In March, the U.S. Department of Homeland Security issued an alert about vulnerabilities in 16 different models of Medtronic implantable defibrillators, including several that are still for sale around the world today. The vulnerabilities, which also affect bedside monitors that read data from the devices and programming computers used by doctors, include improper access control and cleartext transmission of sensitive information. Quite frankly, it's surprising it took so long for the issue of biohacking to start to be taken seriously.
Researchers discovered vulnerabilities in the Medtronic Maximo, one of the models listed in the alert, more than a decade ago in 2008. Then in 2012, the Showtime series Homeland depicted terrorists remotely tampering with a pacemaker, resulting in a character's demise. While the specifics in the show were somewhat far-fetched, the concept and vulnerability in such devices was not. Articles written about it at the time concluded that while the specifics may have been exaggerated a bit with the remoteness of the attack, the susceptibility of such devices was entirely plausible given the shift from requiring direct contact to reprogram devices to integration of wireless calibration for convenience.'Quite frankly, it's surprising it took so long for the issue of #biohacking to start to be taken seriously.' @Barracuda researcher Jonathan Tanner #InternetofHumans #HealthTech #BarracudaBlogClick To Tweet
Securing the Internet of Humans
The Internet of Humans is fast becoming a reality as medical device manufacturers look to improve convenience and the ease with which their devices are used and configured. Unfortunately, the manufacturers seem about as adept at security as the IoT and router industries—a very dangerous situation considering it now becomes a person's life on the line rather than just their data, devices, and privacy.
Just like with IoT, the security community is taking up the torch to try to spread awareness about biohacking. The Biohacking Village at DefCon has been a regular sight for the past three conferences, covering topics from medical devices to homemade implantable devices to internet-connected adult toys.
Unfortunately, such information seems to fall on deaf ears with many manufacturers as they seek to bring products to market as quickly and inexpensively as possible at the cost of security. Even with the manufacturers who do take vulnerability disclosures seriously, many tend to do so in a reactive manner—addressing vulnerabilities as they are reported—rather than investing in their own researchers and security practitioners to make devices more secure from the start.As #InternetofHumans manufacturers seek to bring products to market as quickly and inexpensively as possible, it's often at the cost of #security Click To Tweet
It seems that the IoH industry has not learned from the IoT and router industries, though, considering that in the IoT market it would currently be almost unthinkable for many companies to implement unauthenticated, unencrypted communications in their devices as Medtronic has with their defibrillators. Perhaps this incident will help spur greater accountability across all three markets, but only if people choose to start taking such security flaws more seriously and actually hold the manufacturers accountable.
However, this may not even be enough considering the talent shortage the security industry faces. Even if device manufacturers did seek out security professionals to better secure their devices, there is no guarantee they could find the talent they seek. Thus, it falls on everyone—especially designers and developers—to become better at and more knowledgeable about security.