
Consumer Device Hacking Concerns Getting Lost In Translation

samzenpus posted 1 year,22 days | from the tell-him-about-the-twinkie dept.


ancientribe writes "Hackers who hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars are finding some life-threatening security flaws in these newly networked consumer devices, but their work is often dismissed or demonized by those industries and the policymakers who govern their safety. A grass-roots movement is now under way to help bridge this dangerous gap between the researcher community and consumer product policymakers and manufacturers. The security experts driving this effort appealed to the DEF CON 21 hacking conference audience to help them recruit intermediaries who can speak both hacker and consumer product and policy."


100 comments


This just in... (4, Funny)

girlintraining (1395911) | 1 year,22 days | (#44517931)

People in positions of power generally don't have a clue how things work... since they never, you know, work. I'm sure if we hopped in the TARDIS and went back to when the Egyptians were building the pyramids, the foreman in charge of positioning the bricks was constantly complaining about the idiot Pharaoh putting down the wrong dimensions in the foundation, and telling them to use unwoven rope because he read in Pharaoh Times (the premier Pharaoh trade stone tablet!) that it would improve efficiency. He probably also randomly decided to outsource 30% of his slaves because "leading experts" said it was universally a great idea.

*cough* People at the top not having a clue is a problem as old as humanity.

Re:This just in... (2)

Opportunist (166417) | 1 year,22 days | (#44518047)

"Let them eat cake"

'nuff said.

Re:This just in... (1)

Anonymous Coward | 1 year,21 days | (#44520725)

Actually, never said.

http://en.wikipedia.org/wiki/Let_them_eat_cake [wikipedia.org]

Re:This just in... (1)

Opportunist (166417) | 1 year,21 days | (#44521927)

Do you want to bet that today someone would?

Executed (0)

Anonymous Coward | 1 year,22 days | (#44518153)

...Today, as in the Pharaohs' time, anyone who complains or points out the flaws in the design is also... executed [dailydot.com].

Re:Executed (0)

Anonymous Coward | 1 year,21 days | (#44520817)

& you sure as hell better not say "I told you so" after your learned proclamation about the design decisions made by the clueless boss's clueless pet project lead!

Re:This just in... (4, Insightful)

hairyfeet (841228) | 1 year,22 days | (#44518209)

You made a funny but the truth of the situation? Really isn't. Time and time again we have seen whistleblowers attacked by everyone from the government to the MSM and in the end it all comes down to money. By exposing their bullshit, be it ignoring laws, building defective by design products, or cutting corners on safety it costs the corps money to fix these issues, sometimes billions, and with the government here bought and paid for you can bet your soon to be worthless last dollar they WILL try to destroy those that expose this corporate douchebaggery as it costs the owners of the country money.

If Nader published "Unsafe at any speed" today he would probably be heckled by the press, sued by the corps, and have a dozen charges on him cooked up by the feds. Frankly you couldn't pay me enough to be a security researcher...which is of course the point, the chilling effect in action.

Re:This just in... (2)

Anonymous Coward | 1 year,22 days | (#44518273)

Ok, I have some pointers here.

1) Don't call yourselves "hackers". It's a scary label. Don't do it. Be "security experts", "specialists", "programmers", "investigators", or anything but hackers. It's even better if you can somehow title yourself researcher, CEO, or something that commands respect.
2) Don't expose flaws with your own face and name. You think you will get praise, you won't. ( Yes, you should get praise, but that's not how the world works)
3) Companies reverse engineer & try to find faults in their competitors' products all the time. An anonymous contribution to a competing company will work wonders. You can also do it in multiple directions. If the competitor's product is dangerous or illegal you can be sure they will use it to chase the product out of the market.
4) Use the flaw. If it causes damage you can be sure it will be fixed. Just don't do anything really stupid and don't get caught.

Re:This just in... (0)

Anonymous Coward | 1 year,21 days | (#44519041)

Don't call yourselves "hackers". It's a scary label. Don't do it. Be "security experts", "specialists", "programmers", "investigators", or anything but hackers.

So, we should abandon the proper term because some people/the media have corrupted it?

Re:This just in... (3, Insightful)

oag2 (2854559) | 1 year,21 days | (#44520455)

Yes. Just as currency has value because people collectively agree it does, words have meanings because people collectively agree on them. Most people think hacker = bad. So if you want them to see you as working for good, don't use the term to refer to yourself.

Re:This just in... (1)

hairyfeet (841228) | 1 year,21 days | (#44525833)

LOL and you don't think "security experts" won't be made into the next "code word" by the MSM? Ever since Ronnie Raygun dismantled the protections that kept a megacorp from owning all the media in an area the MSM has been the propaganda arm of the megacorps, see how quickly they went from talking about what was in the Wikileaks release to spending days talking about whether Assange is a douchebag or not, why? Because the same corps that own the media corps own defense contractors and you don't bite the hand that feeds.

So you can call 'em ducks for all it'll matter because within 2 years of choosing it duck will be in the same pile as pedo and terrorist, because you are gonna cost billionaires money and they aren't gonna have it. Frankly Stalin and the crazy Austrian would have killed to have a propaganda arm as effective as the western media corps.

Re:This just in... (0)

Anonymous Coward | 1 year,21 days | (#44520459)

Or...you can fight the entire multi-billion dollar media conglomerates over a name. Hint: Guess who's going to win?

