Death, Injury & Supply Chain Security

The universe of non-PC devices that makes up the Internet of Things is not only too often easy to hack, but hackers can even transform some devices into actual weapons that can harm or kill people. While supply chain parties and OEMs have yet to be held responsible for a hacked device used as a weapon, there is obvious cause for concern.

A case in point is when the late Barnaby Jack showed how he could use an antenna to hack a pacemaker at the 2012 BreakPoint security conference in Melbourne and cause it to jolt a victim’s heart with a lethal shock.

During the demonstration, Jack noted that the use of a pacemaker hack to assassinate a political enemy was depicted during an episode of the hit TV series “Homeland.” However, Jack claimed that it was much easier to hack pacemakers in real life. He said, for example, that he did not even need a product serial number to remotely seize control of a pacemaker, which the characters required for their fictitious hack during the “Homeland” episode.

Jack died last year shortly before he was about to give a presentation on heart transplant hacks. Coroners recently said he died from a drug overdose, while the conspiracy theories still run unabated. However, the ease with which emergency response systems, safety-critical car components, medical devices, or other devices tied to human safety can be hacked has not gone away following Jack's death.

Awareness about medical device vulnerabilities came to the forefront in the medical community last year when the U.S. Food and Drug Administration (FDA) warned that implanted devices as well as healthcare networks were at risk of cyberattacks.

When the FDA issued its warning, no case existed in which a network attack had resulted in death or injury. There has also been no known hacker attack reported that resulted in bodily harm by directly causing an implantable device to malfunction. This can be attributed to how intruders generally want to intercept data between medical devices and networks in order to steal data, instead of looking for ways to cause bodily harm without the possibility of material gain.

But while the possibility of a criminal using a hack to commit murder or to cause other bodily harm is a cause for concern, supply chain partners still remain outside of the penal code's firing line, at least for the time being, Amichai Shulman, CTO for security firm Imperva, said.

It would even be difficult for victims or family members of victims to seek a remedy in civil court against an OEM or a supplier if a hacked device was used to physically harm someone, Shulman said.

“The reality is that no one is liable. If someone hacks my computer using a vulnerability in Internet Explorer and I were to sue Microsoft, then I probably wouldn't get too far in court,” Shulman said. “But if there is a malfunction in my pacemaker, such as a short circuit or battery drain, then there are legal precedents, of course, involving the OEM and possibly suppliers.”

However, suppliers, of course, need to do better, even if they do not have to worry about going to jail if someone causes a victim bodily harm by hacking a device that is ridiculously vulnerable to hacks, Shulman said. Much of the code in embedded devices on the chip level, for example, is outdated, which data thieves can exploit.

Adopting a PC model by which security updates are installed on devices automatically over the Internet is a start, but the industry must adopt new best practices to help lock down devices as well, Paul Fulton, vice president of product, Internet of Things, for Mocana, said. Eventually, suppliers and OEMs must add firewalls, encryption, and other protection to protect embedded designs despite the extra costs, especially for devices involving human safety, he said.

However, it will be a long road ahead before chip designs and devices with built-in security protection become ubiquitous. The complexity of today's supply chain will make the task all the more difficult, Fulton said.

“OEMs have production in different countries and procure components from around the world. There are also different distribution centers, second- and third-tier suppliers to manage, and so on, making it hard to tell where all of the pieces come from,” Fulton said. “Still, the supply chain really has to figure out how to make these devices secure.”

Has the push for IoT raised security concerns for you? Let us know in the comments.

3 comments on “Death, Injury & Supply Chain Security”

  1. Houngbo_Hospice
    May 29, 2014

    “Adopting a PC model by which security updates are installed on devices automatically over the Internet is a start, but the industry must adopt new best-practices to help to lock down devices as well”

    Excellent point. It is important that designers track software vulnerabilities and provide patches regularly. 

  2. Hailey Lynne McKeefry
    May 30, 2014

    The security (privacy) concerns created by IoT are something we don't talk about enough, and those instances when it touches healthcare and other potentially life altering/ending tech make this discussion even more critical.

  3. Eldredge
    May 30, 2014

    One concern I have with IoT revolves around understanding the vulnerabilities. As the interconnectivity of devices expands, do the security risks increase linearly, or as some higher power function based on number of devices (or some other metric)? Could a hacker get into a fairly innocuous and unsecure device, and use it to provide additional access to a related, more sensitive one (defined by either data or potential for harm)? It seems like the security issues could expand exponentially.
