Consumer Device Hacking Concerns Getting Lost In Translation
ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."
This just in... (Score:5, Funny)
People in positions of power generally don't have a clue how things work... since they never, you know, work. I'm sure if we hopped in the TARDIS and went back to when the Egyptians were building the pyramids, the foreman in charge of positioning the bricks was constantly complaining about the idiot Pharaoh putting down the wrong dimensions in the foundation, and telling them to use unwoven rope because he read in Pharaoh Times (the premier Pharaoh trade stone tablet!) that it would improve efficiency. He probably also randomly decided to outsource 30% of his slaves because "leading experts" said it was universally a great idea.
*cough* People at the top not having a clue is a problem as old as humanity.
Re: (Score:3)
"Let them eat cake"
'nuff said.
Re: (Score:1)
Actually, never said.
http://en.wikipedia.org/wiki/Let_them_eat_cake [wikipedia.org]
Re: (Score:2)
Do you want to bet that today someone would?
Comment removed (Score:5, Insightful)
Re: (Score:2)
Ok, I have some pointers here.
1) Don't call yourselves "hackers". It's a scary label. Don't do it. Be "security experts", "specialists", "programmers", "investigators", or anything but hackers. It's even better if you can somehow title yourself researcher, CEO, or something that commands respect.
2) Don't expose flaws with your own face and name. You think you will get praise, you won't. ( Yes, you should get praise, but that's not how the world works)
3) Companies reverse engineer & try to find faults fr
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Pretty much, yes. Unless you think you can correct the people/media of course. I think that's an uphill battle, to be honest.
Re: (Score:3)
You should accept that language evolves and that you're on the losing side of this one. Decide if you want to be understood, or be "right".
Re: (Score:3)
4) Use the flaw. If it causes damage you can be sure it will be fixed. Just don't do anything really stupid and don't get caught.
Never. Ever. Do. This.
The moment you do this you lose any moral ground you had, which is all you have if the law doesn't support you.
Re: (Score:2)
Indeed TFA makes the assumption that those in power don't understand, so that they demonize hackers. Which is incredibly naive, because people in power are usually *better* than the average at getting and rating information.
Once they get this information, they reason like: "how is this going to affect my career?" and take the necessary steps to profit from the information, just like parent said.
Re:This just in... (Score:4, Insightful)
Those in power usually *don't* understand. They have people for that. I've worked for a few Fortune 500 companies in IT; at one, the CEO's password was the name of the company and set to never expire. At another, when I tried to educate a user on how to avoid a particular problem (so that the problem wouldn't happen again, and lead to their loss of productivity and an increase in my workload) and was dismissed with a wave of the hand and a "Oh, I don't have to know that."
They don't understand. They don't WANT to understand. And when your job title has a "Chief" at the beginning of it, IT goes along with whatever insecure, dangerous, counterproductive nonsense you want.
Re: (Score:2)
You are assuming the CIO knows information rather than (or in addition to) management. That is sometimes a correct assumption.
Re: (Score:2)
The problem is communications. I'm not sure if it's just a biased point of view, but it seems the IT industry is f
Re: (Score:2)
If Nader published "Unsafe at any speed" today he would probably be heckled by the press, sued by the corps, and have a dozen charges on him cooked up by the feds.
Most of that has happened to Nader at one time or another.
In early March 1966, several media outlets, including The New Republic and The New York Times, reported that GM had tried to discredit Nader, hiring private detectives to tap his phones and investigate his past, and hiring prostitutes to trap him in compromising situations.
source: http://en.wikipedia.org/wiki/Ralph_Nader#Automobile_safety_activism [wikipedia.org]
Hey, Look what I can do! (Score:1)
Re: (Score:1)
nah just hack millions of pacemakers and blackmail their hosts into your own private army... to go fight the sharks with "lasers"
Re: (Score:3)
Re:Hey, Look what I can do! (Score:5, Insightful)
Since that is an approach almost universally rejected by said "company or governing body" in recent history, I assume the context of the article is "what to do after the most responsible approach fails because said company or governing body is actually completely irresponsible."
