The “Internet of Things” Gets Hacked To Smithereens

Nothing is secure, not even drug infusion pumps in hospitals.

You see, the Internet of Things is the rapidly arriving era when all things are connected to each other and everything else via the Internet, from your Nest thermostat that measures and transmits everything that’s going on inside your house to your refrigerator that’s connected to Safeway and automatically transmits the shopping list, to be delivered by a driverless Internet-connected car with an Internet-connected robot that can let itself into your house and drop off the Internet-connected groceries while you’re at work.

Convenient? Convenient for hackers.

OK, someone hacking into your fridge and fiddling with the temperature setting to freeze your milk is one thing… But we already had the first hacking and remote takeover of a car.

Researchers hacked into a Chrysler Cherokee via its Internet-connected radio system and issued commands to its engine, steering, and brakes until it ran into a ditch. Thankfully this exploit wasn’t published until after Chrysler was able to work out a fix. It then recalled 1.4 million vehicles. The “recall” was done just like the hackers had done it: via the Internet. So if Chrysler can modify the software via the Internet, hackers can too.

That was a week ago. Today, the National Highway Traffic Safety Administration warned that Chrysler’s supplier sold these hackable radio systems to “a lot of other manufacturers.” NHTSA head Mark Rosekind told reporters: “A lot of our work now is trying to find out how broad the vulnerability could be.”

Maybe better not drive your Internet-connected car for a while.

And yesterday, researchers demonstrated (video) how hackers could exploit a security flaw in a mobile app for GM’s OnStar vehicle communications system.

To top off the week, the Food and Drug Administration warned today that hospitals and other healthcare facilities should stop using Hospira’s Symbiq Infusion System, a computerized pump that continuously delivers medication into the bloodstream, because it’s vulnerable to hacking.

The FDA explained that the system communicates with a Hospital Information System (HIS) via a wired or wireless connection. The HIS is connected to the Internet. And thus, this pump is just one more thing on the Internet of Things.

“We strongly encourage” hospitals to “discontinue use of these pumps,” and do so “as soon as possible,” the FDA said.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (in government alphabet soup: ICS-CERT) is also “aware” of these cybersecurity vulnerabilities.

Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.

So this could be deadly. Thank goodness, the “FDA and Hospira are currently not aware of any patient adverse events or unauthorized access of a Symbiq Infusion System….”

The first essential step “to reduce the risk of unauthorized system access”: “Disconnect the affected product from the network.”

In other words, there is no fix. Hence, unplug the thing from the Internet of Things, and then deal with the ensuing “operational impacts.”

“Cyber security” is a figment of marketing imagination. There is no such thing as a connected device that is secure. The best security measures only make a hacker’s job harder and more time-consuming, but not impossible.

We’ve already accepted, despite occasional outbursts, that we live in a seamless surveillance society. But the Internet of Things goes beyond surveillance; so this won’t be the only story of a cyber-vulnerability of a potentially life-threatening kind. But hey, greet the Internet of Things, and all the Silicon Valley hype and money that is sloshing around it, with open arms. We get it. This is going to be good for us.




  18 comments for “The ‘Internet of Things’ Gets Hacked To Smithereens”

  1. Neil Dunn says:

    If I am not mistaken, in Cliff Stoll’s “The Cuckoo’s Egg”, the hacker entered the system at least once via a Radiology department piece of equipment. The Wikipedia link is below but this is not mentioned.

  2. CrazyCooter says:

    If a device is connected to a network, then it implies the device “talks” to the network. By fact of doing so, there is a distinct combination of bits that will produce a behavior/outcome on the attached device. Discovering which combination of bits does what on the device could be thought of as “hacking”, depending on the intent.

    My point is *everything* on the network is hackable. Just like walking down the street means you are “muggable”. Maybe it never happens, but it could. The point at issue is how long does it take to get hacked (mugged) and at that point, what could be accomplished.

    A secure system might only be compromised once in a long period of time, but the nature of the beast is that security is down the list of priorities in most cases and society relies on lots of technology that isn’t really secure. Hell, many technologies MONETIZE insecurity, such as cell phones where the users are the product (and they think the phone is the product).

    Personally I am surprised we haven’t had more issues nationally than we have had. As a professional engineer in the “technology” industry, I like pen/paper type solutions and avoid as much complexity as I can. Sometimes the greatest joy is a nice walk in the rain forest out of cell range. It reminds me how beautiful the world could be after we are done screwing it up and long gone.
    P.S. Posted with 99% renewable electricity – at least my bit. :-)

    • Petunia says:

      As a software professional I have issues with the internet of things. Assuming that the internet of things becomes secure, they are collecting a lot of totally useless data. Do they really need to know how many times I open my refrigerator? Maybe. So, when they know that on average a person opens their refrigerator 20 times a day, and they know how much energy it actually uses, and maybe what is in it. The question then becomes was it worth all the energy, bandwidth, data storage capacity, and analysis? I don’t think so.

      The tech industry is accumulating data because it can and not because it makes any sense. Just like the govt. In the long run they are degrading all the network infrastructure with unnecessary crap. When vital information needs to compete with data from toasters you land up with highly unreliable networks.

