DHS Investigates 24 Potentially Lethal IoT Medical Devices
An anonymous reader writes: In the wake of the U.S. Food and Drug Administration's recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices. Independent security researcher Billy Rios submitted proof-of-concept evidence to the FDA indicating that it would be possible for a hacker to force infusion pumps to fatally overdose a patient. Though the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device." William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."
Of course, it's always good to see patient safety is encouraged. I hope making it public does push towards fixing the issues and not people panicking.
William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."
This statement comes so late... The security community has been saying that for years! What happened to forward-thinking?
...when referring to connected/connectable devices as IoT dies.
Is it just my observation, or are there way too many stupid people in the world?
If you are going to connect things to the internet, you pretty much need to harden them against malicious attacks.
So many of these things are done with the very naive "what could possibly go wrong?" kind of attitude where there's pretty much no attempt at security.
So many companies (especially some of the medical companies) treat security as something they don't need to worry about. The problem is if something is accessible, and people can muck about with it, they will simply because it's there.
It may sound like a movie plot, but if I know you have a particular kind of internet-enabled implant ... it's far easier to go after you from a distance than up close.
Sadly, while they're looking at the medical stuff, I'm betting there will still be a huge list of other "IoT" devices for which security is a complete joke, if not outright non-existent.
Which is why I have no interest at all in the Internet of Things. At present, it's marketing hype, which hasn't even begun to address basic security and privacy issues.
Lost at C:>. Found at C.
The only surprise is that catastrophes are not commonplace. As an information security professional I can tell you based on first-hand experience that we are a Metasploit module away from a major disaster. Industrial automation, medical, automotive and many other industries simply do not get information security. Chances are, your municipal water treatment system, your office building's elevators and heating, your glucose monitoring system, your car's infotainment system, your neighborhood's stoplights are trivially hackable. The only good news is that there is no money (but plenty of mayhem) to be made from compromising these systems. As such, people who can either don't have a motivation or are conscientious enough to do that. Such a minuscule margin of safety keeps me up at night.