Slashdot Mirror


Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016 (forrester.com)

An anonymous reader writes: A surge in ransomware campaigns is expected to hit the medical sector in 2016, according to a recent report published by forecasters at Forrester Research. The paper 'Predictions 2016: Cybersecurity Swings To Prevention' suggests that the primary hacking trend of the coming year will be "ransomware for a medical device or wearable," arguing that cybercriminals would only have to make mall modifications to current malware to create a feasible attack. Pacemakers and other vital health devices would become prime targets, with attackers toying with their stability and potentially threatening the victim with their own life should the ransom demands not be met.

15 of 108 comments

  1. I'm careful about using the term "Evil" by unimacs · · Score: 4, Insightful

    But that would qualify.

    1. Re:I'm careful about using the term "Evil" by Anonymous Coward · · Score: 2, Insightful

Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them from the neck until dead in public.

  2. "Mall modifications"? by Anonymous Coward · · Score: 4, Funny

    I suppose it's inevitable that these devices would become a Target at some point. Security is a Hot Topic these days. Sak's to be a victim.

    Also, Walmart.

  3. Smells like FUD by The+MAZZTer · · Score: 3, Interesting

    It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught. Ransoming encrypted computer files is one thing. Murder is something else.

    1. Re:Smells like FUD by gstoddart · · Score: 4, Interesting

      Easily automated from anywhere in the world, hard to trace, and exploiting utterly useless security.

      Honestly, this was pretty much inevitable.

      The security of most consumer devices is pathetic and useless. The security of medical devices has known to be almost non-existent for years now.

      Humans are not intrinsically honest. It's time to stop pretending they are.

      --
      Lost at C:>. Found at C.
    2. Re:Smells like FUD by gstoddart · · Score: 3, Insightful

      I don't expect every company to build an OS .. that would pretty much mean we don't get any new devices and software ever.

      But I do expect that companies not be so damned lazy when it comes to writing security, and that they be required to support OS updates and fix security holes ... you can't just say "nope, you have to stay on an ancient and unpatched OS because we can't confirm our stuff still works". And if you can't, you should lose any certifications the device has.

      I've been saying for years the makers of consumer electronics need to be held to a higher standard when it comes to security, and to actually have some liability for it.

      The makers of medical devices and cars and the like need to be held to a significantly higher standard than that.

      But companies just rush some crap out the door and walk away.

      --
      Lost at C:>. Found at C.
    3. Re:Smells like FUD by Anonymous Coward · · Score: 3, Interesting

I'm in the Healthcare industry and I'm working with a vendor who has said "We're not saying not to patch your device. We're saying that if you do, it will impact the speed at which we can resolve any issues that arise with it." Our doctors and staff hear that and tell us not to patch it. That's crazy to me and I've heard from nearby hospitals that the same thing happens there.

    4. Re:Smells like FUD by TWX · · Score: 2

      They might not need to write an OS from scratch, but they can choose from any of a number of non-commodity operating systems or kernels on which to build their software. These are single-purpose machines. They don't need an OS that's capable of running a word processor.

      --
      Do not look into laser with remaining eye.
  4. DJ Kardio and the Beatskippers by Pseudonymous+Powers · · Score: 5, Insightful

    How about we don't put a network chip on a pacemaker, dumbasses.

    Why would you ever need to communicate with it? Is there ever a time when you want your heart not to beat?

    1. Re:DJ Kardio and the Beatskippers by cdrudge · · Score: 4, Informative

      Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.

    2. Re:DJ Kardio and the Beatskippers by tibit · · Score: 4, Interesting

      How about we don't put a network chip on a pacemaker, dumbasses.

How about you don't take stupid fear-mongering from an inept "journalist" at face value? Pacemakers don't have a "network" chip or anything like that. They have a near-field communications system that can communicate with a dedicated programming/data capture terminal. It makes little sense for any kind of ransomware on what amounts to a mostly offline device, where the owner doesn't have any means of accessing the data link or exposing it as an on-line node.

      --
      A successful API design takes a mixture of software design and pedagogy.
    3. Re:DJ Kardio and the Beatskippers by canajin56 · · Score: 3, Informative

The problem is that people see "wireless" and think "wireless network a.k.a. WiFi". These devices are programmable using wireless communication, but they are not on WiFi. They communicate with a "programmer", a device that is placed on the patient and used to change the treatment protocols. The issue is that this communication is not encrypted and it is vulnerable to a replay attack. That means with a USRP module and some GNU Radio know-how, you can mimic the programmer device from a long way away. This lets you send commands like "disable treatment 1". The reason this is potentially lethal is that while the pacemaker cannot be turned off by the programmer, this is part of the UI, not part of the pacemaker! So if treatment 1 was the only one currently enabled, the UI would not let the doctor send "disable treatment 1" but the pacemaker would still accept that command should it receive it. But that's a slow kind of lethal. It just means that if the patient has an issue that needs correcting, the pacemaker won't correct it.

      This particular model has another thing it can do. It has a built in defibrillator. That way, if the patient needs zapping, the pacemaker can be told to do it, rather than needing paddles (which would potentially fry the pacemaker). This mode is also activated by a wireless command. One that can be sent using a replay attack. Normally after a shock, the pacemaker would reestablish rhythm. But not if all treatment protocols are turned off.

      So although these devices are hackable, it's not a remote hack unless you happen to hack a computer that's close to the patient, and that has a radio you can control with GNU Radio.

      That's not to say these devices don't touch WiFi at all. To avoid frequent doctor's appointments, the hospital can give you a device that will connect to your home network and act as a relay. This doesn't let them reprogram the pacemaker remotely, what it does is transmit telemetry remotely so the doctor can check up on you daily without needing to schedule an appointment. As I understand it, this relay runs Windows XP and is full of holes (but I repeat myself). This lets hackers potentially access lots of confidential medical data, but doesn't let them kill you.

      --
      ASCII stupid question, get a stupid ANSI
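The two weaknesses canajin56 describes (a command link with no freshness or authentication, so a recorded frame can be replayed, and a safety rule that exists only in the programmer's UI rather than in the device) are easy to show side by side. The following is an added illustration in Python, not code from the comment, from any real implant or from any real programmer protocol: the frame format, therapy numbers, key and the "at least one therapy enabled" rule are all constructed for the example. The naive model accepts a replayed "disable therapy 1" frame even when that leaves no therapy running; the hardened model rejects the replay because its HMAC was computed over a challenge the device no longer accepts, and separately rejects a properly signed command that would violate the invariant.

```python
import hashlib
import hmac
import os

ENABLE, DISABLE = "enable", "disable"


def frame(cmd: str, therapy: int) -> bytes:
    """Hypothetical plaintext command frame, e.g. b'disable:1' (constructed format)."""
    return f"{cmd}:{therapy}".encode()


class NaiveImplant:
    """Models the failure mode described in the thread: plaintext commands with
    no freshness or authentication, and the 'never disable the last therapy'
    rule living only in the programmer's UI, so the device never checks it."""

    def __init__(self):
        self.therapies = {1: True, 2: True}     # constructed initial state

    def handle(self, raw: bytes) -> bool:
        cmd, num = raw.decode().split(":")
        self.therapies[int(num)] = (cmd == ENABLE)
        return True                              # accepted unconditionally


class HardenedImplant:
    """Same device with two fixes: every command must carry an HMAC over a fresh
    device-issued challenge (so a captured frame is useless later), and the
    safety invariant is enforced on the device itself, not in the UI."""

    def __init__(self, key: bytes):
        self.key = key                           # assumed pre-shared device key
        self.therapies = {1: True, 2: True}
        self._challenge = None

    def challenge(self) -> bytes:
        self._challenge = os.urandom(16)        # single-use nonce
        return self._challenge

    def handle(self, raw: bytes) -> bool:
        if self._challenge is None:
            return False                         # no open session
        nonce, self._challenge = self._challenge, None   # consume the nonce
        body, sep, tag = raw.rpartition(b"|")
        if not sep:
            return False
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False                         # forged or replayed frame
        cmd, num = body.decode().split(":")
        proposed = dict(self.therapies)
        proposed[int(num)] = (cmd == ENABLE)
        if not any(proposed.values()):
            return False                         # device-side invariant
        self.therapies = proposed
        return True


def sign(key: bytes, nonce: bytes, body: bytes) -> bytes:
    """What a legitimate programmer transmits: body|hex(HMAC(key, nonce||body))."""
    return body + b"|" + hmac.new(key, nonce + body, hashlib.sha256).hexdigest().encode()


def run_naive():
    """Doctor's session (UI allowed each step because another therapy was on),
    then an attacker replays the captured 'disable:1' frame. Returns
    (replay_accepted, therapies_afterwards)."""
    dev = NaiveImplant()
    captured = [frame(DISABLE, 1), frame(ENABLE, 1), frame(DISABLE, 2)]
    for f in captured:
        dev.handle(f)
    replayed = dev.handle(captured[0])           # therapy 1 was the last one on
    return replayed, dict(dev.therapies)         # -> (True, {1: False, 2: False})


def run_hardened(key: bytes = b"constructed-example-key"):
    """Same session against the hardened device. Returns
    (replay_accepted, signed_but_unsafe_accepted, therapies_afterwards)."""
    dev = HardenedImplant(key)
    captured = []
    for cmd, n in [(DISABLE, 1), (ENABLE, 1), (DISABLE, 2)]:
        f = sign(key, dev.challenge(), frame(cmd, n))
        captured.append(f)
        dev.handle(f)
    dev.challenge()                              # attacker opens a new session
    replayed = dev.handle(captured[0])           # tag bound to an old nonce
    unsafe = dev.handle(sign(key, dev.challenge(), frame(DISABLE, 1)))
    return replayed, unsafe, dict(dev.therapies)  # -> (False, False, {1: True, 2: False})


if __name__ == "__main__":
    print("naive   :", run_naive())
    print("hardened:", run_hardened())
```

The challenge-response binding is what defeats replay: the recorded frame is still byte-for-byte valid, but its tag only verifies against a nonce the device has already discarded. The invariant check is a separate fix for a separate bug, and it matters even with a perfectly authenticated link, because a compromised or buggy programmer is still a valid signer.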
  5. I Bet This Article Will Do As Much Damage... by ComputerGeek01 · · Score: 3, Insightful

I bet articles like these are going to do more damage to people than any actual malware infections. How many people do you think are going to actually be walking around with an infected pacemaker? It's not like you can open up your chest and run Malwarebytes on the damn thing. So when some hospital's patient files get hacked, and Joe Shmoe gets a phone call or an email implying that if he doesn't pay up his heart will explode, he's going to be breaking out his checkbook just to be safe.

    On the other hand, this is really just another reason to go with an external pacemaker.

    1. Re:I Bet This Article Will Do As Much Damage... by tibit · · Score: 3, Insightful

      I'm almost certain that the article is in fact a set up piece that is there only to plant a seed of doubt in the hive mind of public opinion. I'm sure that if we do the due diligence it'll turn out that the article has been, very indirectly of course, made to be by the people who will later reap the benefits of extortion schemes that center on those with implanted medical devices. I'm not implying that the author is necessarily knowingly involved in this in any way, but merely has been artfully played by those who see the big picture. You don't need to actually do anything to the devices themselves, just steal a patient list or two from a poorly secured system somewhere, and send a bulk extortion email with a link to the fine article (and others like that) to bolster the legitimacy of the threat. If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.

      --
      A successful API design takes a mixture of software design and pedagogy.
  6. Re:ignoramus question here... by tibit · · Score: 3, Insightful

    Why in hell is a pacemaker something accessible in any way to a random malware distributor?

    Because it's a programmable electronic device and they are all accessible to sufficiently sophisticated malware by definition. There's no way around that unless everything that ever accessed the device was completely air-gapped, self-contained and hardened. Note that this would also preclude any sort of data I/O with PCs etc., making the whole thing almost useless.

    have never had the ability or need to talk to the internet

    They still don't. Read the original article carefully, and be able to rationally separate wheat from chaff, or, as it is here, sensationalist bullshit.

    --
    A successful API design takes a mixture of software design and pedagogy.