Researchers Mount Cyberattacks Against Surgery Robot

← Back to Stories (view on slashdot.org)

Researchers Mount Cyberattacks Against Surgery Robot

Posted by Soulskill on Tuesday April 28, 2015 @06:05AM from the backseat-aortic-bypass dept.

An anonymous reader writes: A group of researchers from University of Washington have tested the security of a teleoperated robotic surgery system created by their colleagues, and have found it severely lacking. "Teleoperated surgical robots will be expected to use a combination of existing publicly available networks and temporary ad-hoc wireless and satellite networks to send video, audio and other sensory information between surgeons and remote robots. It is envisioned these systems will be used to provide immediate medical relief in under-developed rural terrains, areas of natural and human-caused disasters, and in battlefield scenarios," the researchers noted, and asked: "But what if these robotic systems are attacked and compromised?"

55 comments

Min score:

Reason:

Sort:

never underestimate by calzones · 2015-04-28 06:07 · Score: 1

never underestimate people's capacity to be mind-glowingly evil...
it seem's they have this thought in mind

--
Asking people to think is like asking them to buy you a new car
1. Re:never underestimate by calzones · 2015-04-28 06:08 · Score: 1
  
  *blowingly
  
  --
  Asking people to think is like asking them to buy you a new car
2. Re:never underestimate by Mr+D+from+63 · 2015-04-28 07:16 · Score: 1
  
  never underestimate people's capacity to be mind-glowingly evil... it seem's they have this thought in mind
  Or overestimate the risk. Just think how many easy ways there are to rig something or randomly poison something and do great harm to people, yet it rarely happens the 'sneaky' way. More often someone will blatantly cause harm and to others and often themselves as well. I think for many the risk of getting caught doing something that evil via hacking is likely a deterrent as well. It certainly would bring pretty harsh penalties.
  
  I'm not saying we shouldn't take reasonable steps to prevent these risks, just keep the fear within reason.
3. Re:never underestimate by zerro · 2015-04-28 07:33 · Score: 1
  
  But to commit intentional murder or violence in a conventional way (usually) requires you to be present in the jurisdiction where the crime occurred, so at least in this new arena, it's entirely conceivable that an "attacker" (literally) could cause bodily injury, even death, without setting foot into any jursidiction where they have the "risk" of being apprehended or even extradited. ... that is, if you can even determine who the attacker was, or even if you can distinguish that there was a malicious actor involved, in the first place, and not just some random bug in the software...
  There is the concept of systems engineering with regard to "safety of life", which should be respected here.
  That is, the security of your aorta tele-surgery is arguable more important than your wristwatch's cloud calendar.
  This sort of thing should be subject to rigorous testing and code review, and in general have higher standards, e.g., MISRA C.
4. Re:never underestimate by cusco · 2015-04-28 09:49 · Score: 1
  
  The old saying of, "Never automatically credit to malevolence when stupidity or ignorance is is equally likely." If you can disable or misdirect the tool on purpose, it's likely that it can also be done by accident. In its day having your web site SlashDotted could be more destructive than an organized DOS attack, more than one web server was brought to its knees by being linked to in a SlashDot thread.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
5. Re:never underestimate by calzones · 2015-04-28 09:53 · Score: 1
  
  The evil I refer to is the idea of taking pains to commit random, motiveless murder of a helpless innocent victim for no reason other than to do it.
  Most murders have a highly relevant and particular motive to the murderer. Even terrorism has a motive, but to achieve that motive it must have a broad reach. Hacking a medical connection to kill one person won't achieve that.
  Yet surely, someone would do it just to prove they can.
  You might say a terrorist would want to do it many times over because that would be effective. But I counter that doing it just once would lead to the closure of whatever loophole he exploited; to continue any further would be an expensive cat and mouse game. No terrorist sees the ROI in that. So it's a dead end.
  So, in reality, what we're looking at —as the only viable scenario— is a sick loser who wants to incite disgust and sorrow.
  Hence, "never underestimate people's capacity to be mind-blowingly evil".
  
  --
  Asking people to think is like asking them to buy you a new car
6. Re:never underestimate by FatdogHaiku · 2015-04-28 10:24 · Score: 1
  
  *blowingly
  I liked it better the other way...
  That's him officer, the guy with the head that looks like a cheap LED candle! Be careful, he's very evil...
  
  --
  You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
7. Re:never underestimate by FatdogHaiku · 2015-04-28 10:34 · Score: 1
  
  Well, if they chose to attack a person using such a method then the punishment should fit the crime...
  They get a dangerous and unnecessary surgery of their very own...
  via dialup...
  with no firewall...
  using a system running Windows ME...
  
