Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Technology

Consumer Device Hacking Concerns Getting Lost In Translation 100

ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."
This discussion has been archived. No new comments can be posted.

Consumer Device Hacking Concerns Getting Lost In Translation

Comments Filter:
  • by girlintraining ( 1395911 ) on Friday August 09, 2013 @02:25AM (#44517931)

    People in positions of power generally don't have a clue how things work... since they never, you know, work. I'm sure if we hopped in the TARDIS and went back to when the Egyptians were building the pyramids, the foreman in charge of positioning the bricks was constantly complaining about the idiot Pharaoh putting down the wrong dimensions in the foundation, and telling them to use unwoven rope because he read in Pharaoh Times (the premier Pharaoh trade stone tablet!) that it would improve efficiency. He probably also randomly decided to outsource 30% of his slaves because "leading experts" said it was universally a great idea.

    *cough* People at the top not having a clue is a problem as old as humanity.

    • "Let them eat cake"

      'nuff said.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Friday August 09, 2013 @03:45AM (#44518209)
      Comment removed based on user account deletion
      • by Anonymous Coward

        Ok, I have some pointers here.

        1) Don't call yourselves "hackers". It's a scary label. Don't do it. Be "security experts", "specialists", "programmers", "investigators", or anything but hackers. It's even better if you can somehow title yourself researcher, CEO, or something that commands respect.
        2) Don't expose flaws with your own face and name. You think you will get praise, you won't. ( Yes, you should get praise, but that's not how the world works)
        3) Companies reverse engineer & try to find faults fr

        • 4) Use the flaw. If it causes damage you can be sure it will be fixed. Just don't do anything really stupid and don't get caught.

          Never. Ever. Do. This.

          The moment you do this you lose any moral ground you had, which is all you have if the law doesn't support you.

      • Indeed TFA makes the assumption that those in power don't understand, so that they demonize hackers. Which is incredibly naive, because people in power are usually *better* than the average at getting and rating information.

        Once they get this information, they reason like: "how is this going to affect my career?" and take the necessary steps to profit from the information, just like parent said.

        • Re:This just in... (Score:4, Insightful)

          by BVis ( 267028 ) on Friday August 09, 2013 @08:08AM (#44519089)

          Those in power usually *don't* understand. They have people for that. I've worked for a few Fortune 500 companies in IT; at one, the CEO's password was the name of the company and set to never expire. At another, when I tried to educate a user on how to avoid a particular problem (so that the problem wouldn't happen again, and lead to their loss of productivity and an increase in my workload) and was dismissed with a wave of the hand and a "Oh, I don't have to know that."

          They don't understand. They don't WANT to understand. And when your job title has a "Chief" at the beginning of it, IT goes along with whatever insecure, dangerous, counterproductive nonsense you want.

        • by tlhIngan ( 30335 )

          Indeed TFA makes the assumption that those in power don't understand, so that they demonize hackers. Which is incredibly naive, because people in power are usually *better* than the average at getting and rating information.

          Once they get this information, they reason like: "how is this going to affect my career?" and take the necessary steps to profit from the information, just like parent said.

          The problem is communications. I'm not sure if it's just a biased point of view, but it seems the IT industry is f

      • If Nader published "Unsafe at any speed" today he would probably be heckled by the press, sued by the corps, and have a dozen charges on him cooked up by the feds.

        Most of that has happened to Nader at one time or another.

        In early March 1966, several media outlets, including The New Republic and The New York Times, reported that GM had tried to discredit Nader, hiring private detectives to tap his phones and investigate his past, and hiring prostitutes to trap him in compromising situations

        source: http://en.wikipedia.org/wiki/Ralph_Nader#Automobile_safety_activism [wikipedia.org]

  • Of course you're going to be shamed when you showcase a fatal flaw in a pacemaker to a bunch of people at a convention. It may not be the easiest thing to do, but the most responsible thing to do is to go to the company or governing body and explain things
    • nah just hack millions of pacemakers and blackmail their hosts into your own private army... to go fight the sharks with "lasers"

    • by Narcocide ( 102829 ) on Friday August 09, 2013 @02:46AM (#44517991) Homepage

      Since that is an approach almost universally rejected by said "company or governing body" in recent history, I assume the context of the article is "what to do after the most responsible approach fails because said company or governing body is actually completely irresponsible."

