Slashdot Mirror


Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016 (forrester.com)

An anonymous reader writes: A surge in ransomware campaigns is expected to hit the medical sector in 2016, according to a recent report published by forecasters at Forrester Research. The paper 'Predictions 2016: Cybersecurity Swings To Prevention' suggests that the primary hacking trend of the coming year will be "ransomware for a medical device or wearable," arguing that cybercriminals would only have to make mall modifications to current malware to create a feasible attack. Pacemakers and other vital health devices would become prime targets, with attackers toying with their stability and potentially threatening the victim with their own life should the ransom demands not be met.

108 comments

  1. I'm careful about using the term "Evil" by unimacs · · Score: 4, Insightful

    But that would qualify.

    1. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 2, Insightful

      Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them by the neck until dead in public.

    2. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them by the neck until dead in public.

      Screw that. Behead the cunts. With a dull, rusty kitchen knife. In public.

    3. Re:I'm careful about using the term "Evil" by bev_tech_rob · · Score: 1

      Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them by the neck until dead in public.

      At the very least, classify the programmer of the malware as a terrorist, sic Seal Team Six on him/her and send them to Gitmo.

      --
      You're messin' with my Zen Thing, man.....
    4. Re:I'm careful about using the term "Evil" by mikael · · Score: 1

      "We have infected your implanted pacemaker with a virus. Your pacemaker will stop within 24 hours. Please send $100,000 by Western Union to the following bank account and we will remove the virus".

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    5. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      Killing them is much, much better. Holding all these islamic terrorists is already costing the USA heaps of money. The ones they do release, around 50% of them end up back in terrorist camps. I'd just kill them all and call it good.

    6. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      You can flip that around, too.

      People who go to all the extra trouble to install and execute random malware on their devices, will start getting death penalties, when those devices include medical stuff. Up to now, when people have bothered to install and execute malware, they just helped to fund spam delivery, helped to pay for the cost of someone else's bitcoin mining, and sometimes become volunteer data hostages. Now they'll start to become volunteer corpses too.

      This could be the long-anticipated beginning of the end for malware. The people who have been pro-malware or noncommittal on the subject will end up selected out, and people who have principles explicitly against installing and running malware, will be the survivors. The stakes could finally be high enough that it starts to matter. A lot of people think death is pretty damn important, and from an individual behavior perspective, death objectively is pretty damn important. Dead people simply don't have the capacity to continue installing, running, and spreading malware. And if they can't do it, they won't do it. So this really could be the end of malware. It'll finally be "mal" enough.

    7. Re:I'm careful about using the term "Evil" by Sperbels · · Score: 1

      Isn't this often the case with the pharmaceutical and medical industry charging prices waaay beyond cost?

    8. Re:I'm careful about using the term "Evil" by penguinoid · · Score: 1

      But that would qualify.

      Which, making life-critical devices which are vulnerable to hackers to save money on security, or to ask people with insecure devices for money?

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    9. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      Increasing the punishments will only help a little. The risk of getting caught is always the strongest deterrent. So long as the criminals feel that they are reasonably hard to catch, they will take risks for the money.

      Better to invest quite a lot into solid security with no back doors.

    10. Re:I'm careful about using the term "Evil" by AntiAntagonist · · Score: 0

      Citation needed

    11. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      No, torture them for years and years. Surgically amputate all of their limbs, remove their genitals, scoop out their eyes, cut their vocal cords and extract all of their teeth without anaesthetics but in a sterile, professional manner so that they don't die. Let them live the rest of their lives out as nothing but a torso with a blind, voiceless head atop.

    12. Re:I'm careful about using the term "Evil" by unimacs · · Score: 1

      The latter of course. There is a broad spectrum of misdeeds. I consider a willful act of doing harm to be worse than negligence.

      Besides, in the case of implanted medical devices it takes years and years of testing to get them to market. I had a relative in the industry whose company basically went bankrupt for that reason. They spent years testing in Germany with good success but eventually they ran out of money.

      Adding proper security is probably a small portion of the total cost of development and I doubt many device manufactures would knowingly skimp in that area knowing how vulnerable they are to lawsuits. What is more likely to happen is that attacks get more sophisticated over time and products that did have reasonable security when implanted in your body 5 years ago, don't anymore.

    13. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      Someone just uploaded this payload from your computer. You already know the sentence, you scumbag. Prepare to meet your Maker.

    14. Re:I'm careful about using the term "Evil" by c4757p · · Score: 1

      You write like you probably orgasmed at least once while thinking that shit up.

    15. Re:I'm careful about using the term "Evil" by Half-pint+HAL · · Score: 1

      It would also qualify as "stupid". The basic rule of thumb in internet crime is "do only that which isn't worth tracking you down for". Basic financial fraud is a nightmare to handle across jurisdictions, and no-one gets physically "hurt", so it rarely gets prosecuted. But serial killers tend to come up pretty high on Interpol's hit list, and if you're hacking pacemakers and insulin pumps, that's basically what you are.

      --
      Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
    16. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 1

      Really? You cannot Google this for yourself? Why defend any fascist islamist, even obliquely? They all deserve what they get. I agree with the Chechen leader: let's strap all captured terrorists to drones and drop them on the heads of their accomplices. Sounds like a really decent plan. I'd also drop pig guts and blood over their mosques, pay huge bounties for informants to turn on their own people, use snipers to literally kill their morale.

    17. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      When caught, hope they get charged with first degree murder (if *anyone* dies as a direct or indirect cause of this), and sentenced appropriately... perhaps spammers would think twice about screwing with people's lives if their own life was on the line.

    18. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      How do you match up real-world addresses and pacemakers?
      Why would you trust the email and not run to the doctor?
      Ransomware assumes there is something of value. You could always reformat and reinstall.
      But you would lose your pictures. Nothing special in a pacemaker.

    19. Re:I'm careful about using the term "Evil" by sce7mjm · · Score: 1

      And then find out the guy was stitched up by the government and turned out to be innocent. Well done.

    20. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      Frankly, some of the movements in the malware industry seem too driven by the ideas and advisories produced by infosec consulting groups.

      Ransomware, especially some of the Cryptolocker variants, looks like a corporate-sponsored effort to penalize people for not being customers for AV or spam filtering. A great example is how much your aggregate incoming mail increases (all of the increase being additional spam) after you tell Barracuda that you don't plan to renew your subscription.

      It's amazing how little effort the FBI and DHS will put into tracking the money given the ease of tracking bitcoin and credit transactions. Again, this points to the efforts being driven by special interests.

    21. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      Yeah, the smarter move is to lie and say you hacked the device.

    22. Re:I'm careful about using the term "Evil" by Khashishi · · Score: 1

      Dear God! What is that thing?

    23. Re:I'm careful about using the term "Evil" by penguinoid · · Score: 1

      I consider a willful act of doing harm to be worse than negligence.

      Only on a case-by-case basis. For example, I'd consider widespread willful negligence that results in the deaths of thousands to be way more serious a crime than a serial killer who's reaching his second dozen victims.

      Adding proper security is probably a small portion of the total cost of development and I doubt many device manufactures would knowingly skimp in that area knowing how vulnerable they are to lawsuits. What is more likely to happen is that attacks get more sophisticated over time and products that did have reasonable security when implanted in your body 5 years ago, don't anymore.

      That's not how security works, except security by obscurity. Bugs don't mysteriously appear in old code; they have always been there and are merely discovered. You can build code that is and will forever be resistant to network attacks (unless they find your password). I understand it's possible to build provably secure code, it's just very expensive.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    24. Re:I'm careful about using the term "Evil" by mysidia · · Score: 1

      I assume the criminals who would do this have risen to a new level of evil, and there's a measurably higher reward to offset the high likelihood they'll get caught eventually.

      I am imagining "Ransomware" evolves into "Racketeeringware"

      Instead of "pay us this ransom ...." to infected users, they launch a campaign getting people to "Pay 400BTC in Exchange for protection"

      The explanation being... the evil device hackers are killing people left and right, But if you pay this "protection charge", Your medical device will get added to a list of devices that they won't attack

      A short bit later, they change into a monthly protection fee to be paid by the device manufacturer.

      And a long while later, they recast themselves as an "antivirus company" that releases proof of concept malware to the public, for devices whose manufacturers are not customers.

    25. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      Yeah sure. Any more conspiracy theories you got to share, tinfoil boy?

    26. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 0

      That attitude makes you and the Chechen leader no better than terrorists.

      Battle not with monsters, lest ye become a monster, and if you gaze into the abyss, the abyss gazes also into you. --Friedrich Nietzsche

      Captcha: replica

    27. Re:I'm careful about using the term "Evil" by unimacs · · Score: 1

      I consider a willful act of doing harm to be worse than negligence.

      Only on a case-by-case basis. For example, I'd consider widespread willful negligence that results in the deaths of thousands to be way more serious a crime than a serial killer who's reaching his second dozen victims.

      You are talking about the severity and magnitude of outcomes. I'm talking about evil. Though they can be related, they aren't the same, at least not in my mind.

      In your examples, the second is a worse outcome for sure but evil is strongly tied to intent. A guy who drives drunk and ends up killing 4 people is negligent and responsible. He should be punished and it would be quite understandable if the family of the victims hated him and never forgave him. He demonstrated exceptionally bad judgement and selfishness. But I wouldn't call him evil.

      Let's say another man kidnaps and tortures a couple of kids for the fun of it, but they eventually escape and in time fully recover. That guy is more evil than the drunk even though the outcome is not as severe.

      Adding proper security is probably a small portion of the total cost of development and I doubt many device manufactures would knowingly skimp in that area knowing how vulnerable they are to lawsuits. What is more likely to happen is that attacks get more sophisticated over time and products that did have reasonable security when implanted in your body 5 years ago, don't anymore.

      That's not how security works, except security by obscurity. Bugs don't mysteriously appear in old code; they have always been there and are merely discovered. You can build code that is and will forever be resistant to network attacks (unless they find your password). I understand it's possible to build provably secure code, it's just very expensive.

      Exploiting bugs is not the only form of attack. Encryption schemes get broken, the tools available to hackers get more sophisticated and social engineering continues to be a problem. Even air-gapped systems have been compromised. Given time and money, just about any system can be hacked. Do you doubt that?

      It's not always about negligence. Sometimes that blame lies strictly with the perpetrator.

    28. Re:I'm careful about using the term "Evil" by unimacs · · Score: 1

      Sorry, meant to say that the thousands dying is a worse outcome, but a worse outcome is not always the result of more "evil" act.

    29. Re:I'm careful about using the term "Evil" by Zaowulf · · Score: 1

      And then the public gets to pay for their ongoing care. Brilliant!

    30. Re:I'm careful about using the term "Evil" by AntiAntagonist · · Score: 1

      "around 50% of them end up back in terrorist camps"
      Not every person in gitmo is a terrorist and the number that get released, that then decide to become (or continue being) terrorists is not general knowledge.

      Doing a cursory Google search points to a far lower percentage (than 50%), and has further decreased over the years.
      http://www.cbsnews.com/news/18...
      http://www.theguardian.com/us-...

      So again I say "Citation needed"

  2. "Mall modifications"? by Anonymous Coward · · Score: 4, Funny

    I suppose it's inevitable that these devices would become a Target at some point. Security is a Hot Topic these days. Sak's to be a victim.

    Also, Walmart.

    1. Re:"Mall modifications"? by SeaFox · · Score: 0

      Modifications to wearable tech won't be restricted to victims' PCs, it will be able to affect them in their Bed, Bath, and Beyond. Will a computer be even necessary? Or will people who don't even own PCs, like cookie-baking Mrs. Field's, get a letter some day asking her to send a MoneyPak to some obscure location, lest her pacemaker start having "issues" one Tuesday Morning. Security has been through obscurity for so long with these devices, perhaps now that attacks are imminent we can stop blurring the lines between PCs and prosthetics and get a Sharper Image of where the division should be for devices that can be remotely administered and which ones should need an in-person assist for security reasons. Internet connectivity shouldn't be one of the Staples of the features on implants just because we can make the tech small and low power enough.

    2. Re:"Mall modifications"? by Howitzer86 · · Score: 1

      Look here, my pacemaker can play an obviously pirated copy of Super Mario by streaming RF radiation directly into my TV antenna. Downside: it requires me to play non-stop to stay alive. In hindsight, perhaps I shouldn't have bought it at that mall kiosk... the surgery was free though, so it was hard to say no.

  3. Smells like FUD by The+MAZZTer · · Score: 3, Interesting

    It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught. Ransoming encrypted computer files is one thing. Murder is something else.

    1. Re:Smells like FUD by gstoddart · · Score: 4, Interesting

      Easily automated from anywhere in the world, hard to trace, and exploiting utterly useless security.

      Honestly, this was pretty much inevitable.

      The security of most consumer devices is pathetic and useless. The security of medical devices has been known to be almost non-existent for years now.

      Humans are not intrinsically honest. It's time to stop pretending they are.

      --
      Lost at C:>. Found at C.
    2. Re:Smells like FUD by NotInHere · · Score: 1

      I guess it is hard to do actually any blackmail of a specific person, as if it is known that a medical device is hacked, the owner of the medical device could just call the medical service, and then they can survive it, unless of course the attacker also controls the devices of the ambulance etc. So it can really only be used for targeted murder, or for a less specific blackmail of the form "I have hacked 100 medical devices of people in your city. If you don't pay, I'll kill them one by one." sent to mayors or other authorities.

    3. Re:Smells like FUD by Anonymous Coward · · Score: 0

      Yet another excuse for governments to swear up and down that encryption is costing lives. :(

    4. Re:Smells like FUD by Maritz · · Score: 1

      What I don't see in this instance is what is actually being ransomed. What files do you encrypt on a pacemaker?

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    5. Re:Smells like FUD by TWX · · Score: 1

      It's only inevitable because the people creating these devices are using commodity operating systems that allow someone else's software to run on them.

      These kinds of devices should not run conventional operating systems that can run third-party software. They should probably use a model more like Cisco's where the OS and all software are contained in a single package, but taken a step further where better sanity-checking makes it even harder to crack.

      --
      Do not look into laser with remaining eye.
    6. Re:Smells like FUD by fuzzyf · · Score: 1

      Hard to trace? Just follow the money.

    7. Re:Smells like FUD by DarkOx · · Score: 1

      I think it's a question of how likely you are to get caught and whether you fear the consequences. Look at some of the historic mobsters for example. They had little concern about taking their illegal gambling, moonshine, and drug running into the realm of murder. Most of those guys knew they either would not be caught because they had resources equal to those working to contain them, or they simply 'owned' a large portion of the authorities via corruption.

      The other case is you are already looking at a very long sentence so you don't care if it's 2 consecutive life sentences or 20.

      El Chapo is the modern example. Even when he was re-arrested he did not stay in prison for too long, and there was a massive conspiracy to get him out. I think he is still at large? Point being if he wants to 'whack someone' he does it. He knows either he won't be caught, will be helped to escape, or if the system does work his rap sheet is so long it does not matter at this point.

      So I am not sure it works like you suggest. Most criminals are not very bright bulbs. If they were they probably could work the system and make a decent life for themselves legally.

      If you look at it from a pure risk/reward standpoint it should be painfully clear that robbing a convenience store is pretty dumb, but if you were hungry and destitute enough it's possible you might decide to try it. It is after all a soft target and the clerk or even the owner might have little personal interest in doing anything but cooperating with you. They probably have some kind of business continuity insurance after all. Why risk their lives trying to protect the $150 in the register and a few Slim Jims? It could work out.

      Now add a gun to the mix as the criminal element often does and suddenly you have swapped larceny and simple assault for armed robbery and assault with a deadly weapon (remember you don't actually have to hit or shoot someone for assault, just credibly threaten it). You have perhaps encouraged a little more compliance from the store staff but at the cost of upping the ante from a probable 6 months to 1 year in the slammer to 10+ years if caught. Totally not worth it! Yet criminals do it all the time!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:Smells like FUD by JaredOfEuropa · · Score: 1

      It also is much harder to figure out the specific person who carries the hacked pacemaker. With normal ransomware, you don't have to know anything about the person who owns the hacked computer, since the same computer is delivering the ransom note. It does make a lot more sense to hold a city, a hospital, or the manufacturer to ransom.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    9. Re:Smells like FUD by gstoddart · · Score: 3, Insightful

      I don't expect every company to build an OS .. that would pretty much mean we don't get any new devices and software ever.

      But I do expect that companies not be so damned lazy when it comes to writing security, and that they be required to support OS updates and fix security holes ... you can't just say "nope, you have to stay on an ancient and unpatched OS because we can't confirm our stuff still works". And if you can't, you should lose any certifications the device has.

      I've been saying for years the makers of consumer electronics need to be held to a higher standard when it comes to security, and to actually have some liability for it.

      The makers of medical devices and cars and the like need to be held to a significantly higher standard than that.

      But companies just rush some crap out the door and walk away.

      --
      Lost at C:>. Found at C.
    10. Re:Smells like FUD by Anonymous Coward · · Score: 0

      It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught. Ransoming encrypted computer files is one thing. Murder is something else.

      So is terrorism. Think of attacks against a country. Lots of people in this world hate a lot of other people solely based on where they live.

    11. Re:Smells like FUD by Anonymous Coward · · Score: 3, Interesting

      I'm in the Healthcare industry and I'm working with a vendor who has said "We're not saying not to patch your device. We're saying that if you do, it will impact the speed at which we can resolve any issues that arise with it." Our doctors and staff hear that and tell us not to patch it. That's crazy to me and I've heard from nearby hospitals that the same thing happens there.

    12. Re:Smells like FUD by Anonymous Coward · · Score: 0

      What I don't see in this instance is what is actually being ransomed. What files do you encrypt on a pacemaker?

      Look, we were having a perfectly good Panic Attack over vague, unfounded speculation that someone might possibly hack into a medical device and encrypt something. And you're trying to ruin it.
      We can't do away with medical devices, and there are too many unviewed cat pictures to do away with the internet, so the obvious thing to do here is attack encryption! Used by both Terrorists and Murderers of Little Old Ladies alike! And Pedophiles, don't forget them either!
      Experts predict that sometime in 2016, encryption software will be used to hack and abduct your children!

    13. Re:Smells like FUD by nitehawk214 · · Score: 1

      You would think these assholes are smart enough not to try this. One sure way to ramp up the investigations of these things is to switch from inconveniencing idiots that don't backup to murder.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    14. Re:Smells like FUD by info6568 · · Score: 1

      But you know, when terrorists who blow themselves up are out there, this is really a dangerous issue.

      For them human life is not as important as what they can ask for it.

    15. Re:Smells like FUD by Cajun+Hell · · Score: 1

      TIL criminals are rational users of game theory who carefully evaluate the payoff tables.

      --
      "Believe me!" -- Donald Trump
    16. Re:Smells like FUD by Anonymous Coward · · Score: 1

      I have heard from more than one PM the saying, "the only profit a lock ever made was for the lock maker".

      The problem with security is that companies can get away with breaches without much, if any penalties. Look at the stock value six months after a major breach, and it usually is untouched, if not up slightly due to the "we are more secure than ever" PR the company slings. Even though it might be that the "more secure than ever" just means the Windows admin forced a change on all users across the AD forest, with a 10 character password rather than an 8 character password.

      Even with medical devices, I have seen a number of them running Java... and Sun/Oracle has, in their EULA, the clause that Java is not to be used for medical or nuclear purposes, and is not life-safety grade.

      I'm not surprised that ransomware is going to go this route. "Pay up, or we pull the virtual heart plug", especially if the victim is someone influential, will get a criminal organization a lot of gains.

      Will it be prosecuted? The will isn't there. Criminals are looked at as people smart enough to get around the system, not scumbags. If some people wind up as victims of the "remote kill" functionality, even then, there still won't be interest in security.

      If security were treated like IP infringement, things would be different: a device maker with shitty security controls would be treated just like an HDCP 2.2 device maker that leaves a backdoor -- sued into the ground for contributory infringement. It should be that way with security, where if a device's security doesn't pass muster, the company that made it should face legal liability, and if it is a medical device, imports of it should be banned.

    17. Re:Smells like FUD by Anonymous Coward · · Score: 0

      Yet another excuse for governments to swear up and down that encryption is costing lives. :(

      ... while being the main users of these medical device vulnerabilities for 'hits'.

    18. Re:Smells like FUD by TWX · · Score: 2

      They might not need to write an OS from scratch, but they can choose from any of a number of non-commodity operating systems or kernels on which to build their software. These are single-purpose machines. They don't need an OS that's capable of running a word processor.

      --
      Do not look into laser with remaining eye.
    19. Re: Smells like FUD by Anonymous Coward · · Score: 0

      How do you follow a bitcoin?

    20. Re:Smells like FUD by Anonymous Coward · · Score: 0

      Maybe someone just takes over one of those rascal scooters and has it do a few donuts or something. Not quite murder.

      I can see it now:
      Dear user, your rascal will perform a crazy ivan every 20 minutes until you pay us 1 bitcoin. Don't worry, it will always go to port in the bottom half of the hour.

    21. Re:Smells like FUD by Anonymous Coward · · Score: 0

      It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught. Ransoming encrypted computer files is one thing. Murder is something else.

      IMO it's all about the risk/reward for both the hacker and the hacked. Just like how you have to think about how much the data since your last backup is worth paying the hacker for, you will now have to think about whether your life is worth what the hacker is asking for... also the companies making the equipment are so gonna get sued every time...

    22. Re:Smells like FUD by Anonymous Coward · · Score: 0

      Encryption has nothing to do with it. You ransom the device's primary functionality. I.e. What's preventing the patient from dying. By intentionally causing it to stop working.

      There truly is nothing more evil than taking advantage of those who are defenseless to your attacks. The perpetrators of such a crime (in my opinion) deserve nothing but death. (I can't bring myself to show any empathy for someone who gives none.)

      If anything, this may finally get Joe Q. Public to demand better IT security. (Security theater only works until people start dying.) Sad that it takes such extreme circumstances though. Even worse however is the fact that the call for change will come from emotional outrage. Which given the current Crypto War 2.0 going on, I don't have high hopes for.....

    23. Re: Smells like FUD by Anonymous Coward · · Score: 0

      See who picks the bitcoins. It's all public.

    24. Re: Smells like FUD by Applehu+Akbar · · Score: 1

      This would be an ideal test of the idea we keep hearing that bitcoin is traceable through the blockchain. Ransomware as it exists today is already worthy of intense law-enforcement focus because it targets business and government. Having it target medical devices would throw the effort into overdrive.
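The last few replies ("follow the money", "see who picks the bitcoins, it's all public") describe the one thing a public ledger really does give an investigator: every spend is visible, so a ransom payment can be followed forward until it reaches an address someone can already put a name to. The block below is an added example, not code from the thread or from Forrester; it runs a simple "haircut" taint calculation over a constructed toy UTXO ledger (transaction IDs T0..T3, addresses such as `ransom_addr` and `exchange_deposit`, and the exchange label are all made up for the example). It also shows the usual complication: once the attacker mixes the ransom with unrelated coins, only a fraction of each downstream output can be attributed to the victim's payment.

```python
"""Haircut taint tracing over a constructed toy UTXO ledger.

Added example (not from the thread): follow a ransom payment forward through
the public transaction graph to see which addresses end up holding the coins.
All transactions, addresses and labels below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OutPoint = Tuple[str, int]  # (txid, output index)


@dataclass(frozen=True)
class TxOut:
    address: str
    value: int  # satoshis


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[OutPoint, ...]   # empty tuple = funding/coinbase (no prior outputs)
    outputs: Tuple[TxOut, ...]


# Constructed ledger in confirmation order: every input refers to an earlier tx.
LEDGER: List[Tx] = [
    Tx("T0", (), (TxOut("victim_wallet", 200_000),)),
    Tx("T0b", (), (TxOut("clean_funds", 300_000),)),
    # victim pays the ransom address; change returns to the victim (1000 sat fee)
    Tx("T1", (("T0", 0),),
       (TxOut("ransom_addr", 100_000), TxOut("victim_wallet", 99_000))),
    # attacker sweeps the ransom to a relay address
    Tx("T2", (("T1", 0),), (TxOut("relay", 99_000),)),
    # attacker mixes the ransom with unrelated clean coins and cashes out
    Tx("T3", (("T2", 0), ("T0b", 0)),
       (TxOut("exchange_deposit", 150_000), TxOut("attacker_cold", 248_000))),
]

# Constructed labels an investigator might already hold (e.g. known exchange deposit addresses).
LABELS = {"exchange_deposit": "deposit address at a KYC exchange (constructed label)"}


def index_outputs(ledger: List[Tx]) -> Dict[OutPoint, TxOut]:
    """Map every outpoint to its TxOut so inputs can be valued."""
    return {(tx.txid, i): out for tx in ledger for i, out in enumerate(tx.outputs)}


def haircut_taint(ledger: List[Tx], seed_address: str) -> Dict[OutPoint, float]:
    """Return {outpoint: fraction of its value that traces back to the ransom payment}.

    Haircut model: every output of a transaction carries the same tainted fraction
    as the transaction's inputs taken together. Outputs paid to seed_address are
    the ransom payment itself and are fully tainted regardless of their inputs.
    """
    outs = index_outputs(ledger)
    taint: Dict[OutPoint, float] = {}
    for tx in ledger:
        if tx.inputs:
            total_in = sum(outs[op].value for op in tx.inputs)
            tainted_in = sum(outs[op].value * taint.get(op, 0.0) for op in tx.inputs)
            frac = tainted_in / total_in if total_in else 0.0
        else:
            frac = 0.0  # funding/coinbase outputs start clean
        for i, out in enumerate(tx.outputs):
            taint[(tx.txid, i)] = 1.0 if out.address == seed_address else frac
    return taint


def tainted_destinations(ledger: List[Tx], seed_address: str, min_fraction: float = 1e-9):
    """Unspent outputs that still carry ransom value: where the money currently sits."""
    outs = index_outputs(ledger)
    spent = {op for tx in ledger for op in tx.inputs}
    taint = haircut_taint(ledger, seed_address)
    result = {}
    for op, frac in taint.items():
        if op in spent or frac < min_fraction:
            continue  # already moved on, or never touched the ransom
        out = outs[op]
        result[out.address] = {
            "outpoint": op,
            "fraction": frac,
            "tainted_value": round(out.value * frac),
            "label": LABELS.get(out.address),  # None if nobody has attributed the address yet
        }
    return result


if __name__ == "__main__":
    for addr, info in tainted_destinations(LEDGER, "ransom_addr").items():
        print(addr, info)
```

The haircut rule is the simplest of several attribution conventions (others follow first-in-first-out or poison every output touched); which one a court or exchange accepts is a policy question, not a property of the chain. The point the example makes is the one the thread is circling: the attacker can obscure how much of a given output is ransom money, but cannot hide that `exchange_deposit` received some of it, and that is the address with a name attached.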

    25. Re:Smells like FUD by Anonymous Coward · · Score: 0

      JustAnotherOldGuy posting here without signing in...

      I suppose you could tamper with the timing and/or trigger controls, amplitude of the pacing signal, or maybe just set a control to shut it off at some point. I don't know much about the internals of pacemakers, but it seems likely that something could be fiddled with to mess things up.

      (I'm assuming that some of the code is held in firmware rather than ROM, but I don't know.)

    26. Re:Smells like FUD by pr0fessor · · Score: 1

      Still it's a valid point as far as risk vs payoff...

      easily infect 100k+ computers most of which will be used for entertainment many of which will never be reported to law enforcement or taken seriously if they are reported.

      or a more difficult to infect life preserving device where almost 100% will be reported immediately w/ every report taken seriously and every report intensifying the search for the perpetrator.

    27. Re:Smells like FUD by Areyoukiddingme · · Score: 1

      The security of most consumer devices is pathetic and useless. The security of medical devices has been known to be almost non-existent for years now.

      Agreed. And there have been exactly zero attempts to exploit that. Or at least so close to zero, it can successfully be concealed from the entire public. So no, not inevitable. This smells like FUD. The authors of malware take great pride in knowing about zero-day exploits. That's where the money is, generally speaking. This is the polar opposite. This is a 5 year exploit. Or possibly even older. And yet it hasn't been exploited. So what's going to be different in 2016? Short answer: nothing. This is FUD.

      The types of criminals who will ransom your Word documents have already performed the calculus of risk and decided that being the test case for Murder By Remote is the very last thing they want to do. Law enforcement does exactly nothing about your Word docs. Law enforcement would pull out all the stops for that murder case, and criminals know it. Essentially all of those criminals are not psychotic. Sociopathic, yes, but not psychotic. This topic is a good illustration of the difference.

      Humans are not intrinsically honest. It's time to stop pretending they are.

      Humans in successful societies typically are intrinsically honest. The spontaneous first response is the honest response. And that's why the society works. The societies that work the most poorly are those that are the least honest. Books have been written about the reasons and the mechanisms, but that's what it boils down to.

    28. Re:Smells like FUD by KGIII · · Score: 1

      It's Forrester and, for reasons, a long time ago we used to pay for some of their papers as well as some from Gartner. I've never compiled the data but I concluded that they were actually wrong more often than they were right when it came to their ability to make predictions.

      --
      "So long and thanks for all the fish."
  4. Strange by Anonymous Coward · · Score: 0

    What kind of modifications to a mall would they need to make? The Hot Topic needs to switch places with the Spencers Gifts?

  5. SEE THIS IS JAIL BAIT !! by Anonymous Coward · · Score: 0

    I meant, click bait. Accidental.

  6. DJ Kardio and the Beatskippers by Pseudonymous+Powers · · Score: 5, Insightful

    How about we don't put a network chip on a pacemaker, dumbasses.

    Why would you ever need to communicate with it? Is there ever a time when you want your heart not to beat?

    1. Re:DJ Kardio and the Beatskippers by mlw4428 · · Score: 1

      There is programming that goes into some of these devices, including pacemakers. I suspect it has to do with everyone's bodies being just a bit different and thus things like electrical signals/frequencies/etc. are different and need to be accounted for to produce a monitoring pattern that is correct.

    2. Re:DJ Kardio and the Beatskippers by cdrudge · · Score: 4, Informative

      Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.

    3. Re:DJ Kardio and the Beatskippers by ebh · · Score: 1

      C|N>K

      And me without mod points. :(

    4. Re:DJ Kardio and the Beatskippers by Anonymous Coward · · Score: 1

      Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.

      Oh, that makes perfect sense to me. What I question is why you'd do something like put a wifi or bluetooth chip in a medical device. It seems to me like this would be something that you'd want to use near field communication for, and NOT leave the authentication set to a factory default.

    5. Re:DJ Kardio and the Beatskippers by jandersen · · Score: 1

      Is there ever a time when you want your heart not to beat?

      I feel that way when X-factor comes on and I don't have the remote.

    6. Re:DJ Kardio and the Beatskippers by tibit · · Score: 4, Interesting

      How about we don't put a network chip on a pacemaker, dumbasses.

      How about you don't take stupid fear-mongering from an inept "journalist" at face value? Pacemakers don't have a "network" chip or anything like that. They have a near-field communications system that can communicate with a dedicated programming/data capture terminal. It makes little sense for any kind of ransomware on what amounts to a mostly offline device, where the owner doesn't have any means of accessing the data link or exposing it as an on-line node.

      --
      A successful API design takes a mixture of software design and pedagogy.
    7. Re:DJ Kardio and the Beatskippers by tibit · · Score: 1

      you'd do something like put a wifi or bluetooth chip in a medical device

      If you're talking about pacemakers specifically, you're just making shit up. Please stop.

      --
      A successful API design takes a mixture of software design and pedagogy.
    8. Re:DJ Kardio and the Beatskippers by gstoddart · · Score: 1

      Why would you ever need to communicate with it?

      Well, think about it ... if making any fine-tuning adjustments to the damned thing can be done via some form of wireless connection, or by way of open heart surgery ... which would you choose?

      Honestly, having the ability to have it communicate with the outside world makes perfect sense. Having the damned thing have zero security on that path, that's utterly ridiculous.

      The problem is so many of these things are just slapped in with no security, and just assume anybody communicating with them must be authorized.

      --
      Lost at C:>. Found at C.
    9. Re:DJ Kardio and the Beatskippers by canajin56 · · Score: 3, Informative

      The problem is that people see "wireless" and think "wireless network a.k.a. WiFi". These devices are programmable using wireless communication, but they are not on WiFi. They communicate with a "programmer", a device that is placed on the patient and used to change the treatment protocols. The issue is that this communication is not encrypted and it is vulnerable to a replay attack. That means with a USRP module and some GNU Radio know-how, you can mimic the programmer device from a long way away. This lets you send commands like "disable treatment 1". The reason this is potentially lethal is that while the pacemaker cannot be turned off by the programmer, this is part of the UI, not part of the pacemaker! So if treatment 1 was the only one currently enabled, the UI would not let the doctor send "disable treatment 1" but the pacemaker would still accept that command should it receive it. But that's a slow kind of lethal. It just means that if the patient has an issue that needs correcting, the pacemaker won't correct it.

      This particular model has another thing it can do. It has a built-in defibrillator. That way if the patient needs zapping, the pacemaker can be told to do it, rather than needing paddles (which would potentially fry the pacemaker). This mode is also activated by a wireless command. One that can be sent using a replay attack. Normally after a shock, the pacemaker would reestablish rhythm. But not if all treatment protocols are turned off.

      So although these devices are hackable, it's not a remote hack unless you happen to hack a computer that's close to the patient, and that has a radio you can control with GNU Radio.

      That's not to say these devices don't touch WiFi at all. To avoid frequent doctor's appointments, the hospital can give you a device that will connect to your home network and act as a relay. This doesn't let them reprogram the pacemaker remotely, what it does is transmit telemetry remotely so the doctor can check up on you daily without needing to schedule an appointment. As I understand it, this relay runs Windows XP and is full of holes (but I repeat myself). This lets hackers potentially access lots of confidential medical data, but doesn't let them kill you.

      --
      ASCII stupid question, get a stupid ANSI
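The two weaknesses the comment above describes, an unauthenticated link that accepts recorded frames and a safety rule that lives only in the programmer's UI, are illustrated below from the defender's side. This is an added example, not code from the original post or from any device vendor: a toy command channel in which the device issues a fresh nonce for every command, the programmer authenticates the command with an HMAC over that nonce, and the device itself refuses to disable its last enabled treatment. The class names, the key, and the JSON message format are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed shared secret for the example only; a real device would carry a
# per-device key provisioned at manufacture.
DEVICE_KEY = b"example-key-not-for-real-use"
WRONG_KEY = b"attacker-guess"


class Device:
    """Toy implant: accepts programming commands over a short-range radio link."""

    def __init__(self, key, treatments):
        self.key = key
        self.treatments = dict(treatments)  # treatment name -> enabled?
        self.live_nonce = None

    def issue_nonce(self):
        # Fresh challenge per command. A recorded frame carries an old nonce
        # and is rejected, which is what defeats a plain replay.
        self.live_nonce = os.urandom(16)
        return self.live_nonce

    def _mac(self, nonce, body):
        return hmac.new(self.key, nonce + body, hashlib.sha256).digest()

    def receive(self, nonce, body, tag):
        if self.live_nonce is None or not hmac.compare_digest(nonce, self.live_nonce):
            return "rejected: stale or unknown nonce"
        if not hmac.compare_digest(tag, self._mac(nonce, body)):
            return "rejected: bad MAC"
        self.live_nonce = None  # exactly one command per challenge

        cmd = json.loads(body)
        name = cmd.get("treatment")
        if name not in self.treatments:
            return "rejected: unknown treatment"
        if cmd.get("op") == "enable":
            self.treatments[name] = True
            return "ok"
        if cmd.get("op") == "disable":
            # The safety invariant is enforced in the device, not in the
            # programmer UI: never disable the last enabled treatment.
            if not any(on for t, on in self.treatments.items() if t != name):
                return "rejected: would leave no treatment enabled"
            self.treatments[name] = False
            return "ok"
        return "rejected: unknown op"


def send_command(device, key, cmd):
    """Programmer side: fetch a challenge, authenticate the command, and return
    the device's answer plus the on-air frame exactly as an eavesdropper sees it."""
    nonce = device.issue_nonce()
    body = json.dumps(cmd, sort_keys=True).encode()
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return device.receive(nonce, body, tag), (nonce, body, tag)


def demo():
    dev = Device(DEVICE_KEY, {"treatment1": True, "treatment2": True})
    results = {}

    # Legitimate programmer disables treatment2 while treatment1 stays on.
    results["legit"], captured = send_command(
        dev, DEVICE_KEY, {"op": "disable", "treatment": "treatment2"})

    # A recorded frame is played back verbatim: its nonce is no longer live.
    results["replay"] = dev.receive(*captured)

    # Legitimate programmer tries to disable the only remaining treatment.
    results["last_treatment"], _ = send_command(
        dev, DEVICE_KEY, {"op": "disable", "treatment": "treatment1"})

    # A command built without the device key fails the MAC check.
    results["forged"], _ = send_command(
        dev, WRONG_KEY, {"op": "enable", "treatment": "treatment2"})

    results["state"] = dict(dev.treatments)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the legitimate disable succeeding, the replayed frame, the forged frame and the "disable the last treatment" request all being refused, and treatment1 still enabled afterwards. The point is that both checks belong in the implant's firmware: a nonce the programmer must echo, and an invariant the device enforces regardless of what the programmer's screen allows.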
    10. Re:DJ Kardio and the Beatskippers by Anonymous Coward · · Score: 0

      Mod up parent. Really, what "ransom" is to be had from a dead person? I'd bet if you tracked through "Forrester Research" they either stand to gain through a client that would benefit from increasing "security" on these devices, came up with some sort of "security" on pacemakers, or it's a manufacturer of the pacemakers/said medical equipment that hired them to put on FUD so they can charge more for a "secure" device.

    11. Re:DJ Kardio and the Beatskippers by Anonymous Coward · · Score: 0

      How about you think a little more broadly before dismissing everything out-of-hand:
      1. Mobsters buy or steal "dedicated" terminal (entirely realistic)
      2. Mobsters reverse engineer terminal and find backdoor (entirely realistic)
      3. Mobsters build tiny device that impersonates dedicated terminal to reprogram pacemaker via NFC (entirely realistic)
      4. Mobsters install device on subway turnstile (entirely realistic)
      5. Profit.
      I think you're vastly underestimating how well-funded and technologically savvy some crime syndicates are. Just because something only uses NFC does not make it safe.

    12. Re:DJ Kardio and the Beatskippers by Anonymous Coward · · Score: 0

      I have a pacemaker. My doc needs to be able to communicate with it for various reasons:
      - Diagnose current state battery condition / remaining battery life
      - Download diagnostic data (heart) to understand recent events (e.g. atrial fibrillation, etc.)
      - Be able to reprogram the pacemaker in the event configurations aren't right (e.g. my pacemaker was pacing my heart far too frequently when first implanted, we tweaked that)
      - Much more

      For me, a pacemaker is as much a medical diagnostic device as it is a treatment for my condition (syncope issues)
      I'd prefer the doc not require a scalpel every time we need to communicate with my pacemaker.

    13. Re:DJ Kardio and the Beatskippers by Anonymous Coward · · Score: 0

      "Really, what "ransom" is to be had from a dead person?"

      The ransom comes from the device maker or hospital. "Pay $1M or we kill 100 of your patients."

    14. Re:DJ Kardio and the Beatskippers by Anonymous Coward · · Score: 0

      How about we don't put a network chip on a pacemaker, dumbasses.

      Why would you ever need to communicate with it? Is there ever a time when you want your heart not to beat?

      There is actually a significant amount of post-implantation programming that needs to be done, as well as tweaking of settings during check-ups to make a pacemaker work correctly. People are not machines, and thinking that there's just some spec that works for everyone, or that even one spec will continue to work for a dynamic human being for the rest of their life, is somewhat shortsighted. In addition, pacemakers record heart rhythms, particularly irregular ones. Interrogating one can give an ER physician or internist valuable information when a patient needs to be admitted to the hospital. This is all done wirelessly for what I hope are obvious reasons. The inherent danger of wireless attack must be weighed against the advantages of not needing to open someone up for each checkup, or not leaving an opening in the skin for a control/communication wire with the inherent increased risk of infection.

      Source: Am a physician

    15. Re:DJ Kardio and the Beatskippers by KGIII · · Score: 1

      I've a sibling with a pacemaker but it's not in her heart - it's actually meant to keep her stomach gurgling. (She has a rare health issue with a name I am not going to try to spell.)

      I don't think you know how these things work? They don't just walk into a room. They go into a room, a technician meanders over with a cart, and puts a device physically on the body and then still has to move this device in order to get it close enough to be connected.

      Now, I don't want to speculate that all these pacemaker devices are the same but the single one that I'm familiar with works just like that. I'd like to imagine that the rest are similar. Which leads me to this...

      So, now the bad guys have stolen the device, or reverse engineered the communication and built their own device, they've captured and restrained their victim - while knowing exactly which device they have and have targeted its unique software, and have developed some malware for this...

      Why didn't they just send them a letter saying we'll shoot you if you don't comply? It seems needlessly complicated.

      --
      "So long and thanks for all the fish."
  7. Mall changes? by goombah99 · · Score: 1

    Would that be Darth Mall where I do my holiday shopping for medical truth extraction bots? What changes are they making?

    --
    Some drink at the fountain of knowledge. Others just gargle.
  8. Murder by machine. by Anonymous Coward · · Score: 0

    Something like what Wikipedia administrators would do to innocent editors that they revert. Also the medical devices would be updated to use systemD.

  9. "small Modifications" by Anonymous Coward · · Score: 0

    I think it is supposed to be small vs mall. That is unless they plan on targeting mall walkers.

  10. ignoramus question here... by Anonymous Coward · · Score: 0

    Why in hell is a pacemaker something accessible in any way to a random malware distributor?

    It's a bloody pacemaker. It goes into your chest cavity. They've been around since the 1950's and have never had the ability or need to talk to the internet. Why would anyone design one with this vulnerability, when it could potentially mean the death of the person using it?

    1. Re:ignoramus question here... by tibit · · Score: 3, Insightful

      Why in hell is a pacemaker something accessible in any way to a random malware distributor?

      Because it's a programmable electronic device and they are all accessible to sufficiently sophisticated malware by definition. There's no way around that unless everything that ever accessed the device was completely air-gapped, self-contained and hardened. Note that this would also preclude any sort of data I/O with PCs etc., making the whole thing almost useless.

      have never had the ability or need to talk to the internet

      They still don't. Read the original article carefully, and be able to rationally separate wheat from chaff, or, as it is here, sensationalist bullshit.

      --
      A successful API design takes a mixture of software design and pedagogy.
  11. just use robots.txt by Anonymous Coward · · Score: 0

    Nothing a 13 GB HOSTS file can't solve.

  12. I Bet This Article Will Do As Much Damage... by ComputerGeek01 · · Score: 3, Insightful

    I bet articles like these are going to do more damage to people than any actual malware infections. How many people do you think are going to actually be walking around with an infected pacemaker? It's not like you can open up your chest and run Malwarebytes on the damn thing. So when some hospital's patient files get hacked, and Joe Shmoe gets a phone call or an email implying that if he doesn't pay up his heart will explode, he's going to be breaking out his checkbook just to be safe.

    On the other hand, this is really just another reason to go with an external pacemaker.

    1. Re:I Bet This Article Will Do As Much Damage... by tibit · · Score: 3, Insightful

      I'm almost certain that the article is in fact a set up piece that is there only to plant a seed of doubt in the hive mind of public opinion. I'm sure that if we do the due diligence it'll turn out that the article has been, very indirectly of course, made to be by the people who will later reap the benefits of extortion schemes that center on those with implanted medical devices. I'm not implying that the author is necessarily knowingly involved in this in any way, but merely has been artfully played by those who see the big picture. You don't need to actually do anything to the devices themselves, just steal a patient list or two from a poorly secured system somewhere, and send a bulk extortion email with a link to the fine article (and others like that) to bolster the legitimacy of the threat. If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.

      --
      A successful API design takes a mixture of software design and pedagogy.
    2. Re: I Bet This Article Will Do As Much Damage... by Anonymous Coward · · Score: 0

      Right. You don't even need the malware, just a list of patients who have pacemakers. Send them all a ransom demand, I'll bet 80% might call your bluff, but 20% would pay. If you demand $10k, you just cleared $200k. Of course, you just end up giving it to your lawyers when you're caught, but still...

    3. Re:I Bet This Article Will Do As Much Damage... by gstoddart · · Score: 1

      Are you seriously suggesting that highlighting the fact there are gaping security holes in these devices will make the problem worse? And you're suggesting that pretending it's not happening and not highlighting that the existing security is utterly pathetic is somehow better?

      I seriously hope you don't work in computer security.

      These things are already insecure, whether we talk about it or not. At least talking about it might cause someone to actually do something about it.

      --
      Lost at C:>. Found at C.
    4. Re:I Bet This Article Will Do As Much Damage... by mcrbids · · Score: 1

      If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.

      If you think that anybody who's written or executed ransomware hasn't already thought about ransoming medical devices, you have an astonishingly low opinion of others. Just how smart do you think you are?

      Anybody who's spent the time necessary to write ransomware and attempt to profit from it has had more than enough time to consider all the reasonable possibilities, even if it took somebody as *brilliant* as you 5 minutes to come up with this idea. This isn't some global super-conspiracy; this is as brilliant as banging chips off a rock with another rock.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  13. Sure way to be caught by the FBI. by Anonymous Coward · · Score: 0

    The problem with hacking medical devices, if such a thing is possible at all, is that cybercrimes are usually ignored by authorities, even the FBI says it's better to pay up, but murder cannot be ignored. The FBI will need to investigate those cases until the perpetrators are identified and brought to justice in the USA. Even if that takes coaxing the CIA and NSA into the investigation. The FBI depends on the people liking them for the financing they receive via representatives and thus needs to solve cases that scare people.

  14. Editing, please? by Anonymous Coward · · Score: 0

    The paper 'Predictions 2016: Cybersecuirty Swings To Prevention'

    Editors, is it too much to ask that you do your job - that you actually edit submissions?

  15. This prediction is a piece of bullshit by Anonymous Coward · · Score: 0

    The effectiveness of ransomware is that it can lock you out of your files in an effective way.
    That's not true in case of medical / wearable devices - all you have to do is reflash the firmware.

  16. Ransomware? by Anonymous Coward · · Score: 0

    I think the subscription fee of $499 to read the actual article should make this Ransomware.

  17. For the love of $Deity by Anonymous Coward · · Score: 0

    Put a "revert firmware" Big Red Switch on all of it, have backup procedures in place for data, and don't pay one penny for "tribute" or "Dane geld" to those SOBs. Problem solved.

  18. Meh by Anonymous Coward · · Score: 0

    It hasn't stopped Humana

    How many thousands (millions?) of murders have they committed in the pursuit of their pyramid scheme?

  19. sounds like 1st degree capital murder to me by swschrad · · Score: 1

    jury full of doctors, and a hanging judge, three cameras, and a satellite channel would make a real good reality show for hackers. I'll run sound or lighting for free, experience in local TV, prefer weekends so I can get back to my day job...

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  20. Three Words by jenningsthecat · · Score: 1

    Near. Field. Communications.

    It seems pretty irresponsible to me that pacemakers and other implantable medical devices are accessible via WiFi and/or cellular data. Communication with the device in question should require a proximity measured in inches. Yes, it might still be possible with a strong transmitter and a sensitive receiver to extend that range to some tens of feet; but in that case the success of the attack is way less likely than one which can be launched from almost anywhere in the world.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  21. Is there a CERT for medical devices? by Zeorge · · Score: 1

    I know there is US-CERT, and then ICS-CERT, anything dedicated to just medical devices?

  22. Yeah, you'd think that ... by Ungrounded+Lightning · · Score: 1

    It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught.

    Yeah, you'd think that. And some of them actually do think of that.

    But many criminals don't think very well, or very far ahead. Not thinking about being caught is common. Not expecting to be seriously inconvenienced if they ARE caught is common also.

    Think about it: How is "Send me a bitcoin or your insulin pump will deliver a fatal dose!" different from armed robbery for a fat wallet? "Give me a bunch of money or I shoot you!" And a bunch of them DO shoot - (VERY) often even if they GOT the money.

    The threat of law-enforcement escalation for murder doesn't seem to have stopped up-front-and-personal armed robbery. Why should it stop distant-and-anonymous ransomware?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  23. Already exists by Anonymous Coward · · Score: 1

    Medical ransomware already exists. It is euphemistically called "hospital billing system."

  24. That'll teach grandma... by undecim11 · · Score: 1

    to look at porn on her pacemaker.

  25. Not seeing it happen by Anonymous Coward · · Score: 0

    on Linux though.

  26. The manufacturers of those devices should be... by Casandro · · Score: 1

    ... required to pay for all of the damages caused by their stupidity.

    Seriously, this could only work if you connected medical devices (incompetently) to a network. It could only work if you used some completely overcomplex operating system with far more features than you need.