Re:This just in... (1)

X0563511 (793323) | 1 year,21 days | (#44520487)

Pretty much, yes. Unless you think you can correct the people/media of course. I think that's an uphill battle, to be honest.

Re:This just in... (2)

SecurityGuy (217807) | 1 year,21 days | (#44521053)

You should accept that language evolves and that you're on the losing side of this one. Decide if you want to be understood, or be "right".

Re:This just in... (2)

X0563511 (793323) | 1 year,21 days | (#44520489)

4) Use the flaw. If it causes damage you can be sure it will be fixed. Just don't do anything really stupid and don't get caught.

Never. Ever. Do. This.

The moment you do this you lose any moral ground you had, which is all you have if the law doesn't support you.

Re:This just in... (1)

marcello_dl (667940) | 1 year,21 days | (#44518695)

Indeed TFA makes the assumption that those in power don't understand, so that they demonize hackers. Which is incredibly naive, because people in power are usually *better* than the average at getting and rating information.

Once they get this information, they reason like: "how is this going to affect my career?" and take the necessary steps to profit from the information, just like parent said.

Re:This just in... (3, Insightful)

BVis (267028) | 1 year,21 days | (#44519089)

Those in power usually *don't* understand. They have people for that. I've worked for a few Fortune 500 companies in IT; at one, the CEO's password was the name of the company and set to never expire. At another, I tried to educate a user on how to avoid a particular problem (so that the problem wouldn't happen again and lead to their loss of productivity and an increase in my workload) and was dismissed with a wave of the hand and an "Oh, I don't have to know that."

They don't understand. They don't WANT to understand. And when your job title has a "Chief" at the beginning of it, IT goes along with whatever insecure, dangerous, counterproductive nonsense you want.

Re:This just in... (0)

Anonymous Coward | 1 year,21 days | (#44523165)

That is why you hire a Chief Information Officer who heads up the IT/Tech department; they have Chief in their title and are GOD, aka System Admin, when it comes to protecting the system. If a company does not go that route then they open themselves up to whatever vulnerabilities may be on their system. It's survival of the fittest, and if you leave yourself open because you are "too busy" or have the attitude of "I don't need to know that" then you deserve what happens. Everyone needs to know about best security practices, but they don't need to know all the details of what it does or why it does this. A good Chief Information Officer will make it so that there are no noticeable flaws and will smooth the problems so that they do not affect the whole company.

Re:This just in... (1)

HiThere (15173) | 1 year,21 days | (#44523357)

You are assuming the CIO knows information rather than (or in addition to) management. That is sometimes a correct assumption.

Re:This just in... (1)

tlhIngan (30335) | 1 year,21 days | (#44521337)

Indeed TFA makes the assumption that those in power don't understand, so that they demonize hackers. Which is incredibly naive, because people in power are usually *better* than the average at getting and rating information.

Once they get this information, they reason like: "how is this going to affect my career?" and take the necessary steps to profit from the information, just like parent said.

The problem is communications. I'm not sure if it's just a biased point of view, but it seems the IT industry is full of anti-social types who do these things, but worse yet, cannot communicate worth a crap. Sure they can speak English and string a bunch of words together, but it seems lost on them that it's not just what you say, but how you say it.

It could be the fact that a lot of hackers/programmers/whatever tend to be introverts or were never brought up with proper social skills (or never bothered learning). Or it could be the insular nature of the person who discounts such "frilly" topics that don't involve computers in a low-level way. (How many people wish universities stopped doing "complementary studies" type requirements where students in science and engineering are forced to take classes in arts (say, philosophy, English literature, history, whatever), or business? How would you like it if Arts and Business majors stopped being required to take science and engineering courses?)

The end result is poor communications skills. And that leads to people being able to attack the messenger and the message itself. You may be technically correct and your report makes sense to everyone in the technical field. But your report isn't being presented to the technical field, it's being presented to journalists (who need soundbites) and the rest of the world. And technical gobbledegook does NOT work well at all.

You want to know why journalists hate PR people? Because companies (and smart engineers and the like) know never let engineers talk openly with journalists. Unless you're specifically trained on how to deal with the media, stay out of the spotlight, don't open your mouth, and simply pass the journalist on to a representative who can talk to the press.

We groan at how bad journalism is - well, the problem is trying to explain technical details to someone who doesn't care - hence media training, prepared statements and press releases. Of course, journalists hate getting stuff sanitized for their consumption, so they hunt for people behind the scenes, knowing they'd get more information. And knowing said people rarely if ever get media training, they can get "the real scoop". Of course, they don't understand it, twist it around, and now you end up looking like a complete babbling idiot. (Even worse is a journalist with an agenda).

Then there's the general public who have different concerns and priorities from the tech sector. Technology to them is a tool to help them through life, not a means to an end. It's a way to make their life easier so they can concentrate on their woodworking, stamp collecting, metalworking, fixing up cars or other hobbies.

And like people in general, what you say really only counts for 10-30% of the full message - how you say it (body language, expressions, etc) counts for the rest. Come off as a crazy rager and people think you're a lunatic and your message is lost. Come off like a conspiracy theorist and yes, people will think you're one as well. But dress well (in a suit if need be - yes, people look good in suits), facial hair in check, tattoos tasteful or covered up, come off as a calm, collected person who makes relatable arguments, and suddenly people are way more receptive. Even better, show empathy - people relate better to someone who understands them.