    • Vespa P200E says:

      My 2nd job out of college after co-op stint at breast implant company and BK’ed storage head company was working for at the time very innovative and compact 3-channel IV pump in the late 80’s. We hooked up clunky Toshiba laptop with black/white LCD screen to each pump to program and test it. Even back then we knew that anyone with laptop with parallel or RS232 port can hack it. I’m sure it’s worse now if the pump is connected to hospital/clinic network and program the pump to 999 ml/hr otherwise known as “runaway”…

  3. MC says:

    One thing I see continuously is how low in the scale of priorities cyber security ranks, especially for firms which stand to lose a lot from information theft.

    GE had to be prodded into action by US authorities: after all, as a key defense contractor, nobody wants their secrets to fall into Chinese hands as Lockheed’s did.

    You see, the bulk of hacking is not aimed at obtaining juicy gossip or immense volumes of data. Most of it is aimed at something very specific: internal memo on a firm’s financial and commercial plans, R&D data on a single project, vulnerabilities inside a product a firm knows and is trying to keep from the public etc.

    Part of this activity is conducted directly by intelligence agencies or by individual hackers with their own authorities’ blessings: Israel and China practice this art with particular gusto to allow their own firms to gain a hedge over foreign competitors.

    But the rest is conducted by independents, inevitably for the same reason: money.
    Some hackers operate under what can be called a contract: they are tasked by Firm X to steal some of their competitor’s, Firm Y, secrets.

    But the bulk are freelancers. They patiently worm their way through corporate networks and look for material that can be sold to the highest bidder.

    The beating heart of this market is Bangkok: here information pilfered from corporate networks (mostly by hackers, but employees out for a quick buck are also well represented) is bought and sold, sometimes for enormous sums of money. A hacker that can pull a couple of good coups can retire and live the rest of his life in comfort without working a single day again.

    Thai authorities have proven unable or unwilling to crack down on this shady market. Corporations themselves are ambiguous to say the least: on one side, nobody likes his networks pried open and secrets stolen, but on the other this sort of intelligence can give a massive hedge over rivals.

    The choice of Bangkok is not incidental: Thailand has long been one of the prime hubs for Japanese companies, whose sogo shosha (literally “trading house”) also act as their eyes and ears around the world. In a way it can be said the sogo shosha were the first “corporate intelligence agencies”, with Mitsui Bussan already active in the business worldwide before WWI. I am not saying the sogo shosha themselves engage in this sort of unsavory behavior, but it’s surely a remarkable coincidence.

    • Petunia says:

      Pretty soon the sheer volume of foreign tech workers in IT will make corporate espionage impossible to contain. I can’t wait for the new theme park to open in India just like the ones in America. Serves them right. Copyright that!

  4. Dan Romig says:

    A good case in point is the Samsung ‘Smart’ TV that is recording audio and video information as long as it is plugged into an AC power supply. My folks have a ‘Smart’ Panasonic plasma TV that’s hooked up to Netflix via WiFi, and they like the convenience, but is their privacy compromised? My four year old Panasonic plasma does what I tell it to do (quite well) and nothing more.

    The auto industry is fighting for control of who gets and owns the data from ‘Smart’ cars, and again I wonder why a driver wants/needs to have their iPhone or Android phone connected to their new BMW or Audi.

    Finally, a ‘Smart’ refrigerator? Come on people, plug in your fridge and set the thermostat manually from the inside. Why the hell does a refrigerator need to do anything more than keep your food and drinks cool?

  5. Julian the Apostate says:

    I remember a report a while back that the Regime in Washington put out a decree that starting with the 2017 models all cars must be “smart” cars that can “converse” with each other to avoid collisions etc. (it’s ALWAYS about safety and security). I guess I won’t be buying cars new after 2016. As a 34 year driver with 4 million miles under my belt (and a million mile safe driving award) I resent the accident avoidance crap now pretty much standard on new trucks, and this truck rats me out with a Reportable Event if something happens that it doesn’t like: jamming on the brakes or swerving hard because someone cuts me off. The radar is better now than when they were introduced so it’s not braking for phantoms or low bridges much any more, and I’ve learned its foibles, but I miss the dumb trucks that just did what I told them.

    • Dan Romig says:

      Yes sir! My mint condition Lexus SC 400 is twenty years old, and it has ABS and traction control, but that’s about it. Turn the key, start the motor and drive. She’s paid for and I have a back-up donor parts car. I reckon I’ll keep Big Brother out of my car and motorbike damn it!

      • unit472 says:

        Ah, the days of the ‘key’. If I wanted an extra car key I could go to any key shop and have one made for $10 or less. My 2008 Nissan Titan had a chip in the key so it cost $80 to have another one made. My 2015 Mazda doesn’t have a key, it has a cumbersome fob-like device that costs $450 to replace (a fact the dealer made sure I was aware of when I was refusing his $50/month deluxe warranty). So I can unlock the door from 25 feet away; how does this really help me, the owner? I suppose it makes it harder for thieves to steal the car as they can’t ‘punch’ an old style keyed ignition switch and start the vehicle, but that is about the only ‘advantage’ to these gizmos I can detect.