  That last one might be a step too far. (damn, I ran out of ellipsis!)
  
  --
  You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
8. Re: never underestimate by Namarrgon · 2015-04-28 12:02 · Score: 1
  
  Also accepted:
  *slowingly
  *plowingly
  *flowingly
  *loweringly
  *gloatingly
  *glaringly
  *Cowboy Neal
  
  --
  Why would anyone engrave "Elbereth"?
Dick Cheney... by DriveDog · 2015-04-28 06:10 · Score: 1

...has already thought about this.
kyle Reese recalls Judgment Day by Anonymous Coward · 2015-04-28 06:17 · Score: 0

...hooked into everything. Then Eyenet took over, launching missiles against Russia.
1. Re:kyle Reese recalls Judgment Day by Anonymous Coward · 2015-04-28 07:11 · Score: 0
  
  Eyenet? Really?
2. Re:kyle Reese recalls Judgment Day by Anonymous Coward · 2015-04-28 08:12 · Score: 0
  
  Yes; it sees everything.
3. Re:kyle Reese recalls Judgment Day by DroolTwist · 2015-04-28 08:28 · Score: 1
  
  It is Skynet's pupil.
I know what will happen... by Anonymous Coward · 2015-04-28 06:21 · Score: 0

The exactly same thing will happen if they do not provide the service to undeveloped areas, the patient suffers and possibly dies. Any effort to do something is better than doing nothing despite the risks involved.
1. Re:I know what will happen... by davidwr · 2015-04-28 06:30 · Score: 2
  
  Which is worse for a patient with a condition that is typically not fatal and for which on-site surgery has a known risk of fatality:
  * Sorry, you'll have to wait for a doctor who may never come
  * We'll give you remote surgery but there's a chance someone will hack the system in a way that could kill you, plus there is still the normal risk you will never wake up from the anesthesia
  
  --
  Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
2. Re:I know what will happen... by Anonymous Coward · 2015-04-28 06:36 · Score: 0
  
  It's OK the lawyers have a form you fill in to fix that problem, also doctors bury their mistakes and dead men don't talk.
3. Re:I know what will happen... by bhcompy · 2015-04-28 06:39 · Score: 1
  
  Not just that. Humans are corruptible. Send a doctor in to do it live and there's no reason that a doctor couldn't be compromised and kill the person anyways.
4. Re:I know what will happen... by Kjella · 2015-04-28 06:43 · Score: 1
  
  The exactly same thing will happen if they do not provide the service to undeveloped areas, the patient suffers and possibly dies. Any effort to do something is better than doing nothing despite the risks involved.
  Sure, but there's a few more options than doing this and doing nothing. For example, if the connection is so unreliable would you rather have someone on-site try doing it under audio/video/photo/sketch/text guidance and if the connection breaks down he'll just have to wing it or do you really want a remotely operated robot that'll leave you stranded when the connection fails. Not to mention the latter is harsh, but maybe needed on-the-job training. And if you want remotely operated robots, well you need some pretty advanced skills to maintain and repair them so you might just replace one skill they don't have for another.
  
  --
  Live today, because you never know what tomorrow brings
5. Re:I know what will happen... by Anonymous Coward · 2015-04-28 06:44 · Score: 0
  
  But the point of the article is that remote procedures open more surface area for malicious attack.
6. Re:I know what will happen... by ColdWetDog · 2015-04-28 07:02 · Score: 2
  
  Yes. The entire thesis of the researchers is more than a little bizzare:
  
  A crucial bottleneck that prevents life-saving surgery being performed in many parts of the world is the lack of trained surgeons. One way to get around this is to make better use of the ones that are available.
  No, these machines are going to be used in 'first world' situations in order to help surgeons perform difficult tasks. The idea that someone is going to send a highly complex robot out into the total boonies is pretty far fetched. Surgery is much more than the surgeon. It's the scrub and circulator nurses. It is the sterile OR and equipment. It is anesthesia and pre op and post op nursing. This machine will do little to help with the lack of care.
  Now, having a poorly secured surgical robot anywhere isn't such a bright idea and it is likely that the manufacturers need to work on this, but surgery robots are in their infancy at present.
  
