Slashdot Mirror

← Back to Stories (view on slashdot.org)

Consumer Device Hacking Concerns Getting Lost In Translation

Posted by samzenpus on from the tell-him-about-the-twinkie dept.

ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."

16 of 100 comments (clear)

  1. This just in... by girlintraining · · Score: 4, Funny

    People in positions of power generally don't have a clue how things work... since they never, you know, work. I'm sure if we hopped in the TARDIS and went back to when the Egyptians were building the pyramids, the foreman in charge of positioning the bricks was constantly complaining about the idiot Pharaoh putting down the wrong dimensions in the foundation, and telling them to use unwoven rope because he read in Pharaoh Times (the premier Pharaoh trade stone tablet!) that it would improve efficiency. He probably also randomly decided to outsource 30% of his slaves because "leading experts" said it was universally a great idea.

    *cough* People at the top not having a clue is a problem as old as humanity.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:This just in... by hairyfeet · · Score: 4, Insightful

      You made a funny but the truth of the situation? Really isn't. Time and time again we have seen whistleblowers attacked by everyone from the government to the MSM and in the end it all comes down to money. By exposing their bullshit, be it ignoring laws, building defective by design products, or cutting corners on safety it costs the corps money to fix these issues, sometimes billions, and with the government here bought and paid for you can bet your soon to be worthless last dollar they WILL try to destroy those that expose this corporate douchebaggery as it costs the owners of the country money.

      If Nader published "Unsafe at any speed" today he would probably be heckled by the press, sued by the corps, and have a dozen charges on him cooked up by the feds. Frankly you couldn't pay me enough to be a security researcher...which is of course the point, the chilling effect in action.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:This just in... by BVis · · Score: 3, Insightful

      Those in power usually *don't* understand. They have people for that. I've worked for a few Fortune 500 companies in IT; at one, the CEO's password was the name of the company and set to never expire. At another, when I tried to educate a user on how to avoid a particular problem (so that the problem wouldn't happen again, and lead to their loss of productivity and an increase in my workload) and was dismissed with a wave of the hand and a "Oh, I don't have to know that."

      They don't understand. They don't WANT to understand. And when your job title has a "Chief" at the beginning of it, IT goes along with whatever insecure, dangerous, counterproductive nonsense you want.

      --
      Never underestimate the power of stupid people in large groups.
    3. Re:This just in... by oag2 · · Score: 3, Insightful

      Yes. Just as currency has value because people collectively agree it does, words have meanings because people collectively agree on them. Most people think hacker = bad. So if you want them to see you as working for good, don't use the term to refer to yourself.

  2. Re:Hey, Look what I can do! by Narcocide · · Score: 5, Insightful

    Since that is an approach almost universally rejected by said "company or governing body" in recent history, I assume the context of the article is "what to do after the most responsible approach fails because said company or governing body is actually completely irresponsible."

  3. Re:yay,lawyers by Opportunist · · Score: 4, Insightful

    Just point out "You make medical devices. Medical devices that sick people need. Most sick people are old. Congressmen and other people that have influence on laws being passed tend to be in the upper age bracket of the population. Do you think it's a good idea to build devices that are insecure and mostly used by rich, influential people?"

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:Hey, Look what I can do! by azalin · · Score: 4, Interesting

    I have to agree to that. I large companies it is rather hard to find someone to listen to you AND in a position to actually change something. Even if the company knows about the problem, they will probably either ignore it, or find the cheapest way to make it disappear. Probably a new software module in the 2016 model.
    If the information gets public though, they can't deny knowledge of the problem and become liable. I do believe companies should get a warning and some time to find a proper solution, not for them, but for those affected by their products, but that warning should include a deadline.
    Oh and I consider it completely irresponsible, stupid and dangerous to go after the hackers and charge them with computer crimes.

  5. Re:Just because we can, should we... by Anonymous Coward · · Score: 4, Insightful

    Problem is some things *need* networking.

    Pacemakers usually require tuning, both when first installed and later on. And since you can't take it out and plug it into a diagnostic machine you need to be able to connect to it to run tests too.

