Cyber security flaws can kill

The Internet of Things is going to affect our everyday life more and more. All kinds of devices have got or are getting network connectivity. It seems that the Internet of Everything (IoE) is inevitable. We must expect a rapidly growing number of devices to be rendered “smart” and thence to become interconnected.

The ‘Internet of Everything’ (IoE), the dawning era of technological interconnectedness, represents a whole new attack vector for criminals. The rapidly evolving Internet of Everything will leave us more vulnerable to cyber criminals, according to a worried Europol. EU law enforcement outfit Europol, in its Internet Organised Crime Threat Assessment (iOCTA) report, predicts that the rise of the Internet of Things (IoT), with internet-enabled physical devices such as heart monitoring implants, self-driving cars, home surveillance systems, smart thermostat systems, and fridges, will create new attack vectors for serious crime.

This connectivity also includes many medical devices. Medical device cyber security issues seem to be coming into the spotlight. Connecting medical devices has many benefits, but can be dangerous if the devices are not secure: even if the devices are normally connected to a network separated from the public Internet, someone can accidentally or intentionally connect a hostile PC to it or arrange a connection to the Internet. Medical device security is a big question, because a malfunction in a medical device can be very dangerous (in the worst case it can lead to someone dying) and traditionally cyber security issues have not seemed to be high on the medical device development priority list.

The article “US ‘probes hackable flaws’ in medical devices” reports that US officials have revealed they are investigating about two dozen suspected examples of medical equipment vulnerable to hack attacks, potentially putting patients’ lives at risk. The products include heart implants and drug infusion pumps, according to a report by the Reuters news agency. Reuters discovered that the devices under investigation include implantable heart devices made by Medtronic and St. Jude Medical.

“Feds are examining medical devices for fatal cybersecurity flaws”: investigators were concerned that flaws in the kit could be used to cause heart attacks and drug overdoses. The inquiry is reportedly being coordinated by the US Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). It is said to also cover medical imaging equipment and hospital networking systems. ICS-CERT works directly with the Food and Drug Administration (FDA) and medical device manufacturers, health care professionals, and facilities to investigate and address cyber vulnerabilities.

Without naming companies, the Industrial Control Systems Cyber Emergency Response Team announced last year that a vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks. The advisory said some 300 medical devices from 40 vendors were affected. The situation has been seen as so bad that the FDA has issued new rules on medical device cybersecurity: the rules are technically nonbinding, but experts say companies could face consequences for ignoring them if devices are later hacked or infected with malware.

Hackers don’t appear to have exploited such cyber vulnerabilities in medical devices so far. The EU’s chief criminal intelligence agency warns that the threat of “online murder” is set to rise, with cyber criminals increasingly targeting victims with internet technology.

The idea of cyber murder was widely popularized by the US spy TV drama Homeland, in which terrorists hacked into a pacemaker (computer security researchers managed to hack a pacemaker in 2008). The former US vice-president Dick Cheney revealed last year that the wireless function had been disabled on his implanted defibrillator because of security concerns. US security firm IID predicted the first murder via “hacked internet-connected device” by the end of 2014, and based on that the Europol threat assessment warned of the first murder via “hacked internet-connected device” by the end of 2014.

IoT murder does not have to come through medical devices. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are very many Internet-connected devices controlling critical infrastructure. Different agents such as terrorists, state-sponsored hackers or hacktivists could be interested in attacking control systems within a critical infrastructure, and the possible impact could be considerable from different perspectives (governments, homeland security, society). Public health, energy production and telecommunication are all sectors exposed to serious risks. The article titled “Shodan Search Engine Project Enumerates Internet-Facing Critical Infrastructure Devices” describes the possibility of using publicly available information to identify critical infrastructure devices.

Electrical power distribution is very important to modern society – messing with it can lead to direct or indirect deaths. The U.S. power grid is quite defenseless against physical and cyber attacks. Infracritical remotely identified over 2.2 million unique IP addresses linked to industrial control systems at energy-related sites including electrical substations, wind farms, and water purification plants. Electric, natural gas and major water companies and regional distribution systems in Connecticut have been penetrated by hackers and other cyber attackers. Water distribution has already been damaged by a cyber attack.

Other potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, “SCADA Systems in Railways Vulnerable to Attack” and “Airline bosses ignore cyber security concerns at their peril”. In all of those fields there are lots of areas to address when it comes to cyber security. For example, the airline industry relies on computer systems extensively in its ground and flight operations. Some systems are directly relevant to the safety of aircraft in flight, others are operationally important, and many directly impact the service, reputation and financial health of the industry. In a car, an attacker can take advantage of a vulnerability in the vehicle’s infotainment system or exploit the telematics system and wirelessly compromise the vehicle, including safety-critical systems like the ABS and Engine Electronic Control Units (ECUs).

