"Security by obscurity is a dangerous design approach"
Indeed
But very cheap.
Although it's quite surprising medical devices are just as stupid about it as the usual IoS webcam and thermostat makers.
A global research team has hacked 10 different types of implantable medical devices and pacemakers finding exploits that could allow wireless remote attackers to kill victims. Eduard Marin and Dave Singelée, researchers with KU Leuven University, Belgium, began examining the pacemakers under black box testing conditions in …
I don't find it very surprising at all - the designers simply never considered security to be important because that's not the way that they think; they are building a device that has to get through FDA software testing, which is much more concerned about reliability and ensuring that things cannot go wrong. Adding security simply increases the complexity and requires additional testing/verification that offers no commercial benefit, so the KISS principle rules.
Realistically this is "silly" at a basic level but assuming that you have a fail-safe design without external malevolent actors I think it's quite low risk on any individual basis. Given the cost and complexity of the attack vector, if you've really got a beef with the target it's much cheaper and easier to shoot them.
UNLESS you're trying to make it look like a heart attack, in which case money may not be an object because life insurance and a large inheritance may be at stake. People will pay to make death look like an accident since it means they get away with it.
Compounding the failure of security by obscurity was the "proprietary communication protocol".
What are the thought processes that lead to "Let's make it up ourselves", instead of "I wonder if someone has done this before."?
When is someone going to realize that in the IoT world security is a USP - something they can make money out of!
"It's wifi-enabled, and we did it securely, following open security standards"
"It's wifi-enabled, and we did it securely, following open security standards"
That's the marketing spin, but we all know that the reality is "our junior programmers tell us they did it securely, after reading the open security standards on the way home from the pub"
Time to go off and start making 'faraday vests' for the folks who have to use these devices.
I'm thinking 50% cotton and 50% steel wool. Due to the use of steel, you can't wash them as they will rust, so I'll adopt the razor blade approach of requiring a new one every week.
Profit !!!!
Seriously though, when are manufacturers going to realise that there is an expected minimum in the products that they design?
Seriously though, when are manufacturers going to realise that there is an expected minimum in the products that they design?
As soon as there is a legally enforcible expected minimum, which won't happen until someone in power is affected. Fortunately, people in power tend to be older, so are more likely to have a need for such devices, and so be affected by these vulnerabilities.
Under a strict interpretation of local weapons laws, in my area this would count as "defensive clothing" and would be illegal to wear without somehow magically getting the police to issue you a concealed firearms permit (hint: they don't unless you're wealthy and famous).
Without consequences greater than the profit being made, and the profit is huge, there will always be security problems.
Worse yet, in this case the whole health industry, at least in Canada, is designed to hide and not report problems. If someone was to die as a result of the medical equipment failing to protect them from mistakes, information gathering, or even an attack, the death would be blamed on the health of the patient. Finding out otherwise takes considerable effort, power and money.
Once you've seen this first hand you will know that those telling you there are systems in place to track and record such causes of death are at best misinformed or at worst complicit.
Simple. Given the costs it's cheaper to bribe everyone and cover each other's kiesters when a problem DOES arise. Any attempt to use a third party (including the government itself) can have the same result because it could be THEIR turn in the hot seat next.
IOW, it's a cartel. No one wants to play by the rules because it saves mucho dinero to cheat. And with the money involved, they can play the lawyers, judges, and lawmakers to smooth over any issues.
To summarise, a technically sophisticated attacker can cause serious consequences, possibly death, to a patient up to 5 metres away.
So what? A technically sophisticated attacker within 5 meters can kill anyone at all.
Why is this considered surprising or concerning?
A pacemaker is in the highest risk category of medical devices (class III) and the design, risk management and testing will have been looked at in detail. The risk management will have included hacking scenarios, but it was probably considered that if an attacker needed to be within 5 metres, needed special equipment and needed to be technically sophisticated, the risk was acceptable. At the end of the day, if any of us are targeted by a determined and sophisticated attacker who has physical access to us, then we are in trouble.
They're going to have a hard job making it look like an accident when the evidence of tampering is all over the device logs.
This is one of those lovely security scares where yes, you could do something but it's complicated, specialist and expensive and leaves a lot of evidence behind.
And they fail to mention that they could use a strong magnetic field (or strong RF source) in similar conditions and obtain similar results without the evidence trail or the same complexity.
But to security researchers every problem is a security problem.
"They're going to have a hard job making it look like an accident when the evidence of tampering is all over the device logs."
Pretty sure a clever git could construe the incident and spread it out over time to hide the tampering and slip it under the radar. Or perhaps find a way to pwn the device and tamper with the logs.
"Given that pacemakers are completely enclosed in a meatbag during normal operation, the actual range may be a bit less."
Given the equipment is both a bit exotic and pretty powerful, not to mention the receptors for these things are usually just under the skin to facilitate transmission, I'm inclined to believe the range is such INSIDE a person. Outside, I think the range would be much greater.