
Interesting Links: Aug 3, 2015

Here are links to a few news articles I came across recently. They are about the first hints of the entirely foreseeable consequences of a reckless and short-sighted drive by many corporations to connect everything to the internet, aka the “Internet of Things”.

Why do drug infusion pumps, core automobile control systems, or electronic sniper sights need a connection to the internet at all?

Link 1: FDA tells hospitals to ditch IV pumps that can be hacked remotely

The Food and Drug Administration “strongly encourages” hospitals to stop using Hospira’s Symbiq Infusion System, because it’s vulnerable to cyberattacks that would allow a third party to remotely control dosages delivered via the computerized pumps. Unauthorized users are able to access the Symbiq system through connected hospital networks, according to the FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team. ICS-CERT reported the vulnerability on July 21st and the FDA released its own safety alert on Friday, July 31st. Thankfully, there are no reported incidents of the Symbiq system being hacked. Hospira does not sell the Symbiq system anymore, but it’s still available for purchase from some third-party retailers and the FDA warns against buying it. The network vulnerability would “allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the organization says.

Link 2: OnStar hack remotely starts cars, GM working on a fix

Hacker Samy Kamkar unveiled his latest triumph this morning: OwnStar, a tiny box that acts as a Wi-Fi hotspot and intercepts commands sent from a driver’s OnStar RemoteLink app, allowing an unauthorized user to locate, unlock or start the vehicle. Simply place the box somewhere in an OnStar-connected car and wait for the driver to start up the RemoteLink app within range of the vehicle. The driver’s smartphone should automatically connect to OwnStar’s network and, voilà, the hacker now has all of the car owner’s information (email, home address, final four digits of a credit card plus expiration date), and control of the car. GM has already issued one patch this morning aimed at securing the RemoteLink app, but it was unsuccessful, according to Kamkar. Kamkar never intended to wreak havoc with OwnStar, he said in an interview with Wired. He wanted to expose a vulnerability in the OnStar app and help GM fix it — and it seems as if that’s precisely what’s happening. GM is working to patch the RemoteLink bug now and Kamkar says he’s in contact with the company as they fix it. He plans to reveal more technical details about OwnStar at Defcon 2015, which runs from August 6th to the 9th in Las Vegas.
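The excerpt says the box intercepts the app's commands but not what lets it read them. The Go program below is an added example written for this post; it is not code from Kamkar, GM or OnStar, and it makes no claim about how RemoteLink itself was built. It shows the generic failure mode that makes a rogue hotspot useful against an app that talks to its backend over TLS: a client configured to accept any server certificate hands its command to whoever terminates the connection, while a client that pins the backend's certificate refuses the impostor and still reaches the genuine server. The backend hostname `remote.example`, the `UNLOCK` command text and the self-signed certificates are all constructed for the example, and everything runs on loopback.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// backendName is a hypothetical hostname for the vendor's command server.
const backendName = "remote.example"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds a throwaway certificate for backendName; the rogue box gets one too, same name, own key.
func selfSignedCert() (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: backendName},
		DNSNames:              []string{backendName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// serve answers one TLS connection with cert and reports the first line the client sent, or ""
// if the handshake failed. With the rogue certificate it plays the OwnStar box; with the genuine one, the backend.
func serve(cert tls.Certificate) (string, <-chan string) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	ch := make(chan string, 1)
	go func() {
		defer ln.Close()
		conn, err := ln.Accept()
		if err != nil {
			ch <- ""
			return
		}
		defer conn.Close()
		line, _ := bufio.NewReader(conn).ReadString('\n') // the first Read runs the handshake
		ch <- line
	}()
	return ln.Addr().String(), ch
}

// sendCommand plays the phone app: connect under cfg and send one constructed command.
func sendCommand(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg) // Dial completes the handshake, so a rejected cert fails here
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = fmt.Fprintln(conn, "UNLOCK session=abc123")
	return err
}

// Demo runs the weak and the pinned client against the rogue box, then the pinned client against the genuine backend.
func Demo() (weakLeaked, pinnedLeaked string, pinnedErr, genuineErr error) {
	genuine, genuineLeaf := selfSignedCert()
	rogue, _ := selfSignedCert()
	weak := &tls.Config{ServerName: backendName, InsecureSkipVerify: true} // accepts any certificate
	pool := x509.NewCertPool()
	pool.AddCert(genuineLeaf)
	pinned := &tls.Config{ServerName: backendName, RootCAs: pool} // accepts only the genuine one
	addr, got := serve(rogue)
	check(sendCommand(addr, weak)) // succeeds: the box just presented its own certificate
	weakLeaked = <-got
	addr, got = serve(rogue)
	pinnedErr = sendCommand(addr, pinned) // fails: certificate signed by unknown authority
	pinnedLeaked = <-got
	addr, got = serve(genuine)
	genuineErr = sendCommand(addr, pinned)
	<-got
	return
}

func main() {
	fmt.Println(Demo()) // weak leak, pinned leak (""), pinned-vs-rogue error, pinned-vs-genuine error (nil)
}
```

In a shipped app the pin would be the vendor's CA or leaf certificate bundled with the app rather than a certificate generated at run time, and the weak configuration (`InsecureSkipVerify: true` here, or an equivalent "trust everything" TrustManager on Android) is exactly the kind of setting that a rogue hotspot sitting between the phone and the internet turns into full control of the session.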

Link 3: Fiat Chrysler recalls 1.4 million vehicles after remote hack

Fiat Chrysler Automobiles (FCA) will patch 1.4 million US vehicles following the reveal of a hacking method by Wired. The “voluntary safety recall” — which it seems will come in the form of a USB dongle — applies to vehicles equipped with 8.4-inch touchscreen in-car-entertainment systems. Affected cars include Jeep Grand Cherokee and Cherokee SUVs, Dodge Ram pickups and many others. If you’re concerned your vehicle may be affected, you can see the full list here. FCA is obviously acting fast to patch the problem, and it’s clear why. As Wired details, the hack makes it possible to “kill” the engine, remotely activate or disable the brakes, and keep tabs on a vehicle’s location. Full steering control is currently being worked on. The party responsible for the hack revealed it would “publish a portion of their exploit” openly on the web, timed to coincide with the Black Hat security conference in August. Although the company clearly accepts that the issues are serious, it notes that it’s “unaware of any injuries related to software exploitation, nor is it aware of any related complaints, warranty claims or accidents – independent of the media demonstration.” It adds that it’s “conducting this campaign out of an abundance of caution.”

Link 4: Hackers Can Disable a Sniper Rifle—Or Change Its Target

At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter. “You can make it lie constantly to the user so they’ll always miss their shot,” says Sandvik, a former developer for the anonymity software Tor. Or the attacker can just as easily lock out the user or erase the gun’s entire file system. “If the scope is bricked, you have a six to seven thousand dollar computer you can’t use on top of a rifle that you still have to aim yourself.”

What do you think? Comments?

  1. P Ray
    August 5, 2015 at 6:36 am

    I think the C, assembler and machine code kiddies or oldies are realising that their antiquated languages are vulnerable … mainly because the people programming those applications just stuck something together that “works passably” rather than verifying input, generating nonces (stop sniggering if you’re British) and checking for buffer overflow.

    In short, those systems were great before IoT time, now not so much.

  2. August 5, 2015 at 11:59 am

    Of course those things are remotely hackable, it’s a design feature not a flaw.
