Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016 (forrester.com)
An anonymous reader writes: A surge in ransomware campaigns is expected to hit the medical sector in 2016, according to a recent report published by forecasters at Forrester Research. The paper 'Predictions 2016: Cybersecurity Swings To Prevention' suggests that the primary hacking trend of the coming year will be "ransomware for a medical device or wearable," arguing that cybercriminals would only have to make mall modifications to current malware to create a feasible attack. Pacemakers and other vital health devices would become prime targets, with attackers toying with their stability and potentially threatening the victim with their own life should the ransom demands not be met.
I'm careful about using the term "Evil" (Score:5, Insightful)
Mall changes? (Score:2)
Would that be Darth Mall where I do my holiday shopping for medical truth extraction bots? What changes are they making?
Re: (Score:2, Insightful)
Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them by the neck until dead in public.
Re: (Score:1)
And then find out the guy was stitched up by the government and turned out to be innocent. Well done.
Re: (Score:2)
Dear God! What is that thing?
Re: (Score:2)
Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them by the neck until dead in public.
At the very least, classify the programmer of the malware as a terrorist, sic Seal Team Six on him/her and send them to Gitmo.
Re: (Score:1)
Really? You cannot Google this for yourself? Why defend any fascist islamist, even obliquely? They all deserve what they get. I agree with the Chechen leader: let's strap all captured terrorists to drones and drop them on the heads of their accomplices. Sounds like a really decent plan. I'd also drop pig guts and blood over their mosques, pay huge bounties for informants to turn on their own people, use snipers to literally kill their morale.
Re: (Score:1)
Not every person in gitmo is a terrorist and the number that get released, that then decide to become (or continue being) terrorists is not general knowledge.
Doing a cursory Google search points to a far lower percentage (than 50%), and has further decreased over the years.
http://www.cbsnews.com/news/18... [cbsnews.com]
http://www.theguardian.com/us-... [theguardian.com]
So again I say "Citation needed"
Re: (Score:2)
"We have infected your implanted pacemaker with a virus. Your pacemaker will stop within 24 hours. Please send $100,000 by Western Union to the following bank account and we will remove the virus".
Re: (Score:2)
But that would qualify.
Which, making life-critical devices which are vulnerable to hackers to save money on security, or to ask people with insecure devices for money?
Re: (Score:2)
Besides, in the case of implanted medical devices it takes years and years of testing to get them to market. I had a relative in the industry whose company basically went bankrupt for that reason. They spent years testing in Germany with good success but eventually they ran out of money.
Adding proper security is probably a small portion of the total cost of development and I
Re: (Score:2)
I consider a willful act of doing harm to be worse than negligence.
Only on a case-by-case basis. For example, I'd consider widespread willful negligence that results in the deaths of thousands to be way more serious a crime than a serial killer who's reaching his second dozen victims.
Adding proper security is probably a small portion of the total cost of development and I doubt many device manufacturers would knowingly skimp in that area knowing how vulnerable they are to lawsuits. What is more likely to happen is that attacks get more sophisticated over time and products that did have reasonable security when implanted in your body 5 years ago, don't anymore.
That's not how security works, except security by obscurity. Bugs don't mysteriously appear in old code; they have always been there and are merely discovered. You can build code that is and will forever be resistant to network attacks (unless they find your password). I understand it's possib
Re: (Score:2)
I consider a willful act of doing harm to be worse than negligence.
Only on a case-by-case basis. For example, I'd consider widespread willful negligence that results in the deaths of thousands to be way more serious a crime than a serial killer who's reaching his second dozen victims.
You are talking about the severity and magnitude of outcomes. I'm talking about evil. Though they can be related, they aren't the same, at least not in my mind.
In your examples, the second is a worse outcome for sure but evil is strongly tied to intent. A guy who drives drunk and ends up killing 4 people is negligent and responsible. He should be punished and it would be quite understandable if the family of the victims hated him and never forgave him. He demonstrated exceptionally bad judgement and self
sounds like 1st degree capital murder to me (Score:2)
jury full of doctors, and a hanging judge, three cameras, and a satellite channel would make a real good reality show for hackers. I'll run sound or lighting for free, experience in local TV, prefer weekends so I can get back to my day job...
Re: (Score:2)
I assume the criminals who would do this have risen to a new level of evil, and there's a measurably higher reward to offset the high likelihood they'll get caught eventually.
I am imagining "Ransomware" evolves into "Racketeeringware"
Instead of "pay us this ransom ...." to infected users, they launch a campaign getting people to "Pay 400BTC in Exchange for protection"
The explanation being... the evil device hackers are killing people left and right, But if you pay this "protection charge", Your
"Mall modifications"? (Score:4, Funny)
I suppose it's inevitable that these devices would become a Target at some point. Security is a Hot Topic these days. Sak's to be a victim.
Also, Walmart.
Re: (Score:1)
Modifications to wearable tech won't be restricted to victims' PCs, it will be able to affect them in their Bed, Bath, and Beyond. Will a computer be even necessary? Or will people who don't even own PCs, like cookie-baking Mrs. Field's get a letter some day asking her to send a MoneyPak to some obscure location, lest her pacemaker start having "issues" one Tuesday Morning. Security has been through obscurity for so long with these devices, perhaps now that attacks are imminent we can stop blurring the lines
Smells like FUD (Score:4, Interesting)
Re:Smells like FUD (Score:5, Interesting)
Easily automated from anywhere in the world, hard to trace, and exploiting utterly useless security.
Honestly, this was pretty much inevitable.
The security of most consumer devices is pathetic and useless. The security of medical devices has been known to be almost non-existent for years now.
Humans are not intrinsically honest. It's time to stop pretending they are.
Re: (Score:2)
These kinds of devices should not run conventional operating systems that can run third-party software. They should probably use a model more like Cisco's where the OS and all software are contained in a single package, but taken a step further where better sanity-checking makes it even harder to crack.
Re:Smells like FUD (Score:4, Insightful)
I don't expect every company to build an OS .. that would pretty much mean we don't get any new devices and software ever.
But I do expect that companies not be so damned lazy when it comes to writing security, and that they be required to support OS updates and fix security holes ... you can't just say "nope, you have to stay on an ancient and unpatched OS because we can't confirm our stuff still works". And if you can't, you should lose any certifications the device has.
I've been saying for years the makers of consumer electronics need to be held to a higher standard when it comes to security, and to actually have some liability for it.
The makers of medical devices and cars and the like need to be held to a significantly higher standard than that.
But companies just rush some crap out the door and walk away.
Re: (Score:2)
This would be an ideal test of the idea we keep hearing that bitcoin is traceable through the blockchain. Ransomware as it exists today is already worthy of intense law-enforcement focus because it targets business and government. Having it target medical devices would throw the effort into overdrive,
Re: (Score:1)
I have heard from more than one PM the saying, "the only profit a lock ever made was for the lock maker".
The problem with security is that companies can get away with breaches without much, if any penalties. Look at the stock value six months after a major breach, and it usually is untouched, if not up slightly due to the "we are more secure than ever" PR the company slings. Even though it might be that the "more secure than ever" just means the Windows admin forced a change on all users across the AD for
Re: (Score:2)
Still it's a valid point as far as risk vs payoff...
easily infect 100k+ computers most of which will be used for entertainment many of which will never be reported to law enforcement or taken seriously if they are reported.
or a more difficult to infect life preserving device where almost 100% will be reported immediately w/ every report taken seriously and every report intensifying the search for the perpetrator.
Re: (Score:2)
The security of most consumer devices is pathetic and useless. The security of medical devices has been known to be almost non-existent for years now.
Agreed. And there have been exactly zero attempts to exploit that. Or at least so close to zero, it can successfully be concealed from the entire public. So no, not inevitable. This smells like FUD. The authors of malware take great pride in knowing about zero-day exploits. That's where the money is, generally speaking. This is the polar opposite. This is a 5 year exploit. Or possibly even older. And yet it hasn't been exploited. So what's going to be different in 2016? Short answer: nothing. T
Re: (Score:2)
I guess it is hard to actually do any blackmail of a specific person, as if it is known that a medical device is hacked, the owner of the medical device could just call medical service, and then they can survive it, unless of course the attacker also controls the devices of the ambulance etc. So it can really only be used for targeted murder, or for a less specific blackmail of the form "I have hacked 100 medical devices of people in your city. If you don't pay, I'll kill them one by one." sent to mayors or
Re: (Score:2)
I think it's a question of how likely are you to get caught and do you fear the consequences. Look at some of the historic mobsters for example. They had little concern about taking their illegal gambling, moonshine, and drug running into the realm of murder. Most of those guys knew they either would not be caught because they had resources equal to those working to contain them. That or they simply 'own' a large portion of the authorities via corruption.
The other case is you are already looking at very l
Re: (Score:2)
You would think these assholes are smart enough not to try this. One sure way to ramp up the investigations of these things is to switch from inconveniencing idiots that don't backup to murder.
Re: (Score:1)
For them human life is not so important as what they can ask from it.
Yeah, you'd think that ... (Score:2)
It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught.
Yeah, you'd think that. And some of them actually do think of that.
But many criminals don't think very well, or very far ahead. Not thinking about being caught is common. Not expecting to be seriously inconvenienced if they ARE caught is common also.
Think about it: How is "Send me a bitcoin or your insulin pump will deliver a fatal dose!" differen
Re: (Score:2)
It's Forrester and, for reasons, a long time ago we used to pay for some of their papers as well as some from Gartner. I've never compiled the data but I concluded that they were actually wrong more often than they were right when it came to their ability to make predictions.
DJ Kardio and the Beatskippers (Score:5, Insightful)
How about we don't put a network chip on a pacemaker, dumbasses.
Why would you ever need to communicate with it? Is there ever a time when you want your heart not to beat?
Re:DJ Kardio and the Beatskippers (Score:5, Informative)
Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.
Re: (Score:1)
Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.
Oh, that makes perfect sense to me. What I question is why you'd do something like put a wifi or bluetooth chip in a medical device. It seems to me like this would be something that you'd want to use near field communication for, and NOT leave the authentication set to a factory default.
Re: (Score:2)
you'd do something like put a wifi or bluetooth chip in a medical device
If you're talking about pacemakers specifically, you're just making shit up. Please stop.
Re: (Score:1)
C|N>K
And me without mod points. :(
Re: (Score:2)
Is there ever a time when you want your heart not to beat?
I feel that way when X-factor comes on and I don't have the remote.
Re:DJ Kardio and the Beatskippers (Score:5, Interesting)
How about we don't put a network chip on a pacemaker, dumbasses.
How about you don't take stupid fear-mongering from an inept "journalist" at face value? Pacemakers don't have a "network" chip or anything like that. They have a near-field communications system that can communicate with dedicated programming/data capture terminal. It makes little sense for any kind of ransomware on what amounts to a mostly offline device, where the owner doesn't have any means of accessing the data link or exposing it as an on-line node.
Re: (Score:2)
I've a sibling with a pacemaker but it's not in her heart - it's actually meant to keep her stomach gurgling. (She has a rare health issue with a name I am not going to try to spell.)
I don't think you know how these things work? They don't just walk into a room. They go into a room, a technician meanders over with a cart, and puts a device physically on the body and then still has to move this device in order to get it close enough to be connected.
Now, I don't want to speculate that all these pacemaker dev
Re: (Score:2)
Well, think about it ... if making any fine-tuning adjustments to the damned thing can be done via some form of wireless connection, or by way of open heart surgery ... which would you choose?
Honestly, having the ability to have it communicate with the outside world makes perfect sense. Having the damned thing have zero security on that path, that's utterly ridiculous.
The problem is so many of these things are just slapped in with no security, and just assume
Re:DJ Kardio and the Beatskippers (Score:4, Informative)
The problem is that people see "wireless" and think "wireless network a.k.a. WiFi". These devices are programmable using wireless communication, but they are not on WiFi. They communicate with a "programmer", a device that is placed on the patient and used to change the treatment protocols. The issue is that this communication is not encrypted and it is vulnerable to a replay attack. That means with a USRP module and some GNU Radio know-how, you can mimic the programmer device from a long way away. This lets you send commands like "disable treatment 1". The reason this is potentially lethal is that while the pacemaker cannot be turned off by the programmer, this is part of the UI, not part of the pacemaker! So if treatment 1 was the only one currently enabled, the UI would not let the doctor send "disable treatment 1" but the pacemaker would still accept that command should it receive it. But that's a slow kind of lethal. It just means that if the patient has an issue that needs correcting, the pacemaker won't correct it. This particular model has another thing it can do. It has a built in defibrillator. That way if the patient needs zapping, the pacemaker can be told to do it, rather than needing paddles (which would potentially fry the pacemaker). This mode is also activated by a wireless command. One that can be sent using a replay attack. Normally after a shock, the pacemaker would reestablish rhythm. But not if all treatment protocols are turned off.
So although these devices are hackable, it's not a remote hack unless you happen to hack a computer that's close to the patient, and that has a radio you can control with GNU Radio.
That's not to say these devices don't touch WiFi at all. To avoid frequent doctor's appointments, the hospital can give you a device that will connect to your home network and act as a relay. This doesn't let them reprogram the pacemaker remotely, what it does is transmit telemetry remotely so the doctor can check up on you daily without needing to schedule an appointment. As I understand it, this relay runs Windows XP and is full of holes (but I repeat myself). This lets hackers potentially access lots of confidential medical data, but doesn't let them kill you.
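The comment above describes two distinct defects: an unauthenticated programmer link that a captured frame can be replayed against, and a "never disable the last active treatment" rule that lives in the programmer UI instead of the implant. The model below, added here as an illustration and not code from any real pacemaker, programmer or vendor, shows both defects side by side with a hardened version. The frame format (`enable:N` / `disable:N`), the treatment table, the shared key and the challenge/response shape are all invented for the example; real implant telemetry protocols look nothing like this.

```python
"""
Added example: replay attack against an unauthenticated command link, and a
hardened variant with a per-command nonce plus HMAC and a device-side safety
rule.  Everything here (frame format, treatment numbers, key) is constructed
for illustration and is not taken from any real medical device.
"""
import hashlib
import hmac
import os


class NaiveImplant:
    """Accepts any well-formed frame exactly as received over the air.

    Two weaknesses, matching the comment: no authentication, so a captured
    frame replays cleanly; and no safety rule, so the only active treatment
    can be disabled (the check exists only in the programmer's UI).
    """

    def __init__(self):
        self.treatments = {1: True, 2: False}   # constructed sample state

    def handle(self, frame: bytes) -> bool:
        cmd, _, arg = frame.partition(b":")
        n = int(arg)
        if cmd == b"disable":
            self.treatments[n] = False
            return True
        if cmd == b"enable":
            self.treatments[n] = True
            return True
        return False


class HardenedImplant:
    """Challenge-response link: each command must echo a fresh device nonce
    and carry HMAC-SHA256(key, nonce || frame).  A replayed frame carries a
    consumed nonce and is rejected; a forged frame fails the MAC.  The
    'do not disable the last active treatment' rule is enforced here, in the
    device, not in the programmer UI.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.treatments = {1: True, 2: False}
        self.pending_nonce = None

    def challenge(self) -> bytes:
        """Issue a single-use nonce the programmer must sign over."""
        self.pending_nonce = os.urandom(16)
        return self.pending_nonce

    def handle(self, frame: bytes, nonce: bytes, tag: bytes) -> bool:
        if self.pending_nonce is None or not hmac.compare_digest(nonce, self.pending_nonce):
            return False                       # stale or unknown nonce: replay
        self.pending_nonce = None              # consumed whether or not tag is valid
        expected = hmac.new(self.key, nonce + frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                       # bad MAC: forgery
        cmd, _, arg = frame.partition(b":")
        n = int(arg)
        if cmd == b"disable":
            active = sum(self.treatments.values())
            if self.treatments.get(n) and active <= 1:
                return False                   # refuse to disable the last active treatment
            self.treatments[n] = False
            return True
        if cmd == b"enable":
            self.treatments[n] = True
            return True
        return False


def programmer_sign(key: bytes, nonce: bytes, frame: bytes) -> bytes:
    """What the legitimate programmer computes for a command."""
    return hmac.new(key, nonce + frame, hashlib.sha256).digest()


def replay_against_naive():
    """A frame sniffed from an earlier session is simply resent."""
    implant = NaiveImplant()
    captured = b"disable:1"                    # constructed: the only active treatment
    accepted = implant.handle(captured)
    return accepted, implant.treatments[1]     # (True, False): device obeyed the replay


def hardened_scenario(key: bytes = b"example-shared-key"):
    """Legitimate command, replayed command, forged command, and the safety rule."""
    implant = HardenedImplant(key)
    frame = b"enable:2"
    nonce = implant.challenge()
    tag = programmer_sign(key, nonce, frame)
    legit = implant.handle(frame, nonce, tag)
    replay = implant.handle(frame, nonce, tag)             # same capture, sent again
    nonce2 = implant.challenge()
    forge = implant.handle(b"disable:1", nonce2, os.urandom(32))   # no key, random tag
    fresh = HardenedImplant(key)                           # only treatment 1 active
    nonce3 = fresh.challenge()
    last = fresh.handle(b"disable:1", nonce3, programmer_sign(key, nonce3, b"disable:1"))
    return {"legit": legit, "replay": replay, "forge": forge,
            "disable_last": last, "treatment1_still_on": fresh.treatments[1]}


if __name__ == "__main__":
    print("naive (accepted, treatment1 on):", replay_against_naive())
    print("hardened:", hardened_scenario())
```

The nonce is what defeats replay; the MAC is what defeats forgery; neither helps if the rule about the last active treatment stays in the programmer's UI, which is why the hardened class checks it itself. A shared symmetric key is the simplest thing that works for the illustration, and it is also the hard part in practice: provisioning and protecting that key for the lifetime of an implant is a bigger design problem than the frame check shown here.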
Re:ignoramus question here... (Score:4, Insightful)
Why in hell is a pacemaker something accessible in any way to a random malware distributor?
Because it's a programmable electronic device and they are all accessible to sufficiently sophisticated malware by definition. There's no way around that unless everything that ever accessed the device was completely air-gapped, self-contained and hardened. Note that this would also preclude any sort of data I/O with PCs etc., making the whole thing almost useless.
have never had the ability or need to talk to the internet
They still don't. Read the original article carefully, and be able to rationally separate wheat from chaff, or, as it is here, sensationalist bullshit.
I Bet This Article Will Do As Much Damage... (Score:4, Insightful)
I bet articles like these are going to do more damage to people than any actual malware infections. How many people do you think are going to actually be walking around with an infected pacemaker? It's not like you can open up your chest and run Malwarebytes on the damn thing. So when some hospitals patient files gets hacked, and Joe Shmoe gets a phone call or an Email implying that if he doesn't pay up his heart will explode, he's going to be breaking out his checkbook just to be safe.
On the other hand, this is really just another reason to go with an external pacemaker.
Re:I Bet This Article Will Do As Much Damage... (Score:4, Insightful)
I'm almost certain that the article is in fact a set up piece that is there only to plant a seed of doubt in the hive mind of public opinion. I'm sure that if we do the due diligence it'll turn out that the article has been, very indirectly of course, made to be by the people who will later reap the benefits of extortion schemes that center on those with implanted medical devices. I'm not implying that the author is necessarily knowingly involved in this in any way, but merely has been artfully played by those who see the big picture. You don't need to actually do anything to the devices themselves, just steal a patient list or two from a poorly secured system somewhere, and send a bulk extortion email with a link to the fine article (and others like that) to bolster the legitimacy of the threat. If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.
Re: (Score:2)
If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.
If you think that anybody who's written or executed ransomware hasn't already thought about ransoming medical devices, you have an astonishingly low opinion of others. Just how smart do you think you are?
Anybody who's spent the time necessary to write ransomware and attempt to profit from it has had more than enough time to consider all the reasonable possibilities, even if it took somebody as *brilliant* as you 5 minutes to come up with this idea. This isn't some global super-conspiracy; this is as brillia
Re: (Score:2)
Are you seriously suggesting that highlighting the fact there are gaping security holes in these devices will make the problem worse? And you're suggesting that pretending it's not happening and not highlighting that the existing security is utterly pathetic is somehow better?
I seriously hope you don't work in computer security.
These things are already insecure, whether we talk about it or not. At least talking about it might cause someone to actually do something about it.
Three Words (Score:2)
Near. Field. Communications.
It seems pretty irresponsible to me that pacemakers and other implantable medical devices are accessible via WiFi and/or cellular data. Communication with the device in question should require a proximity measured in inches. Yes, it might still be possible with a strong transmitter and a sensitive receiver to extend that range to some tens of feet; but in that case the success of the attack is way less likely than one which can be launched from almost anywhere in the world.
Is there a CERT for medical devices? (Score:1)
Already exists (Score:1)
Medical ransomware already exists. It is euphemistically called "hospital billing system."
That'll teach grandma... (Score:1)
The manufacturers of those devices should be... (Score:2)
... required to pay for all of the damages caused by their stupidity.
Seriously, this could only work if you connected medical devices (incompetently) to a network. It could only work if you used some completely overcomplex operating system with far more features than you need.