Slashdot Mirror


Consumer Device Hacking Concerns Getting Lost In Translation

ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."


  1. This just in... by girlintraining · · Score: 4, Funny

    People in positions of power generally don't have a clue how things work... since they never, you know, work. I'm sure if we hopped in the TARDIS and went back to when the Egyptians were building the pyramids, the foreman in charge of positioning the bricks was constantly complaining about the idiot Pharaoh putting down the wrong dimensions in the foundation, and telling them to use unwoven rope because he read in Pharaoh Times (the premier Pharaoh trade stone tablet!) that it would improve efficiency. He probably also randomly decided to outsource 30% of his slaves because "leading experts" said it was universally a great idea.

    *cough* People at the top not having a clue is a problem as old as humanity.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:This just in... by Opportunist · · Score: 2

      "Let them eat cake"

      'nuff said.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:This just in... by hairyfeet · · Score: 4, Insightful

      You made a funny but the truth of the situation? Really isn't. Time and time again we have seen whistleblowers attacked by everyone from the government to the MSM and in the end it all comes down to money. By exposing their bullshit, be it ignoring laws, building defective by design products, or cutting corners on safety it costs the corps money to fix these issues, sometimes billions, and with the government here bought and paid for you can bet your soon to be worthless last dollar they WILL try to destroy those that expose this corporate douchebaggery as it costs the owners of the country money.

      If Nader published "Unsafe at Any Speed" today he would probably be heckled by the press, sued by the corps, and have a dozen charges on him cooked up by the feds. Frankly you couldn't pay me enough to be a security researcher...which is of course the point, the chilling effect in action.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:This just in... by Anonymous Coward · · Score: 2

      Ok, I have some pointers here.

      1) Don't call yourselves "hackers". It's a scary label. Don't do it. Be "security experts", "specialists", "programmers", "investigators", or anything but hackers. It's even better if you can somehow title yourself researcher, CEO, or something that commands respect.
      2) Don't expose flaws with your own face and name. You think you will get praise, you won't. ( Yes, you should get praise, but that's not how the world works)
      3) Companies reverse engineer & try to find faults in their competitors' products all the time. Anonymous contribution to a competing company will work wonders. You can also do it in multiple directions. If the competitor's product is dangerous or illegal you can be sure they will use it to chase the product out of the market.
      4) Use the flaw. If it causes damage you can be sure it will be fixed. Just don't do anything really stupid and don't get caught.

    4. Re:This just in... by BVis · · Score: 3, Insightful

      Those in power usually *don't* understand. They have people for that. I've worked for a few Fortune 500 companies in IT; at one, the CEO's password was the name of the company and set to never expire. At another, I tried to educate a user on how to avoid a particular problem (so that the problem wouldn't happen again, and lead to their loss of productivity and an increase in my workload) and was dismissed with a wave of the hand and a "Oh, I don't have to know that."

      They don't understand. They don't WANT to understand. And when your job title has a "Chief" at the beginning of it, IT goes along with whatever insecure, dangerous, counterproductive nonsense you want.

      --
      Never underestimate the power of stupid people in large groups.
    5. Re:This just in... by oag2 · · Score: 3, Insightful

      Yes. Just as currency has value because people collectively agree it does, words have meanings because people collectively agree on them. Most people think hacker = bad. So if you want them to see you as working for good, don't use the term to refer to yourself.

    6. Re:This just in... by X0563511 · · Score: 2

      4) Use the flaw. If it causes damage you can be sure it will be fixed. Just don't do anything really stupid and don't get caught.

      Never. Ever. Do. This.

      The moment you do this you lose any moral ground you had, which is all you have if the law doesn't support you.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    7. Re:This just in... by SecurityGuy · · Score: 2

      You should accept that language evolves and that you're on the losing side of this one. Decide if you want to be understood, or be "right".

  2. Re:Hey, Look what I can do! by Narcocide · · Score: 5, Insightful

    Since that is an approach almost universally rejected by said "company or governing body" in recent history, I assume the context of the article is "what to do after the most responsible approach fails because said company or governing body is actually completely irresponsible."

  3. yay,lawyers by gbjbaanb · · Score: 2

    Nothing will really change - the people in charge of these things will simply fall back on their marketing departments to say "all is well" to their customers.

    Its not until someone sues one of them for billions of dollars that that company's board will sit down and actually decide that spending some money on security, and more on marketing of course, is a good thing to do.

    In the meantime, I'd say that a letter directly addressed to the CEO explaining how easy his devices are to compromise, and pointing out the massive financial implications to his company (and therefore his bonus and possibly even job) will be the only realistic way of getting through to these people. Remember most of them don't really care about what the company does, they only care about running that company. They're businessmen who "do business", and so you have to appeal to that aspect.

    I guess the other problem is that your average CEO doesn't even know defcon exists.