      • by azalin ( 67640 ) on Friday August 09, 2013 @03:06AM (#44518059)
        I have to agree to that. I large companies it is rather hard to find someone to listen to you AND in a position to actually change something. Even if the company knows about the problem, they will probably either ignore it, or find the cheapest way to make it disappear. Probably a new software module in the 2016 model.
        If the information gets public though, they can't deny knowledge of the problem and become liable. I do believe companies should get a warning and some time to find a proper solution, not for them, but for those affected by their products, but that warning should include a deadline.
        Oh and I consider it completely irresponsible, stupid and dangerous to go after the hackers and charge them with computer crimes.
        • by raymorris ( 2726007 ) on Friday August 09, 2013 @06:12AM (#44518515) Journal
          Looking at any major CVE list, it seems most significant issues are fixed rather quickly. When a researcher or self-centered asshole doesn't get quite the response they want, those are the cases that get a headline on Slashdot a few times per year. Slashdot doesn't report on the 20 or so per day that go through the standard process and are resolved appropriately.

          To me, that sounds a lot like saying "couples facing divorce almost always murder each other" because those that end in murder are the ones you still hear about years later. (Reiser, for example.). That ignores the hundred divorce cases every day that are either amicable or simply not newsworthy because nothing interesting happens.

          My own experience with reporting a few issues matches what I see in the CVEs - they've been addressed quickly and professionally. The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.
          • The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.

            Both non-profit. 'nuf said.

            • Not only that, but I'm betting he's never tried reporting a found vulnerability in any embedded product.

              It's trivially easy to change a file and upload it to a website. It's significantly tougher and more expensive to roll out embedded firmware running in 1.5 million cars across multiple countries, let alone 200,000 pacemakers that would require major surgery to update or replace.
            • So Microsoft, Adobe, et al have never issued any security updates, ever?
              All of those updates you see every day don't magically appear from nowhere. They come from the standard process of reporting and handling issues that most people follow. Selfish attention whores report maybe 0.5% of the issues. The other 99.5% are reported and fixed with no drama.
              • Selfish attention whores report maybe 0.5% of the issues. The other 99.5% are reported and fixed with no drama.

                From whence do these statistics come?

                So Microsoft, Adobe, et al have never issued any security updates, ever?

                No one said anything of the kind, but there are plenty of cases of them being, how do I say this nicely, not as prompt and responsive as they might be. Like sitting on known issues for months, and/or letting the NSA have fun with them first. Furthermore, Adobe and Microsoft make software for general purpose computers. The focus here is on embedded devices, which are harder to update and have a worse track record.

                Lastly, the personal experiences you cite are both with non

      • Just to both.

        Tell the company, and inform them that in six months you will be presenting this dicovery at a conference. That way they have plenty of time to deploy a patch.

        That, or they might just say that if you ever go public they'll sue you so hard your grandchildren will still be paying the legal fees.

        • by Anonymous Coward

          You mean "they have plenty of time to take out a gagging order".

          It's been done in both the UK and US, so don't go bleating about "freedom of speech" saving you.

          If you find an exploit, and want to ensure it's fixed, the only approach is to publish a polished weaponized 0day attack.

    • by mwvdlee ( 775178 ) on Friday August 09, 2013 @03:07AM (#44518065) Homepage

      And what do you do if the companies and governing bodies (at best) ignore you?

      The most responsible thing to do is try to get it fixed as safely as possible.
      If that doesn't work, the most responsible thing to do is try method with as little risk as possible.
      Continue trying to get it fixed and you may have to end up publishing it at a security conference.

  • by gbjbaanb ( 229885 ) on Friday August 09, 2013 @02:51AM (#44518003)

    Nothing will really change - the people in charge of these things will simply fall back on their marketing departments to say "all is well" to their customers.

    Its not until someone sues one of them for billions of dollars that that company's board will sit down and actually decide that spending some money on security, and more on marketing of course, is a good thing to do.

