I’m so excited to share my insights of future technology, security and privacy. In today’s world, we more connected than two decades ago and we exchange tons of sensitive information in the internet, via WiFi or BluTooth.
“If We’re Going To Be Connected, Then We Need To Be Protected”
Last January, 2015 President Obama said, he wants the federal government to do more to prevent cyber attacks. He outlined a series of proposals designed to safeguard personal data.
Recognizing the direct risk to the economic security of not only to United State of America but also the whole-wide connected world. Realizing the grim reality of our world today, the technology we use everyday like smartphones, smart cars and smart medical devices. oh yeah, if you’re not aware of your car capability or the medical devices that your sick family member have been using for many years like pacemaker — you should start to asking question:
How about your Implantable Medical Device (IMD) start connecting wirelessly and start transmitting data and receiving instruction?
Or your moderately modern car start acting weird and start driving by itself (Self-parking feature – Active Park Assist)?
“we shouldn’t have to forfeit our basic privacy when we go online to do our business”
When it comes to privacy, security and risks, businesses have had to make some significant shifts with the advent of new technologies and computing paradigms. Twenty years ago, security was like an M&M or Tootsie Pop. But the newest hurdle may be the toughest one of all to clear. Forget about networked printers and iPhones.
What do you do when the coffee maker and refrigerator in the break room come equipped with hidden spambots and WiFi access? or A Researchers have already hacked a building control system at Google’s Australia office. Does that make you think twice about installing a Nest thermostat on your premises? What happens when workers’ watches and glasses—even their suit coats and dress shoes–are connected to the Net?
That’s the Internet of Things— the “network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment,” according to Gartner–and it is expected to be the greatest challenge facing organizations during the next decade.
“Now, it is still early when it comes to the Internet of Things, but it is clear that change is afoot,” said Edith Ramirez, chairwoman of the Federal Trade Commission, at the FTC’s November Internet of Things workshop. “Five years ago, for the first time, more things than people connected to the Internet.”
Today we are going to find out how our future look like in the next 5 to 10 years
One of the are we going to discussed is the Medical Industry and its advancement. Protecting implantable medical devices against attack without compromising patient health requires balancing security and privacy goals with traditional goals such as safety and utility.
Implantable medical devices monitor and treat physiological conditions within the body. These devices—including pacemakers, implantable cardiac defibrillators (ICDs), drug delivery systems, and neurostimulators—can help manage a broad range of ailments, such as cardiac arrhythmia, diabetes, and Parkinson’s disease (see the “Pacemakers and Implantable Cardiac Defibrillators” sidebar).
Implantable Medical Devices (IMDs) pervasiveness continues to swell, with upward of 25 million US citizens and tens of millions more world wide currently reliant on them for life critical functions. Growth is spurred by geriatric care of the aging baby-boomer generation, and new therapies continually emerge for chronic conditions ranging from pediatric type 1 diabetes to anorgasmia and other sexual dysfunctions.
Moreover, the latest IMDs support delivery of telemetry for remote monitoring over long-range, high-bandwidth wireless links, and emerging devices will communicate with other inter-operating IMDs. Despite these advances in IMD technologies, our understanding of how device security and privacy interact with and affect medical safety and treatment efficacy is still limited.
Established methods for providing safety and preventing unintentional accidents (such as ID numbers and redundancy) don’t prevent intentional failures and other security and privacy problems (such as replay attacks). Balancing security and privacy with safety and efficacy will become increasingly important as IMD technologies evolve. To quote Paul Jones from the US Food and Drug Administration, “The issue of medical device security is in its infancy.
This is because, to date, most devices have been isolated from networks and do not interoperate. This paradigm is changing now, creating new challenges in medical device design”.
“you can create a software that will shut off the pacemaker or ICD, or reading and writing to the memory of the device…”
Today’s IMDs technologies are entrusted with vital tasks in terms of medical care: delivering insulin or painkillers at proper rates, measuring and collecting data on the vital signs and passing it on to doctors and nurses, and direct stimulation of an organ’s critical function, as the case is with pacemakers.
IMDs are like computers or your smartphone that not only have hardware but also have an elaborated software core at their disposal: “A pacemaker may depend on more than 80,000 lines of code to keep it going, and a magnetic-resonance imaging (MRI) scanner more than 7m lines.”
These mechanisms are considered de facto essentially embedded PCs, the biggest question of security pops up in an instant – are these devices secure? In a way, their proximity to computing devices exposes them to all security flaws characteristic of mainstream technology. Incidents are inevitable. Sometimes they entail grievous and fatal consequences, as the case was in the 1980s when the bad software design supporting one kind of radiotherapy machine caused emission of massive overdoses of radiation rays on several patients, taking the life of at least five of them. In a more recent case, security researchers exposed software vulnerabilities in modern X-ray machines. On the other hand, sabotage is a possibility to be reckoned with, especially given how so many devices today are interconnected and remotely configurable.
Pacemakers as IMDs have been around since 1958, but their evolution took a dramatic turn around 2009 when they became part of the Internet of things. IMD such as insulin pumps and defibrillators possess wireless connections for doctors and technicians to download data (e.g., timing of insulin doses; frequency of heart-shocks) or make updates or modifications without requiring surgery.
The wireless feature of IMDs is useful from a medical point of view. Without it, these apparatuses cannot be fixed remotely, nor can they start up their warning function to alert a medical person if it is out of order; let’s say there is a burned wire or short circuit.
Another reason why all implantable devices are open to the radio controlled systems is simple—alternative methods like passwords would not prove time-efficient in the event of emergency, for instance, if the person with the device is unconscious.
Although there is a clear security risk, the benefits outweigh the small chances of someone with bad intentions subverting the connectivity embedded in these life-sustaining gadgets.
Medical hacking is a relatively new topic that entered the public space only recently. In 2011, IBM computer security expert Jay Radcliffe made a presentation on how an insulin pump can be manipulated to disperse a lethal amount of insulin.
As part of the reconnaissance phase, Radcliffe performed a check-up of the manual for his personal insulin device. From there he acquired the exact frequency and modulation method his apparatus operates on, the size of the packet, and the frequency of the transmissions. In addition, the Federal Communication Commission (FCC) ID of the device found also in the manual allowed him to obtain the patent documents for the device – an abundant source of invaluable data on the functionality and composition of the device.
His findings resulted in the purchase of the Arduino module, a wireless peripheral, which utilized similar frequencies to those of the insulin pump he owned. The command codes and message formatting were easily discoverable on Google, although the manufacturer had not disclosed this information. The wireless peripheral device can scan for insulin pumps in the vicinity of 100 to 200 feet. Once a pump is on sight, changing configuration settings would only take seconds. However, the attacker needs to know first the serial number of the targeted insulin pump and for that he would have to have physical access to the device prior to its wireless hacking.
A step forward in the evolution of hacking insulin pumps was made two months later. Initially famous for breaking into ATMs, Barnaby Jack from McAfee succeeded in taking control of both an insulin pump’s radio control and vibrating alert safety mode. Jack’s hacking kit included a special piece of software and a custom-built antenna that has a scan range of 300 feet and for which the operator does not need to know the serial number. Therefore, the latest models of Medtronic insulin pumps, equipped with small radio transmitters allowing medics to adjust function, can become easy prey to this hacking invention that scans around for insulin pumps. Once the hacker sets foot in the targeted machine, he can then disable the warning function or/and make it disperse 45 days worth of insulin all at once – a dose that will potentially kill the patient.