Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security Medicine

Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016 (forrester.com) 108

An anonymous reader writes: A surge in ransomware campaigns is expected to hit the medical sector in 2016, according to a recent report published by forecasters at Forrester Research. The paper 'Predictions 2016: Cybersecuirty Swings To Prevention' suggests that the primary hacking trend of the coming year will be "ransomware for a medical device or wearable," arguing that cybercriminals would only have to make mall modifications to current malware to create a feasible attack. Pacemakers and other vital health devices would become prime targets, with attackers toying with their stability and potentially threatening the victim with their own life should the ransom demands not be met.
This discussion has been archived. No new comments can be posted.

Ransomware Expected To Hit 'Lifesaving' Medical Devices In 2016

Comments Filter:
  • by unimacs ( 597299 ) on Monday November 23, 2015 @10:43AM (#50985019)
    But that would qualify.
    • Would that be Darth Mall where I do my holiday shopping for medical truth extraction bots? What changes are they making?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them from neck until dead in public.

      • Anyone who willingly and knowingly infects a medical device with the purpose of causing harm is deserving of the death penalty. Full stop. These people are already a true menace, but medical equipment? This goes beyond the pale. Hang them from neck until dead in public.

        At the very least, classify the programmer of the malware as a terrorist, sikk Seal Team Six on him/her and send them to Gitmo.

      • by mikael ( 484 )

        "We have infected your implanted pacemaker with a virus. Your pacemaker will stop within 24 hours. Please send $100,000 by Western Union to the following bank account and we will remove the virus".

    • Isn't this often the case with the pharmaceutical and medical industry charging prices waaay beyond cost.
    • But that would qualify.

      Which, making life-critical devices which are vulnerable to hackers to save money on security, or to ask people with insecure devices for money?

      • by unimacs ( 597299 )
        The latter of course. There is a broad spectrum of misdeeds. I consider a willful act of doing harm to be worse than negligence.

        Besides, in the case of implanted medical devices it takes years and years of testing to get them to market. I had a relative in the industry whose company basically went bankrupt for that reason. They spent years testing in Germany with good success but eventually they ran out of money.

        Adding proper security is probably a small portion of the total cost of development and I
        • I consider a willful act of doing harm to be worse than negligence.

          Only on a case-by-case basis. For example, I'd consider widespread willful negligence that results in the deaths of thousands do be way more serious a crime than a serial killer who's reaching his second dozen victims.

          Adding proper security is probably a small portion of the total cost of development and I doubt many device manufactures would knowingly skimp in that area knowing how vulnerable they are to lawsuits. What is more likely to happen is that attacks get more sophisticated over time and products that did have reasonable security when implanted in your body 5 years ago, don't anymore.

          That's not how security works, except security by obscurity. Bugs don't mysteriously appear in old code; they have always been there and are merely discovered. You can build code that is and will forever be resistant to network attacks (unless they find your password). I understand it's possib

          • by unimacs ( 597299 )

            I consider a willful act of doing harm to be worse than negligence.

            Only on a case-by-case basis. For example, I'd consider widespread willful negligence that results in the deaths of thousands do be way more serious a crime than a serial killer who's reaching his second dozen victims.

            You are talking about the severity and magnitude of outcomes. I'm talking about evil. Though they can be related, they aren't the same, at least not in my mind.

            In your examples, the second is a worse outcome for sure but evil is strongly tied to intent. A guy who drives drunk and ends up killing 4 people is negligent and responsible. He should be punished and it would be quite understandable if the family of the victims hated him and never forgave him. He demonstrated exceptionally bad judgement and self

            • by unimacs ( 597299 )
              Sorry, meant to say that the thousands dying is a worse outcome, but a worse outcome is not always the result of more "evil" act.
    • jury full of doctors, and a hanging judge, three cameras, and a satellite channel would make a real good reality show for hackers. I'll run sound or lighting for free, experience in local TV, prefer weekends so I can get back to my day job...

    • It would also qualify as "stupid". The basic rule of thumb in internet crime is "do only that which isn't worth tracking you down for". Basic financial fraud is a nightmare to handle across juridictions, and no-one gets physically "hurt", so it rarely gets prosecuted. But serial killers tend to come up pretty high on Interpol's hit list, and if you're hacking pacemakers and insulin pumps, that's basically what you are.
      • by mysidia ( 191772 )

        I assume the criminals who would do this have risen to a new level of evil, and there's a measurably higher reward to offset the high likelihood they'll get caught eventually.

        I am imaging "Ransomware" evolves into "Racketeeringware"

        Instead of "pay us this ransom ...." to infected users, they launch a campaign getting people to "Pay 400BTC in Exchange for protection"

        The explanation being... the evil device hackers are killing people left and right, But if you pay this "protection charge", Your

  • by Anonymous Coward on Monday November 23, 2015 @10:45AM (#50985025)

    I suppose it's inevitable that these devices would become a Target at some point. Security is a Hot Topic these days. Sak's to be a victim.