While I have not yet read about a confirmed IoT murder, “death by internet” was already a reality from online extortion and blackmail that has led to suicide.

4 Comments

  1. Tomi Engdahl says:

    Israeli ex-spies want to help you defend your CAR from cybercrooks
    Who needs a lock pick when you’ve got an electronic key?
    http://www.theregister.co.uk/2014/11/05/israeli_car_security_start_up/

    Security shortcomings in new cars could nurture a new branch of the infosec industry in much the same way that Windows’ security failings gave rise to the antivirus industry 20 or so years ago, auto-security pioneers hope.

    Former members of Unit 8200, the signals intelligence unit of the Israel Defense Forces, have banded together to create a start-up developing technology and services designed to protect connected cars from next generation hackers.

    Car thieves are already taking advantage of electronic car entry and ignition systems to steal cars. Recent reports suggest that insurers are refusing cover for keyless Range Rovers in London following the rise of targeted attacks on keyless cars.

    But there’s also a more subtle and less immediate hacker threat.

    Connected cars lay the groundwork for the introduction of new features, such as navigation by points of interest, music and video streaming, and also remote control of the vehicle via products and services such as GM’s OnStar and BMW’s ConnectedDrive.

    All of this extra internet-connected technology increases the number of ways malicious parties might be able to hack potentially vulnerable vehicles.

    Once inside, an attacker can utilise the vehicle’s internal communication bus and take control of additional modules inside the vehicle, including safety-critical systems like the ABS and engine ECUs (electronic computing units, the embedded computing systems in cars), according to Argus.

  2. Tomi Engdahl says:

    Coming Soon: Murder By Internet
    http://www.cio.com/article/2852589/security0/coming-soon-murder-by-internet.html

    Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists. Or someone who hacks into a connected insulin pump and changes the settings in a lethal way. Or maybe the hacker who accesses a building’s furnace and thermostat controls and runs the furnace full bore until a fire is started.

    Those may all sound like plot material for a James Bond movie, but there are security experts who now believe, as does Jeff Williams, CTO of Contrast Security, that “the Internet of Things will kill someone.”

    Williams, whose firm provides application security, doesn’t know exactly how IoT might be used to kill someone or what device will be implicated in the nefarious scheme, but considers it a certainty that a connected device will play a role in a murder.

    Similarly, Rashmi Knowles, chief security architect at RSA, said something similar in a recent blog post, imagining criminals hacking into medical devices and starting “a complete new economy” by blackmailing victims.

    “Question is, when is the first murder?” wrote Knowles.

    Today, there is a new “rush to connect things” and “it is leading to very sloppy engineering from a security perspective, which makes … internet of things devices very attackable — the way web applications were 10 years ago,” said Williams.

  3. Tomi Engdahl says:

    Could a wireless pacemaker let hackers take control of your heart?
    http://news.sciencemag.org/health/2015/02/could-wireless-pacemaker-let-hackers-take-control-your-heart

    In a 2012 episode of the TV series Homeland, Vice President William Walden is assassinated by a terrorist who hacks into his Internet-enabled heart pacemaker and accelerates his heartbeat until he has a heart attack. A flight of fancy? Not everyone thinks so.

    Internet security experts have been warning for years that such devices are open to both data theft and remote control by a hacker. In 2007, Vice President Dick Cheney’s cardiologist disabled the wireless functionality of his pacemaker because of just that risk. “It seemed to me to be a bad idea for the vice president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to get into—hack into,” said the cardiologist, Jonathan Reiner of George Washington University Hospital in Washington, D.C., in a TV interview last year.

    Medical devices such as insulin pumps, continuous glucose monitors, and pacemakers or defibrillators have become increasingly small and wearable in recent years. They often connect with a hand-held controller over short distances using Bluetooth. Often, either the controller or the device itself is connected to the Internet by means of Wi-Fi so that data can be sent directly to clinicians. But security experts have demonstrated that with easily available hardware, a user manual, and the device’s PIN number, they can take control of a device or monitor the data it sends.

    Medical devices don’t get regular security updates, like smart phones and computers, because changes to their software could require recertification by regulators like the U.S. Food and Drug Administration (FDA). And FDA has focused on reliability, user safety, and ease of use—not on protecting against malicious attacks.

  4. Joseph says:

    I like the way you think. Great article as usual. Nowadays cyber security is most important, because lots of offenses are there using cyber. So we need to take proper steps about cyber security.
