Slashdot Mirror


Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016 (forrester.com)

An anonymous reader writes: A surge in ransomware campaigns is expected to hit the medical sector in 2016, according to a recent report published by forecasters at Forrester Research. The paper 'Predictions 2016: Cybersecurity Swings To Prevention' suggests that the primary hacking trend of the coming year will be "ransomware for a medical device or wearable," arguing that cybercriminals would only have to make mall modifications to current malware to create a feasible attack. Pacemakers and other vital health devices would become prime targets, with attackers toying with their stability and potentially threatening the victim with their own life should the ransom demands not be met.

63 of 108 comments

  1. I'm careful about using the term "Evil" by unimacs · · Score: 4, Insightful

    But that would qualify.

    1. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 2, Insightful

      Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them from neck until dead in public.

    2. Re:I'm careful about using the term "Evil" by bev_tech_rob · · Score: 1

      Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them from neck until dead in public.

      At the very least, classify the programmer of the malware as a terrorist, sic Seal Team Six on him/her and send them to Gitmo.

      --
      You're messin' with my Zen Thing, man.....
    3. Re:I'm careful about using the term "Evil" by mikael · · Score: 1

      "We have infected your implanted pacemaker with a virus. Your pacemaker will stop within 24 hours. Please send $100,000 by Western Union to the following bank account and we will remove the virus".

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    4. Re:I'm careful about using the term "Evil" by Sperbels · · Score: 1

      Isn't this often the case with the pharmaceutical and medical industry charging prices waaay beyond cost.

    5. Re:I'm careful about using the term "Evil" by penguinoid · · Score: 1

      But that would qualify.

      Which, making life-critical devices which are vulnerable to hackers to save money on security, or to ask people with insecure devices for money?

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    6. Re:I'm careful about using the term "Evil" by unimacs · · Score: 1

      The latter of course. There is a broad spectrum of misdeeds. I consider a willful act of doing harm to be worse than negligence.

      Besides, in the case of implanted medical devices it takes years and years of testing to get them to market. I had a relative in the industry whose company basically went bankrupt for that reason. They spent years testing in Germany with good success but eventually they ran out of money.

      Adding proper security is probably a small portion of the total cost of development and I doubt many device manufactures would knowingly skimp in that area knowing how vulnerable they are to lawsuits. What is more likely to happen is that attacks get more sophisticated over time and products that did have reasonable security when implanted in your body 5 years ago, don't anymore.

    7. Re:I'm careful about using the term "Evil" by c4757p · · Score: 1

      You write like you probably orgasmed at least once while thinking that shit up.

    8. Re:I'm careful about using the term "Evil" by Half-pint+HAL · · Score: 1

      It would also qualify as "stupid". The basic rule of thumb in internet crime is "do only that which isn't worth tracking you down for". Basic financial fraud is a nightmare to handle across jurisdictions, and no-one gets physically "hurt", so it rarely gets prosecuted. But serial killers tend to come up pretty high on Interpol's hit list, and if you're hacking pacemakers and insulin pumps, that's basically what you are.

      --
      Got them moderator blues I blieve I walk out the do', With these mod-points I been gettin', I 'most never post no mo'
    9. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 1

      Really? You cannot Google this for yourself? Why defend any fascist islamist, even obliquely? They all deserve what they get. I agree with the Chechen leader: let's strap all captured terrorists to drones and drop them on the heads of their accomplices. Sounds like a really decent plan. I'd also drop pig guts and blood over their mosques, pay huge bounties for informants to turn on their own people, use snipers to literally kill their morale.

    10. Re:I'm careful about using the term "Evil" by sce7mjm · · Score: 1

      And then find out the guy was stitched up by the government and turned out to be innocent. Well done.

    11. Re:I'm careful about using the term "Evil" by Khashishi · · Score: 1

      Dear God! What is that thing?

    12. Re:I'm careful about using the term "Evil" by penguinoid · · Score: 1

      I consider a willful act of doing harm to be worse than negligence.

      Only on a case-by-case basis. For example, I'd consider widespread willful negligence that results in the deaths of thousands to be way more serious a crime than a serial killer who's reaching his second dozen victims.

      Adding proper security is probably a small portion of the total cost of development and I doubt many device manufactures would knowingly skimp in that area knowing how vulnerable they are to lawsuits. What is more likely to happen is that attacks get more sophisticated over time and products that did have reasonable security when implanted in your body 5 years ago, don't anymore.

      That's not how security works, except security by obscurity. Bugs don't mysteriously appear in old code; they have always been there and are merely discovered. You can build code that is and will forever be resistant to network attacks (unless they find your password). I understand it's possible to build provably secure code, it's just very expensive.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    13. Re:I'm careful about using the term "Evil" by mysidia · · Score: 1

      I assume the criminals who would do this have risen to a new level of evil, and there's a measurably higher reward to offset the high likelihood they'll get caught eventually.

      I am imagining "Ransomware" evolves into "Racketeeringware"

      Instead of "pay us this ransom ...." to infected users, they launch a campaign getting people to "Pay 400BTC in Exchange for protection"

      The explanation being... the evil device hackers are killing people left and right, But if you pay this "protection charge", Your medical device will get added to a list of devices that they won't attack

      A short bit later, they change into a monthly protection fee to be paid by the device manufacturer.

      And a long while later, they recast themselves as an "antivirus company" that releases proof of concept malware to the public, for devices whose manufacturers are not customers.

    14. Re:I'm careful about using the term "Evil" by unimacs · · Score: 1

      I consider a willful act of doing harm to be worse than negligence.

      Only on a case-by-case basis. For example, I'd consider widespread willful negligence that results in the deaths of thousands to be way more serious a crime than a serial killer who's reaching his second dozen victims.

      You are talking about the severity and magnitude of outcomes. I'm talking about evil. Though they can be related, they aren't the same, at least not in my mind.

      In your examples, the second is a worse outcome for sure but evil is strongly tied to intent. A guy who drives drunk and ends up killing 4 people is negligent and responsible. He should be punished and it would be quite understandable if the family of the victims hated him and never forgave him. He demonstrated exceptionally bad judgement and selfishness. But I wouldn't call him evil.

      Let's say another man kidnaps and tortures a couple of kids for the fun of it, but they eventually escape and in time fully recover. That guy is more evil than the drunk even though the outcome is not as severe.

      Adding proper security is probably a small portion of the total cost of development and I doubt many device manufactures would knowingly skimp in that area knowing how vulnerable they are to lawsuits. What is more likely to happen is that attacks get more sophisticated over time and products that did have reasonable security when implanted in your body 5 years ago, don't anymore.

      That's not how security works, except security by obscurity. Bugs don't mysteriously appear in old code; they have always been there and are merely discovered. You can build code that is and will forever be resistant to network attacks (unless they find your password). I understand it's possible to build provably secure code, it's just very expensive.

      Exploiting bugs is not the only form of attack. Encryption schemes get broken, the tools available to hackers get more sophisticated and social engineering continues to be a problem. Even air gapped systems have been compromised. Given time and money, just about any system can be hacked. Do you doubt that?

      It's not always about negligence. Sometimes that blame lies strictly with the perpetrator.

    15. Re:I'm careful about using the term "Evil" by unimacs · · Score: 1

      Sorry, meant to say that the thousands dying is a worse outcome, but a worse outcome is not always the result of more "evil" act.

    16. Re:I'm careful about using the term "Evil" by Zaowulf · · Score: 1

      And then the public gets to pay for their ongoing care. Brilliant!

    17. Re:I'm careful about using the term "Evil" by AntiAntagonist · · Score: 1

      "around 50% of them end up back in terrorist camps"
      Not every person in gitmo is a terrorist and the number that get released, that then decide to become (or continue being) terrorists is not general knowledge.

      Doing a cursory Google search points to a far lower percentage (than 50%), and has further decreased over the years.
      http://www.cbsnews.com/news/18...
      http://www.theguardian.com/us-...

      So again I say "Citation needed"

  2. "Mall modifications"? by Anonymous Coward · · Score: 4, Funny

    I suppose it's inevitable that these devices would become a Target at some point. Security is a Hot Topic these days. Sak's to be a victim.

    Also, Walmart.

    1. Re:"Mall modifications"? by Howitzer86 · · Score: 1

      Look here, my pacemaker can play an obviously pirated copy of Super Mario by streaming RF radiation directly into my TV antennae. Downside: it requires me to play non-stop to stay alive. In hindsight, perhaps I shouldn't have bought it at that mall kiosk... the surgery was free though, so it was hard to say no.

  3. Smells like FUD by The+MAZZTer · · Score: 3, Interesting

    It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught. Ransoming encrypted computer files is one thing. Murder is something else.

    1. Re:Smells like FUD by gstoddart · · Score: 4, Interesting

      Easily automated from anywhere in the world, hard to trace, and exploiting utterly useless security.

      Honestly, this was pretty much inevitable.

      The security of most consumer devices is pathetic and useless. The security of medical devices has been known to be almost non-existent for years now.

      Humans are not intrinsically honest. It's time to stop pretending they are.

      --
      Lost at C:>. Found at C.
    2. Re:Smells like FUD by NotInHere · · Score: 1

      I guess it is hard to actually blackmail a specific person, as if it is known that a medical device is hacked, the owner of the medical device could just call medical services, and then they can survive it, unless of course the attacker also controls the devices of the ambulance etc. So it can really only be used for targeted murder, or for a less specific blackmail of the form "I have hacked 100 medical devices of people in your city. If you don't pay, I'll kill them one by one." sent to mayors or other authorities.

    3. Re:Smells like FUD by Maritz · · Score: 1

      What I don't see in this instance is what is actually being ransomed. What files do you encrypt on a pacemaker?

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    4. Re:Smells like FUD by TWX · · Score: 1

      It's only inevitable because the people creating these devices are using commodity operating systems that allow someone else's software to run on them.

      These kinds of devices should not run conventional operating systems that can run third-party software. They should probably use a model more like Cisco's where the OS and all software are contained in a single package, but taken a step further where better sanity-checking makes it even harder to crack.

      --
      Do not look into laser with remaining eye.
    5. Re:Smells like FUD by fuzzyf · · Score: 1

      Hard to trace? Just follow the money.

    6. Re:Smells like FUD by DarkOx · · Score: 1

      I think it's a question of how likely you are to get caught and whether you fear the consequences. Look at some of the historic mobsters for example. They had little concern about taking their illegal gambling, moonshine, and drug running into the realm of murder. Most of those guys knew they either would not be caught because they had resources equal to those working to contain them. That or they simply 'own' a large portion of the authorities via corruption.

      The other case is you are already looking at a very long sentence so you don't care if it's 2 consecutive life sentences or 20.

      El Chapo is the modern example. Even when he was re-arrested he did not stay in prison for too long, and there was a massive conspiracy to get him out. I think he is still at large? Point being if he wants to 'whack someone' he does it. He knows either he won't be caught, will be helped to escape, or if the system does work his rap sheet is so long it does not matter at this point.

      So I am not sure it works like you suggest. Most criminals are not very bright bulbs. If they were they probably could work the system and make a decent life for themselves legally.

      If you look at it from a pure risk reward standpoint it should be painfully clear that robbing a convenience store is pretty dumb, but if you were hungry and destitute enough it's possible you might decide to try it. It is after all a soft target and the clerk or even the owner might have little personal interest in doing anything but cooperating with you. They probably have some kind of business continuity insurance after all. Why risk their lives trying to protect the $150 bucks in the register and a few slim jims? It could work out.

      Now add a gun to the mix as the criminal element often does and suddenly you have swapped larceny and simple assault for armed robbery and assault with a deadly weapon (remember you don't actually have to hit or shoot someone for assault, just credibly threaten it). You have perhaps encouraged a little more compliance from the store staff but at the cost of upping the ante from probably 6 months - 1 year in the slam to 10+ years if caught. Totally not worth it! Yet criminals do it all the time!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:Smells like FUD by JaredOfEuropa · · Score: 1

      It also is much harder to figure out the specific person who carries the hacked pacemaker. With normal ransomware, you don't have to know anything about the person who owns the hacked computer, since the same computer is delivering the ransom note. It does make a lot more sense to hold a city, a hospital, or the manufacturer to ransom.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    8. Re:Smells like FUD by gstoddart · · Score: 3, Insightful

      I don't expect every company to build an OS .. that would pretty much mean we don't get any new devices and software ever.

      But I do expect that companies not be so damned lazy when it comes to writing security, and that they be required to support OS updates and fix security holes ... you can't just say "nope, you have to stay on an ancient and unpatched OS because we can't confirm our stuff still works". And if you can't, you should lose any certifications the device has.

      I've been saying for years the makers of consumer electronics need to be held to a higher standard when it comes to security, and to actually have some liability for it.

      The makers of medical devices and cars and the like need to be held to a significantly higher standard than that.

      But companies just rush some crap out the door and walk away.

      --
      Lost at C:>. Found at C.
    9. Re:Smells like FUD by Anonymous Coward · · Score: 3, Interesting

      I'm in the Healthcare industry and I'm working with a vendor who has said "We're not saying not to patch your device. We're saying that if you do, it will impact the speed at which we can resolve any issues that arise with it." Our doctors and staff hear that and tell us not to patch it. That's crazy to me and I've heard from nearby hospitals that the same thing happens there.

    10. Re:Smells like FUD by nitehawk214 · · Score: 1

      You would think these assholes are smart enough not to try this. One sure way to ramp up the investigations of these things is to switch from inconveniencing idiots that don't backup to murder.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    11. Re:Smells like FUD by info6568 · · Score: 1

      But you know, when terrorists who blow themselves up are there, this is really a dangerous issue.

      For them human life is not so important as what they can ask from it.

    12. Re:Smells like FUD by Cajun+Hell · · Score: 1

      TIL criminals are rational users of game theory who carefully evaluate the payoff tables.

      --
      "Believe me!" -- Donald Trump
    13. Re:Smells like FUD by Anonymous Coward · · Score: 1

      I have heard from more than one PM the saying, "the only profit a lock ever made was for the lock maker".

      The problem with security is that companies can get away with breaches without much, if any penalties. Look at the stock value six months after a major breach, and it usually is untouched, if not up slightly due to the "we are more secure than ever" PR the company slings. Even though it might be that the "more secure than ever" just means the Windows admin forced a change on all users across the AD forest, with a 10 character password rather than an 8 character password.

      Even with medical devices, I have seen a number of them running Java... and Sun/Oracle has, in their EULA, the clause that Java is not to be used for medical or nuclear purposes, and is not life-safety grade.

      I'm not surprised that ransomware is going to go this route. "Pay up, or they pull the virtual heart plug", especially if the victim is someone influential, will get a criminal organization a lot of gains.

      Will it be prosecuted? The will isn't there. Criminals are looked at, as figures of people smart enough to get around the system, not scumbags. If some people wind up as victims of the "remote kill" functionality, even then, there still won't be interest in security.

      If security were treated like IP infringement, things would be different, where a device maker with shitty security controls would be treated just like a HDCP 2.2 device maker that leaves a backdoor -- sued into the ground for contributory infringement. It should be that way with security, where if a device isn't up to muster with its security, the company that made it should face legal liability, and if it is a medical device, imports of it should be banned.

    14. Re:Smells like FUD by TWX · · Score: 2

      They might not need to write an OS from scratch, but they can choose from any of a number of non-commodity operating systems or kernels on which to build their software. These are single-purpose machines. They don't need an OS that's capable of running a word processor.

      --
      Do not look into laser with remaining eye.
    15. Re: Smells like FUD by Applehu+Akbar · · Score: 1

      This would be an ideal test of the idea we keep hearing that bitcoin is traceable through the blockchain. Ransomware as it exists today is already worthy of intense law-enforcement focus because it targets business and government. Having it target medical devices would throw the effort into overdrive.

    16. Re:Smells like FUD by pr0fessor · · Score: 1

      Still it's a valid point as far as risk vs payoff...

      easily infect 100k+ computers most of which will be used for entertainment many of which will never be reported to law enforcement or taken seriously if they are reported.

      or a more difficult to infect life preserving device where almost 100% will be reported immediately w/ every report taken seriously and every report intensifying the search for the perpetrator.

    17. Re:Smells like FUD by Areyoukiddingme · · Score: 1

      The security of most consumer devices is pathetic and useless. The security of medical devices has been known to be almost non-existent for years now.

      Agreed. And there have been exactly zero attempts to exploit that. Or at least so close to zero, it can successfully be concealed from the entire public. So no, not inevitable. This smells like FUD. The authors of malware take great pride in knowing about zero-day exploits. That's where the money is, generally speaking. This is the polar opposite. This is a 5 year exploit. Or possibly even older. And yet it hasn't been exploited. So what's going to be different in 2016? Short answer: nothing. This is FUD.

      The types of criminals who will ransom your Word documents have already performed the calculus of risk and decided that being the test case for Murder By Remote is the very last thing they want to do. Law enforcement does exactly nothing about your Word docs. Law enforcement would pull out all the stops for that murder case, and criminals know it. Essentially all of those criminals are not psychotic. Sociopathic, yes, but not psychotic. This topic is a good illustration of the difference.

      Humans are not intrinsically honest. It's time to stop pretending they are.

      Humans in successful societies typically are intrinsically honest. The spontaneous first response is the honest response. And that's why the society works. The societies that work the most poorly are those that are the least honest. Books have been written about the reasons and the mechanisms, but that's what it boils down to.

    18. Re:Smells like FUD by KGIII · · Score: 1

      It's Forrester and, for reasons, a long time ago we used to pay for some of their papers as well as some from Gartner. I've never compiled the data but I concluded that they were actually wrong more often than they were right when it came to their ability to make predictions.

      --
      "So long and thanks for all the fish."
  4. DJ Kardio and the Beatskippers by Pseudonymous+Powers · · Score: 5, Insightful

    How about we don't put a network chip on a pacemaker, dumbasses.

    Why would you ever need to communicate with it? Is there ever a time when you want your heart not to beat?

    1. Re:DJ Kardio and the Beatskippers by mlw4428 · · Score: 1

      There is programming that goes into some of these devices, including pacemakers. I suspect it has to do with everyone's bodies being just a bit different and thus things like electrical signals/frequencies/etc are different and need to be accounted for to produce a monitoring pattern that is correct.

    2. Re:DJ Kardio and the Beatskippers by cdrudge · · Score: 4, Informative

      Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.

    3. Re:DJ Kardio and the Beatskippers by ebh · · Score: 1

      C|N>K

      And me without mod points. :(

    4. Re:DJ Kardio and the Beatskippers by Anonymous Coward · · Score: 1

      Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.

      Oh, that makes perfect sense to me. What I question is why you'd do something like put a wifi or bluetooth chip in a medical device. It seems to me like this would be something that you'd want to use near field communication for, and NOT leave the authentication set to a factory default.

    5. Re:DJ Kardio and the Beatskippers by jandersen · · Score: 1

      Is there ever a time when you want your heart not to beat?

      I feel that way when X-factor comes on and I don't have the remote.

    6. Re:DJ Kardio and the Beatskippers by tibit · · Score: 4, Interesting

      How about we don't put a network chip on a pacemaker, dumbasses.

      How about you don't take stupid fear-mongering from an inept "journalist" at face value? Pacemakers don't have a "network" chip or anything like that. They have a near-field communications system that can communicate with a dedicated programming/data capture terminal. It makes little sense for any kind of ransomware on what amounts to a mostly offline device, where the owner doesn't have any means of accessing the data link or exposing it as an on-line node.

      --
      A successful API design takes a mixture of software design and pedagogy.
    7. Re:DJ Kardio and the Beatskippers by tibit · · Score: 1

      you'd do something like put a wifi or bluetooth chip in a medical device

      If you're talking about pacemakers specifically, you're just making shit up. Please stop.

      --
      A successful API design takes a mixture of software design and pedagogy.
    8. Re:DJ Kardio and the Beatskippers by gstoddart · · Score: 1

      Why would you ever need to communicate with it?

      Well, think about it ... if making any fine-tuning adjustments to the damned thing can be done via some form of wireless connection, or by way of open heart surgery ... which would you choose?

      Honestly, having the ability to have it communicate with the outside world makes perfect sense. Having the damned thing have zero security on that path, that's utterly ridiculous.

      The problem is so many of these things are just slapped in with no security, and just assume anybody communicating when them must be authorized.

      --
      Lost at C:>. Found at C.
    9. Re:DJ Kardio and the Beatskippers by canajin56 · · Score: 3, Informative

      The problem is that people see "wireless" and think "wireless network a.k.a. WiFi". These devices are programmable using wireless communication, but they are not on WiFi. They communicate with a "programmer", a device that is placed on the patient and used to change the treatment protocols. The issue is that this communication is not encrypted and it is vulnerable to a replay attack. That means with a USRP module and some GNU Radio know-how, you can mimic the programmer device from a long way away. This lets you send commands like "disable treatment 1". The reason this is potentially lethal is that while the pacemaker cannot be turned off by the programmer, this is part of the UI, not part of the pacemaker! So if treatment 1 was the only one currently enabled, the UI would not let the doctor send "disable treatment 1" but the pacemaker would still accept that command should it receive it. But that's a slow kind of lethal. It just means that if the patient has an issue that needs correcting, the pacemaker won't correct it. This particular model has another thing it can do. It has a built in defibrillator. That way if the patient needs zapping, the pacemaker can be told to do it, rather than needing paddles (which would potentially fry the pacemaker). This mode is also activated by a wireless command. One that can be sent using a replay attack. Normally after a shock, the pacemaker would reestablish rhythm. But not if all treatment protocols are turned off.

      So although these devices are hackable, it's not a remote hack unless you happen to hack a computer that's close to the patient, and that has a radio you can control with GNU Radio.

      That's not to say these devices don't touch WiFi at all. To avoid frequent doctor's appointments, the hospital can give you a device that will connect to your home network and act as a relay. This doesn't let them reprogram the pacemaker remotely, what it does is transmit telemetry remotely so the doctor can check up on you daily without needing to schedule an appointment. As I understand it, this relay runs Windows XP and is full of holes (but I repeat myself). This lets hackers potentially access lots of confidential medical data, but doesn't let them kill you.

      --
      ASCII stupid question, get a stupid ANSI
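The two defects the comment above describes (an unauthenticated command link that cannot tell a stale message from a fresh one, and a "never disable the last treatment" rule that lives in the programmer UI rather than in the device) both have well-known device-side fixes. The toy model below is an added example written for this page; it is not code from any pacemaker vendor or from the thread. The wire format, the treatment numbers, the shared key and the class names are all constructed for illustration. It contrasts a device that trusts whatever arrives with one that issues a single-use nonce, verifies an HMAC over nonce and command, and refuses to switch off its last active treatment regardless of what the programmer asks.

```python
"""Added example (not from the Slashdot thread or any vendor): a toy model of an
implant's command link.  NaiveImplant mirrors the design described in the thread,
where the link is unauthenticated and the "don't disable the last treatment" rule
lives only in the programmer UI.  HardenedImplant binds every command to a fresh
device-issued nonce with an HMAC and enforces the rule on the device itself.
Key, wire format and treatment numbers are constructed for illustration."""
import hashlib
import hmac
import os


class NaiveImplant:
    """Accepts any well-formed command; a stale or forged message looks like a real one."""

    def __init__(self):
        self.treatments = {1: True, 2: False}  # constructed: only treatment 1 active

    def handle(self, msg: bytes) -> str:
        op, _, arg = msg.partition(b":")
        n = int(arg)
        if op == b"disable":
            self.treatments[n] = False     # no device-side check at all
        elif op == b"enable":
            self.treatments[n] = True
        else:
            return "rejected: unknown command"
        return "ok"


class HardenedImplant:
    """Challenge-response authenticated commands plus device-enforced safety policy."""

    def __init__(self, key: bytes):
        self.key = key                     # per-device secret shared with the programmer
        self.treatments = {1: True, 2: False}
        self.pending = None                # single-use nonce for the next command

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)
        return self.pending

    def handle(self, msg: bytes, tag: bytes) -> str:
        nonce, self.pending = self.pending, None   # consumed even if the command fails
        if nonce is None:
            return "rejected: no outstanding challenge"
        expected = hmac.new(self.key, nonce + msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad auth tag"        # wrong key, or tag bound to an old nonce
        op, _, arg = msg.partition(b":")
        n = int(arg)
        if op == b"disable":
            # Policy enforced here, not in the UI: the last active treatment stays on.
            if self.treatments.get(n) and sum(self.treatments.values()) == 1:
                return "rejected: last active treatment"
            self.treatments[n] = False
        elif op == b"enable":
            self.treatments[n] = True
        else:
            return "rejected: unknown command"
        return "ok"


def sign(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """What a legitimate programmer computes for a command it was challenged for."""
    return hmac.new(key, nonce + msg, hashlib.sha256).digest()


def demo() -> dict:
    key = b"\x01" * 32                     # constructed key; real devices provision their own

    naive = NaiveImplant()
    naive.handle(b"disable:1")             # accepted: the only active treatment is now off

    dev = HardenedImplant(key)
    n1 = dev.challenge()
    msg1 = b"enable:2"
    tag1 = sign(key, n1, msg1)
    first = dev.handle(msg1, tag1)         # legitimate session -> "ok"

    dev.challenge()                        # new session, new nonce
    stale = dev.handle(msg1, tag1)         # the old (msg, tag) pair no longer verifies

    n3 = dev.challenge()
    second = dev.handle(b"disable:2", sign(key, n3, b"disable:2"))   # "ok"

    n4 = dev.challenge()
    last = dev.handle(b"disable:1", sign(key, n4, b"disable:1"))     # policy rejects

    return {
        "naive_active": sum(naive.treatments.values()),
        "first": first,
        "stale": stale,
        "second": second,
        "last": last,
        "hardened_active": sum(dev.treatments.values()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the naive device ending with zero active treatments, while the hardened device rejects the re-presented message (its tag was bound to an earlier nonce) and rejects the authenticated request that would have switched off its last treatment. The nonce is discarded on every attempt, successful or not, so a rejected message cannot be retried against the same challenge.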
    10. Re:DJ Kardio and the Beatskippers by KGIII · · Score: 1

      I've a sibling with a pacemaker but it's not in her heart - it's actually meant to keep her stomach gurgling. (She has a rare health issue with a name I am not going to try to spell.)

      I don't think you know how these things work? They don't just walk into a room. They go into a room, a technician meanders over with a cart, and puts a device physically on the body and then still has to move this device in order to get it close enough to be connected.

      Now, I don't want to speculate that all these pacemaker devices are the same but the single one that I'm familiar with works just like that. I'd like to imagine that the rest are similar. Which leads me to this...

      So, now the bad guys have stolen the device, or reverse engineered the communication and built their own device, they've captured and restrained their victim - while knowing exactly which device they have and have targeted its unique software, and have developed some malware for this...

      Why didn't they just send them a letter saying we'll shoot you if you don't comply? It seems needlessly complicated.

      --
      "So long and thanks for all the fish."
  5. Mall changes? by goombah99 · · Score: 1

    Would that be Darth Mall where I do my holiday shopping for medical truth extraction bots? What changes are they making?

    --
    Some drink at the fountain of knowledge. Others just gargle.
  6. I Bet This Article Will Do As Much Damage... by ComputerGeek01 · · Score: 3, Insightful

    I bet articles like these are going to do more damage to people than any actual malware infections. How many people do you think are going to actually be walking around with an infected pacemaker? It's not like you can open up your chest and run Malwarebytes on the damn thing. So when some hospital's patient files get hacked, and Joe Shmoe gets a phone call or an Email implying that if he doesn't pay up his heart will explode, he's going to be breaking out his checkbook just to be safe.

    On the other hand, this is really just another reason to go with an external pacemaker.

    1. Re:I Bet This Article Will Do As Much Damage... by tibit · · Score: 3, Insightful

      I'm almost certain that the article is in fact a set-up piece that is there only to plant a seed of doubt in the hive mind of public opinion. I'm sure that if we do the due diligence it'll turn out that the article has been, very indirectly of course, made to be by the people who will later reap the benefits of extortion schemes that center on those with implanted medical devices. I'm not implying that the author is necessarily knowingly involved in this in any way, but merely has been artfully played by those who see the big picture. You don't need to actually do anything to the devices themselves, just steal a patient list or two from a poorly secured system somewhere, and send a bulk extortion email with a link to the fine article (and others like that) to bolster the legitimacy of the threat. If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.

      --
      A successful API design takes a mixture of software design and pedagogy.
    2. Re:I Bet This Article Will Do As Much Damage... by gstoddart · · Score: 1

      Are you seriously suggesting that highlighting the fact there are gaping security holes in these devices will make the problem worse? And you're suggesting that pretending it's not happening and not highlighting that the existing security is utterly pathetic is somehow better?

      I seriously hope you don't work in computer security.

      These things are already insecure, whether we talk about it or not. At least talking about it might cause someone to actually do something about it.

      --
      Lost at C:>. Found at C.
    3. Re:I Bet This Article Will Do As Much Damage... by mcrbids · · Score: 1

      If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.

      If you think that anybody who's written or executed ransomware hasn't already thought about ransoming medical devices, you have an astonishingly low opinion of others. Just how smart do you think you are?

      Anybody who's spent the time necessary to write ransomware and attempt to profit from it has had more than enough time to consider all the reasonable possibilities, even if it took somebody as *brilliant* as you 5 minutes to come up with this idea. This isn't some global super-conspiracy; this is as brilliant as banging chips off a rock with another rock.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  7. Re:ignoramus question here... by tibit · · Score: 3, Insightful

    Why in hell is a pacemaker something accessible in any way to a random malware distributor?

    Because it's a programmable electronic device and they are all accessible to sufficiently sophisticated malware by definition. There's no way around that unless everything that ever accessed the device was completely air-gapped, self-contained and hardened. Note that this would also preclude any sort of data I/O with PCs etc., making the whole thing almost useless.

    have never had the ability or need to talk to the internet

    They still don't. Read the original article carefully, and be able to rationally separate wheat from chaff, or, as it is here, sensationalist bullshit.

    --
    A successful API design takes a mixture of software design and pedagogy.
  8. sounds like 1st degree capital murder to me by swschrad · · Score: 1

    jury full of doctors, and a hanging judge, three cameras, and a satellite channel would make a real good reality show for hackers. I'll run sound or lighting for free, experience in local TV, prefer weekends so I can get back to my day job...

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  9. Three Words by jenningsthecat · · Score: 1

    Near. Field. Communications.

    It seems pretty irresponsible to me that pacemakers and other implantable medical devices are accessible via WiFi and/or cellular data. Communication with the device in question should require a proximity measured in inches. Yes, it might still be possible with a strong transmitter and a sensitive receiver to extend that range to some tens of feet; but in that case the success of the attack is way less likely than one which can be launched from almost anywhere in the world.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  10. Is there a CERT for medical devices? by Zeorge · · Score: 1

    I know there is US-CERT, and then ICS-CERT, anything dedicated to just medical devices?

  11. Yeah, you'd think that ... by Ungrounded+Lightning · · Score: 1

    It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught.

    Yeah, you'd think that. And some of them actually do think of that.

    But many criminals don't think very well, or very far ahead. Not thinking about being caught is common. Not expecting to be seriously inconvenienced if they ARE caught is common also.

    Think about it: How is "Send me a bitcoin or your insulin pump will deliver a fatal dose!" different from armed robbery for a fat wallet? "Give me a bunch of money or I shoot you!" And a bunch of them DO shoot - (VERY) often even if they GOT the money.

    The threat of law-enforcement escalation for murder doesn't seem to have stopped up-front-and-personal armed robbery. Why should it stop distant-and-anonymous ransomware?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
  12. Already exists by Anonymous Coward · · Score: 1

    Medical ransomware already exists. It is euphemistically called "hospital billing system."

  13. That'll teach grandma... by undecim11 · · Score: 1

    to look at porn on her pacemaker.

  14. The manufacturers of those devices should be... by Casandro · · Score: 1

    ... required to pay for all of the damages caused by their stupidity.

    Seriously, this could only work if you connected medical devices (incompetently) to a network. It could only work if you used some completely overcomplex operating system with far more features than you need.