DHS Investigates 24 Potentially Lethal IoT Medical Devices

An anonymous reader writes: In the wake of the U.S. Food and Drug Administration's recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices. Independent security researcher Billy Rios submitted proof-of-concept evidence to the FDA indicating that it would be possible for a hacker to force infusion pumps to fatally overdose a patient. Though the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device." William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."

Fine, but...

[Jonifico]

Of course, it's always good to see patient safety is encouraged. I hope making it public does push towards fixing the issues and not people panicking.

At last...

William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."

This statement comes so late... The security community has been saying that for years! What happened to forward-thinking?

I, for one, will be happy...

[Overzeetop]

...when referring to connected/connectable devices as IoT dies.

Re:I, for one, will be happy...

[arth1]

It's the buzzword of the year. Give it 3-4 years to die out.

Words that have peaked and are on the way down and out include freemium, cloud, neet, big data, crowd[anything], agile and emoji.
Slightly worrying is that [anything]gate has not petered out yet.

The good things about the buzzwords is that they serve to positively identify those who use them as sheep, not wolves.

Most metal impants are "hackable"

[davidwr]

As I pointed out a few weeks ago, most implants with electronics or metal can be "hacked" by targeting them with microwaves. Sure, so can the human body but you don't need as much power to disable a possibly-life-sustaining electronic device as you to do cook flesh. Even metal parts will heat up (and cook adjacent living tissue) with less power than the human body.

However, if my heart is dying and I have a choice between getting an implantable artificial heart even knowing that I could be killed by someone armed with a microwave gun or dying waiting for a human donor, I'll take the artificial heart.

Well ... duh!

[gstoddart]

If you are going to connect things to the internet, you pretty much need to harden them against malicious attacks.

So many of these things are done with the very naive "what could possibly go wrong?" kind of attitude where there's pretty much no attempt at security.

So many companies (especially some of the medical companies) treat security as something they don't need to worry about. The problem is if something is accessible, and people can muck about with it, they will simply because it's there.

It may sound like a movie plot, but if I know you have a particular kind of internet-enabled implant ... it's far easier to go after you from a distance than up close.

Sadly, while they're looking at the medical stuff, I'm betting there will still be a huge list of other "IoT' devices for which security is a complete joke, if not outright non-existent.

Which is why I have no interest at all in the Internet of Things. At present, it's marketing hype, which hasn't even begun to address basic security and privacy issues.

Re:Well ... duh!

[gurps_npc]

I disagree. You don't have to harden your internet connected refrigerator against malicious attacks.

Why? Because when you ask "what could possibly go wrong?" the answer is your food will spoil, and you will have to throw it out. It's not like spoiled food is not instantly recognizable.

But when you ask that company about medical equipment, the answer is PEOPLE WILL DIE.

The problem is obvious, it just takes half a second to think and you know you need security.

Actually, the real problem is that idiot manufacturers refused to think at all.

Re:Well ... duh!

Depends entirely on what is in the fridge.

Turning off the fridge containing your supply of insulin can make the insulin go bad. Hide the fact the fridge has been off that long by turning it back on.

If you take the dosage before realizing the fridge has been off that long could kill you.

Re:Well ... duh!

[gstoddart]

You don't have to harden your internet connected refrigerator against malicious attacks. Why? Because when you ask "what could possibly go wrong?" the answer is your food will spoil, and you will have to throw it out. It's not like spoiled food is not instantly recognizable.

See, anything which would allow a remote attacker to destroy your property and cause you to spend money is an indication than in internet enabled fridge is either a really stupid idea, or that it needs to be hardened.

So, other than some moronic social experiment of "information wants to be free so if you see what's in my fridge what's the harm" ... what the hell would I want one for? What benefit does it give me? It's just another stupid, insecure application which wants to tie into a smart phone so I can feel all hip and cool.

If some asshole hacking my fridge and spoiling my food (or, possibly my medication) is the price of having an internet connected fridge ... then why would I even consider owning one? What is the upside here for me?

You sound like you're willing to give manufacturers of fridges some kind of free pass to be incompetent/indifferent to security. I'm saying any manufacturer which is either of those two things doesn't deserve to get my money.

The same goes for my thermostat. And my lights. And my stove. And my freezer. If you're not taking security seriously, I'm not taking your fscking product seriously.

So, if the internet of things is predicated on terrible security, or being indifferent to it altogether ... then the internet of things is a bad joke doomed to failure. And, of course, things which are that bad at security make additional risks for other things.

If I have to firewall my fridge to make it useful, I won't connect it to the internet at all. If it pokes holes in my security and provides an access point to attack other things ... then I really don't want it.

To me there is no scenario in which I'm willing to accept companies being too damned lazy to care about security. Because that pretty much makes the devices not trustworthy from the start.

Re:Well ... duh!

[geekmux]

I disagree. You don't have to harden your internet connected refrigerator against malicious attacks.

Why? Because when you ask "what could possibly go wrong?" the answer is your food will spoil, and you will have to throw it out. It's not like spoiled food is not instantly recognizable.