You want to know why people cared about SOPA and all that? Because it showed the true effects - that despite all the raging before most of the public just ignored such legislation. Or how people redefined ACTA as an "Anti-iPod" law, not "Copyright reform". The website blackouts, anti-iPod arguments are relatable. Concepts like "blocking websites" and "reform" glaze eyes over.

Take a look at how leaders go about their lives - notice how Obama or another leader goes to some disaster site despite probably having more important things to do? Or how some people, despite saying the technically correct thing, seem to just attract anger (e.g., a recent rail disaster in Quebec had the CEO flying up, but while said CEO said the technically correct things, it wasn't what the crowd wanted to hear and he was vilified for it as being completely out of touch and without remorse).

Finally, look at Steve Jobs. He was an asshole. But why do people like him? Because he did one thing right - he related technology to people. Technical folks called him out for "dumbing down technology", but he knew how technology and the arts intersect.

Re:This just in... (1)

MaskedSlacker (911878) | 1 year,21 days | (#44520677)

If Nader published "Unsafe at any speed" today he would probably be heckled by the press, sued by the corps, and have a dozen charges on him cooked up by the feds.

Most of that has happened to Nader at one time or another.

In early March 1966, several media outlets, including The New Republic and The New York Times, reported that GM had tried to discredit Nader, hiring private detectives to tap his phones and investigate his past, and hiring prostitutes to trap him in compromising situations

source: http://en.wikipedia.org/wiki/Ralph_Nader#Automobile_safety_activism [wikipedia.org]

that and (0)

Anonymous Coward | 1 year,21 days | (#44524323)

the pyramids were not built by Jews, or slaves.

I love the fantasy comparison - but people who keep perpetuating this complete myth need to shut their ignorant fucking mouths so these dumbass jew fags can stop using these made up excuses to enslave us, with them being "the chosen people"

Hey, Look what I can do! (0)

metalmaster (1005171) | 1 year,22 days | (#44517945)

Of course you're going to be shamed when you showcase a fatal flaw in a pacemaker to a bunch of people at a convention. It may not be the easiest thing to do, but the most responsible thing to do is to go to the company or governing body and explain things.

Re:Hey, Look what I can do! (1)

crutchy (1949900) | 1 year,22 days | (#44517975)

nah just hack millions of pacemakers and blackmail their hosts into your own private army... to go fight the sharks with "lasers"

Re:Hey, Look what I can do! (-1, Troll)

oilpainting2013 (3013775) | 1 year,22 days | (#44518237)

Thomas Kinkade paintings [paintingsframe.com] are great for home or office decoration, or as gift to friends or loved ones. 100% handmade guarantee! Footprints in the Sand Thomas Kinkade [paintingsframe.com] is hand painted with environmental oils on durable canvas by our talented artists. Our online store offers you unbeatable low price, safe payment and free shipping. You can easily place an order online if you want your selected painting to decorate your space. Perseverance Thomas Kinkade [paintingsframe.com] is sure to get tons of compliments from your friends.

Re:Hey, Look what I can do! (2)

cusco (717999) | 1 year,21 days | (#44519329)

I just want the codes to Dick Cheney's implanted defibrillator.

Re:Hey, Look what I can do! (5, Insightful)

Narcocide (102829) | 1 year,22 days | (#44517991)

Since that is an approach almost universally rejected by said "company or governing body" in recent history, I assume the context of the article is "what to do after the most responsible approach fails because said company or governing body is actually completely irresponsible."

Re:Hey, Look what I can do! (4, Interesting)

azalin (67640) | 1 year,22 days | (#44518059)

I have to agree with that. In large companies it is rather hard to find someone to listen to you AND in a position to actually change something. Even if the company knows about the problem, they will probably either ignore it, or find the cheapest way to make it disappear. Probably a new software module in the 2016 model.
If the information gets public though, they can't deny knowledge of the problem and become liable. I do believe companies should get a warning and some time to find a proper solution, not for them, but for those affected by their products, but that warning should include a deadline.
Oh and I consider it completely irresponsible, stupid and dangerous to go after the hackers and charge them with computer crimes.

evidence suggests that's rare, headline grabbing (4, Interesting)

raymorris (2726007) | 1 year,21 days | (#44518515)

Looking at any major CVE list, it seems most significant issues are fixed rather quickly. When a researcher or self-centered asshole doesn't get quite the response they want, those are the cases that get a headline on Slashdot a few times per year. Slashdot doesn't report on the 20 or so per day that go through the standard process and are resolved appropriately.

To me, that sounds a lot like saying "couples facing divorce almost always murder each other" because those that end in murder are the ones you still hear about years later (Reiser, for example). That ignores the hundred divorce cases every day that are either amicable or simply not newsworthy because nothing interesting happens.

My own experience with reporting a few issues matches what I see in the CVEs - they've been addressed quickly and professionally. The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.

Re:evidence suggests that's rare, headline grabbin (2)

ebno-10db (1459097) | 1 year,21 days | (#44518777)

The BIG one I found had replacement Debian packages out within 48 hours. Wikipedia was patched to fix the vulnerability I found within 24 hours.

Both non-profit. 'nuf said.

Re:evidence suggests that's rare, headline grabbin (2)

CreatureComfort (741652) | 1 year,21 days | (#44518933)

Not only that, but I'm betting he's never tried reporting a found vulnerability in any embedded product.