        Your car and cell phone can already convict you in court. Your airbag accelerometer will tell them how fast you were going to within 1/10 of a mph for the 3 seconds before a collision and your cellphone will tell if you were using it when the accident occurred. Just ahead is the car that will squeal on you if you are speeding or making an illegal U turn. No need for traffic cops if your car will report your violation and cite you. Oh, and GPS will help your spouse determine if you really were working at the office like you said. I bought a cellphone jammer when they put those on our company vehicles a few years ago, ‘for our safety’ of course, but it wasn’t long before people were being called into a ‘supervisor’s’ office to explain why they weren’t where they were supposed to be. It showed my location was wherever I was when I turned it on. It was amusing when I’d get a call from the office asking my location because they couldn’t track me via GPS, of course ‘for my safety’. When I said I was 20 miles from where they thought I was, I convinced them there must be blind spots out in the far west end where I worked, which was partially true since our radios didn’t always work out there. Just between friends, a good 4G cell phone jammer (not a pocket one) will shut down a police computer too so they can’t do a warrant check on you (not that I had any… honest) if you get pulled over. Our vehicles (utility) had the same computer systems as the police (I’d jam mine so they couldn’t add any work to mine when I was coming back to HQ).

        I retired about 6 months after I got my jammer. I was going to tell others about my protective bubble but realized it would be best to just take my secret with me.

  6. Vespa P200E says:

    I read on SFGate (SF newspaper website) this morning that MSFT is following the “do no evil” GOOG the big brother collaborator with sort of trojan built into Win 10:

      “By default, Microsoft collects a whole bunch of information from you and anonymously shares it with advertisers. If you sift through Microsoft’s privacy statements, that includes the content of emails, instant messages, documents uploaded to OneDrive, the searches you do with Bing, and so on.”

      Yep, today young and old are so complacent about phone, PC, etc. to track our movements and not appreciating privacy, slowly but surely allowing the Big Bro the government to track and control the sheeple. Already happening with liberal media doing what its handler DNC wants them to do.

  7. Christopher says:

    I love how the smart fridge is always the go to example (no offence to you of course Wolf, yours was satire). It’s so f*cking boring! For all their “disruption” Silicon Valley has no imagination. They get this cool technology and come up with the most mundane, consumerist applications for it.

    In terms of security, cryptos could help. What makes them secure isn’t necessarily the encryption, it’s the fact that it’s unprofitable to hack/cheat. The energy it takes to hack is less than what you get back from your hacking exploits. Perhaps the internet of things could benefit from this kind of mechanism. Or we just ditch the idea as novelty and concentrate on actually helping lives. That’s pretty alien to silicon valley though. How are photo sharing apps still being funded!?

    • Jungle Jim says:

      Careful there. Do not rely on encryption. Even accepting the premise that encryption will keep other people from reading your data, what if the idea is not to steal your data, but rather to damage or destroy it ?

      Now, you might ask who would do such a thing ? Oh, how about North Korea, ISIS, Iran, Russia, or China, and there are others too. If the political situation deteriorated, one of them might easily decide to attack the Internet itself and with it, the power grids, the air traffic control system and all sorts of other juicy and basically unprotected targets. Your refrigerator would be the least of your problems.

      The trouble is that so far, we have treated hacking as sophomoric pranks even though a lot of it wasn’t. We had damn well better wake up and smell the coffee.

      • Christopher says:

        That’s what I was saying. Encryption isn’t the smart thing about Bitcoin, it’s the economics of power consumption and value that makes it prohibitively expensive to hack or cheat. This concept perhaps could be applied to the internet of devices, or at least use crypto currencies as the base. It was a theory.

        Crypto currencies also have the ultimate security of not associating identity with usage/transactions. The only way to not get hacked is to not create the data in the first place.

    • Petunia says:

      I read a story a few months back about a person who got a visit from the feds for spamming. It seems someone hijacked his smart refrigerator and used it as a relay for his spam advertising. Boring you say.

  8. JP Frogbottom says:

    Certainly, our reliance on computers came first. Security concerns came next. Do I “need” mobile banking? A “smart meter” on my electric service, a smart coffee maker, frig, toaster, or even a smart clock radio to wake up by? No, but can I AVOID them in today’s manipulated world? I try: no smart phone, a car so old it is truly ‘dumb’, and no enabled smart anything in the home.

    My fears of getting hacked, well those belong with the former employer -the US government- who has been unable to retain its own data. Jerks, but then they refunded by congress- Bigger Jerks!

  9. Mark says:

    Most of these ”smart” items are just little more than marketing ploys to split you from your money. That’s all it is. Just like ”apps”. It’s a program, people, but let’s make a snazzy name for it and market it as something cool and new.

    I think in the end the internet itself will crash. The internet is so full of useless data and nonsense that it will reach a point where the current infrastructure won’t be able to support it any longer and it will just crash. And I’m sure the conspiracy people will have a field day when that happens.
