Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Medicine Government Security The Internet United States

DHS Investigates 24 Potentially Lethal IoT Medical Devices 79

An anonymous reader writes: In the wake of the U.S. Food and Drug Administration's recent recommendations to strengthen security on net-connected medical devices, the Department of Homeland Security is launching an investigation into 24 cases of potential cybersecurity vulnerabilities in hospital equipment and personal medical devices. Independent security researcher Billy Rios submitted proof-of-concept evidence to the FDA indicating that it would be possible for a hacker to force infusion pumps to fatally overdose a patient. Though the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device." William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."
This discussion has been archived. No new comments can be posted.

DHS Investigates 24 Potentially Lethal IoT Medical Devices

Comments Filter:
  • Fine, but... (Score:3, Insightful)

    by Jonifico ( 3799211 ) on Wednesday October 22, 2014 @09:48AM (#48203055)
    Of course, it's always good to see patient safety is encouraged. I hope making it public does push towards fixing the issues and not people panicking.
    • Unless panic is warranted!

      A hacker could hack the hospital doors and windows and everybody would die of starvation sooner or later!

      • Unless panic is warranted!

        A hacker could hack the hospital doors and windows and everybody would die of starvation sooner or later!

        Can you picture the carnage as people waste away as they vainly dance around and wave their arms at the little motion detector that was destroyed by the hacker, never realizing they could simply throw stuff at the glass in the sliding doors to make it break, thus freeing themselves from the hell they're in?

        • Unless panic is warranted!

          A hacker could hack the hospital doors and windows and everybody would die of starvation sooner or later!

          Can you picture the carnage as people waste away as they vainly dance around and wave their arms at the little motion detector that was destroyed by the hacker, never realizing they could simply throw stuff at the glass in the sliding doors to make it break, thus freeing themselves from the hell they're in?

          Already covered by history's greatest hero: https://www.youtube.com/watch?... [youtube.com]
          I recommend watching the whole episode (and series).

      • There is no situation that panic cannot make worse.

        In the immortal words of Douglas Adams, Don't Panic.

    • is that the Government is actually doing something sensible.

      Like airing the vulnerability, launching an investigation, and giving off a signal that the *manufacturers* should pay attention to security and at least make a reasonable effort to make their kit tamper-resistant

      It would be in total accordance with a certain political outlook to suppress the news, pose as being "tough on crime" by imposing ridiculous penalties on offences that could be construed as breaking into medical equipment, and criminal

  • At last... (Score:3, Insightful)

    by Anonymous Coward on Wednesday October 22, 2014 @09:52AM (#48203085)

    William Maisel, chief scientist at the FDA's Center for Devices and Radiological Health, said, "The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too."

    This statement comes so late... The security community has been saying that for years! What happened to forward-thinking?

    • This statement comes so late... The security community has been saying that for years! What happened to forward-thinking?

      In the engineering community that is so standard it entered into the common usage. "Fail safe", meaning that for any failure you need to go to the safe option. A gate or switch or lock should either fail open or closed, which one is safe depends on the circumstances.

      On a more prophetic note, the story two weeks ago predicting the first online murder by the end of the year [slashdot.org] seems that much closer. The reports nearly give explicit instructions.

      Seems like this Billy Rios researcher identified the problem

      • Looks like it is out in more than just the report. More news agencies are publishing extra details.

        The news agencies are pointing out the brand (Hospira) and the exact models of devices that are Internet-controllable. They mention the type of signals that need to be sent (multiple commands to infuse the drug) and they discuss the security measures already in place.

        It seems the only thing they left out of news stories is the actual payload.

  • by Overzeetop ( 214511 ) on Wednesday October 22, 2014 @09:56AM (#48203115) Journal

    ...when referring to connected/connectable devices as IoT dies.

    • by arth1 ( 260657 )

      It's the buzzword of the year. Give it 3-4 years to die out.

