Slashdot Mirror


Consumer Device Hacking Concerns Getting Lost In Translation

ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."

9 of 100 comments

  1. Re:Hey, Look what I can do! by Narcocide · · Score: 5, Insightful

    Since that is an approach almost universally rejected by said "company or governing body" in recent history, I assume the context of the article is "what to do after the most responsible approach fails because said company or governing body is actually completely irresponsible."

  2. Re:yay,lawyers by Opportunist · · Score: 4, Insightful

    Just point out "You make medical devices. Medical devices that sick people need. Most sick people are old. Congressmen and other people that have influence on laws being passed tend to be in the upper age bracket of the population. Do you think it's a good idea to build devices that are insecure and mostly used by rich, influential people?"

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:Just because we can, should we... by Anonymous Coward · · Score: 4, Insightful

    Problem is some things *need* networking.

    Pacemakers usually require tuning, both when first installed and later on. And since you can't take it out and plug it into a diagnostic machine you need to be able to connect to it to run tests too.

    That doesn't mean connecting it to the Internet, Wi-fi etc is a good idea... but you do need to connect to it somehow and even if it's an obscure type of network that means that someone nearby with the correct networking hardware could try to access it.

  4. Re:Hey, Look what I can do! by mwvdlee · · Score: 3, Insightful

    And what do you do if the companies and governing bodies (at best) ignore you?

    The most responsible thing to do is try to get it fixed as safely as possible.
    If that doesn't work, the most responsible thing to do is try the method with as little risk as possible.
    Continue trying to get it fixed and you may have to end up publishing it at a security conference.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  5. Re:This just in... by hairyfeet · · Score: 4, Insightful

    You made a funny but the truth of the situation? Really isn't. Time and time again we have seen whistleblowers attacked by everyone from the government to the MSM and in the end it all comes down to money. By exposing their bullshit, be it ignoring laws, building defective by design products, or cutting corners on safety it costs the corps money to fix these issues, sometimes billions, and with the government here bought and paid for you can bet your soon to be worthless last dollar they WILL try to destroy those that expose this corporate douchebaggery as it costs the owners of the country money.

    If Nader published "Unsafe at any speed" today he would probably be heckled by the press, sued by the corps, and have a dozen charges on him cooked up by the feds. Frankly you couldn't pay me enough to be a security researcher...which is of course the point, the chilling effect in action.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  6. Re:It's not just about security by obscurity by SuricouRaven · · Score: 4, Insightful

    You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests? Because I'm sure they would be willing, if they could be absolutely sure of not being caught. I wouldn't even trust the US with it - they already use drone strikes against suspected terrorists without trial, but drones are messy and lead to bad PR. And if Iran gets hold of the hack... they'd probably set up a virus that transmits the 'drop dead' command from any device with a bluetooth interface and US-English language setting.

    Pacemakers need replacement every seven years or so anyway as the batteries go flat. You can just install one without the vulnerability then. It's a routine procedure.

  7. Re:Fine. Let them. by Opportunist · · Score: 3, Insightful

    Are you kidding? If I were to kill someone, this would be THE way to go. The perfect crime. No visible traces, the autopsy would just conclude that the device malfunctioned and I'm off the hook.

    It's not that it wouldn't be easier to kill someone in different ways, of course there are far easier ways to kill someone, that's a given. But they are invariably more "visible". A bullet hole or a knife cut is a dead giveaway to foul play. There is almost no way to hide poison in this day and age if there is at least a hint of reason to test for it. Air bubbles are harder to find but also far from impossible.

    But this is just a medical device that malfunctioned. The manufacturer will blame it on the patient's error or try to weasel out any other way, the relative who actually offed the geezer will easily agree to get the case closed quickly and everyone's happy. Well, at least everyone still alive.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:This just in... by BVis · · Score: 3, Insightful

    Those in power usually *don't* understand. They have people for that. I've worked for a few Fortune 500 companies in IT; at one, the CEO's password was the name of the company and set to never expire. At another, when I tried to educate a user on how to avoid a particular problem (so that the problem wouldn't happen again, and lead to their loss of productivity and an increase in my workload), I was dismissed with a wave of the hand and a "Oh, I don't have to know that."

    They don't understand. They don't WANT to understand. And when your job title has a "Chief" at the beginning of it, IT goes along with whatever insecure, dangerous, counterproductive nonsense you want.

    --
    Never underestimate the power of stupid people in large groups.
  9. Re:This just in... by oag2 · · Score: 3, Insightful

    Yes. Just as currency has value because people collectively agree it does, words have meanings because people collectively agree on them. Most people think hacker = bad. So if you want them to see you as working for good, don't use the term to refer to yourself.