Consumer Device Hacking Concerns Getting Lost In Translation

ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."

This just in...

[girlintraining]

People in positions of power generally don't have a clue how things work... since they never, you know, work. I'm sure if we hopped in the TARDIS and went back to when the Egyptians were building the pyramids, the foreman in charge of positioning the bricks was constantly complaining about the idiot Pharaoh putting down the wrong dimensions in the foundation, and telling them to use unwoven rope because he read in Pharaoh Times (the premier Pharaoh trade stone tablet!) that it would improve efficiency. He probably also randomly decided to outsource 30% of his slaves because "leading experts" said it was universally a great idea.

*cough* People at the top not having a clue is a problem as old as humanity.

Re:This just in...

[hairyfeet]

You made a funny but the truth of the situation? Really isn't. Time and time again we have seen whistleblowers attacked by everyone from the government to the MSM and in the end it all comes down to money. By exposing their bullshit, be it ignoring laws, building defective by design products, or cutting corners on safety it costs the corps money to fix these issues, sometimes billions, and with the government here bought and paid for you can bet your soon to be worthless last dollar they WILL try to destroy those that expose this corporate douchebaggery as it costs the owners of the country money.

If Nader published "Unsafe at any speed" today he would probably be heckled by the press, sued by the corps, and have a dozen charges on him cooked up by the feds. Frankly you couldn't pay me enough to be a security researcher...which is of course the point, the chilling effect in action.

Re:Hey, Look what I can do!

[Narcocide]

Since that is an approach almost universally rejected by said "company or governing body" in recent history, I assume the context of the article is "what to do after the most responsible approach fails because said company or governing body is actually completely irresponsible."

Re:yay,lawyers

[Opportunist]

Just point out "You make medical devices. Medical devices that sick people need. Most sick people are old. Congressmen and other people that have influence on laws being passed tend to be in the upper age bracket of the population. Do you think it's a good idea to build devices that are insecure and mostly used by rich, influential people?"

Re:Hey, Look what I can do!

[azalin]

I have to agree to that. I large companies it is rather hard to find someone to listen to you AND in a position to actually change something. Even if the company knows about the problem, they will probably either ignore it, or find the cheapest way to make it disappear. Probably a new software module in the 2016 model.
If the information gets public though, they can't deny knowledge of the problem and become liable. I do believe companies should get a warning and some time to find a proper solution, not for them, but for those affected by their products, but that warning should include a deadline.
Oh and I consider it completely irresponsible, stupid and dangerous to go after the hackers and charge them with computer crimes.

Re:Just because we can, should we...

Problem is some things *need* networking.

Pacemakers usually require tuning, both when first installed and later on. And since you can't take it out and plug it into a diagnostic machine you need to be able to connect to it to run tests too.

That doesn't mean connecting it to the Internet, Wi-fi etc is a good idea... but you do need to connect to it somehow and even if it's an obscure type of network that means that someone nearby with the correct networking hardware could try to access it.

Re:What are you afraid of?

[SuricouRaven]

Murder is easy. Getting away with it is hard. If the old guy with a heart condition drops dead from apparent heart failure, who is going to even suspect murder?

Re:It's not just about security by obscurity

[SuricouRaven]

You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests? Because I'm sure they would be willing, if they could be absolutly sure of not being caught. I wouldn't even trust the US with it - they already use drone strikes against suspected terrorists without trial, but drones are messy and lead to bad PR. And if Iran gets hold of the hack... they'd probably set up a virus that transmits the 'drop dead' command from any device with a bluetooth interface and US-English language setting.

Pacemakers need replacement every seven years or so anyway as the batteries go flat. You can just install one without the vulnerability then. It's a routine procedure.

The manufacturers are correct...

[evilviper]

How did Ford and Toyota react? They publicly dismissed the research and thus far haven't committed to fixing any of the weaknesses that Miller and Valasek found. Ford described the hacks as "highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers," while Toyota said in its statement that their work wasn't hacking. Miller, who is a security engineer at Twitter, says he isn't confident the car-makers will do anything about the flaws. Percoco says the car-hacking research was a good example of finding important security flaws in consumer products.

If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

Some idiot reporters like the NYTimes article threw-in the word "remote" to describe the attacks, when it clearly didn't belong. Though to be fair, later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."

So this being the only actual referenced example in TFA, is a lot of baseless BS fear-mongering, and we are left without any reason to believe a problem actually exists.

evidence suggests that's rare, headline grabbing

[raymorris]

Looking at any major CVE list, it seems most significant issues are fixed rather quickly. When a researcher or self-centered asshole doesn't get quite the response they want, those are the cases that get a headline on Slashdot a few times per year. Slashdot doesn't report on the 20 or so per day that go through the standard process and are resolved appropriately.

To me, that sounds a lot like saying "couples facing divorce almost always murder each other" because those that end in murder are the ones you still hear about years later. (Reiser, for example.). That ignores the hundred divorce cases every day that are either amicable or simply not newsworthy because nothing interesting happens.

My own experience with reporting a few issues matches what I see in the CVEs - they've been addressed quickly and professionally. The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.