      Words that have peaked and are on the way down and out include freemium, cloud, neet, big data, crowd[anything], agile and emoji.
      Slightly worrying is that [anything]gate has not petered out yet.

      The good things about the buzzwords is that they serve to positively identify those who use them as sheep, not wolves.

      • It's the buzzword of the year. Give it 3-4 years to die out.

        Please let me know when all the companies with "-ly" names are expected to die off.

        Embedly, Nextly, Locately, Drizly, Intelligent.ly, Delightfully, Crowdly, Bitly, Attentive.ly, etc
        I cannot wait to bid you goodbye.

        /I also hold a special hatred for adf.ly and their link shortening interstitial ad-pages.

    • ...when referring to connected/connectable devices as IoT dies.

      What's wrong with Internet of Toilets? I like mine to tweet the weight and offensiveness of every poop.

    • by sjames ( 1099 )

      Whenever I see that, I think of the Illuminates of Thanateros though the device one probably doesn't have nearly as much magick in the chaos.

  • As I pointed out a few weeks ago, most implants with electronics or metal can be "hacked" by targeting them with microwaves. Sure, so can the human body but you don't need as much power to disable a possibly-life-sustaining electronic device as you to do cook flesh. Even metal parts will heat up (and cook adjacent living tissue) with less power than the human body.

    However, if my heart is dying and I have a choice between getting an implantable artificial heart even knowing that I could be killed by someone

  • Well ... duh! (Score:4, Insightful)

    by gstoddart ( 321705 ) on Wednesday October 22, 2014 @10:01AM (#48203153) Homepage

    If you are going to connect things to the internet, you pretty much need to harden them against malicious attacks.

    So many of these things are done with the very naive "what could possibly go wrong?" kind of attitude where there's pretty much no attempt at security.

    So many companies (especially some of the medical companies) treat security as something they don't need to worry about. The problem is if something is accessible, and people can muck about with it, they will simply because it's there.

    It may sound like a movie plot, but if I know you have a particular kind of internet-enabled implant ... it's far easier to go after you from a distance than up close.

    Sadly, while they're looking at the medical stuff, I'm betting there will still be a huge list of other "IoT' devices for which security is a complete joke, if not outright non-existent.

    Which is why I have no interest at all in the Internet of Things. At present, it's marketing hype, which hasn't even begun to address basic security and privacy issues.

    • Re: (Score:3, Informative)

      by gurps_npc ( 621217 )
      I disagree. You don't have to harden your internet connected refrigerator against malicious attacks.

      Why? Because when you ask "what could possibly go wrong?" the answer is your food will spoil, and you will have to throw it out. It's not like spoiled food is not instantly recognizable.

      But when you ask that company about medical equipment, the answer is PEOPLE WILL DIE.

      The problem is obvious, it just takes half a second to think and you know you need security.

      Actually, the real problem is that idiot

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Depends entirely on what is in the fridge.

        Turning off the fridge containing your supply of insulin can make the insulin go bad. Hide the fact the fridge has been off that long by turning it back on.

        If you take the dosage before realizing the fridge has been off that long could kill you.

      • by Anonymous Coward

        Another problem is that people who develop software with security defects are quite often also not competent enough to develop software without other kind of defects.

      • Re:Well ... duh! (Score:4, Interesting)

        by gstoddart ( 321705 ) on Wednesday October 22, 2014 @10:20AM (#48203317) Homepage

        You don't have to harden your internet connected refrigerator against malicious attacks. Why? Because when you ask "what could possibly go wrong?" the answer is your food will spoil, and you will have to throw it out. It's not like spoiled food is not instantly recognizable.

        See, anything which would allow a remote attacker to destroy your property and cause you to spend money is an indication than in internet enabled fridge is either a really stupid idea, or that it needs to be hardened.

        So, other than some moronic social experiment of "information wants to be free so if you see what's in my fridge what's the harm" ... what the hell would I want one for? What benefit does it give me? It's just another stupid, insecure application which wants to tie into a smart phone so I can feel all hip and cool.