    1. Re:yay,lawyers by Opportunist · · Score: 4, Insightful

      Just point out "You make medical devices. Medical devices that sick people need. Most sick people are old. Congressmen and other people that have influence on laws being passed tend to be in the upper age bracket of the population. Do you think it's a good idea to build devices that are insecure and mostly used by rich, influential people?"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Hey, Look what I can do! by azalin · · Score: 4, Interesting

    I have to agree with that. In large companies it is rather hard to find someone to listen to you AND in a position to actually change something. Even if the company knows about the problem, they will probably either ignore it, or find the cheapest way to make it disappear. Probably a new software module in the 2016 model.
    If the information gets public though, they can't deny knowledge of the problem and become liable. I do believe companies should get a warning and some time to find a proper solution, not for them, but for those affected by their products, but that warning should include a deadline.
    Oh and I consider it completely irresponsible, stupid and dangerous to go after the hackers and charge them with computer crimes.

  5. Re:Just because we can, should we... by Anonymous Coward · · Score: 4, Insightful

    Problem is some things *need* networking.

    Pacemakers usually require tuning, both when first installed and later on. And since you can't take it out and plug it into a diagnostic machine you need to be able to connect to it to run tests too.

    That doesn't mean connecting it to the Internet, Wi-fi etc is a good idea... but you do need to connect to it somehow and even if it's an obscure type of network that means that someone nearby with the correct networking hardware could try to access it.

  6. Re:Hey, Look what I can do! by mwvdlee · · Score: 3, Insightful

    And what do you do if the companies and governing bodies (at best) ignore you?

    The most responsible thing to do is try to get it fixed as safely as possible.
    If that doesn't work, the most responsible thing to do is try method with as little risk as possible.
    Continue trying to get it fixed and you may have to end up publishing it at a security conference.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  7. The problem with some of these devices is ... by Ihlosi · · Score: 3, Interesting
    ... that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.

    You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way.

  8. It's not just about security by obscurity by NaiveBayes · · Score: 2

    Some of the exploits for these vital machines were only discovered by researchers spending months working on it, using multiple labs, and using their researcher status to gain access to information that wouldn't be available to the general public. Should we not at least address the question of whether some of this exploit research is actually creating exploits that otherwise wouldn't have cropped up for years or even decades afterwards? Jaron Lanier pointed out one such developed exploit for pacemakers where the only way to "patch" the lab-uncovered exploit would be invasive and possibly life-threatening surgery on everyone who had implanted one.

    1. Re:It's not just about security by obscurity by SuricouRaven · · Score: 4, Insightful

      You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests? Because I'm sure they would be willing, if they could be absolutely sure of not being caught. I wouldn't even trust the US with it - they already use drone strikes against suspected terrorists without trial, but drones are messy and lead to bad PR. And if Iran gets hold of the hack... they'd probably set up a virus that transmits the 'drop dead' command from any device with a bluetooth interface and US-English language setting.

      Pacemakers need replacement every seven years or so anyway as the batteries go flat. You can just install one without the vulnerability then. It's a routine procedure.

    2. Re:It's not just about security by obscurity by SuricouRaven · · Score: 2

      Russia is a good example because we know they still assassinate. Alexander Litvinenko. That one wasn't even a cover-up: He was poisoned with polonium, an isotope that would be impossible for all but a few governments to obtain - it has no uses in medicine and scant few in industry, and those uses require only the tiniest amount. Presumably the Russian government used a method so obviously pointing back to them in order to intimidate anyone else who might think to leave the country and leak intelligence information to another government.

      Snowden is lucky the US still at least pretends to play by the rules. If he was fleeing from Russia, he'd have turned up dead in a river by now.

  9. Re:What are you afraid of? by SuricouRaven · · Score: 4, Interesting

    Murder is easy. Getting away with it is hard. If the old guy with a heart condition drops dead from apparent heart failure, who is going to even suspect murder?

  10. The manufacturers are correct... by evilviper · · Score: 4, Interesting

    How did Ford and Toyota react? They publicly dismissed the research and thus far haven't committed to fixing any of the weaknesses that Miller and Valasek found. Ford described the hacks as "highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers," while Toyota said in its statement that their work wasn't hacking. Miller, who is a security engineer at Twitter, says he isn't confident the car-makers will do anything about the flaws. Percoco says the car-hacking research was a good example of finding important security flaws in consumer products.

    If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

    Some idiot reporters like the NYTimes article threw in the word "remote" to describe the attacks, when it clearly didn't belong. Though, to be fair, it later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."

    So this being the only actual referenced example in TFA, is a lot of baseless BS fear-mongering, and we are left without any reason to believe a problem actually exists.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:The manufacturers are correct... by Ihlosi · · Score: 3, Funny
      SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR

      In the next horror film, the hidden psycho on the back seat won't have an axe or a knife, but a laptop ...

