Slashdot Mirror


DHS Investigates 24 Potentially Lethal IoT Medical Devices

An anonymous reader writes: In the wake of the U.S. Food and Drug Administration's recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices. Independent security researcher Billy Rios submitted proof-of-concept evidence to the FDA indicating that it would be possible for a hacker to force infusion pumps to fatally overdose a patient. Though the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device." William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."

2 of 79 comments

  1. Re:Well ... duh! by gstoddart · Score: 3, Interesting

    You don't have to harden your internet connected refrigerator against malicious attacks. Why? Because when you ask "what could possibly go wrong?" the answer is your food will spoil, and you will have to throw it out. It's not like spoiled food is not instantly recognizable.

    See, anything which would allow a remote attacker to destroy your property and cause you to spend money is an indication that an internet enabled fridge is either a really stupid idea, or that it needs to be hardened.

    So, other than some moronic social experiment of "information wants to be free so if you see what's in my fridge what's the harm" ... what the hell would I want one for? What benefit does it give me? It's just another stupid, insecure application which wants to tie into a smart phone so I can feel all hip and cool.

    If some asshole hacking my fridge and spoiling my food (or, possibly my medication) is the price of having an internet connected fridge ... then why would I even consider owning one? What is the upside here for me?

    You sound like you're willing to give manufacturers of fridges some kind of free pass to be incompetent/indifferent to security. I'm saying any manufacturer which is either of those two things doesn't deserve to get my money.

    The same goes for my thermostat. And my lights. And my stove. And my freezer. If you're not taking security seriously, I'm not taking your fscking product seriously.

    So, if the internet of things is predicated on terrible security, or being indifferent to it altogether ... then the internet of things is a bad joke doomed to failure. And, of course, things which are that bad at security make additional risks for other things.

    If I have to firewall my fridge to make it useful, I won't connect it to the internet at all. If it pokes holes in my security and provides an access point to attack other things ... then I really don't want it.

    To me there is no scenario in which I'm willing to accept companies being too damned lazy to care about security. Because that pretty much makes the devices not trustworthy from the start.

    --
    Lost at C:>. Found at C.
  2. this has been a problem for quite some time. by nimbius · Score: 3, Interesting

    In neonatal units, for example, nearly everything is wireless and unencrypted. It's why visitors and parents are frequently told to shut off cellphones, as no one's entirely certain the devices won't interfere with heart rate monitors or life support systems. It's theoretically possible to create a denial of service condition in a hospital where a nurses' station for an entire floor suddenly sees life-threatening conditions for every patient, or receives a nurse request page for every patient. Injection attacks can also result in patients that are dead for hours but reported as still alive.

    --
    Good people go to bed earlier.