        If some asshole hacking my fridge and spoiling my food (or, possibly my medication) is the price of having an internet connected fridge ... then why would I even consider owning one? What is the upside here for me?

        You sound like you're willing to give manufacturers of fridges some kind of free pass to be incompetent/indifferent to security. I'm saying any manufacturer which is either of those two things doesn't deserve to get my money.

        The same goes for my thermostat. And my lights. And my stove. And my freezer. If you're not taking security seriously, I'm not taking your fscking product seriously.

        So, if the internet of things is predicated on terrible security, or being indifferent to it altogether ... then the internet of things is a bad joke doomed to failure. And, of course, things which are that bad at security make additional risks for other things.

        If I have to firewall my fridge to make it useful, I won't connect it to the internet at all. If it pokes holes in my security and provides an access point to attack other things ... then I really don't want it.

        To me there is no scenario in which I'm willing to accept companies being too damned lazy to care about security. Because that pretty much makes the devices not trustworthy from the start.

        • So, other than some moronic social experiment of "information wants to be free so if you see what's in my fridge what's the harm" ... what the hell would I want one for? What benefit does it give me?

          A good question. I've heard a few answers that make some sense, mostly revolving around service and maintentance. I leave it as an exercise to you to determine whether these uses are actually of any value.

          1) An internet connected device can notify maintenance services in the event of equipment failure automatically. You could have a service contract whereby the "health" of the machine is monitored by qualified service companies and service scheduled as needed possibly even before failure.

          2) It would allo

        • The same goes for my thermostat. And my lights. And my stove. And my freezer. If you're not taking security seriously, I'm not taking your fscking product seriously.

          The entire industrial control world is completely indifferent to security. Things like HMI applications may implement user-level restrictions, but ultimately the hardware they interface with is usually just open access over OPC or HTML. This works in general when you're on an isolated industrial network, of course these networks are typically not completely isolated, allowing remote access for maintenance and support. Even when completely isolated, you still have the issue of operators connecting infecte

        • So, other than some moronic social experiment of "information wants to be free so if you see what's in my fridge what's the harm" ... what the hell would I want one for? What benefit does it give me? It's just another stupid, insecure application which wants to tie into a smart phone so I can feel all hip and cool.

          Well you may not want it due to security issues. But there are many who would just buy it because its has one latest and greatest feature available on market(even if useless/unwanted) or simply because its the most expensive thing available.

          Look I can turn off my fridge light with this app. Its off now. Now on. Now off.
          Go to see open door, it should be off, oh well..

          On the other side if I am manufacturer and can charge a premium for showing your spam mails on fridge, I will make sure my marketing team

      • I disagree. You don't have to harden your internet connected refrigerator against malicious attacks.

        Why? Because when you ask "what could possibly go wrong?" the answer is your food will spoil, and you will have to throw it out. It's not like spoiled food is not instantly recognizable.

        If I turn off your fridge for 8 hours during the day and spoil your mayo or other like food that may be very difficult to discern is bad or not, and then turn your fridge back on before you get home, you have no damn idea the dangers that could be lurking in the spoiled food that you were unaware had been exposed to dangerously high temps for several hours.

        The CDC estimates that 1 in 6 Americans are affected by a foodborne illness each year, resulting in 3,000 fatalities. So yeah, PEOPLE DIE

        Funny thing ab

      • by rjforster ( 2130 )

        I disagree. You don't have to harden your internet connected refrigerator against malicious attacks.

        Why? Because when you ask "what could possibly go wrong?" the answer is your food will spoil, and you will have to throw it out. It's not like spoiled food is not instantly recognizable.

        Unless your fridge has the capability of re-ordering food that you've run out of. Or ordering all the ingredients from a menu you scan with your smartphone. Or whatever.
        Then it can be hacked to order really expensive stuff. If it normally needs human approval then that is just another bump to cross before it can be hacked to be done without your approval.

