Consumer Device Hacking Concerns Getting Lost In Translation
ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."
People in positions of power generally don't have a clue how things work... since they never, you know, work. I'm sure if we hopped in the TARDIS and went back to when the Egyptians were building the pyramids, the foreman in charge of positioning the bricks was constantly complaining about the idiot Pharaoh putting down the wrong dimensions in the foundation, and telling them to use unwoven rope because he read in Pharaoh Times (the premier Pharaoh trade stone tablet!) that it would improve efficiency. He probably also randomly decided to outsource 30% of his slaves because "leading experts" said it was universally a great idea.
*cough* People at the top not having a clue is a problem as old as humanity.
#fuckbeta #iamslashdot #dicemustdie
Of course you're going to be shamed when you showcase a fatal flaw in a pacemaker to a bunch of people at a convention. It may not be the easiest thing to do, but the most responsible thing to do is to go to the company or governing body and explain things.
Nothing will really change - the people in charge of these things will simply fall back on their marketing departments to say "all is well" to their customers.
It's not until someone sues one of them for billions of dollars that that company's board will sit down and actually decide that spending some money on security, and more on marketing of course, is a good thing to do.
In the meantime, I'd say that a letter directly addressed to the CEO explaining how easy his devices are to compromise, and pointing out the massive financial implications to his company (and therefore his bonus and possibly even job) will be the only realistic way of getting through to these people. Remember most of them don't really care about what the company does, they only care about running that company. They're businessmen who "do business", and so you have to appeal to that aspect.
I guess the other problem is that your average CEO doesn't even know DEF CON exists.
network everything?
The bad guys out there are having a field day with all sorts of devices. Eventually (if not already) people are gonna die.
Then the lawsuits will start to flow.
The ISP
The Doctor (in the case of an insulin pump)
The hospital
The kit maker
Every company that makes something that goes into the device, even something as innocent as a screw.
Uncle Tom Cobley and all
and not forgetting the cleaner at the hospital.
Why don't we stop networking everything in sight until it is properly hardened against attack? These devices must be able to detect an attack and disconnect themselves from the internet before any damage is done.
Why do they have to be connected all the time? Why not open a link for 5 secs every so often and send some data and close it again?
Etc etc etc
The engineer in me fails to really see why everything needs to be connected 24/7. If you do, you are just asking for trouble.
Is there a governing body testing the safety and quality of electronic medical devices? According to this BBC documentary http://www.youtube.com/watch?v=H3BBjzVQhe0 , there isn't for medical utensils. Is it the same for electronic devices?
And let them deal with the fallout when (not if) the first person is killed by such a hack. This will CERTAINLY make headline news and people will CERTAINLY listen, maybe for the first time, that something "computerish" is unsafe, because now it is their life that's hanging on it. And watch how people will DEMAND rigid standards, far more rigid than you could possibly want to implement. And no donations to Washington will drive that white elephant out of the room because people will keep watching it, and they will keep suing if they lose their loved ones to your shoddy designs.
This is not your average security flaw that eventually blows over when people forget it. People cannot forget that their LIFE depends on it, and they will not go quiet until you can somehow PROVE that it's safe to use. Yes, they will still buy your crap, duh, they have to. But rest assured that they will sue, most likely with the backing of various consumer rights groups (malpractice protection groups tend to have DEEP pockets, and considering that it is a medical device they most certainly will be interested).
Those things ain't some stolen credit cards or similar tidbits of passing interest. It's nothing people brush off with an "aw heck, if something happens, I got insurance". People care about money only until their life is at stake.
I'd fix that fast. The very LAST thing you want is that the law gets involved. Remember: Congressmen tend to be old geezers. And now guess who is highly dependent on your shoddy goods...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
True, "hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars" are consumer devices. But so are WiFi routers, mobile phones, etc.
My point: TFT(itle) would have sounded better as "Life threatening hacking concerns [etc]"
You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way.
It has taken the computer industry years to stop prosecuting every "security researcher" ("hacker"? not applicable, not even with hats and "ethical" attached), the SCADA bunch haven't learned even after stuxnet, and now the medicos...?
Of course not. Worse yet, these "security researchers" haven't learned either. They're still using their bogeyman moniker for everything, lawful or not, and make it a habit to regularly blog or issue press releases with juicy tidbits to stay in the spotlights and spread some more FUD. Fundamental improvements? Structural security strengthening? All absent.
What is also absent is effective outreach. You know, getting companies to cooperate instead of getting them to sue you for daring to suggest their software, firmware, or hardware isn't the bestest evar.
Since it is the security industry that seeks to profit from the problems, they're as much responsible for acting in ways that get them sued and neglecting to create a constructive environment where security can be usefully addressed and improved, as are the suers and producers of products with security holes. Not because they're victims of getting sued, but because they put themselves on the spot in ways that got them sued. The industry as a whole hasn't managed to create a constructive security-conscious mindset.
Instead, it has revelled in co-opting a term that used to indicate technological creativity and now only means "dodgy stuff with computers involved". To the point that they first needed hats to sort out who was good and who was bad, and these days that distinction is becoming stale, or still indiscernible. It's as if they like that sheen of criminality so much they will go out of their way to create it if it doesn't come naturally.
So in a nutshell, it is really the security industry that has dropped the ball... again. Congratulations.
...Today, like in the Pharaoh's time, anyone who complains or points out the flaws in the design is also... executed.
Some of the exploits for these vital machines were only discovered by researchers spending months working on it, using multiple labs, and using their researcher status to gain access to information that wouldn't be available to the general public. Should we not at least address the question of whether some of this exploit research is actually creating exploits that otherwise wouldn't have cropped up for years or even decades afterwards? Jaron Lanier pointed out one such developed exploit for pacemakers where the only way to "patch" the lab-uncovered exploit would be invasive and possibly life-threatening surgery on everyone who had implanted one.
Because You can threaten them remotely and kill them practically without leaving any traces? Because it will not be construed as a murder, but just a problem of faulty apparatus? Because in the event of a war, somebody could just kill a few generals (like Colin Powell, who's so dependent on such an apparatus that he doesn't have any pulse), without even any bullets, with a nondescript piece of machinery?
Everybody knows how a gun looks. How does a machine that kills people with pacemakers look? Could it be a phone?
>And since publishing vulnerabilities serves no purpose other than giving tools to such dangerous animals, publication should be punishable as well.
Yeah, that's why publications about viruses, and virology in general, are punishable by law. Because it can give shitheads ideas about making dangerous viruses that are difficult to cure. Oh, and while You're at it, criminals use cement to kill people, so let's ban it as well, along with electricity, lasers and poisonous plants.
Censorship is banning steaks because a child can't chew them.
>Every hour that some developer spends on fixing vulnerabilities that give opportunities to shitheads, that developer isn't working to help patients.
That is why the software for these pacemakers must be open source if not free software -- Linus' Law, etc. And that developer is working to help patients -- that's like arguing that You should not alert people that live in a house that is liable to collapse any second because they might get upset, and the builder that could fix their house should use his time to build more buildings that have the same vulnerabilities instead of fixing them. In short, an extremely stupid opinion. I hope You get a pacemaker vulnerable to some of these bugs some time in Your life.
Murder is easy. Getting away with it is hard. If the old guy with a heart condition drops dead from apparent heart failure, who is going to even suspect murder?
I could fill that role. If they're seriously looking for someone in that role, I can pass on credentials to boot.
Select from tblFriends where interesting >= 4;
If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?
Some idiot reporters like the NYTimes article threw in the word "remote" to describe the attacks, when it clearly didn't belong. Though to be fair, it later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."
So this being the only actual referenced example in TFA, is a lot of baseless BS fear-mongering, and we are left without any reason to believe a problem actually exists.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Looking at any major CVE list, it seems most significant issues are fixed rather quickly. When a researcher or self-centered asshole doesn't get quite the response they want, those are the cases that get a headline on Slashdot a few times per year. Slashdot doesn't report on the 20 or so per day that go through the standard process and are resolved appropriately.
To me, that sounds a lot like saying "couples facing divorce almost always murder each other" because those that end in murder are the ones you still hear about years later (Reiser, for example). That ignores the hundred divorce cases every day that are either amicable or simply not newsworthy because nothing interesting happens.
My own experience with reporting a few issues matches what I see in the CVEs - they've been addressed quickly and professionally. The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.
"The problem with some of these devices is that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.
You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way."
I think it's more general than that - the same thing is true of security across the board. Every security feature also makes it harder for people that are entitled to access to do their work. When you have someone that isn't specially tuned to security issues designing a system, they quite naturally tend to do the opposite of the secure choice at every instance. Like leaving a root account with a blank password open - to an honest person that isn't specifically tuned to security issues, this seems like a very good idea, likely to save a lot of time and effort the first time the password gets lost. To the security-tuned, however, this is a very bad idea, a hole big enough to drive trains through just begging to be hit.
The damnation of it is, they are both right.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I suppose my post was against the prevailing slashdot meme. The slashdot meme of the elite hackers with the power over life and death that are just sooo important. I would just say that those people who voted me down as "troll" just don't have the slightest clue about security.
When you care about security, you start by looking at the possible targets (a person's life), then you look at the possible attacks and identify those that are most likely. You don't look at a possible attack and go OMG and lose your brain over it, as happened here. Attacking a person's life is done with guns, knives, baseball bats, poison, karate moves, and very very very far at the end of a very very long list are hacker attacks against pacemakers.
T-Mobile using Symantec to replay phone web access?
I accessed a file on 7 Aug. three times using t-mobile cell, as this well-abridged log shows:
20130807 080258 1.2.3.4 200 3205 GET /x/a.php?i=5767450
20130807 080309 1.2.3.4 200 3205 GET /x/a.php?i=5778500
20130807 080521 1.2.3.4 200 3205 GET /x/a.php?i=5911843
1.2.3.4 is the stand-in for the t-mobile IP space 206.29...
The next day, through a symantec server (rulespace.com) the first of those was replayed, and when it did not get access, it tried the default page.
20130808 063332 207.189.121.1 b4hsbo.rulespace.com 403 563 GET /x/a.php?i=5767450 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8
20130808 063333 207.189.121.1 b4hsbo.rulespace.com 403 563 GET /x/a.php?i=5767450 - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8
20130808 063336 207.189.121.2 b5hsbo.rulespace.com 403 563 GET / - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8
Ideas on what is up with t-mobile replaying my web access? NSA? FBI? OMG?
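An added illustration, not part of the post above: a small Python check that looks for the pattern the poster describes, a path fetched from one client and then re-requested from a different address (here a resolving hostname) within a time window, run over a constructed log in the same column layout. The sample lines, the 48-hour window and the user-agent strings are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Entry:
    when: datetime
    ip: str
    host: str      # reverse-DNS column; empty when the server did not resolve the client
    status: int
    path: str
    agent: str

# Constructed sample in the same column layout as the abridged log above:
# date time ip [reverse-dns] status bytes method path [- user-agent].
# 1.2.3.4 stands in for the carrier's address range, as in the post.
SAMPLE_LOG = """\
20130807 080258 1.2.3.4 200 3205 GET /x/a.php?i=5767450 - Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.8
20130807 080309 1.2.3.4 200 3205 GET /x/a.php?i=5778500 - Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.8
20130807 080521 1.2.3.4 200 3205 GET /x/a.php?i=5911843 - Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.8
20130808 063332 207.189.121.1 b4hsbo.rulespace.com 403 563 GET /x/a.php?i=5767450 - Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.8
20130808 063333 207.189.121.1 b4hsbo.rulespace.com 403 563 GET /x/a.php?i=5767450 - Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.8
20130808 063336 207.189.121.2 b5hsbo.rulespace.com 403 563 GET / - Mozilla/5.0 (Windows NT 5.1) Firefox/3.6.8
"""

def parse_line(line: str) -> Entry:
    tok = line.split()
    when = datetime.strptime(tok[0] + tok[1], "%Y%m%d%H%M%S")
    # The reverse-DNS column is optional: detect it by whether column 4 is the numeric status.
    if tok[3].isdigit():
        host, rest = "", tok[3:]
    else:
        host, rest = tok[3], tok[4:]
    # rest = status, bytes, method, path, then optionally "-" and the user agent
    agent = " ".join(rest[5:]) if len(rest) > 5 and rest[4] == "-" else ""
    return Entry(when, tok[2], host, int(rest[0]), rest[3], agent)

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def find_replays(entries, window=timedelta(hours=48)):
    """Return (original, replay) pairs: a later request for the same path from a
    different client address within `window` of an earlier one. Each later hit is
    reported once, against the earliest matching original."""
    hits = []
    ordered = sorted(entries, key=lambda e: e.when)
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.path == later.path and earlier.ip != later.ip
                    and later.when - earlier.when <= window):
                hits.append((earlier, later))
                break
    return hits

def describe(hits) -> list:
    """One human-readable line per replay, for eyeballing or feeding to an alert."""
    return [f"{r.when:%Y-%m-%d %H:%M:%S} {r.host or r.ip} re-requested {r.path} "
            f"(first seen {o.when:%Y-%m-%d %H:%M:%S} from {o.ip}, status now {r.status})"
            for o, r in hits]

if __name__ == "__main__":
    for line in describe(find_replays(parse_log(SAMPLE_LOG))):
        print(line)
```

On the sample, the two rulespace.com fetches of the first path are flagged against the carrier's original; the request for "/" has no earlier counterpart and is not.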
Here: $$$
The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.
Both non-profit. 'nuf said.
Not only that, but I'm betting he's never tried reporting a found vulnerability in any embedded product.
It's trivially easy to change a file and upload it to a website. It's significantly tougher and more expensive to roll out embedded firmware running in 1.5 million cars across multiple countries, let alone 200,000 pacemakers that would require major surgery to update or replace.
"Unheard of means only it's undreamed of yet,
Impossible means not yet done." ~~ Julia Ecklar
Every time slashdot has reported on one of these security vulnerabilities, it was after the 'bug' was reported to the manufacturer a couple of times, they were given a deadline of 3 months, and then it was finally published after 6 months of no response from the manufacturer.
Stop sweeping problems under it.
If these devices are vulnerable then they will be exploited. The best solution is transparency and working consortia for both testing/verification and patching these problems before that vehicle, pacemaker or other device is used against consumers.
gigantino.tv - Heavy but weighs nothing.
Yeah, for all 12 reported on Slashdot, that's the claim. (Two sides to every story, and Slashdot sure isn't objective.)
The million or so that aren't reported on Slashdot are the ones handled properly through the standard process. All of those security updates you see every day don't magically appear from nowhere, they are generated through a fairly standardized process.
The newsworthy stories are by definition not the normal case. Take those newsworthy cases and put some propaganda spin on them and you get an impression that bears little to no resemblance to daily reality.
So Microsoft, Adobe, et al have never issued any security updates, ever?
All of those updates you see every day don't magically appear from nowhere. They come from the standard process of reporting and handling issues that most people follow. Selfish attention whores report maybe 0.5% of the issues. The other 99.5% are reported and fixed with no drama.
The crack assassin will be a fat, greasy, male basement-dweller covered in Cheetos dust. This will doubtless be distorted by Hollywood, to the point where the assassin in movies actually has dealings with beautiful women.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Selfish attention whores report maybe 0.5% of the issues. The other 99.5% are reported and fixed with no drama.
From whence do these statistics come?
So Microsoft, Adobe, et al have never issued any security updates, ever?
No one said anything of the kind, but there are plenty of cases of them being, how do I say this nicely, not as prompt and responsive as they might be. Like sitting on known issues for months, and/or letting the NSA have fun with them first. Furthermore, Adobe and Microsoft make software for general purpose computers. The focus here is on embedded devices, which are harder to update and have a worse track record.
Lastly, the personal experiences you cite are both with non-profits, and Debian in particular is famous for their speed and responsiveness in patching security problems. If everyone was as responsive as them, blackhats would have a real problem.
I know that because that's my field. That's what I've been doing all day, every day, for seventeen years. If you want to see for yourself, check any major CVE list. Flaws are handled daily, through a well-known process, just like bags of garbage are dealt with every day by those professionals. You can watch the process on the lists and in the databases.
A few times per year, a dead body is found in a trash bag. So it's true that "every trash bag covered on the news has a dead body or something in it". It would be an epic fail of intelligence to deduce from that "most trash bags contain dead bodies". Software flaws are the same, and thinking that most are handled very poorly is the same failure to think as assuming that because newsworthy trash contains bodies, most trash contains bodies.
Link to the alluded-to grassroots community doing the work mentioned in the OP or it's not a story and you can GTFO.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
The pyramids were not built by Jews, or slaves.
I love the fantasy comparison - but people who keep perpetuating this complete myth need to shut their ignorant fucking mouths so these dumbass jew fags can stop using these made up excuses to enslave us, with them being "the chosen people"
Seems like a lot of work when you could just hack Lizzie Borden style.