If I turn off your fridge for 8 hours during the day and spoil your mayo or other like food that may be very difficult to discern is bad or not, and then turn your fridge back on before you get home, you have no damn idea the dangers that could be lurking in the spoiled food that you were unaware had been exposed to dangerously high temps for several hours.

The CDC estimates that 1 in 6 Americans are affected by a foodborne illness each year, resulting in 3,000 fatalities. So yeah, PEOPLE DIE

Funny thing about comparing food to people with hackable implants. Everyone has to eat. Not everyone has an implant.

Try and understand the true risk beyond your simple analysis here.

Since these people still don't get it....

[MitchDev]

Anything computerized with a network connection can (and most likely WILL) be hacked...

Screw this stupid "Internet of Things"

Re:Since these people still don't get it....

[naasking]

Last I checked, programming languages are designed and implemented by human beings. Even if a programming language can decrease your attack surface, there could still be an exploit associated with the interpreter/compiler or a mistake in implementation of the language.

That's what theorem provers are for. The seL4 microkernel was just formally verified as correct, we have verified C compilers, we have C verification tools (Frama-C for instance), and we have higher level, safer languages even at the systems level (Ada and Spark-Ada). This isn't an open theoretical CS question anymore, these technologies can and have been used very successfully to produce formally verified software, but the inertia behind outdated technologies and the hubris of developers who think they know better will continue to result in exploitable software.

The idea that there's a non-zero probability that your compiler, the theorem prover used to certify it, and the theorem prover used to certify that theorem prover, may all have a bug that coincidentally permit an exploit is about as meaningful as the argument that hypothetically, QM implies there's a non-zero probability that you could spontaneously be transported to the surface of the sun.

Re:Since these people still don't get it....

[naasking]

Don't be naive... security is a deep and subtle problem, full of nasty surprises. There is no magic bullet solution... your "safe programming language" has thousands of bugs in its standard API and run-time

I think you should update your knowledge of this field. Then you should also realize that over 90% of security vulnerabilities in programs written in unsafe languages wouldn't have occurred with safe languages. And of the vulnerabilities among safe languages, 90% of those wouldn't have occurred if they were designed to be capability secure (which is just another safety property most languages ignore).

it won't prevent devs from concatenating SQL with user input

You can't do this in, say Haskell, unless you write your own SQL interface library that builds solely on strings.

misusing threading primitives

You can't do this in concurrent safe languages, like Concurrent ML, Rust and Haskell.

bungling up an authentication protocol

Session types, which Haskell can verify too. Of course, all of these safety properties are encodable in even more powerful systems, like Agda or Coq.

you must at minimum use an approach where (1) security is a primary design concern thru the entire product lifecycle, (2) security solutions are deployed in a structured/layered approach using (3) actual expertise, and (4) security is an ongoing program with both proactive and reactive elements.

So basically, safety properties have importance on par with domain requirements, and must be subject to the same rigour that domain features get, ie. testing, verification, etc. So basically, the safer the language, in the sense that the more properties can be assured at compile-time, the more features and safety properties you can verify, and the fewer security vulnerabilities.

The only surprise

[sinij]

The only surprise is that catastrophes are not commonplace. As an information security professional I can tell you based on a first-hand experience that we are metasploit module away from a major disaster. Industrial automation, medical, automotive and many other industries simply do not get information security. Chances are, your municipal water treatment system, you office building's elevators and heating, your glucose monitoring system, your car's infotainment system, your neighborhood's stoplights are trivially hackable. The only good news is that there is no money (but plenty of mayhem) to be made from compromising these systems. As such, people who can ether don't have a motivation or a conscientious enough to do that. Such miniscule margin of safety keeps me up at night.

this has been a problem fro quite some time.

[nimbius]

in neonatal units for example, nearly everything is wireless and unencrypted. Its why visitors and parents are frequently told to shut off cellphones as no ones entirely certain the devices wont interfere with heart rate monitors or life support systems. Its theoretically possible to create a denial of service condition in a hospital where a nurses station for an entire floor suddenly sees life-threatening conditions for every patient, or receives a nurse request page for every patient. Injection attacks can also result in patients that are dead for hours but reported as still alive.

Re:Basic Medical Technology 101.

[sinij]

Only liability insurance industry can force the change. Otherwise it will be impossible to put a monetary value on this effort.

When bad things happen, the liability is covered by the insurance. The insurance industry can accurately estimate the risk, and raise premiums accordingly. They generally don't reward greatly reducing marginal risks, as such expense of completely securing medical information systems would not meaningfully reduce premiums. It is only when prevalence of compromise increases, something (at much greater expense and urgency) will be done.

The underlying issue is that these types of risks seen as negligible. Historically, this is accurate view, but they have not experienced almost-none to all-the-time ramp up of incidences we have seen in say network security.

Re:Please

[turning+in+circles]

Dick Cheney had the wireless connection to his defibrillator removed just so he couldn't be targeted wirelessly. Of course, there are supposed to be regulations to ensure privacy and security on all new wireless health devices, so the FDA is not completely napping.