    Also, Walmart.

    • by SeaFox ( 739806 )

      Modifications to wearable tech wont be restricted to victims' PCs, it will be able to effect them in their Bed, Bath, and Beyond. Will a computer be even necessary? Or will people who don't even own PCs, like cookie-baking Mrs. Field's get a letter some day asking her to send a MoneyPak to some obscure location, lest her pacemaker start having "issues" one Tuesday Morning. Security has been through obscurity for so long with these devices, perhaps now that attacks are imminent we can stop blurring the lines

    • Look here, my pacemaker can play an obviously pirated copy of Super Mario by streaming RF radiation directly into my TV antennae. Downside: it requires me to play non-stop to stay alive. In hindsight, perhaps I shouldn't have bought it at that mall kiosk... the surgery was free though, so it was hard to say no.
  • Smells like FUD (Score:4, Interesting)

    by The MAZZTer ( 911996 ) <megazzt@gmaNETBSDil.com minus bsd> on Monday November 23, 2015 @10:45AM (#50985029) Homepage
    It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught. Ransoming encrypted computer files is one thing. Murder is something else.
    • Re:Smells like FUD (Score:5, Interesting)

      by gstoddart ( 321705 ) on Monday November 23, 2015 @10:49AM (#50985047) Homepage

      Easily automated from anywhere in the world, hard to trace, and exploiting utterly useless security.

      Honestly, this was pretty much inevitable.

      The security of most consumer devices is pathetic and useless. The security of medical devices has known to be almost non-existent for years now.

      Humans are not intrinsically honest. It's time to stop pretending they are.

      • by TWX ( 665546 )
        It's only inevitable because the people creating these devices are using commodity operating systems that allow someone else's software to run on them.

        These kinds of devices should not run conventional operating systems that can run third-party software. They should probably use a model more like Cisco's where the OS and all software are contained in a single package, but taken a step further where better sanity-checking makes it even harder to crack.
        • Re:Smells like FUD (Score:4, Insightful)

          by gstoddart ( 321705 ) on Monday November 23, 2015 @11:13AM (#50985259) Homepage

          I don't expect every company to build an OS .. that would pretty much mean we don't get any new devices and software ever.

          But I do expect that companies not be so damned lazy when it comes to writing security, and that they be required to support OS updates and fix security holes ... you can't just say "nope, you have to stay on an ancient and unpatched OS because we can't confirm our stuff still works". And if you can't, you should lose any certifications the device has.

          I've been saying for years the makers of consumer electronics need to be held to a higher standard when it comes to security, and to actually have some liability for it.

          The makers of medical devices and cars and the like need to be held to a significantly higher standard than that.

          But companies just rush some crap out the door and walk away.

          • Re: (Score:3, Interesting)

            by Anonymous Coward
            I'm in the Healthcare industry and I'm working with a vendor who has said "We're not saying not to patch your device. We're saying that if you do, it will impact the speed at which we can resolve any issues that arise with it." Our doctors and staff here that and tell us not to patch it. That's crazy to me and I've heard from nearby hospitals that the same thing happens there.
          • by TWX ( 665546 )
            They might not need to write an OS from scratch, but they can choose from any of a number of non-commodity operating systems or kernels on which to build their software. These are single-purpose machines. They don't need an OS that's capable of running a word processor.
      • by fuzzyf ( 1129635 )
        Hard to trace? Just follow the money.
      • by Anonymous Coward

        I have heard from more than one PM the saying, "the only profit a lock ever made was for the lock maker".

        The problem with security is that companies can get away with breaches without much, if any penalties. Look at the stock value six months after a major breach, and it usually is untouched, if not up slightly due to the "we are more secure than ever" PR the company slings. Even though it might be that the "more secure than ever" just means the Windows admin forced a change on all users across the AD for

      • Still it's a valid point as far as risk vs payoff...

        easily infect 100k+ computers most of which will be used for entertainment many of which will never be reported to law enforcement or taken seriously if they are reported.

        or a more difficult to infect life preserving device where almost 100% will be reported immediately w/ every report taken seriously and every report intensifying the search for the perpetrator.

      • The security of most consumer devices is pathetic and useless. The security of medical devices has known to be almost non-existent for years now.