It's trivially easy to change a file and upload it to a website. It's significantly tougher and more expensive to roll out embedded firmware running in 1.5 million cars across multiple countries, let alone 200,000 pacemakers that would require major surgery to update or replace.

Microsoft, Adobe have never issued a security upda (1)

raymorris (2726007) | 1 year,21 days | (#44519921)

So Microsoft, Adobe, et al have never issued any security updates, ever?
All of those updates you see every day don't magically appear from nowhere. They come from the standard process of reporting and handling issues that most people follow. Selfish attention whores report maybe 0.5% of the issues. The other 99.5% are reported and fixed with no drama.

Re:Microsoft, Adobe have never issued a security u (1)

ebno-10db (1459097) | 1 year,21 days | (#44520905)

Selfish attention whores report maybe 0.5% of the issues. The other 99.5% are reported and fixed with no drama.

From whence do these statistics come?

So Microsoft, Adobe, et al have never issued any security updates, ever?

No one said anything of the kind, but there are plenty of cases of them being, how do I say this nicely, not as prompt and responsive as they might be. Like sitting on known issues for months, and/or letting the NSA have fun with them first. Furthermore, Adobe and Microsoft make software for general purpose computers. The focus here is on embedded devices, which are harder to update and have a worse track record.

Lastly, the personal experiences you cite are both with non-profits, and Debian in particular is famous for their speed and responsiveness in patching security problems. If everyone was as responsive as them, blackhats would have a real problem.

Re:evidence suggests that's rare, headline grabbin (0)

Anonymous Coward | 1 year,21 days | (#44519447)

Every time Slashdot has reported on one of these security vulnerabilities, it was after the 'bug' was reported to the manufacturer a couple of times, they were given a deadline of 3 months, and then it was finally published after 6 months of no response from the manufacturer.

7,567,000 not reported on Slashdot. Newsworthy (1)

raymorris (2726007) | 1 year,21 days | (#44519869)

Yeah, for all 12 reported on Slashdot, that's the claim. (Two sides to every story, and Slashdot sure isn't objective.)
The million or so that aren't reported on Slashdot are the ones handled properly through the standard process. All of those security updates you see every day don't magically appear from nowhere, they are generated through a fairly standardized process.

The newsworthy stories are by definition not the normal case. Take those newsworthy cases and put some propaganda spin on them and you get an impression that bears little to no resemblance to daily reality.

Re:7,567,000 not reported on Slashdot. Newsworthy (1)

ebno-10db (1459097) | 1 year,21 days | (#44520919)

The million or so that aren't reported on Slashdot are the ones handled properly through the standard process.

How do you know that?

my daily work. check any major CVE list (1)

raymorris (2726007) | 1 year,21 days | (#44521783)

I know that because that's my field. That's what I've been doing all day, every day, for seventeen years. If you want to see for yourself, check any major CVE list. Flaws are handled daily, through a well known process, just like bags of garbage are dealt with every day by those professionals. You can watch the process on the lists and in the databases.

A few times per year, a dead body is found in a trash bag. So it's true that "every trash bag covered on the news has a dead body or something in it". It would be an epic fail of intelligence to deduce from that "most trash bags contain dead bodies". Software flaws are the same, and thinking that most are handled very poorly is the same failure to think as assuming that because newsworthy trash contains bodies, most trash contains bodies.

Re: Hey, Look what I can do! (0)

Anonymous Coward | 1 year,21 days | (#44518637)

i think finding the problem in the first place and informing the company qualifies as a warning with a REAL deadline...as it is.

Re:Hey, Look what I can do! (1)

SuricouRaven (1897204) | 1 year,21 days | (#44518407)

Just do both.

Tell the company, and inform them that in six months you will be presenting this discovery at a conference. That way they have plenty of time to deploy a patch.

That, or they might just say that if you ever go public they'll sue you so hard your grandchildren will still be paying the legal fees.

Re:Hey, Look what I can do! (1)

Anonymous Coward | 1 year,21 days | (#44518421)

You mean "they have plenty of time to take out a gagging order".

It's been done in both the UK and US, so don't go bleating about "freedom of speech" saving you.

If you find an exploit, and want to ensure it's fixed, the only approach is to publish a polished weaponized 0day attack.

Re:Hey, Look what I can do! (0)

Anonymous Coward | 1 year,21 days | (#44519717)

Use a hybrid approach.

Do the responsible thing first. Go to the company and tell them that:
1) Here is the flaw. Fix it.
2) You have 6 months until I present the details to the public.
3) If you get a gag order, an acquaintance of mine already has an exploit package to release to various black-hat communities, set to trigger on a dead-man's switch arrangement. If he doesn't get a certain message from me each $X days, the package is released. This agreement is in place until either the fix is in place or the public presentation takes place.

Then, all responsibility is on their shoulders. They're responsible for the fix. They're responsible for PR when you present your findings. They're responsible for the fallout of trying to gag you.

It's not blackmail any more than their faulty product is fraud.

Re:Hey, Look what I can do! (3, Insightful)

mwvdlee (775178) | 1 year,22 days | (#44518065)

And what do you do if the companies and governing bodies (at best) ignore you?

The most responsible thing to do is try to get it fixed as safely as possible.
If that doesn't work, the most responsible thing to do is to try the method with as little risk as possible.
Continue trying to get it fixed and you may have to end up publishing it at a security conference.

yay,lawyers (2)

gbjbaanb (229885) | 1 year,22 days | (#44518003)

Nothing will really change - the people in charge of these things will simply fall back on their marketing departments to say "all is well" to their customers.

