I want to do something a little different with this article: I want to take you down the rabbit hole that is IoT and the dark side lurking around the corner, which I know is going to rear its ugly head at some point in our future. I am going to set a scene for us to imagine, one that shows a situation that is soon to become commonplace in our world.
Picture this: it is 2022. A businessman is working in the office late at night, reviewing a tender for a large government contract to build defence equipment of some kind. This contract will make his company, and he is really putting in the effort for this tender as he knows how critical it is that he gets this right. As he starts to wrap up the tender documents, he decides to have a drink of scotch to mark a job well done. He is happy with how things have come together and believes his company has a really great chance at winning.
He pours his glass and looks out his window over the cityscape in front of him. Suddenly he feels a sharp jab in his chest. He instantly grabs at his chest; he can't catch his breath. The look on his face is fear, as he knows this could be his end. Whack, another quick jab in his chest, followed by another and then another. His heart stops, his glass falls from his hand, spilling its contents, and he falls to the ground DEAD.
In less than 30 seconds, everything changed. If the body is autopsied, it will show a heart attack with his pacemaker shocking him as designed, to help save his life, but it just wasn't enough to save him. Let's give him a name: let's call him Jim. This seems like a really sad situation in which the stress of the tender had become too much for Jim to handle and he succumbed to it with a heart attack. But this situation is much more sinister than it appears: it is the first assassination conducted using a medical IoT device.
Let’s put a bit more background to this. Two years ago, Jim had a pacemaker installed due to irregular heart palpitations. The pacemaker was a newly developed internet-connected device that could connect to Jim's phone and send data back to his doctor about his condition. This could make it easier for the doctor to predict issues, allowing the treatment to be more accurate and improving Jim’s chances of a long life with the condition. The device was also designed to receive updates via this connection to ensure that it had the latest programming and efficiencies.
The digital assassin used this connection to update the pacemaker with their own modified version of the software, which had a hidden remote-control function. This function was used to shock Jim's heart with the full available power multiple times until the heart stopped. The device was then instructed to restore the previous version of the software, erasing all traces that it had been changed, so it will just look like a heart attack with no signs of foul play. The first IoT assassination has taken place with no one any the wiser.
Jim’s competitor for the government contract was very worried about the tender and knew that Jim was the front runner to win, so several weeks earlier he reached out to a criminal organisation to try and hire a hitman to take out his competition. He wanted it to look like an accident or something that wasn't suspicious. If it could be done, he knew that Jim's business could not take on the contract without him, leaving his own company to pick it up.
A murder has been carried out with a device that was designed to save our lives. Imagine what else could be possible as these medical devices get smarter and more connected. They will have the ability to save or take our lives in an instant. It really is a scary thought; with the current lack of security in IoT devices, this could be a terrifying scenario for us all moving forward.
I know I went a little down the Hollywood rabbit hole in laying out this scenario, but I wanted to paint a clear picture of how medical IoT devices could be used in the future and how a scenario like this could possibly take place. There are already smart pacemakers that could be manipulated by a malicious actor. At the Black Hat conference in August 2018, security researchers Billy Rios and Jonathan Butts demonstrated such an attack. They used the pacemaker's programmer, which controls the electrical impulses that the pacemaker sends to regulate a patient’s heartbeat. They indicated that 33,000 of these programmers, called the CareLink 2090, are in use.
This shows us not only that this situation could occur in the future, but that it may have already occurred without anyone being any the wiser: a perfect murder, if there is such a thing. One concern about this situation is that Medtronic (the company that makes the products), which had been notified of the security issue by the researchers, was more concerned about protecting its company brand than its patients who are at risk.
Pacemakers are not alone in this scenario, though. What about insulin pumps, which automatically dispense the dosages for patients? They offer a quick and simple way to kill off a target without ever actually touching the victim, and with possibly no way of ever knowing who conducted the attack.
We could also see situations in which victims are held hostage by a malicious actor with a demand for payment, or the device will be used to kill them. I am sure most people will pay anything that is asked to ensure they are not killed by a cyber assassin. It’s like the ransomware model on an all-new level.
That is a thought that will keep us up at night, so let’s get our crap together and find a way to ensure that these devices are not vulnerable to remote attacks (I know that is much easier said than done, but we need to find a way). We need to ensure that all medical IoT devices are developed with the highest level of security in mind. It doesn’t matter if that means they cost three times as much to manufacture or develop; the cost of failure will be our lives if we get it wrong.
I seem to come up with all of the dark doom-and-gloom scenarios for these devices: assassination by a pacemaker, death by insulin overdose, and so many more. In a previous article I depicted a lovely scenario in which a smart car could be used to assassinate or kidnap one of its passengers. Sounds like we have a terrifying future to look forward to unless we can get the security right, and to be completely honest, our history of success doesn't fill me with too much confidence, but that doesn't mean we shouldn't try.
Hopefully one of my readers has the solution that will change this fate from ever occurring in the future and will develop an IoT security standard that will keep us all safe for millennia to come.
Till next time…