    That doesn't mean connecting it to the Internet, Wi-fi etc is a good idea... but you do need to connect to it somehow and even if it's an obscure type of network that means that someone nearby with the correct networking hardware could try to access it.

  6. Re:Hey, Look what I can do! by mwvdlee · · Score: 3, Insightful

    And what do you do if the companies and governing bodies (at best) ignore you?

    The most responsible thing to do is try to get it fixed as safely as possible.
    If that doesn't work, the most responsible thing to do is try method with as little risk as possible.
    Continue trying to get it fixed and you may have to end up publishing it at a security conference.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  7. The problem with some of these devices is ... by Ihlosi · · Score: 3, Interesting
    ... that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.

    You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way.

  8. Re:What are you afraid of? by SuricouRaven · · Score: 4, Interesting

    Murder is easy. Getting away with it is hard. If the old guy with a heart condition drops dead from apparent heart failure, who is going to even suspect murder?

  9. Re:It's not just about security by obscurity by SuricouRaven · · Score: 4, Insightful

    You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests? Because I'm sure they would be willing, if they could be absolutly sure of not being caught. I wouldn't even trust the US with it - they already use drone strikes against suspected terrorists without trial, but drones are messy and lead to bad PR. And if Iran gets hold of the hack... they'd probably set up a virus that transmits the 'drop dead' command from any device with a bluetooth interface and US-English language setting.

    Pacemakers need replacement every seven years or so anyway as the batteries go flat. You can just install one without the vulnerability then. It's a routine procedure.

  10. The manufacturers are correct... by evilviper · · Score: 4, Interesting

    How did Ford and Toyota react? They publicly dismissed the research and thus far haven't committed to fixing any of the weaknesses that Miller and Valasek found. Ford described the hacks as "highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers," while Toyota said in its statement that their work wasn't hacking. Miller, who is a security engineer at Twitter, says he isn't confident the car-makers will do anything about the flaws. Percoco says the car-hacking research was a good example of finding important security flaws in consumer products.

    If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

    Some idiot reporters like the NYTimes article threw-in the word "remote" to describe the attacks, when it clearly didn't belong. Though to be fair, later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."

    So this being the only actual referenced example in TFA, is a lot of baseless BS fear-mongering, and we are left without any reason to believe a problem actually exists.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:The manufacturers are correct... by Ihlosi · · Score: 3, Funny
      SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR

      In the next horror film, the hidden psycho on the back seat won't have an axe or a knife, but a laptop ...

  11. evidence suggests that's rare, headline grabbing by raymorris · · Score: 4, Interesting

    Looking at any major CVE list, it seems most significant issues are fixed rather quickly. When a researcher or self-centered asshole doesn't get quite the response they want, those are the cases that get a headline on Slashdot a few times per year. Slashdot doesn't report on the 20 or so per day that go through the standard process and are resolved appropriately.

    To me, that sounds a lot like saying "couples facing divorce almost always murder each other" because those that end in murder are the ones you still hear about years later. (Reiser, for example.). That ignores the hundred divorce cases every day that are either amicable or simply not newsworthy because nothing interesting happens.

    My own experience with reporting a few issues matches what I see in the CVEs - they've been addressed quickly and professionally. The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.

  12. Re:Fine. Let them. by Opportunist · · Score: 3, Insightful

    Are you kidding? If I was to kill someone, this would be THE way to go. The perfect crime. No visible traces, the autopsy would just conclude that the device malfunctioned and I'm off the hook.

    It's not that it wasn't easier to kill someone in different ways, of course there are far easier ways to kill someone, that's a given. But they are invariably more "visible". A bullet hole or one a knife cuts is a dead giveaway to foul play. There is almost no way to hide poison in this time and age if there is at least a hint of reason to test for it. Air bubbles are harder to find but also far from impossible.

    But this is just a medical device that malfunctioned. The manufacturer will blame it on the patient's error or try to weasel out any other way, the relative who actually offed the geezer will easily agree to get the case closed quickly and everyone's happy. Well, at least everyone still alive.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.