        Why would anyone do this other than as a prank? Well what if I order something from a company with a policy of "if it's listed as in stock but we can't del

      • by Khyber ( 864651 )

        " It's not like spoiled food is not instantly recognizable. "

        As former head chef of Jack's Bar and Grill, BULLSHIT.

        And this, ladies and gentlemen, is why some states require licensing for food handling jobs, even if you're working for McDonald's as a janitor.

      • by crbowman ( 7970 )

        I'm not sure this is true. If you could hack my fridge to control the temperature then it would be fairly easy to turn it off right after I leave for work and turn it back on before I return at the end of a long day. Many foods in my fridge like liquids (excluding milk) and condiments wouldn't go back in a noticeable way, but it could leave me at increased risk for salmonella from the chicken or eggs.

      • Problem is, you gave the wrong answer to the question "what could possibly go wrong?" The right answer includes the possibility that a compromised refrigerator could be the foot in the door that allows an attacker into the network, which can then be used to compromise other devices on the network, which can in turn be used for any number of bad things. Same with internet-connected light bulbs, which was a real item in the news not long ago. So, yes, even an internet-connected refrigerator should be desig
  • by MitchDev ( 2526834 ) on Wednesday October 22, 2014 @10:01AM (#48203157)

    Anything computerized with a network connection can (and most likely WILL) be hacked...

    Screw this stupid "Internet of Things"

    • by naasking ( 94116 )

      Anything computerized with a network connection can (and most likely WILL) be hacked...

      Not if you take appropriate precautions, like using a safe programming language.

      • Anything computerized with a network connection can (and most likely WILL) be hacked...

        Not if you take appropriate precautions, like using a safe programming language.

        Last I checked, programming languages are designed and implemented by human beings. Even if a programming language can decrease your attack surface, there could still be an exploit associated with the interpreter/compiler or a mistake in implementation of the language. When an omniscient being develops your language and its corresponding dev tools, I would say you may have a meaningful point.

        • by naasking ( 94116 )

          Last I checked, programming languages are designed and implemented by human beings. Even if a programming language can decrease your attack surface, there could still be an exploit associated with the interpreter/compiler or a mistake in implementation of the language.

          That's what theorem provers are for. The seL4 microkernel was just formally verified as correct, we have verified C compilers, we have C verification tools (Frama-C for instance), and we have higher level, safer languages even at the systems l

          • My point is that you can't depend on the language to protect you. I'm not saying you should ignore good technology choices because you know better than those crazy compiler people. But I do not believe that it is possible to create something that is completely unhackable. Perhaps you can create something that is non-trivial to exploit, or that is unexploitable using known techniques, but that doesn't mean that you can create a software/hardware combination that is completely foolproof. There will always
            • by naasking ( 94116 )

              My point is that you can't depend on the language to protect you. I'm not saying you should ignore good technology choices because you know better than those crazy compiler people. But I do not believe that it is possible to create something that is completely unhackable.

              With a theorem prover like Coq, you can statically check any property you want. So you'll have to more precisely define "unhackable" before "it is impossible to create something that is completely unhackable" can have a truth value.

              If used

              • by arth1 ( 260657 )

                With a theorem prover like Coq, you can statically check any property you want.

                And that you know of. The problem is that you do not know everything.

                And no matter how safe a programming language is isn't going to stop programmers from making mistakes like saving input that's later used by another app that trusts the input, or set up a database or filesystem with too wide privileges, or any other kind of things that are outside the language itself.
                You won't be safe just because the language is safe. That's foolish thinking.

                • by naasking ( 94116 )

                  And that you know of. The problem is that you do not know everything.

                  No, that's not how it works. You don't outlaw all possible bad behaviours, you enable only the behaviours you want to achieve the features you need. Everything is is forbidden statically.

