By Ido Sarig
Last month, I had the opportunity to take part in the Amphion Medical Forum in Minneapolis, where the theme was security challenges facing Medical devices. Amphion is a forum that brings together thought leaders from academia, business, government and technology, which was founded to provide a medium for these visionaries to define solutions to some of the issues, such as safety and security, which affect the new interconnected economy, the “internet of things”.
I participated in a panel that discussed the challenges and risks posted by the latest generation of wireless medical devices, and how proper Fuzz Testing, such as the capability offered by Wind River Test Management in conjunction with our partner Codenomicon, can help alleviate some of that risk.
What really grabbed my attention was the opening session which consisted of a demo of hacking someone's Insulin Pump. It recounted a session given by Jay Radcliffe at this year’s Black Hat conference in Las Vegas. It was an enlightening session showing how vulnerable medical devices are to remote attacks carried out wirelessly, and honed in on the fact that device manufactures have to address two conflicting design goals - ease of use and security. Features added to facilitate programming and updates of the software, such as wireless communication and remote controls, open up new attack vectors which utilize these interfaces, and enable hackers to penetrate the system using venues previously unavailable to them.
But as interesting as this presentation was, a lingering question hung in the air - Why would anyone want to hack an insulin pump? And if no-one has an incentive to do this, perhaps we should not be concerned about these security vulnerabilities?
Radcliffe did it for what could possibly be termed “fun”- he is a security researcher, with both a professional interest in seeing if it could be done, as well as personal interest – as he has such a pump implanted in his body. But could somebody attempt to do something like this for financial gain? Sadly, the answer is yes. There are several such scenarios – starting with the ominous blackmail scenario: An unethical hacker could find such an exploit, and then blackmail the manufacturer, asking for huge sums of money in exchange for divulging the exploit’s details and keeping quiet about it. Or he could sell the exploit to a competing company, figuring out they would want to publicize a vulnerability in their competitor’s devices. But it doesn’t even have to be that sinister to work. Suppose an unethical hacker finds vulnerability in a device made by a public company. All they have to do is sell short that company’s stock, then publicize the vulnerability and wait for the inevitable stock price decline that comes after the media frenzy, to make a pile of cash.
The bottom line is that neglecting to thoroughly test your medical device for security vulnerabilities, thinking that no one will go through the effort required to hack for lack of incentive it is just plain wrong. If there is money to be made – and there clearly is – someone will do it.
For additional information from Wind River, visit http://www.facebook.com/WindRiverSystems.