        Agreed. And there have been exactly zero attempts to exploit that. Or at least so close to zero, it can successfully be concealed from the entire public. So no, not inevitable. This smells like FUD. The authors of malware take great pride in knowing about zero-day exploits. That's where the money is, generally speaking. This is the polar opposite. This is a 5 year exploit. Or possibly even older. And yet it hasn't been exploited. So what's going to be different in 2016? Short answer: nothing. T

    • I guess it is hard to do actually any blackmail of a specific person, as if it is known that a medical device is hacked, the owner of the medical device could just call medical service, and then they can survive it, unless of course the attacker also controls the devices of the ambulance etc. So it can really only be used for targeted murder, or for a less specific blackmail of the form "I have hacked 100 medical devices of people in your city. If you don't pay, I'll kill them one by one." sent to majors or

      • It also is much harder to figure out the specific person who carries the hacked pacemaker. With normal ransomware, you don't have to know anything about the person who owns the hacked computer, since the same computer is delivering the ransom note. It does make a lot more sense to hold a city, a hospital, or the manufacturer to ransom.
    • by Maritz ( 1829006 )
      What I don't see in this instance is what is actually being ransomed. What files do you encrypt on a pacemaker?
    • by DarkOx ( 621550 )

      I think its a question of how likely are you to get caught and do you fear the consequences. Look at some of the historic mobsters for example. They had little concern about taking their illegal gambling, moonshine, and drug running into the realm of murder. Most of those guy knew they either would not be caught because they had resources equal to those working to contain them. That or they simply 'own' a large portion of the authorities via corruption.

      The other case is you are already looking at very l

    • You would think these assholes are smart enough not to try this. One sure way to ramp up the investigations of these things is to switch from inconveniencing idiots that don't backup to murder.

    • But you know, when terrorist that explode themselves are there, this is really a dangerous issue.

      For them human life is not so important as what they can ask from it.
    • TlL criminals are rational users of game theory who carefully evaluate the payoff tables.
    • It's my understanding that when you're committing a crime, the last thing you want to do is break even worse laws that will get you a worse sentence if caught.

      Yeah, you'd think that. And some of them actually do think of that.

      But many criminals don't think very well, or very far ahead. Not thinking about being caught is common. Not expecting to be seriously inconvenienced if they ARE caught is common also.

      Think about it: How is "Send me a bitcoin or your insulin pump will deliver a fatal dose!" differen

    • by KGIII ( 973947 )

      It's Forrester and, for reasons, a long time ago we used to pay for some of their papers as well as some from Gartner. I've never compiled the data but I concluded that they were actually wrong more often than they were right when it came to their ability to make predictions.

  • by Pseudonymous Powers ( 4097097 ) on Monday November 23, 2015 @10:51AM (#50985081)

    How about we don't put a network chip on a pacemaker, dumbasses.

    Why would you ever need to communicate with it? Is there ever a time when you want your heart not to beat?

    • There is programming that go into some of these devices, including pacemakers. I suspect it has to do with everyone's bodies being just a bit different and thus things like electrical signals/frequencies/etc are different and need to be accounted for to produce a monitoring pattern that is correct.
    • by cdrudge ( 68377 ) on Monday November 23, 2015 @10:57AM (#50985131) Homepage

      Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.

      • by Anonymous Coward

        Communication with an implant isn't uncommon. Diagnostics, monitoring, tweaking for optimal operation, etc. It's a lot easier to do checkups and make adjustments on a person when you don't need to open up the chest cavity.

        Oh, that makes perfect sense to me. What I question is why you'd do something like put a wifi or bluetooth chip in a medical device. It seems to me like this would be something that you'd want to use near field communication for, and NOT leave the authentication set to a factory default.

        • by tibit ( 1762298 )

          you'd do something like put a wifi or bluetooth chip in a medical device

          If you're talking about pacemakers specifically, you're just making shit up. Please stop.

    • by ebh ( 116526 )

      C|N>K

      And me without mod points. :(

    • Is there ever a time when you want your heart not to beat?

      I feel that way when X-factor comes on and I don't have the remote.

    • by tibit ( 1762298 ) on Monday November 23, 2015 @11:55AM (#50985635)

      How about we don't put a network chip on a pacemaker, dumbasses.

      How about you don't take stupid fear-mongering from an inept "journalist" at face value? Pacemakers don't have a "network" chip or anything like that. They have a near-field communications system that can communicate with dedicated programming/data capture terminal. It makes little sense for any kind of ransomware on what amounts to a mostly offline device, where the owner doesn't have any means of accessing the data link or exposing it as an on-line node.

    • Why would you ever need to communicate with it?

      Well, think about it ... if making any fine-tuning adjustments to the damned thing can be done via some form of wireless connection, or by way of open heart surgery ... which would you choose?

      Honestly, having the ability to have it communicate with the outside world makes perfect sense. Having the damned thing have zero security on that path, that's utterly ridiculous.