It's not until someone sues one of them for billions of dollars that that company's board will sit down and actually decide that spending some money on security, and more on marketing of course, is a good thing to do.

In the meantime, I'd say that a letter directly addressed to the CEO explaining how easy his devices are to compromise, and pointing out the massive financial implications to his company (and therefore his bonus and possibly even job) will be the only realistic way of getting through to these people. Remember most of them don't really care about what the company does, they only care about running that company. They're businessmen who "do business", and so you have to appeal to that aspect.

I guess the other problem is that your average CEO doesn't even know defcon exists.

Re:yay,lawyers (4, Insightful)

Opportunist (166417) | 1 year,22 days | (#44518037)

Just point out "You make medical devices. Medical devices that sick people need. Most sick people are old. Congressmen and other people that have influence on laws being passed tend to be in the upper age bracket of the population. Do you think it's a good idea to build devices that are insecure and mostly used by rich, influential people?"

Re:yay,lawyers (0)

Anonymous Coward | 1 year,22 days | (#44518223)

Just point out "You make medical devices. Medical devices that sick people need. Most sick people are old. Congressmen and other people that have influence on laws being passed tend to be in the upper age bracket of the population. Do you think it's a good idea to build devices that are insecure and mostly used by rich, influential people?"

Well, if You can come up to a high ranking politician and say "hey, nice pacemaker you have got there. I know, because it uses wi-fi, and thanks to that I can hack it and give You a heart attack, remotely, and nobody will ever suspect a thing. And You can give up on changing models, all of them are hackable. Now dance for me, mr. puppet-politician." then it might be a profitable business. Especially if spies are concerned.

Re:yay,lawyers (1)

Opportunist (166417) | 1 year,22 days | (#44518253)

If YOU or I do it, we'll probably just vanish from the earth.

Re:yay,lawyers (1)

Anonymous Coward | 1 year,21 days | (#44518811)

oh, just like the guy who was going to report on medical hackable devices. Tell us which ones are hackable now and in the future. because the corollary of what you said happened. This defcon, a researcher was to present a paper on hackable devices, a follow-up of a paper from, if I remember correctly Oregon state. About hackable med devices from about 2002. Part of his paper was on induced heart attacks, with no medical devices. He died prior to the conference from a heart attack. Huh? I wish the paper were published. but his files and computer are where?

Re:yay,lawyers (0)

Anonymous Coward | 1 year,21 days | (#44524579)

No we wouldn't, that is not enough for the Party. We'd get unperson'd.

Just because we can, should we... (1)

Anonymous Coward | 1 year,22 days | (#44518017)

network everything?

The bad guys out there are having a field day with all sorts of devices. Eventually (if not already) people are gonna die.
Then the lawsuits will start to flow.
The ISP
The Doctor(in the case of an insulin pump)
The hospital
The kit maker
Every company that makes something that goes into the device, even something as innocent as a screw.
Uncle Tom Cobley and all
and not forgetting the cleaner at the hospital.

Why don't we stop networking everything in sight until it is properly hardened against attack? These devices must be able to detect an attack and disconnect themselves from the internet before any damage is done.
Why do they have to be connected all the time? Why not open a link for 5 secs every so often and send some data and close it again?
Etc etc etc

The engineer in me fails to really see why everything needs to be connected 24/7. If you do, you are just asking for trouble.

Re:Just because we can, should we... (4, Insightful)

Anonymous Coward | 1 year,22 days | (#44518061)

Problem is some things *need* networking.

Pacemakers usually require tuning, both when first installed and later on. And since you can't take it out and plug it into a diagnostic machine you need to be able to connect to it to run tests too.

That doesn't mean connecting it to the Internet, Wi-fi etc is a good idea... but you do need to connect to it somehow and even if it's an obscure type of network that means that someone nearby with the correct networking hardware could try to access it.

Re:Just because we can, should we... (1)

HiThere (15173) | 1 year,21 days | (#44523759)

While they need to be "remotely" accessible, there's no good reason for "remotely" to be any further away than 6 inches. Probably less.

Re:Just because we can, should we... (2)

BVis (267028) | 1 year,21 days | (#44519143)

Everything is networked because doctors want it that way. 'Networked' has an 'ooh shiny' factor that doctors love. That's bad enough, but when you combine it with the fact that nobody is stingier or dumber with IT resources than hospitals, you get a recipe for disaster.

Quality and Safety (1)

betterprimate (2679747) | 1 year,22 days | (#44518025)

Is there a governing body testing the safety and quality of electronic medical devices? According to this BBC documentary http://www.youtube.com/watch?v=H3BBjzVQhe0 [youtube.com] , there isn't for medical utensils. Is it the same for electronic devices?

Re:Quality and Safety (1)

jbmartin6 (1232050) | 1 year,21 days | (#44518671)

In the USA, the FDA does this. In a way this is one contributor to the problem: the effort and time to recertify a device after substantive changes is considerable. It depends on the scope of a change though, certain types of maintenance don't require recertification.

