 2 and Step 3.

The first thing we are going to do is have a look at the doctor’s component. Here is a traditional Certificate of Death (see right-hand image); this is what you guys use in the States. The top part of the form is filled out by the funeral director; it includes where the person is actually buried and the details of the victim. And the bit that we are looking at is down at the bottom of the document, which is the medical practitioner. The medical practitioner will fill out the details such as cause of death. In Australia, we have moved to an online system. Here’s a snapshot of an Internet-accessible portal that doctors can use (see left-hand image). You can see the doctor needs to put in their first name and last name, the license number, where they are from, and submit. And once they submit that form, then all the details of that form will be available to the doctor. In America, you are using a system called EDRS, Electronic Death Registration System. It was rolled out in 2005 and it’s nearly rolled out to all states (see right-hand image), so you have all now moved online as well.
When a doctor logs on to fill out the Certificate of Death, not paper-based anymore, they’ll get a screen like this (see left-hand image). This is an example of the Californian EDRS. You can see there are some security protections there, where there’s a username and password required for the doctor. Here’s an example of what EDRS looks like once the doctor has logged on (see right-hand image). You can see the sort of drop-down boxes which are pretty easy to fill out, such as autopsy details, place of death, or next of kin details. This is a snapshot of the Californian system. One thing to note there, you’ll see the “Was an Autopsy Performed?” field. It’s important to note that, because when we talk about killing people later on down the track, it’s probably not a good idea to put “I am a smoker” in your life insurance policy and then die of lung cancer – you are not going to get your payout, they will actually refuse to pay it out.

EDRS is actually used for mass mortality surveillance (see right-hand image). Here’s an example of Hurricane Sandy in 2012, and you can see actually where the deaths occurred, obviously, from drowning. The government loves EDRS, because it has the ability to get accurate death records quickly, so instead of waiting for a doctor to fill out that paper-based system with the signature, they can get death records very quickly. It also shows what the person died of. This is important for when the government is planning, whether it’s anti-cancer, whether it’s kids wearing bike helmets – they can do the lookups to make it easy to fix.
Read next: I will kill you. Part 2: Accessing EDRS