    In the meantime, I'd say that a letter directly addressed to the CEO explaining how easy his devices are to compromise, and pointing out the massive financial implications to his company (and therefore his bonus and possibly even job) will be the only realistic way of getting through to these people. Remember most of them don't really care about what the company does, they only care about running that company. They're businessmen who "do business", and so you have to appeal to that aspect.

    I guess the other problem is that your average CEO doesn't even know defcon exists.

    • Re:yay,lawyers (Score:5, Insightful)

      by Opportunist ( 166417 ) on Friday August 09, 2013 @03:00AM (#44518037)

      Just point out "You make medical devices. Medical devices that sick people need. Most sick people are old. Congressmen and other people that have influence on laws being passed tend to be in the upper age bracket of the population. Do you think it's a good idea to build devices that are insecure and mostly used by rich, influential people?"

  • by Anonymous Coward

    network everything?

    The bad guys out there are having a field day with all sorts of devices. Eventually (if not already) people are gonna die.
    Then the lawsuits will start to flow.
    The ISP
    The Doctor(in the case of an insulin pump)
    The hospital
    The kit maker
    Every company that makes something that goes into the device, even something as innocent as a screw.
    Uncle tom cobbly and all
    and not forgetting the cleaner at the hospital.

    Why don't we stop networking everything in sight until it is properly hardened against at

    • by Anonymous Coward on Friday August 09, 2013 @03:06AM (#44518061)

      Problem is some things *need* networking.

      Pacemakers usually require tuning, both when first installed and later on. And since you can't take it out and plug it into a diagnostic machine you need to be able to connect to it to run tests too.

      That doesn't mean connecting it to the Internet, Wi-fi etc is a good idea... but you do need to connect to it somehow and even if it's an obscure type of network that means that someone nearby with the correct networking hardware could try to access it.

      • by HiThere ( 15173 )

        While the need to be "remotely" accessible, there's no good reason for "remotely" to be any further away than 6 inches. Probably less.

    • by BVis ( 267028 )

      Everything is networked because doctors want it that way. 'Networked' has an 'ooh shiny' factor that doctors love. That's bad enough, but when you combine it with the fact that nobody is stingier or dumber with IT resources than hospitals, you get a recipe for disaster.

  • Is there a governing body testing the safety and quality of electronic medical devices? According to this BBC documentary http://www.youtube.com/watch?v=H3BBjzVQhe0 [youtube.com] , there isn't for medical utensils. Is it the same for electronic devices?

    • In the USA, the FDA does this. In a way this is one contributor to the problem, the effort and time to recertify a device after substantive changes is considerable. It depends on the scope of a change though, certain types of maintenance don't require recertification.
  • And let them deal with the fallout when (not if) the first people is being killed by such a hack. This will CERTAINLY make headline news and people will CERTAINLY listen for maybe the first time something "computerish" is unsafe, because now it is their life that's hanging on it. And watch how people will DEMAND rigid standards, far more rigid than you could possibly want to implement. And no donations to Washington will drive that white elephant out of the room because people will keep watching it, and the

    • There are plenty of easier ways to kill someone. The threat of someone going out of their way to hack the insulin pump is so near zero that any cost to fix it is not justified. If the flaw were something that could be triggered accidentally or by a simple fumbling around they would be more likely to act on it. As it is, we can't patch for a person's vulnerability to poison, gunshot, bludgeoning, air bubble injections, etc. so the existence of one more extremely improbable attack isn't worrying people who ha
      • Re:Fine. Let them. (Score:4, Insightful)

        by Opportunist ( 166417 ) on Friday August 09, 2013 @07:42AM (#44518881)

        Are you kidding? If I was to kill someone, this would be THE way to go. The perfect crime. No visible traces, the autopsy would just conclude that the device malfunctioned and I'm off the hook.

        It's not that it wasn't easier to kill someone in different ways, of course there are far easier ways to kill someone, that's a given. But they are invariably more "visible". A bullet hole or one a knife cuts is a dead giveaway to foul play. There is almost no way to hide poison in this time and age if there is at least a hint of reason to test for it. Air bubbles are harder to find but also far from impossible.

        But this is just a medical device that malfunctioned. The manufacturer will blame it on the patient's error or try to weasel out any other way, the relative who actually offed the geezer will easily agree to get the case closed quickly and everyone's happy. Well, at least everyone still alive.

