Nothing is secure, not even drug infusion pumps in hospitals.
You see, the Internet of Things is the rapidly arriving era when all things are connected to each other and everything else via the Internet, from your Nest thermostat that measures and transmits everything that’s going on inside your house to your refrigerator that’s connected to Safeway and automatically transmits the shopping list, to be delivered by a driverless Internet-connected car with an Internet-connected robot that can let itself into your house and drop off the Internet-connected groceries while you’re at work.
Convenient? Convenient for hackers.
OK, someone hacking into your fridge and fiddling with the temperature setting to freeze your milk is one thing…. But we already had the first hacking and remote takeover of a car.
Researchers hacked into a Chrysler Cherokee via its Internet-connected radio system and issued commands to its engine, steering, and brakes until it ran into the ditch. Thankfully this exploit wasn’t published until after Chrysler was able to work out a fix. It then recalled 1.4 million vehicles. The “recall” was done just like the hackers had done it: via the Internet. So if Chrysler can modify the software via the Internet, hackers can too.
That was a week ago. Today, the National Highway Traffic Safety Administration warned that Chrysler’s supplier sold these hackable radio systems to “a lot of other manufacturers.” NHTSA head Mark Rosekind told reporters: “A lot of our work now is trying to find out how broad the vulnerability could be.”
Maybe better not drive your Internet-connected car for a while.
And yesterday, researchers demonstrated (video) how hackers could exploit a security flaw in a mobile app for GM’s OnStar vehicle communications system.
To top off the week, the Food and Drug Administration warned today that hospitals and other healthcare facilities should stop using Hospira’s Symbiq Infusion System, a computerized pump that continuously delivers medication into the bloodstream, because it’s vulnerable to hacking.
The FDA explained that the system communicates with a Hospital Information System (HIS) via a wired or wireless connection. The HIS is connected to the Internet. And thus, this pump is just one more thing on the Internet of Things.
“We strongly encourage” hospitals to “discontinue use of these pumps,” and do so “as soon as possible,” the FDA said.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (in government alphabet soup: ICS-CERT) is also “aware” of these cybersecurity vulnerabilities.
Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies.
So this could be deadly. Thank goodness, the “FDA and Hospira are currently not aware of any patient adverse events or unauthorized access of a Symbiq Infusion System….”
The first essential step “to reduce the risk of unauthorized system access”: “Disconnect the affected product from the network.”
In other words, there is no fix. Hence, unplug the thing from the Internet of Things, and then deal with the ensuing “operational impacts.”
“Cyber security” is a figment of marketing imagination. There is no such thing as a connected device that is secure. The best security measures only make a hacker’s job harder and more time-consuming, but not impossible.
We’ve already accepted, despite occasional outbursts, that we live in a seamless surveillance society. But the Internet of Things goes beyond surveillance; so this won’t be the only story of a cyber-vulnerability of a potentially life-threatening kind. But hey, greet the Internet of Things, and all the Silicon Valley hype and money that is sloshing around it, with open arms. We get it. This is going to be good for us.