    2. Re:The manufacturers are correct... by drinkypoo · · Score: 2

      If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

      We say that you didn't read the fucking article, and are for some reason leaving comments about it anyway. I don't even mean this article, I mean the former article where we discussed the hack. Because in that article, they discussed that all you need is access to the bus, and there are already remote holes in automotive infotainment gear that could permit an attacker to compromise that equipment, and then through that vector compromise the vehicle itself. This is in turn because automakers are lazy cheap fucks and they use a single bus throughout the car for infotainment and vehicle management, which is fucking bullshit. It lets them save a few nickels per car on connectors and wire at the expense of harming security and reliability.

      Some idiot reporters like the NYTimes article threw in the word "remote" to describe the attacks, when it clearly didn't belong. Though, to be fair, it later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."

      But they did, as we discussed last time.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. evidence suggests that's rare, headline grabbing by raymorris · · Score: 4, Interesting

    Looking at any major CVE list, it seems most significant issues are fixed rather quickly. When a researcher or self-centered asshole doesn't get quite the response they want, those are the cases that get a headline on Slashdot a few times per year. Slashdot doesn't report on the 20 or so per day that go through the standard process and are resolved appropriately.

    To me, that sounds a lot like saying "couples facing divorce almost always murder each other" because those that end in murder are the ones you still hear about years later. (Reiser, for example.). That ignores the hundred divorce cases every day that are either amicable or simply not newsworthy because nothing interesting happens.

    My own experience with reporting a few issues matches what I see in the CVEs - they've been addressed quickly and professionally. The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.

  12. The problem with security. by Arker · · Score: 2

    "The problem with some of these devices is that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.

    You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way."

    I think it's more general than that - the same thing is true of security across the board. Every security feature also makes it harder for people that are entitled to access to do their work. When you have someone that isn't specially tuned to security issues designing a system, they quite naturally tend to do the opposite of the secure choice in every instance. Like leaving a root account with a blank password open - to an honest person that isn't specifically tuned to security issues, this seems like a very good idea, likely to save a lot of time and effort the first time the password gets lost. To the security-tuned, however, this is a very bad idea, a hole big enough to drive trains through just begging to be hit.

    The damnation of it is, they are both right.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  13. Re:Fine. Let them. by jbmartin6 · · Score: 2

    There are plenty of easier ways to kill someone. The threat of someone going out of their way to hack the insulin pump is so near zero that any cost to fix it is not justified. If the flaw were something that could be triggered accidentally or by a simple fumbling around they would be more likely to act on it. As it is, we can't patch for a person's vulnerability to poison, gunshot, bludgeoning, air bubble injections, etc. so the existence of one more extremely improbable attack isn't worrying people who have more dangerous things to worry about.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  14. Re:evidence suggests that's rare, headline grabbin by ebno-10db · · Score: 2

    The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.

    Both non-profit. 'nuf said.

  15. Re:Fine. Let them. by Opportunist · · Score: 3, Insightful

    Are you kidding? If I was to kill someone, this would be THE way to go. The perfect crime. No visible traces, the autopsy would just conclude that the device malfunctioned and I'm off the hook.

    It's not that it wasn't easier to kill someone in different ways, of course there are far easier ways to kill someone, that's a given. But they are invariably more "visible". A bullet hole or a knife cut is a dead giveaway to foul play. There is almost no way to hide poison in this day and age if there is at least a hint of reason to test for it. Air bubbles are harder to find but also far from impossible.

    But this is just a medical device that malfunctioned. The manufacturer will blame it on the patient's error or try to weasel out any other way, the relative who actually offed the geezer will easily agree to get the case closed quickly and everyone's happy. Well, at least everyone still alive.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Re:evidence suggests that's rare, headline grabbin by CreatureComfort · · Score: 2

    Not only that, but I'm betting he's never tried reporting a found vulnerability in any embedded product.

    It's trivially easy to change a file and upload it to a website. It's significantly tougher and more expensive to roll out embedded firmware running in 1.5 million cars across multiple countries, let alone 200,000 pacemakers that would require major surgery to update or replace.

    --
    "Unheard of means only it's undreamed of yet,
    Impossible means not yet done." ~~ Julia Ecklar
  17. Re:Just because we can, should we... by BVis · · Score: 2

    Everything is networked because doctors want it that way. 'Networked' has an 'ooh shiny' factor that doctors love. That's bad enough, but when you combine it with the fact that nobody is stingier or dumber with IT resources than hospitals, you get a recipe for disaster.

    --
    Never underestimate the power of stupid people in large groups.
  18. Re:Hey, Look what I can do! by cusco · · Score: 2

    I just want the codes to Dick Cheney's implanted defibrillator.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin