Nowhere to hide: 9 new hacks coming to get you

The proliferation of insecure devices in every facet of our lives will have consequences far beyond the digital realm

Securitywise, the internet of things is going as badly as most computer security experts predicted. In fact, most vendors don’t fully appreciate the potential threats IoT devices pose. Anything connected to the internet and running code can be taken over for malicious purposes. Given the accelerating proliferation of internet-connected devices, we could be hurtling toward catastrophe. Personal security cameras, for example, are being used to conduct the largest denial-of-service attacks the world has ever seen, not to mention allowing strangers to spy on the very people the cameras are supposed to protect.

Worse, with IoT devices, vulnerabilities can have consequences far beyond the digital realm. The coming wave of IoT attacks includes those that could injure or kill people. This isn’t hypothetical. I’m talking about real attacks that are already possible today. And no one has done anything to make these attacks less likely to happen.

Following are nine next-wave hacks that could be coming for you soon.

Your heart monitor will get hacked

Hackers have long known they can disrupt nearly any medical device that has writeable software, works wirelessly, or connects to the internet. Computer scientists and hackers have exploited heart pacemakers, heart monitors, IV drip devices, medicine dispensers, and diagnostic machinery, all of which have the potential to kill the patient. These threats come to our attention frequently.

But it’s not as if medical technology vendors aren’t worried about vulnerabilities and hackers. New medical devices take up to 10 years to be created, tested, and approved. U.S. medical device manufacturers must follow guidelines and laws from nearly a dozen overlapping regulatory bodies, including the FDA, the FCC, and the Department of Health and Human Services. Moreover, medical device manufacturers specifically avoid using the latest and greatest software. By slowing down the process and using older, more proven and stable software, manufacturers feel they can better root out potential issues before their devices are released to the general public.

Despite all this, medical devices aren’t even close to being hack-proof. There have been hundreds of recalls for medical devices in the past decade, a large percentage of which are due to cybersecurity issues.

Ironically, the slow vetting process and regulations surrounding medical devices may be their undoing. Software and code can’t be significantly updated once they enter the review cycle and are released to the public. As a result, medical devices are always using very old technology by the time they are in operation. None can take advantage of the latest advances in computer security defense; worse, they often contain commonly known vulnerabilities that were fixed on general-purpose computers many years ago. When I get paid to perform penetration tests on medical devices, I always start with attacks that have long ago been patched on your average computer. I’ve never not had that strategy work. Something here has to give. When it comes to medical devices, too much is at stake for them to be this easy to hack.