  --
  Faster! Faster! Faster would be better!
7. Re:I know what will happen... by Anonymous Coward · 2015-04-28 07:38 · Score: 0
  
  Holy false dichotomy batman! How about: Option #3: Hire a competent network security trained developer to tunnel the telepresence technology through a VPN? I think the DoD CAC system(https://militarycac.com/) is good enough for authentication risk management to make this threat model sufficiently unlikely to justify foregoing the benefits of the technology.
  FFMPEG's ffserver has the capability to do low-latency rtsp video streams and you can embed one of those directly in a webpage. The HMI to the robot could be done using javascript client-side and a web-socket.
  At that point: you need to lock down the pc's on either side of the connection so they have no ability to install additional software or have unauthorized code run in any way.
  Client side is easy: ChromeBox with USB HID for the exotic joysticks.
  Server side? SELinux sounds like a good choice.
8. Re:I know what will happen... by itzly · 2015-04-28 08:52 · Score: 1
  
  No, these machines are going to be used in 'first world' situations in order to help surgeons perform difficult tasks.
  
  No, they'll be used in first world, but the operator sits in an Indian surgery center fixing your heart valve for $10 per hour.
9. Re:I know what will happen... by cusco · 2015-04-28 10:24 · Score: 1
  
  It depends on the cost of these things. If each robot is a gazillion dollars then yes, you're right, they'll only be used in the first world. If the price is intermediate then they may well be mounted in military helicopters and mobile facilities to do battlefield surgery beyond the capability of the corpsmen. If they are cheap (comparatively) then they will be widely deployed, never mind the network and security issues, in the Third World. In Peru, which I am most familiar with, the top surgeons tend to prefer to live in Lima or Arequipa, and if you need their services you need to travel there. Most other Third World countries are much the same. If I lived in Machu Picchu and needed heart surgery I would need to travel to Cusco, and then to Lima, three days of travel before I could even be examined. If I can go to Cusco and be examined and treated I would dramatically reduce the travel and expense necessary while still receiving decent care. Even more likely is that advanced medical students will be called in to perform large numbers of basic medical services, like dental treatment and cataract removal, in the smaller towns while still under the supervision of their instructors.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
10. Re:I know what will happen... by ColdWetDog · 2015-04-28 11:27 · Score: 1
  
  But if you lived in Machu Picchu and needed heart surgery, it would be extremely unlikely that anyone would truck the machine up there. Because you also need a bypass machine. And a damned good anesthesiologist (who probably lives with the other docs in the big city) and the nurses and the dacron grafts and the special sutures and the ventilators and the vent techs and so forth and so on.
  So having the smart machine doesn't help you over much. Even for battlefield medicine, I don't think surgical robots are going to prove useful for the same reasons. It's easier to just pack up everyone as a team and dump them on some handy flat piece of ground away from the front. Then drag your victim in using paramedic level persons and helicopters - things that can stand being shot at and don't need high bandwidth connections to function.
  The supervision of basic providers is an excellent model but that is typically going to be just video rather than a robot. Anything with opposable thumbs can do a basic cataract - you could build a robot that would do some of the manipulations, but it's pretty automated as it is. There are going to be niches with this sort of tech, certainly we can work on changing some procedures that have remained the same for 200 years, but surgical robots are going to be just a small part of things. Hell, a 3D printer might even be more useful - a common situation in remote areas is that the docs / providers know how to do something, they just don't stock the special screw / graft / gizmo that a bigger hospital would. Even 3D printed orthotics (ie, very low tech) would be pretty useful (and I'm sure I've seen articles where they are starting on this).
  
  --
  Faster! Faster! Faster would be better!
No excuse for this by davidwr · 2015-04-28 06:25 · Score: 3, Interesting

You can't completely prevent your communication going down due to malice, accident, or acts of nature. When those fail you have to have a backup plan such as going into a failsafe mode.
BUT You can and must detect interference and either correct for it or treat it like a total communications failure. There is no excuse for being fooled into taking instructions from an unauthorized party (well, unless the instruction is "you think I'm hacking your communications but I'm really doing a side-channel attack to trick you into doing what you normally do when you lose communications, now obey me and do what you normally do when your communications are hosed, thank you.").

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Re:No excuse for this by Anonymous Coward · 2015-04-28 06:32 · Score: 0
  
  Something about if they have physical access means you won't have any security anyway
2. Re:No excuse for this by Immerman · 2015-04-28 07:10 · Score: 1
  
  What does that have to do with anything? If someone on-site is compromised, they don't need to compromise the sophisticated surgical robot to kill the patient, there's plenty of other ways to do the same job.
  The risk now is that some script kiddie half way around the world (or a neighbor with an ax to grind) takes control of the robot midway through the operation and implements "blender mode". Rather than worrying about the handful of professionals on-site, now you have to worry that anyone, anywhere on Earth might want to kill the patient.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
3. Re:No excuse for this by davidwr · 2015-04-28 08:38 · Score: 1
  
  Grandparent:
  
  Something about if they have physical access means you won't have any security anyway
  Parent:
  
  What does that have to do with anything? If someone on-site is compromised,
  Actually, the grandparent has a point: Someone with physical access to the robot prior to the surgery could replace or reprogram the robot. Someone with physical access to a machine "inside" the hospital's network (or for that matter, the network of the hospital where the human driving the robot is at) might be able to remotely-control the robot in ways that someone "outside" the network wouldn't be able to do if there was a site-to-site secure VPN but no machine-to-machine secure communications channel. Like physical access to the robot itself, the physical access to the "on-LAN" equipment doesn't even have to be during the operation.
  