Re:Hey, Look what I can do! (Score:5, Interesting)
If the information gets public though, they can't deny knowledge of the problem and become liable. I do believe companies should get a warning and some time to find a proper solution, not for them, but for those affected by their products, but that warning should include a deadline.
Oh and I consider it completely irresponsible, stupid and dangerous to go after the hackers and charge them with computer crimes.
evidence suggests that's rare, headline grabbing (Score:5, Interesting)
To me, that sounds a lot like saying "couples facing divorce almost always murder each other" because those that end in murder are the ones you still hear about years later. (Reiser, for example.). That ignores the hundred divorce cases every day that are either amicable or simply not newsworthy because nothing interesting happens.
My own experience with reporting a few issues matches what I see in the CVEs - they've been addressed quickly and professionally. The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.
Re: (Score:3)
The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.
Both non-profit. 'nuf said.
Re: (Score:3)
It's trivially easy to change a file and upload it to a website. It's significantly tougher and more expensive to roll out embedded firmware running in 1.5 million cars across multiple countries, let alone 200,000 pacemakers that would require major surgery to update or replace.
Microsoft, Adobe have never issued a security upda (Score:2)
All of those updates you see every day don't magically appear from nowhere. They come from the standard process of reporting and handling issues that most people follow. Selfish attention whores report maybe 0.5% of the issues. The other 99.5% are reported and fixed with no drama.
Re: (Score:2)
Selfish attention whores report maybe 0.5% of the issues. The other 99.5% are reported and fixed with no drama.
From whence do these statistics come?
So Microsoft, Adobe, et al have never issued any security updates, ever?
No one said anything of the kind, but there are plenty of cases of them being, how do I say this nicely, not as prompt and responsive as they might be. Like sitting on known issues for months, and/or letting the NSA have fun with them first. Furthermore, Adobe and Microsoft make software for general purpose computers. The focus here is on embedded devices, which are harder to update and have a worse track record.
Lastly, the personal experiences you cite are both with non
7,567,000 not reported on Slashdot. Newsworthy (Score:2)
The million or so that aren't reported on Slashdot are the ones handled properly through the standard process. All of those security updates you see every day don't magically appear from nowhere, they are generated through a fairly standardized process.
The newsworthy stories are by definition not the normal case. Take those newsworthy cases and put some propaganda spin on them and you get
Re: (Score:2)
The million or so that aren't reported on Slashdot are the ones handled properly through the standard process.
How do you know that?
my daily work. check any major CVE list (Score:2)
A few times per year, a dead body is found in a trash bag. So it's true that "every trash bag covered on the news has a dead body or something in it".
Re: (Score:2)
Just do both.
Tell the company, and inform them that in six months you will be presenting this discovery at a conference. That way they have plenty of time to deploy a patch.
That, or they might just say that if you ever go public they'll sue you so hard your grandchildren will still be paying the legal fees.
Re: (Score:1)
You mean "they have plenty of time to take out a gagging order".
It's been done in both the UK and US, so don't go bleating about "freedom of speech" saving you.
If you find an exploit, and want to ensure it's fixed, the only approach is to publish a polished weaponized 0day attack.
Re:Hey, Look what I can do! (Score:4, Insightful)
And what do you do if the companies and governing bodies (at best) ignore you?
The most responsible thing to do is try to get it fixed as safely as possible.
If that doesn't work, the most responsible thing to do is try the method with as little risk as possible.
Continue trying to get it fixed and you may have to end up publishing it at a security conference.
yay,lawyers (Score:3)
Nothing will really change - the people in charge of these things will simply fall back on their marketing departments to say "all is well" to their customers.
It's not until someone sues one of them for billions of dollars that that company's board will sit down and actually decide that spending some money on security, and more on marketing of course, is a good thing to do.