        • Let's make two broad categories of threats.

          First, if you wanted to kill Gary specifically. You have some grudge or vendetta. Would you give up because he didn't have an insulin pump of the particular model vulnerable to this attack? No, you would use some other method from my list. So Gary isn't saved here by having a password on his insulin pump.

          Second, you just want to kill someone for the thrill of it. There's so many ways to do this. If you were this sort of person, would you do the work to learn
          • I thought the subject was vulnerabilities of medical devices and other things and that the bulk of the discussion concerned disclosing and getting fixed those vulnerabilities. I don't understand how papering something over with a password would fix anything, and that wasn't even something discussed until you brought it up.

            I certainly agree, though, that if you have an implanted device that needs monitoring or adjusting remotely there has to be a way to authenticate the identities and verify the authority t

            • The "password" was really just a shorthand for any sort of access control or other cost paid in trying to make the device immune to malicious tampering. Time spent hardening device software is not free, this needs to be taken into account when deciding whether a control is appropriate. You make a fair point though, the 'might need emergency access' argument is perhaps not that strong. I would bet that part of that argument is simply doctor's hatred for anything that costs them extra time that they view as s
              • Thanks; I'm a bit dense and didn't know where you were coming from with that. This stuff is well above my pay grade - and I'm retired. (Below, a poster notes that pacemakers apparently can be over-ridden/stopped by powerful magnet - I have to wonder if that's part of EM techs' kit.

                My stupid idea would be that the security holes would be closed by the makers (better, they should not exist at all) - and I don't think it all that likely until someone important dies, as others have said. As you point out, pa

    • by HiThere ( 15173 )

      Who will know why they died? I don't consider fallout very likely, unless there are failed attacks against rather paranoid people who are also powerful. Even then I'd rate it as low probability.

  • by Anonymous Coward
    True, "hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars" are consumer devices. But so are WiFi routers, mobile phones, etc.
    My point: TFT(itle) would have sounded better as "Life threatening hacking concerns [etc]"
  • by Ihlosi ( 895663 ) on Friday August 09, 2013 @03:20AM (#44518117)
    ... that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.

    You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way.

    • "The problem with some of these devices is that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.

      You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way."

      I thi

  • by Anonymous Coward

    It has taken the computer industry years to stop prosecuting every "security researcher" ("hacker"? not applicable, not even with hats and "ethical" attached), the SCADA bunch haven't learned even after stuxnet, and now the medicos...?

    Of course not. Worse yet, these "security researchers" haven't learned either. They're still using their bogeyman moniker for everything, lawful or not, and make it a habit to regularly blog or issue press releases with juicy tidbits to stay in the spotlights and spread some m

  • Some of the exploits for these vital machines were only discovered by researchers spending months working on it, using multiple labs, and using their researcher status to gain access to information that wouldn't be available to the general public. Should we not at least address the question of whether some of this exploit research is actually creating exploits that otherwise wouldn't have cropped up for years or even decades afterwards? Jaron Lanier pointed out one such developed exploit for pacemakers wher
    • by SuricouRaven ( 1897204 ) on Friday August 09, 2013 @05:28AM (#44518429)

      You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests? Because I'm sure they would be willing, if they could be absolutly sure of not being caught. I wouldn't even trust the US with it - they already use drone strikes against suspected terrorists without trial, but drones are messy and lead to bad PR. And if Iran gets hold of the hack... they'd probably set up a virus that transmits the 'drop dead' command from any device with a bluetooth interface and US-English language setting.

      Pacemakers need replacement every seven years or so anyway as the batteries go flat. You can just install one without the vulnerability then. It's a routine procedure.

      • Forgot something:

        "...Russia or China" or Big PhaRMA or AHIP (America's Health Insurance Plans) or the NRA or...

        • Russia is a good example because we know they still assassinate. Alexander Litveninko. That one wasn't even a cover-up: He was poisoned with polonium, an isotope that would be impossible for all but a few governments to obtain - it has no uses in medicine and scant few in industry, and those uses require only the tiniest amount. Presumably the Russian government used a method so obviously pointing back to them in order to intimidate anyone else who might think to leave the country and leak intelligence info

      • You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests?