  --
  Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
FUD by Anonymous Coward · 2015-04-28 06:26 · Score: 0

This is more security research for the sake of security research, so they can sell snake oil security products for threats that don't exist. Turn in your "ethical hacker" certificate and get real job.
DoS by itzly · 2015-04-28 06:38 · Score: 1

Even with a secure link it's possible to overload the network with a denial of service attack.
1. Re:DoS by Immerman · 2015-04-28 07:14 · Score: 2
  
  Sure - but the implications of the robot going "dead" halfway through a surgery are much less severe than someone suddenly hijacking the signal and switching to "blender mode". A dead 'bot is still a problem, but you probably have on-site staff capable of at least attempting to stabilize the patient.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
2. Re:DoS by itzly · 2015-04-28 07:27 · Score: 1
  
  Sure, but a DoS attack is much easier to perform, much harder to resist, and can be continued for a long time. If you're halfway during a transplant, you can't really afford to wait.
  As for the rest of the stuff, you could simply run the connection through a VPN. That's probably smarter than trying to reinvent security protocols.
Cart before the horse? by The-Ixian · 2015-04-28 06:44 · Score: 1

Great that they are thinking about security on the device long before they are implemented... but, I would think that it would be way more important to think about the connection these things are communicating over first...

Seems to me that battlefield and rural areas would have the least reliable network connection possible. I would think that the bar would need to be raised in this area before SURGERY could be accomplished.

--
My eyes reflect the stars and a smile lights up my face.
1. Re:Cart before the horse? by itzly · 2015-04-28 06:57 · Score: 1
  
  Depends... if somebody's critically wounded on the battlefield, and there's no local surgeon available, a 80% chance of a successful remote surgery is better than none.
2. Re:Cart before the horse? by Immerman · 2015-04-28 07:23 · Score: 1
  
  Well, you probably have a local surgeon who could attempt the operation - the robot simply allows a specialist to do the job instead. If the datalink drops out the local surgeon can take over - it may drop the patient's recovery chances considerably, but nothing compared to having a scalpel-wielding robot suddenly go berserk on their innards.
  Also, did you miss the part where they said satellite links are one of the options? Probably the ONLY real option in the aftermath of a major natural disaster. And battlefield data links are probably some of the most high-priority assets available to a modern military, they're unlikely to be disrupted effectively, especially miles from the front lines where hospitals are set up.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
Laggy by Imagix · 2015-04-28 06:54 · Score: 1

And you thought _gamers_ complain about lag time on public networks. What about a robot with a knife in someone? Add to that the unreliability of battlefield network connections? This is not giving me the warm fuzzies...
1. Re:Laggy by hedleyroos · 2015-04-28 07:05 · Score: 1
  
  You can now literally be hacked.
Dear Doctors and Hospitals.... by Lumpy · 2015-04-28 07:02 · Score: 1

Pay for real IT security staff. $250,000 a year each is a starting wage for Good ones. Until you do so you will have problems.
WE need to stop with this bullshit of trying to get security without paying for it. Tell these morons, DUH! you refuse to pay for it. until they understand.

--
Do not look at laser with remaining good eye.
1. Re:Dear Doctors and Hospitals.... by riis138 · 2015-04-28 07:57 · Score: 1
  
  Couldn't agree more.
  
  --
  Somewhere, something incredible is waiting to be known. -Carl Sagan
Medical Pod 720i by ArcadeMan · 2015-04-28 07:18 · Score: 1

The attack will come from within.

--
Get free satoshi (Bitcoin) and Dogecoins
Oops! by Anonymous Coward · 2015-04-28 07:31 · Score: 0

Sorry, we thought you said you needed a craneotomy, not an appendectomy!
1. Re:Oops! by DroolTwist · 2015-04-28 08:37 · Score: 1
  
  Sorry, we thought you said you needed a craneotomy, not an appendectomy!
  A crappendectomy?
TeleAssassination? by Vonotar82 · 2015-04-28 07:49 · Score: 1

This sounds like the perfect vehicle for the cloak-and-dagger set to eliminate high-value targets while they are most vulnerable. That frightens me quite a bit.

