Extreme hack No. 2: Shocking pacemakers
Barnaby Jack's ATM exploits caught the attention of ATM manufacturers, inspiring them to set about defeating his easiest attacks. Jack then turned his skills toward medical devices. His most extreme demonstrations included being able to send unauthorized, lethal shocks to pacemaker patients from a remote location and lethal doses of insulin to diabetic patients.
Most medical devices undergo five to 10 years of development, testing, and certification approval before they can be used on human patients. Unfortunately, this means that any software used in the devices has five or more years of unpatched vulnerabilities by the time they ship. Worse, developers of medical devices often rely on the relative obscurity of their devices as a means of providing some sort of artificial protection — aka "security by obscurity."
The situation isn't getting better. As recently as April 2014, Wired ran an article on how easy it is to hack hospital equipment, largely due to hard-coded, default passwords that cannot be changed.
Of course, medical devices must be easy to use, and they must "fail open" — that is, they must continue to operate even when security has been breached. This makes securing them very challenging. Long, complex, and changing custom passwords work against the device's ease of use, so they are not often employed. Plus, nearly all communication between devices is unauthenticated and unencrypted.
Because of this, any hacker who finds the right ports can read the data and change it, without causing an operational interruption to the device, its management software, or other interfacing systems, such as electronic medical records. In fact, most medical device communications lack basic integrity checksumming, which would easily catch most malicious changes.
Medical device hacking has been around for at least a decade. White-hat hackers often demonstrate on medical devices at popular hacking conferences, and the FDA has issued a warning about the vulnerabilities. Medical device developers are working hard to close the easy-to-exploit holes, but their lengthy development cycles still make it hard to fix known problems in a timely manner.
The fact that it wouldn't take significant effort for a malicious, motivated hacker to kill people shows how important it is for us to shore up the defense of our medical devices — quickly.
Extreme hack No. 3: Card skimming
Less morbid are card skimmers, which can, however, mess up your financial life. The hack is relatively simple: The hacker places a device called a skimmer on another device, such as an ATM, gas pump, or payment terminal, to capture your debit or credit card information and your PIN number, if typed in.
Sign up for CIO Asia eNewsletters.