        That's supposed to be insightful? So you are saying that the most important thing for the manufacturers of pacemakers is to prevent one of the thousand possible ways to kill a US senator?

        • One of the possible ways to kill and get away with it. The killing part isn't too hard - the getting away without starting a war is.

  • I could fill that role. If they're seriously looking for someone in that role, I can pass on credentials to boot.
  • by evilviper ( 135110 ) on Friday August 09, 2013 @05:41AM (#44518453) Journal

    How did Ford and Toyota react? They publicly dismissed the research and thus far haven't committed to fixing any of the weaknesses that Miller and Valasek found. Ford described the hacks as "highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers," while Toyota said in its statement that their work wasn't hacking. Miller, who is a security engineer at Twitter, says he isn't confident the car-makers will do anything about the flaws. Percoco says the car-hacking research was a good example of finding important security flaws in consumer products.

    If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

    Some idiot reporters like the NYTimes article threw-in the word "remote" to describe the attacks, when it clearly didn't belong. Though to be fair, later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."

    So this being the only actual referenced example in TFA, is a lot of baseless BS fear-mongering, and we are left without any reason to believe a problem actually exists.

    • by Ihlosi ( 895663 ) on Friday August 09, 2013 @06:00AM (#44518491)
      SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR

      In the next horror film, the hidden psycho on the back seat won't have an axe or a knife, but a laptop ...

    • If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

      We say that you didn't read the fucking article, and are for some reason leaving comments about it anyway. I don't even mean this article, I mean the former article where we discussed the hack. Because in that article, they discussed that all you need is access to the bus, and there are already remote holes in automotive infotainment gear that could permit an attacker to compromise that equipment, and then through that vector compromise the vehicle itself. This is in turn because automakers are lazy cheap f

      • Good. Talk about the remote vulnerabilities all you want. Get THOSE fixed. Those would be the problem. This article however, is worthless, baseless nonsense.

        And no, I don't feel obliged to go back and check every dupe for the past 4 years to try and find a link to some less awful information.

    • by wbr1 ( 2538558 )
      It requires sitting in the car for now. What about when you build the hack in to an APK and put it on a $30 used android device hiding under the seat?

      Breaking into most cars is relatively easy, and could be done in a couple of ways.. the diversionary snatch and grab where you steal a radio and hide the device well somewhere, or a more complex break-in that is unnoticed.

      Either way, you now have physical access to the vehicle, without having to be seated in it. You could control over 3g/4g, or for the rea

      • Or you could do a MINISCULE FRACTION as much work, and just cut the brake lines. Or replace your theoretical $30 Android trojan device with a stick of TNT.

        You're not helping your case by coming up with ridiculous, irrational, paranoid fantasies, and making IT security folks look like nutjobs.

        • by wbr1 ( 2538558 )
          Explosives are monitored. Brake line failure is easily survivable, especially since a driver is likely to notice the brakes when first applying them in a low speed parking lot type situation. In addition a trained driver (often employed by those with power and privilege), know how to use parking brakes and engine braking to stop a vehicle, hell I do.

          So, it is not paranoid fantasy, it is a viable attack method.

          In addition, my method could be installed during routine maintenance/service of the vehicle (no

          • Cutting brake lines actually involves slicing them just deeply enough that they're intact until high speed hard braking ruptures it. This is easier to disguise as "maintenance" than any electronic method, and much more deadly than anything described here... Their disabling of the brakes only worked at low speed and makes a tell-tale god awful noise.

            Engine braking is not an option on a large number of vehicles, particularly the Prius in the demonstration... That just leaves the parking brake you'll also n

  • by J05H ( 5625 )

    Stop sweeping problems under it.

    If these devices are vulnerable then they will be exploited. The best solution is transparency and working consortia for both testing/verification and patching these problems before that vehicle, pacemaker or other device is used against consumers.

  • The crack assassin will be a fat, greasy, male basement-dweller covered in Cheetos dust. This will doubtless be distorted by Hollywood, to the point where the assassin in movies actually has dealings with beautiful women.

  • Link to the alluded-to grassroots community doing the work mentioned in the OP or it's not a story and you can GTFO.
  • Seems like a lot of work when you could just hack Lizzie Borden style.

Sentient plasmoids are a gas.

Working...