Fine. Let them. (1)

Opportunist (166417) | 1 year,22 days | (#44518031)

And let them deal with the fallout when (not if) the first person is killed by such a hack. This will CERTAINLY make headline news and people will CERTAINLY listen for maybe the first time something "computerish" is unsafe, because now it is their life that's hanging on it. And watch how people will DEMAND rigid standards, far more rigid than you could possibly want to implement. And no donations to Washington will drive that white elephant out of the room because people will keep watching it, and they will keep suing if they lose their loved ones to your shoddy designs.

This is not your average security flaw that eventually blows over when people forget it. People cannot forget that their LIFE depends on it, and they will not go quiet until you can somehow PROVE that it's safe to use. Yes, they will still buy your crap, duh, they have to. But rest assured that they will sue, most likely with the backing of various consumer rights groups (malpractice protection groups tend to have DEEP pockets, and considering that it is a medical device they most certainly will be interested).

Those things ain't some stolen credit cards or similar tidbits of passing interest. It's nothing people brush off with an "aw heck, if something happens, I got insurance". People care about money only until their life is at stake.

I'd fix that fast. The very LAST thing you want is that the law gets involved. Remember: Congressmen tend to be old geezers. And now guess who is highly dependent on your shoddy goods...

Re:Fine. Let them. (2)

jbmartin6 (1232050) | 1 year,21 days | (#44518693)

There are plenty of easier ways to kill someone. The threat of someone going out of their way to hack the insulin pump is so near zero that any cost to fix it is not justified. If the flaw were something that could be triggered accidentally or by a simple fumbling around they would be more likely to act on it. As it is, we can't patch for a person's vulnerability to poison, gunshot, bludgeoning, air bubble injections, etc. so the existence of one more extremely improbable attack isn't worrying people who have more dangerous things to worry about.

Re:Fine. Let them. (3, Insightful)

Opportunist (166417) | 1 year,21 days | (#44518881)

Are you kidding? If I was to kill someone, this would be THE way to go. The perfect crime. No visible traces, the autopsy would just conclude that the device malfunctioned and I'm off the hook.

It's not that it wasn't easier to kill someone in different ways, of course there are far easier ways to kill someone, that's a given. But they are invariably more "visible". A bullet hole or a knife cut is a dead giveaway to foul play. There is almost no way to hide poison in this day and age if there is at least a hint of reason to test for it. Air bubbles are harder to find but also far from impossible.

But this is just a medical device that malfunctioned. The manufacturer will blame it on the patient's error or try to weasel out any other way, the relative who actually offed the geezer will easily agree to get the case closed quickly and everyone's happy. Well, at least everyone still alive.

Re:Fine. Let them. (1)

jbmartin6 (1232050) | 1 year,21 days | (#44520973)

Let's make two broad categories of threats.

First, if you wanted to kill Gary specifically. You have some grudge or vendetta. Would you give up because he didn't have an insulin pump of the particular model vulnerable to this attack? No, you would use some other method from my list. So Gary isn't saved here by having a password on his insulin pump.

Second, you just want to kill someone for the thrill of it. There's so many ways to do this. If you were this sort of person, would you do the work to learn about insulin pump vulnerabilities, then go find someone who has that pump? Maybe, but if you are that sick you'd kill someone by some other means. So the random victim here isn't saved by having a password on everyone's insulin pump.

I guess you could say that in case one, you might not be angry enough to kill Gary unless he happened to have an insulin pump that you could use to hide your tracks. Does this seem likely to you to ever happen? I am sure the manufacturer would argue no. Your life insurance company might argue differently. I think we'd all just be guessing unless there was some research on similar circumstances.

In case two, you might say that the psycho MIGHT want to use the pump method, find that there was a password on it, and then move on to kill someone else by some other method. In that case the diabetic was saved by having a password on the pump. Again, does this seem very likely?

I can see the argument that even if it is possible it might happen once in a century, they should put safeguards on the pump just in case. Especially if you assume that is zero cost. The counter was made elsewhere in the thread that putting harsher security on the device is far more likely to cause harm to the patient than the random psycho threat, when there is a medical emergency and the doctor cannot access the device due to the security.

Re:Fine. Let them. (1)

kermidge (2221646) | 1 year,21 days | (#44527869)

I thought the subject was vulnerabilities of medical devices and other things and that the bulk of the discussion concerned disclosing and getting fixed those vulnerabilities. I don't understand how papering something over with a password would fix anything, and that wasn't even something discussed until you brought it up.

I certainly agree, though, that if you have an implanted device that needs monitoring or adjusting remotely there has to be a way to authenticate the identities and verify the authority to do the monitoring or make a change. In an emergency not having a password may be irrelevant since the EMTs likely don't have the equipment to talk to, in this example, a pacemaker anyway. So either they can stabilize you or you're toast, regardless. I suppose a more adventurous responder might try to nullify the pacemaker in some way, hoping that he'd be covered by Good Samaritan law. The current situation is a mess all around, not only with the various vulns, some of which I suspect are more than statistically improbable, but with the lack of ability or machinery by the ambulance techs to deal with the implants. I'm guessing on this latter bit, but the times I've been in an ambulance of late the most technical stuff I saw were a pulse-ox and a defibrillator, along with the EEG box and radio.

Re:Fine. Let them. (1)

jbmartin6 (1232050) | 1 year,21 days | (#44528051)

The "password" was really just a shorthand for any sort of access control or other cost paid in trying to make the device immune to malicious tampering. Time spent hardening device software is not free, this needs to be taken into account when deciding whether a control is appropriate. You make a fair point though, the 'might need emergency access' argument is perhaps not that strong. I would bet that part of that argument is simply doctor's hatred for anything that costs them extra time that they view as superfluous.