      The problem is so many of these things are just slapped in with no security, and just assume

    • by canajin56 ( 660655 ) on Monday November 23, 2015 @01:05PM (#50986093)

      The problem is that people see "wireless" and think "wireless network a.k.a. WiFi". These devices are programmable using wireless communication, but they are not on WiFi. They communicate with a "programmer", a device that is placed on the patient and used to change the treatment protocols. The issue is that this communication is not encrypted and it is vulnerable to a replay attack. That means with a USRP module and a some GNU Radio know-how, you can mimic the programmer device from a long way away. This lets you send commands like "disable treatment 1". The reason this is potentially lethal is that while the pacemaker cannot be turned off by the programmer, this is part of the UI, not part of the pacemaker! So if treatment 1 was the only one currently enabled, the UI would not let the doctor send "disable treatment 1" but the pacemaker would still accept that command should it receive it. But that's a slow kind of lethal. It just means that if the patient has an issue that needs correcting, the pacemaker won't correct it. This particular model has another thing it can do. It has a built in defibrillator. That way of the patient needs zapping, the pacemaker can be told to do it, rather than needing paddles (which would potentially fry the pacemaker). This mode is also activated by a wireless command. One that can be sent using a replay attack. Normally after a shock, the pacemaker would reestablish rhythm. But not if all treatment protocols are turned off.

      So although these devices are hackable, it's not a remote hack unless you happen to hack a computer that's close to the patient, and that has a radio you can control with GNU Radio.

      That's not to say these devices don't touch WiFi at all. To avoid frequent doctor's appointments, the hospital can give you a device that will connect to your home network and act as a relay. This doesn't let them reprogram the pacemaker remotely, what it does is transmit telemetry remotely so the doctor can check up on you daily without needing to schedule an appointment. As I understand it, this relay runs Windows XP and is full of holes (but I repeat myself). This lets hackers potentially access lots of confidential medical data, but doesn't let them kill you.

  • by ComputerGeek01 ( 1182793 ) on Monday November 23, 2015 @11:22AM (#50985349)

    I bet articles like these are going to do more damage to people than any actual malware infections. How many people do you think are going to actually be walking around with an infected pacemaker? It's not like you can open up your chest and run Malwarebytes on the damn thing. So when some hospitals patient files gets hacked, and Joe Shmoe gets a phone call or an Email implying that if he doesn't pay up his heart will explode, he's going to be breaking out his checkbook just to be safe.

    On the other hand, this is really just another reason to go with an external pacemaker.

    • by tibit ( 1762298 ) on Monday November 23, 2015 @12:03PM (#50985697)

      I'm almost certain that the article is in fact a set up piece that is there only to plant a seed of doubt in the hive mind of public opinion. I'm sure that if we do the due diligence it'll turn out that the article has been, very indirectly of course, made to be by the people who will later reap the benefits of extortion schemes that center on those with implanted medical devices. I'm not implying that the author is necessarily knowingly involved in this in any way, but merely has been artfully played by those who see the big picture. You don't need to actually do anything to the devices themselves, just steal a patient list or two from a poorly secured system somewhere, and send a bulk extortion email with a link to the fine article (and others like that) to bolster the legitimacy of the threat. If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.

      • by mcrbids ( 148650 )

        If the author hasn't been played in any way, then the damage is still done: the scammers just got a great idea they'll no doubt literally capitalize on.

        If you think that anybody who's written or executed ransomware hasn't already thought about ransoming medical devices, you have an astonishingly low opinion of others. Just how smart do you think you are?

        Anybody who's spent the time necessary to write ransomware and attempt to profit from it has had more than enough time to consider the all reasonable possibilities, even if it took somebody as *brilliant* as you 5 minutes to come up with this idea. This isn't some global super-conspiracy; this is as brillia

    • Are you seriously suggesting that highlighting the fact there are gaping security holes in these devices will make the problem worse? And you're suggesting that pretending it's not happening and not highlighting that the existing security is utterly pathetic is somehow better?

      I seriously hope you don't work in computer security.

      These things are already insecure, whether we talk about it or not. At least talking about it might cause someone to actually do something about it.

  • Near. Field. Communications.

    It seems pretty irresponsible to me that pacemakers and other implantable medical devices are accessible via WiFi and/or cellular data. Communication with the device in question should require a proximity measured in inches. Yes, it might still be possible with a strong transmitter and a sensitive receiver to extend that range to some tens of feet; but in that case the success of the attack is way less likely than one which can be launched from almost anywhere in the world.

  • I know there is US-CERT, and then ICS-CERT, anything dedicated to just medical devices?
  • by Anonymous Coward

    Medical ransomware already exists. It is euphemistically called "hospital billing system."

  • to look at porn on her pacemaker.
  • ... required to pay for all of the damages caused by their stupidity.

    Seriously this could only work if you connected medical devices (incompetently) to a network. It could only work if you used some completely overcomplex operating system with far more features than you need.

The brain is a wonderful organ; it starts working the moment you get up in the morning, and does not stop until you get to work.

Working...