This headline was all over the internet and news this weekend, with the pump in question being a medical infusion pump that automatically administers dosages of medication to patients in a hospital. A vulnerability was identified that would give ‘hackers the ability to access the pump remotely through a hospital’s network’, according to the FDA. A hacker would be able to take remote control of the device and change the dosage of medication being administered. As part of the reporting, many of the cable news shows starting showing a clip from the Showtime TV show Homeland. In the episode, terrorists hack into the Vice President’s pacemaker, force his heart rate to increase, and effectively assassinate him via remote control.
My wife and I had recently seen that episode while binge watching the show (yes, I know it’s been on 4 seasons already, we are a little behind). That particular episode had hit a little close to home. In the spirit of full disclosure, I have a pacemaker which I discussed this last year in an article on Information Week ‘Internet of Things – It’s All About the Ecosystem’. As we watched the episode, my wife had turned to me then and asked, “That can’t really happen, can it?” At a personal level, fortunately not, as my particular device is ‘old technology’ and does not connect to a network. However, I did explain that newer medical devices, being fully functioning members of the Internet of Things universe, are a different story.
It’s Not Just About the Data Anymore
Medical devices are just one of many examples of how the Internet of Things is changing the game. The game I’m talking about is the hacking game. Normally, when we hear about hackers in the news, it’s on a large macro scale. Huge amounts of data stolen from large corporations, or even the government, with the recent hack of the U.S. Office of Personnel where the information of over 21 million people were breached. Hackers attack a single location to retrieve large amounts of information, but the medical device risks discussed above are different. Those risks are on a micro scale, targeting an individual device, more so, targeting an individual. In this paradigm, the hacker is starting with a large amount of devices, looking for a single location.
Medical devices are not the only Internet of Things devices making news about this potential risk. Some recent examples include:
- Baby Monitors – Baby monitors are now wireless and have webcams built in. In April of this year, 2 separate incidents were reported by parents of someone remotely accessing their monitors, and tracking the parent’s movements in the baby’s room. One couple reported hearing a man’s voice saying “Wake up baby, daddy’s coming for you”.
- Smart Cars – Cars are probably one of the bigger ‘Things’ in the Internet of Things. Remote and wireless access to various features is becoming very popular. Then in July, a hacker remotely accessed a Jeep while it was traveling at 70 MPH, with the drivers for knowledge. Without the driver touching controls, air conditioning came on, radio changed stations, and a picture of the hackers appeared on the video display of the vehicle. It should be noted, Chrysler has now issued a recall of 4M vehicles as result of that event.
No, the Sky is Not Falling
While some of these stories, and the possibilities they discuss can be disturbing, this is not meant to be an “The Internet of Things will be the downfall of humanity’ type of discussion. I will leave that to the groups discussing things like how AI will destroy us all. I bring it up to point out, that the Internet of Things is a disruptive technology. Like any disruptive technology, it can turn existing viewpoints and paradigms on their head. We need to be prepared for that. The Internet of Things is not going anywhere anytime soon. One respected industry analyst predicts that there will be 4.9 Billion (with a B) connected ‘Things’ by the end of this year; that is up 30% from last year! They further predict that the number of ‘Things’ will exceed 25 Billion in another 5 years. No matter how you view it, that’s a lot of devices, in our homes, in our workplace, on our bodies.
As technologists, we need to look at security from a different perspective. We have to think about the potential hackers differently. In the old paradigm, it was protect the data, protect the boundaries of the data centers. That is still valid and needs to be done. In addition, we need to look at protect the individual device and its functions. Hackers may no longer just target a single point to get lots of data. They may target lots of devices just to get access to individual points. Why? Motives could be many, ranging from non-malicious ‘proving they can’ types of attacks, to malicious intent to cause harm. When designing and implementing security on these devices, we must look at it through both lens.
Users also need to be educated in the proper use of the devices they have. Last year for example, there was a website that made national news. They linked to over 73,000 security webcams worldwide. How were they able to do that? Each one of the cameras were still running with the default username/password they were shipped with! They effectively left the car parked, unlocked, with the keys in the ignition!
No Technology Negates the Need for Good Planning and Design
The Internet of Things is bringing us wonderful capabilities, services, and conveniences, some of which we may not even recognize. As with any disruptive technology, there are tradeoffs and risks associated with those conveniences. As technologists, it is up to us to help plan and design for those risks, mitigate and educate. Security in the world of technology is always a delicate balancing act between access, usability, and protection. The risks just must be understood and appropriate measures must be taken to ensure the proper balance is maintained.