In the meantime, I'd say that a letter directly addressed to the CEO explaining how easy his devices are to compromise, and pointing out the massive financial implications to his company (and therefore his bonus and possibly even job) will be the only realistic way of getting through to these people. Remember most of them don't really care about what the company does, they only care about running that company. They're businessmen who "do business", and so you have to appeal to that aspect.
I guess the other problem is that your average CEO doesn't even know DEF CON exists.
Re:yay,lawyers (Score:5, Insightful)
Just point out "You make medical devices. Medical devices that sick people need. Most sick people are old. Congressmen and other people that have influence on laws being passed tend to be in the upper age bracket of the population. Do you think it's a good idea to build devices that are insecure and mostly used by rich, influential people?"
Re: (Score:2)
If YOU or I do it, we'll probably just vanish from the earth.
Re: (Score:1)
Oh, just like the guy who was going to report on hackable medical devices. Tell us which ones are hackable now and in the future, because the corollary of what you said happened. This DEF CON, a researcher was to present a paper on hackable devices, a follow-up of a paper from, if I remember correctly, Oregon State, about hackable med devices from about 2002. Part of his paper was on induced heart attacks, with no medical devices. He died prior to the conference from a heart attack. Huh? I wish the paper were
Just because we can, should we... (Score:1)
network everything?
The bad guys out there are having a field day with all sorts of devices. Eventually (if not already) people are gonna die.
Then the lawsuits will start to flow.
The ISP
The Doctor(in the case of an insulin pump)
The hospital
The kit maker
Every company that makes something that goes into the device, even something as innocent as a screw.
Uncle Tom Cobley and all
and not forgetting the cleaner at the hospital.
Why don't we stop networking everything in sight until it is properly hardened against at
Re:Just because we can, should we... (Score:4, Insightful)
Problem is some things *need* networking.
Pacemakers usually require tuning, both when first installed and later on. And since you can't take it out and plug it into a diagnostic machine you need to be able to connect to it to run tests too.
That doesn't mean connecting it to the Internet, Wi-Fi, etc. is a good idea... but you do need to connect to it somehow, and even if it's an obscure type of network that means that someone nearby with the correct networking hardware could try to access it.
Re: (Score:2)
While they need to be "remotely" accessible, there's no good reason for "remotely" to be any further away than 6 inches. Probably less.
Re: (Score:3)
Everything is networked because doctors want it that way. 'Networked' has an 'ooh shiny' factor that doctors love. That's bad enough, but when you combine it with the fact that nobody is stingier or dumber with IT resources than hospitals, you get a recipe for disaster.
Quality and Safety (Score:2)
Is there a governing body testing the safety and quality of electronic medical devices? According to this BBC documentary http://www.youtube.com/watch?v=H3BBjzVQhe0 [youtube.com] , there isn't for medical utensils. Is it the same for electronic devices?
Re: (Score:2)
Fine. Let them. (Score:2)
And let them deal with the fallout when (not if) the first person is killed by such a hack. This will CERTAINLY make headline news and people will CERTAINLY listen for maybe the first time something "computerish" is unsafe, because now it is their life that's hanging on it. And watch how people will DEMAND rigid standards, far more rigid than you could possibly want to implement. And no donations to Washington will drive that white elephant out of the room because people will keep watching it, and the
Re: (Score:3)
Re:Fine. Let them. (Score:4, Insightful)
Are you kidding? If I was to kill someone, this would be THE way to go. The perfect crime. No visible traces, the autopsy would just conclude that the device malfunctioned and I'm off the hook.
It's not that it wasn't easier to kill someone in different ways; of course there are far easier ways to kill someone, that's a given. But they are invariably more "visible". A bullet hole or a knife cut is a dead giveaway to foul play. There is almost no way to hide poison in this day and age if there is at least a hint of reason to test for it. Air bubbles are harder to find but also far from impossible.
But this is just a medical device that malfunctioned. The manufacturer will blame it on the patient's error or try to weasel out any other way, the relative who actually offed the geezer will easily agree to get the case closed quickly and everyone's happy. Well, at least everyone still alive.