Re:Fine. Let them. (1)

kermidge (2221646) | 1 year,21 days | (#44529065)

Thanks; I'm a bit dense and didn't know where you were coming from with that. This stuff is well above my pay grade - and I'm retired. (Below, a poster notes that pacemakers apparently can be over-ridden/stopped by a powerful magnet - I have to wonder if that's part of EM techs' kit.)

My stupid idea would be that the security holes would be closed by the makers (better, they should not exist at all) - and I don't think it all that likely until someone important dies, as others have said. As you point out, passwords and such may easily create more problems than they're worth. So a totally innocent bystander has to ask: what to do?

Yeah, docs aren't well-known with being all that free with their time. Too many of us, too few of them, for starts. So, another problem.

Re:Fine. Let them. (1)

HiThere (15173) | 1 year,21 days | (#44523825)

Who will know why they died? I don't consider fallout very likely, unless there are failed attacks against rather paranoid people who are also powerful. Even then I'd rate it as low probability.

(OT) Terminology?? (1)

Anonymous Coward | 1 year,22 days | (#44518067)

True, "hack insulin pumps, heart monitors, HVAC systems, home automation systems, and cars" are consumer devices. But so are WiFi routers, mobile phones, etc.
My point: TFT(itle) would have sounded better as "Life threatening hacking concerns [etc]"

The problem with some of these devices is ... (3, Interesting)

Ihlosi (895663) | 1 year,22 days | (#44518117)

... that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.

You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way.

The problem with security. (2)

Arker (91948) | 1 year,21 days | (#44518529)

"The problem with some of these devices is that making them hack-proof is equivalent to locking a fire extinguisher in a secure cabinet. Sure it's secured against misuse, but it's also no longer easily available when it's needed in an emergency.

You can "hack" any pacemaker with a strong enough magnet, for example. It's the standard method for putting the things in their emergency mode. "Securing" this mode would make it more complicated to activate in case of a real emergency and kill people this way."

I think it's more general than that - the same thing is true of security across the board. Every security feature also makes it harder for people that are entitled to access to do their work. When you have someone that isn't specially tuned to security issues designing a system, they quite naturally tend to do the opposite of the secure choice at every instance. Like leaving a root account with a blank password open - to an honest person that isn't specifically tuned to security issues, this seems like a very good idea, likely to save a lot of time and effort the first time the password gets lost. To the security-tuned, however, this is a very bad idea, a hole big enough to drive trains through just begging to be hit.

The damnation of it is, they are both right.

We've known this for a while (1)

Anonymous Coward | 1 year,22 days | (#44518147)

It has taken the computer industry years to stop prosecuting every "security researcher" ("hacker"? not applicable, not even with hats and "ethical" attached), the SCADA bunch haven't learned even after Stuxnet, and now the medicos...?

Of course not. Worse yet, these "security researchers" haven't learned either. They're still using their bogeyman moniker for everything, lawful or not, and make it a habit to regularly blog or issue press releases with juicy tidbits to stay in the spotlights and spread some more FUD. Fundamental improvements? Structural security strengthening? All absent.

What is also absent is effective outreach. You know, getting companies to cooperate instead of getting them to sue you for daring to suggest their software, firmware, or hardware isn't the bestest evar.

Since it is the security industry that seeks to profit from the problems, they're as much responsible for acting in ways that get them sued and neglecting to create a constructive environment where security can be usefully addressed and improved, as are the suers and producers of products with security holes. Not because they're victims of getting sued, but because they put themselves on the spot in ways that got them sued. The industry as a whole hasn't managed to create a constructive security-conscious mindset.

Instead, it has revelled in co-opting a term that used to indicate technological creativity and now only means "dodgy stuff with computers involved". To the point that they first needed hats to sort out who was good and who was bad, and these days that distinction is becoming stale, for still indiscernible. It's as if they like that sheen of criminality so much they will go out of their way to create it if it doesn't come naturally.

So in a nutshell, it is really the security industry that has dropped the ball... again. Congratulations.

What are you afraid of? (-1, Troll)

gnasher719 (869701) | 1 year,22 days | (#44518189)

So there is this guy whom I hate. And he has a pacemaker. So what am I going to do: Find out how to build a device that stops his pacemaker and kill him, or just take a knife or a gun to do the job? Gun ownership is a much much bigger vulnerability. There are millions and millions in the USA who have the capability to kill anyone with a pacemaker. And anyone without a pacemaker as well.

So the only fear is that some shithead who has shit where other people have brains might think it is funny to kill people. Someone who thinks it is a game. Anyone who thinks that has ceased to be a human being, and should be shot like any dangerous animal. And since publishing vulnerabilities serves no purpose other than giving tools to such dangerous animals, publication should be punishable as well.

Every hour that some developer spends on fixing vulnerabilities that give opportunities to shitheads, that developer isn't working to help patients. Therefore, publishing vulnerabilities is detrimental to society.

Re:What are you afraid of? (1)

Anonymous Coward | 1 year,22 days | (#44518283)

Because You can threaten them remotely and kill them practically without leaving any traces? Because it will not be construed as a murder, but just a problem of faulty apparatus? Because in the event of a war, somebody could just kill a few generals (like Colin Powell, who's so dependent on such an apparatus that he doesn't have any pulse), without even any bullets, with a nondescript piece of machinery?
Everybody knows how a gun looks. How does a machine that kills people with pacemakers look? Could it be a phone?