      • by arth1 ( 260657 )

        Not if you take appropriate precautions, like using a safe programming language.

        That's the most hilariously funny comment I've read in a long time.
        I'm sure there are people out there that believe it too.

        • by naasking ( 94116 )

          I'm sure it would seem funny to someone who doesn't understand what "safe" means, in a technical sense.

      • Anything computerized with a network connection can (and most likely WILL) be hacked...

        Not if you take appropriate precautions, like using a safe programming language.

        Don't be naive... security is a deep and subtle problem, full of nasty surprises. There is no magic bullet solution... your "safe programming language" has thousands of bugs in its standard API and run-time; it won't prevent devs from concatenating SQL with user input, misusing threading primitives, or bungling up an authentication protocol; it certainly won't patch up the numerous ways of subverting https or the modern web browser. To be secure (or have a reasonably good chance at being secure), you must

        • by naasking ( 94116 )

          Don't be naive... security is a deep and subtle problem, full of nasty surprises. There is no magic bullet solution... your "safe programming language" has thousands of bugs in its standard API and run-time

          I think you should update your knowledge of this field [slashdot.org]. Then you should also realize that over 90% of security vulnerabilities in programs written in unsafe languages wouldn't have occurred with safe languages. And of the vulnerabilities among safe languages, 90% of those wouldn't have occurred if they we

          • by arth1 ( 260657 )

            Then you should also realize that over 90% of security vulnerabilities in programs written in unsafe languages wouldn't have occurred with safe languages

            Good luck starting a security company with the slogan "We provide 90% security!"

            Sorry, no, you're dead wrong. Most exploits are due to human errors they could have done in any language. Extending trust. Not seeding a rng. Leaving a developer backdoor. Not scaling.

            I do use Haskell myself for certain things, and I can tell you it's no problem creating insecure applications in Haskell. And if you count DoS as a problem, Haskell with ghc is worse than most of them. There may be other compilers that doesn

            • by naasking ( 94116 )

              Good luck starting a security company with the slogan "We provide 90% security!"

              I don't know what you're talking about. If anything, that would be "90% fewer security vulnerabilities", which sounds like perfectly good marketing.

              I do use Haskell myself for certain things, and I can tell you it's no problem creating insecure applications in Haskell.

              I never said Haskell was the perfect language, just that it provides good examples of achieving the needed safety properties, in that it can be extended to verify

          • Don't get me wrong: safer programming languages and runtimes definitely help, especially with buffer overflows (thanks C++!), but it's one aspect of many that impact security.

            it won't prevent devs from concatenating SQL with user input

            You can't do this in, say Haskell, unless you write your own SQL interface library that builds solely on strings.

            Granted, I lost interest in Haskell somewhere around hitting the Functor/Monad point, but if devs can send raw SQL to the database, they will do so [realworldhaskell.org].

            misusing threading primitives

            You can't do this in concurrent safe languages, like Concurrent ML, Rust and Haskell.

            Yes, you can [reddit.com].

            So basically, safety properties have importance on par with domain requirements, and must be subject to the same rigour that domain features get, ie. testing, verification, etc.

            Good luck spreading that attitude. Makers of device drivers, SCADA, etc., dearly need it.

            Basically, the safer the language, in the sense that the more properties can be assured at compile-time, the more features and safety properties you can verify, and the fewer security vulnerabilities.