Re: (Score:2)
First, if you wanted to kill Gary specifically: you have some grudge or vendetta. Would you give up because he didn't have an insulin pump of the particular model vulnerable to this attack? No, you would use some other method from my list. So Gary isn't saved here by having a password on his insulin pump.
Second, you just want to kill someone for the thrill of it. There's so many ways to do this. If you were this sort of person, would you do the work to learn
Re: (Score:2)
I thought the subject was vulnerabilities of medical devices and other things and that the bulk of the discussion concerned disclosing and getting fixed those vulnerabilities. I don't understand how papering something over with a password would fix anything, and that wasn't even something discussed until you brought it up.
I certainly agree, though, that if you have an implanted device that needs monitoring or adjusting remotely there has to be a way to authenticate the identities and verify the authority t
Re: (Score:2)
Re: (Score:2)
Thanks; I'm a bit dense and didn't know where you were coming from with that. This stuff is well above my pay grade - and I'm retired. (Below, a poster notes that pacemakers apparently can be overridden/stopped by a powerful magnet - I have to wonder if that's part of EM techs' kit.
My stupid idea would be that the security holes would be closed by the makers (better, they should not exist at all) - and I don't think it all that likely until someone important dies, as others have said. As you point out, pa
Re: (Score:2)
Who will know why they died? I don't consider fallout very likely, unless there are failed attacks against rather paranoid people who are also powerful. Even then I'd rate it as low probability.
(OT) Terminology?? (Score:1)
My point: TFT(itle) would have sounded better as "Life threatening hacking concerns [etc]"
The problem with some of these devices is ... (Score:4, Interesting)
You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way.
The problem with security. (Score:3)
"The problem with some of these devices is that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.
You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way."
I thi
We've known this for a while (Score:1)
It has taken the computer industry years to stop prosecuting every "security researcher" ("hacker"? not applicable, not even with hats and "ethical" attached), the SCADA bunch haven't learned even after stuxnet, and now the medicos...?
Of course not. Worse yet, these "security researchers" haven't learned either. They're still using their bogeyman moniker for everything, lawful or not, and make it a habit to regularly blog or issue press releases with juicy tidbits to stay in the spotlights and spread some m
Re: (Score:1)
Because you can threaten them remotely and kill them practically without leaving any traces? Because it will not be construed as a murder, but just a problem of faulty apparatus? Because in the event of a war, somebody could just kill a few generals (like Colin Powell, who's so dependent on such an apparatus that he doesn't have any pulse), without even any bullets, with a nondescript piece of machinery?
Everybody knows how a gun looks. How does a machine that kills people with pacemakers look? Could i
Re:What are you afraid of? (Score:5, Interesting)
Murder is easy. Getting away with it is hard. If the old guy with a heart condition drops dead from apparent heart failure, who is going to even suspect murder?
Re: (Score:2)
When you care about security, you start by looking at the possible targets (a person's life), then you look at the possible attacks and identify those that are most likely. You don't look at a possible attack and go OMG and lose you
It's not just about security by obscurity (Score:2)
Re:It's not just about security by obscurity (Score:5, Insightful)
You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests? Because I'm sure they would be willing, if they could be absolutely sure of not being caught. I wouldn't even trust the US with it - they already use drone strikes against suspected terrorists without trial, but drones are messy and lead to bad PR. And if Iran gets hold of the hack... they'd probably set up a virus that transmits the 'drop dead' command from any device with a Bluetooth interface and US-English language setting.
Pacemakers need replacement every seven years or so anyway as the batteries go flat. You can just install one without the vulnerability then. It's a routine procedure.
Re: (Score:2)
Forgot something:
"...Russia or China" or Big PhaRMA or AHIP (America's Health Insurance Plans) or the NRA or...