--
"I drank WHAT?!"--Socrates
1. Re:TeleAssassination? by Anonymous Coward · 2015-04-28 10:17 · Score: 0
  
  There are, like, already drones that can kill you with a missile.
  And, don't forget, teledildonics!
Stop the insanity! by riis138 · 2015-04-28 07:55 · Score: 1

First they're doing surgery, then they're asking to join Starfleet. When does it end?

--
Somewhere, something incredible is waiting to be known. -Carl Sagan
Underkill. by westlake · 2015-04-28 08:41 · Score: 1

Why bother hacking into a single robot when comm links are fragile and you can bring everything down?
A stitch in time saves 9 by Anonymous Coward · 2015-04-28 08:53 · Score: 0

I did a design review of a robotic surgery device a number of years ago. They told me that when the trigger was pushed, the device would cut. When the trigger release signal was received, the device would stop cutting. When I asked about immunization a link failure they said .... Oops!
Conducting a threat and risk assessment along with vulnerability analysis in an open and methodical manner is one step to resolving the oops! Issue.
Something to seriously consider for remote surgery by WillAffleckUW · 2015-04-28 09:06 · Score: 1

As an example, it's very hard to get any MDs or nurses in some of the emptier remote parts of WA, BC, and ID, and at times, even if you could drive it, it's 50-100 miles to the nearest hospital over mountain passes with a heck of a lot of snow where I grew up. Some days the highway won't reopen for a week.
So something like this is way more important than you might realize.
Links aren't that fragile in many of these remote areas, as a lot of our power generation is going on there, so you can piggyback on the transmission line power at very high communication rates, but sometimes you can't even fly there, and the surgery is needed ASAP.

--
-- Tigger warning: This post may contain tiggers! --
Look where and when they plan to use it by morgauxo · 2015-04-28 09:07 · Score: 1

Look at where and when they plan to use these. It sounds like they intend them for situations where a live doctor is not available. If they use it in 10 emergencies, 1/2 of the time it is succesful and 1/2 of the time it is hacked then that's 5 lives saved that would have died and 5 lost that would have died anyway.
Don't get me wrong, these things should be secured and the goal should be to save all 10. But.. no use letting the 5 lucky ones die just because it isn't ready yet!
Battle Field Robotic General by Anonymous Coward · 2015-04-28 09:42 · Score: 0

Fight your way out of reach of a flock of hysterical surgery robots, recently hacked and delivering death at the corridors of the hospital. Wipe your tears as one of the robots encapsulates its disappointment to its designer and its builder at the factory to clean 1500 byte packets. Team up with disaffected MIT graduates to deliver deadly blows to the robots using improvised weaponry made solely out of the equipment found from the hospital cafeteria. Enjoy the drama, enjoy the action, enjoy the Battle Field Robotic General!
Re:Something to seriously consider for remote surg by ColdWetDog · 2015-04-28 11:36 · Score: 1

And again. It's not just the doctor that you can't get in rural areas. It's the nurse, the anesthetist, the OR tech, the OR, the pieces parts, the blood bank, the ventilator, etc. Surgery is a whole package. It is much safer to get the patient out to an institution that does the procedure on a regular basis than to try to hack through a treatment that the staff hasn't done in a year. Not everything goes right. Sometimes you want another specialist to help when surgical misadventures arise. Until the tech gets to be something like a Weyland Med Pod, robot surgery is going to be a niche area, confined to hard to get areas or procedures that need extremely fine physical control.

--
Faster! Faster! Faster would be better!
Re:Something to seriously consider for remote surg by WillAffleckUW · 2015-04-28 11:45 · Score: 1

Actually, the UW surgical robot is the one you see in the space training sequences of certain SF movies. Ender's Game specifically.
It actually exists.

--
-- Tigger warning: This post may contain tiggers! --
Much ado about nothing. by Anonymous Coward · 2015-04-28 13:31 · Score: 0

the researchers noted, and asked: "But what if these robotic systems are attacked and compromised?"
Then we shoot their field doctors too. There's a reason why medics paint a big visible cross on their helmet, it keeps them from getting specifically targeted on the battlefield. Specifically targeting the medical telerobotics systems with your cyberwarfare apparatus will likely escalate far beyond what would happen if you had just killed the patient properly. Healthy soldiers, fair game. You fuck up and don't kill your enemy, then that's on you, you don't get to kill the medics.
In other words: The "researchers" didn't think shit through properly, again.
"Satellite link?" by Anonymous Coward · 2015-04-28 14:17 · Score: 0

Surgery over a satelite link to a remote location sounds dangerous, due to the 500ms latency for any feed back...