            That helps get us closer, certainty. The language and runtime can help catch/e

  • by koan ( 80826 )

    But don't we have an agency that is competent and less "Ministry of Information Retrievaly" than the DHS?
    https://www.youtube.com/watch?... [youtube.com]

  • The only surprise (Score:4, Insightful)

    by sinij ( 911942 ) on Wednesday October 22, 2014 @10:03AM (#48203169)
    The only surprise is that catastrophes are not commonplace. As an information security professional I can tell you based on a first-hand experience that we are metasploit module away from a major disaster. Industrial automation, medical, automotive and many other industries simply do not get information security. Chances are, your municipal water treatment system, you office building's elevators and heating, your glucose monitoring system, your car's infotainment system, your neighborhood's stoplights are trivially hackable. The only good news is that there is no money (but plenty of mayhem) to be made from compromising these systems. As such, people who can ether don't have a motivation or a conscientious enough to do that. Such miniscule margin of safety keeps me up at night.
  • Data Protocol: HL7 While 3.0 is XML based, almost everyone uses v.2 which is a multi-row Pipe (Technically is is definable, but everyone uses pipes) delimited file.

    How the data is transferred.
    There are two common ways to transfer HL7 data.
    File Drop and read,
    Push via a non encrypted TCP/IP.

    Most healthcare systems try to put in VPN and separate networks in place to minimize the damage. But if someone was on the network they could say data update new dose, on the OBX.

    We need to get technology to support encry

    • by sinij ( 911942 )
      Only liability insurance industry can force the change. Otherwise it will be impossible to put a monetary value on this effort.

      When bad things happen, the liability is covered by the insurance. The insurance industry can accurately estimate the risk, and raise premiums accordingly. They generally don't reward greatly reducing marginal risks, as such expense of completely securing medical information systems would not meaningfully reduce premiums. It is only when prevalence of compromise increases, somethin
      • Only liability insurance industry can force the change. Otherwise it will be impossible to put a monetary value on this effort.

        Only the insurance industry can force change without getting buried in lobbying and politics.

        But even then, the insurance industry will still end up negotiating the industry standards with device manufacturers.

  • by nimbius ( 983462 ) on Wednesday October 22, 2014 @10:28AM (#48203399) Homepage
    in neonatal units for example, nearly everything is wireless and unencrypted. Its why visitors and parents are frequently told to shut off cellphones as no ones entirely certain the devices wont interfere with heart rate monitors or life support systems. Its theoretically possible to create a denial of service condition in a hospital where a nurses station for an entire floor suddenly sees life-threatening conditions for every patient, or receives a nurse request page for every patient. Injection attacks can also result in patients that are dead for hours but reported as still alive.
  • A friend of mine and I were just talking about this. He has a pacemaker that they put in that also has a recorder. The doctor pulls data off of the device using a wireless connection (so he doesn't have to open him up again). The device has no security on it (the doctor actually pointed that out at one point). Depending on the device you could theoretically kill someone by "hacking" into something like that (upload a new set of heart settings that drive you into a heart attack). The problem becomes tho
    • by msauve ( 701917 )
      I just knew there was a reason for tattoos other than self-mutilation.
      • Tattoos can be damaged or destroyed. People can get your password when they video tape you undressing at a department store changing room, or even by implanting hidden cameras in your home. But I supposed if someone went to those efforts to get your pacemaker password, they would find some way to kill you.
    • You can stop a pacemaker with a magnet near the chest wall. If you are one of those ** very few ** people who need a pacer to survive, you can get temporarily paced in the ER until they can put a new one in.

      Surprisingly enough, people HAVE thought through most of this.

      ** most pacemakers work intermittently, some people need them all of the time. Pacers do fail, it's pretty rare but sometimes even the wonders of technology aren't enough to keep you alive.

  • the complete range of devices under investigation has not been disclosed, it is reported that one of them is an "implantable heart device."

    Please let it be the same one DICK Cheney uses. Though if it is on the list, he'll just switch back to yet another heart of a forsaken orphan.

    • Dick Cheney had the wireless connection to his defibrillator removed just so he couldn't be targeted wirelessly. Of course, there are supposed to be regulations to ensure privacy and security on all new wireless health devices, so the FDA is not completely napping. [fda.gov]
  • by Anonymous Coward

    .... is why this comes under the Department of Homeland Security at all???

You can not get anything worthwhile done without raising a sweat. -- The First Law Of Thermodynamics

Working...