Crossing A Line: When Hacking Threatens Lives
Overshadowed by the release of another report into hacking allegations, the FDA released their long-awaited report, “Postmarket Management of Cybersecurity in Medical Devices”, on Dec 28, 2016.
The report was initially released for industry comment in draft form in January 2016. The complete report explains the need for proactive security developments throughout a product’s lifecycle, the procedure for vulnerability notification and the value of continuous threat modelling, as well as confirming that the issuance of security patches does not necessitate further recertification.
For those who may be thinking that this all sounds far-fetched: former US Vice-President Dick Cheney’s doctors famously disabled the wireless functions of his pacemaker in 2007 – a whole decade ago – “to thwart potential assassination attempts”. The late Barnaby Jack, an eminent security researcher, demonstrated in 2012 a hacked drug pump which could be programmed to deliver vastly incorrect dosages, and was found dead just days before he could demonstrate a successfully hacked pacemaker live onstage in Las Vegas.
The medical device market has long been plagued by allegations of poor security, and the FDA’s hand in this does require a mention. The agency has only just this year confirmed that “in most cases, updates made to strengthen cybersecurity do not require recertification”. The certification process is lengthy and expensive and manufacturers have understandably been reluctant to issue security patches if it means reapplying for certification.
This bodes well for device vendors issuing new products, but what about the hundreds of thousands, or millions, who have had connected pacemakers, insulin pumps or other devices implanted already with no support for firmware updates? Jon Miller, from Cylance, points out that another form of attack could be looking to reduce the battery life of these devices: “even light encryption on a pacemaker could decrease its battery life from about a decade to as little as a few years or even a few months because the device is not designed to sustain those operations. The more resource intensive the encryption, the more dire the situation”.
In their report, the FDA outline some scenarios of what they consider to be acceptable levels of risk, including one example of open ports on a device that could theoretically permit installation of unauthorised firmware. Thankfully so far no such hack has been successful, probably in large part because of the need to be in close physical proximity to the device in question.
As the Internet swarms with reports of huge IoT botnets capable of 600Gbps+ DDoS attacks, what is next for IoT medical device security?