It’s always interesting to observe what was once thought to be a far-fetched idea in a work of fiction become reality. Some say Arthur C. Clarke predicted the iPad with in his 1968 novel, “2001: A Space Odyssey,” when he named an electronic news source the “Newspad.” In his short story, “Solution Unsatisfactory,” some think sci-fi writer Robert Heinlein predicted the timeline for developing nuclear weapons and the resulting Cold War that lasted decades.
In a recent episode of Arrow, the team used the GPS function on an alderman’s pacemaker to track his location. In 2012 Hollywood created a worst-case scenario in an episode of Heartland, when a terrorist plotted to kill the vice president by manipulating his pacemaker.
The idea of an evil mastermind controlling someone’s medical device and manipulating their life might seem to be only in the realm of fiction, but could it happen in real life?
Though no known cases of death involving the hack of a connected medical device have been documented, researchers have demonstrated live attacks. For example, in 2011, Jerome Radcliffe hacked his insulin pump using an Arduino module that cost less than $20. In 2012, Barnaby Jack demonstrated the ability to assassinate a victim by hacking his pacemaker. Jack remarked that doing so was easier than a popular television series had made it seem and remarked,“TV is so ridiculous! You don’t need a serial number!”
A 2013 FDA report identified 300 medical devices at risk of crippling attacks, including insulin pumps, implantable cardioverter defibrillators, anesthesia devices, drug infusion pumps, ventilators, and pacemakers. According to the FDA, some of these devices could be accessed via the Internet. In most cases, any attacks (though no reports were given of actual attacks) would be hard to detect.
Across the board, concerns lie in the lack of capability in firmware to meet evolving security threats as well as a lack of security built into the manufacturing process. In some cases, devices come with pre-configured settings that are difficult to adjust and lack basic security protections.
The phenomenon of connecting more and more devices to the Internet is called the Internet of Things (IoT). Experts predict the number of connected devices to grow by at least 10 times by 2020. With the opportunity to provide data that improves our lifestyle, medical care, and home security, why would we not take advantage of this modern technology? However, the convenience may not be worth it if manufacturers fail to incorporate appropriate information security practices into the design and build of these smart objects and systems.
We have to start by addressing the fundamental forces that lead to inadequate security in many of the devices on the market today. Principally, we need to bring together two divergent cultures.
Mechanical and electrical engineers driving the design, build-out, and maintenance of devices and connected systems (such as those using SCADA) are primarily are concerned with switches, motors, and the like, to make sure the devices operate. This is understandable. If someone’s home alarm system stays on, the dampers open, and fill a room with heat in the winter, or the factory runs at optimum levels, their efforts are successful. In manufacturing, if a gadget functions properly, all is won.
Information security is a newer phenomenon and part of an increasingly connected world, but traditionally a fundamental part of these professionals’ work processes. It’s also not what keeps them employed. At the same time, manufacturing has a bottom line to meet and a constant pressure to reduce R&D costs.
On the flipside, those of us in the security space are very tuned in to the growing and evolving threats of data storage and transit. We’re not focused on switches and making sure they work. We might take the work needed to make machines turn on for granted because of the success rate of manufacturing engineers. Instead, we’re analyzing the minute detail of data flow and using a malicious mindset to break systems and patch them before the attackers find the vulnerabilities. We don’t dress the same as mechanical engineers and we don’t talk the same lingo. Our priorities are different than engineering. Increasingly, though, connectivity and sophisticated attackers are leading to greater convergence of infosecurity and engineering.
In order to bridge the gap, it’s up to us in the infosec community to reach out, to better relate to engineering and manufacturing, to help them understand security risks and best practices without coming across as the young know-it-all. We need to listen more. We need to engage in conversation. We need to gain a seat at the table so that security is not an afterthought in the era of connectivity.
If we don’t succeed in getting more integrated in the R&D process, the bad guys will win.