Re: (Score:3)
Russia is a good example because we know they still assassinate. Alexander Litvinenko. That one wasn't even a cover-up: he was poisoned with polonium, an isotope that would be impossible for all but a few governments to obtain - it has no uses in medicine and scant few in industry, and those uses require only the tiniest amount. Presumably the Russian government used a method so obviously pointing back to them in order to intimidate anyone else who might think to leave the country and leak intelligence info
Re: (Score:2)
You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests?
That's supposed to be insightful? So you are saying that the most important thing for the manufacturers of pacemakers is to prevent one of the thousand possible ways to kill a US senator?
Re: (Score:2)
Your critical thinking skills are lacking so badly I can't form a coherent response.
If you can't explain something to a five year old (or equivalent) you don't really understand it.
Re: (Score:2)
One of the possible ways to kill and get away with it. The killing part isn't too hard - the getting away without starting a war is.
Sign me up. (Score:2)
The manufacturers are correct... (Score:5, Interesting)
If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?
Some idiot reporters like the NYTimes article threw in the word "remote" to describe the attacks, when it clearly didn't belong. Though to be fair, it later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."
So this, being the only actual referenced example in TFA, is a lot of baseless BS fear-mongering, and we are left without any reason to believe a problem actually exists.
Re:The manufacturers are correct... (Score:4, Funny)
In the next horror film, the hidden psycho on the back seat won't have an axe or a knife, but a laptop ...
Re: (Score:2)
Of course not. Psychos don't die that easily. He'll run the car into just the right obstacle that it'll decapitate the person sitting in the driver's seat, and then walk away. Or drive away. In a car with a decapitated corpse in the driver's seat.
Re: (Score:3)
If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?
We say that you didn't read the fucking article, and are for some reason leaving comments about it anyway. I don't even mean this article, I mean the former article where we discussed the hack. Because in that article, they discussed that all you need is access to the bus, and there are already remote holes in automotive infotainment gear that could permit an attacker to compromise that equipment, and then through that vector compromise the vehicle itself. This is in turn because automakers are lazy cheap f
Re: (Score:2)
Good. Talk about the remote vulnerabilities all you want. Get THOSE fixed. Those would be the problem. This article however, is worthless, baseless nonsense.
And no, I don't feel obliged to go back and check every dupe for the past 4 years to try and find a link to some less awful information.
Re: (Score:2)
Breaking into most cars is relatively easy, and could be done in a couple of ways: the diversionary snatch and grab where you steal a radio and hide the device well somewhere, or a more complex break-in that is unnoticed.
Either way, you now have physical access to the vehicle, without having to be seated in it. You could control over 3g/4g, or for the rea
Re: (Score:2)
Or you could do a MINUSCULE FRACTION as much work, and just cut the brake lines. Or replace your theoretical $30 Android trojan device with a stick of TNT.
You're not helping your case by coming up with ridiculous, irrational, paranoid fantasies, and making IT security folks look like nutjobs.
Re: (Score:2)
So, it is not paranoid fantasy, it is a viable attack method.
In addition, my method could be installed during routine maintenance/service of the vehicle (no
Re: (Score:2)
Cutting brake lines actually involves slicing them just deeply enough that they're intact until high speed hard braking ruptures it. This is easier to disguise as "maintenance" than any electronic method, and much more deadly than anything described here... Their disabling of the brakes only worked at low speed and makes a tell-tale god awful noise.
Engine braking is not an option on a large number of vehicles, particularly the Prius in the demonstration... That just leaves the parking brake you'll also n
I can speak consumer (Score:1)
The rug (Score:2)
Stop sweeping problems under it.
If these devices are vulnerable then they will be exploited. The best solution is transparency and working consortia for both testing/verification and patching these problems before that vehicle, pacemaker or other device is used against consumers.
The Assassin of the Future (Score:2)
The crack assassin will be a fat, greasy, male basement-dweller covered in Cheetos dust. This will doubtless be distorted by Hollywood, to the point where the assassin in movies actually has dealings with beautiful women.
LINKS! FFS (Score:1)
Olde Tyme Hacking (Score:1)