>And since publishing vulnerabilities serves no purpose other than giving tools to such dangerous animals, publication should be punishable as well.
Yeah, that's why publications about viruses, and virology in general, are punishable by law. Because it can give shitheads ideas about making dangerous viruses that are difficult to cure. Oh, and while You're at it, criminals use cement to kill people, so let's ban it as well with electricity, lasers and poisonous plants.
Censorship is banning steaks because a child can't chew them.

>Every hour that some developer spends on fixing vulnerabilities that give opportunities to shitheads, that developer isn't working to help patients.
That is why the software for these pacemakers must be open source if not free software -- Linus' Law, etc. And that developer is working to help patients -- that's like arguing that You should not alert people that live in a house that is liable to collapse any second because they might get upset, and the builder that could fix their house should use his time to build more buildings that have the same vulnerabilities instead of fixing them. In short, an extremely stupid opinion. I hope You get a pacemaker vulnerable to some of these bugs some time in Your life.

Re:What are you afraid of? (4, Interesting)

SuricouRaven (1897204) | 1 year,21 days | (#44518411)

Murder is easy. Getting away with it is hard. If the old guy with a heart condition drops dead from apparent heart failure, who is going to even suspect murder?

Re:What are you afraid of? (1)

gnasher719 (869701) | 1 year,21 days | (#44518539)

I suppose my post was against the prevailing slashdot meme. The slashdot meme of the elite hackers with the power over life and death that are just sooo important. I would just say that those people who voted me down as "troll" just don't have the slightest clue about security.

When you care about security, you start by looking at the possible targets (a person's life), then you look at the possible attacks and identify those that are most likely. You don't look at a possible attack and go OMG and lose your brain over it, as happened here. Attacking a person's life is done with guns, knives, baseball bats, poison, karate moves, and very very very far at the end of a very very long list are hacker attacks against pacemakers.

It's not just about security by obscurity (2)

NaiveBayes (2008210) | 1 year,22 days | (#44518203)

Some of the exploits for these vital machines were only discovered by researchers spending months working on it, using multiple labs, and using their researcher status to gain access to information that wouldn't be available to the general public. Should we not at least address the question of whether some of this exploit research is actually creating exploits that otherwise wouldn't have cropped up for years or even decades afterwards? Jaron Lanier pointed out one such developed exploit for pacemakers where the only way to "patch" the lab-uncovered exploit would be invasive and possibly life-threatening surgery on everyone who had implanted one.

Re:It's not just about security by obscurity (4, Insightful)

SuricouRaven (1897204) | 1 year,21 days | (#44518429)

You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests? Because I'm sure they would be willing, if they could be absolutely sure of not being caught. I wouldn't even trust the US with it - they already use drone strikes against suspected terrorists without trial, but drones are messy and lead to bad PR. And if Iran gets hold of the hack... they'd probably set up a virus that transmits the 'drop dead' command from any device with a bluetooth interface and US-English language setting.

Pacemakers need replacement every seven years or so anyway as the batteries go flat. You can just install one without the vulnerability then. It's a routine procedure.

Re:It's not just about security by obscurity (1)

jimbrooking (1909170) | 1 year,21 days | (#44518549)

Forgot something:

"...Russia or China" or Big PhaRMA or AHIP (America's Health Insurance Plans) or the NRA or...

Re:It's not just about security by obscurity (2)

SuricouRaven (1897204) | 1 year,21 days | (#44519181)

Russia is a good example because we know they still assassinate. Alexander Litvinenko. That one wasn't even a cover-up: He was poisoned with polonium, an isotope that would be impossible for all but a few governments to obtain - it has no uses in medicine and scant few in industry, and those uses require only the tiniest amount. Presumably the Russian government used a method so obviously pointing back to them in order to intimidate anyone else who might think to leave the country and leak intelligence information to another government.

Snowden is lucky the US still at least pretends to play by the rules. If he was fleeing from Russia, he'd have turned up dead in a river by now.

Re:It's not just about security by obscurity (1)

gnasher719 (869701) | 1 year,21 days | (#44518571)

You assume that the attackers would be basement hackers. Not a good assumption. There have been plenty of government assassinations in even recent history. Do you think Russia or China would be above killing, say, a US senator who keeps voting against their interests?

That's supposed to be insightful? So you are saying that the most important thing for the manufacturers of pacemakers is to prevent one of the thousand possible ways to kill a US senator?

Re: It's not just about security by obscurity (0)

Anonymous Coward | 1 year,21 days | (#44518611)

Your critical thinking skills are lacking so badly I can't form a coherent response.

Re: It's not just about security by obscurity (1)

drinkypoo (153816) | 1 year,21 days | (#44518741)

Your critical thinking skills are lacking so badly I can't form a coherent response.

If you can't explain something to a five year old (or equivalent) you don't really understand it.

Re:It's not just about security by obscurity (1)

SuricouRaven (1897204) | 1 year,21 days | (#44519201)

One of the possible ways to kill and get away with it. The killing part isn't too hard - the getting away without starting a war is.

Re:It's not just about security by obscurity (0)

Anonymous Coward | 1 year,21 days | (#44519049)

You have gotten the point very well. The real issue of all of these "back door" security flaws that allow the NSA and others to hack our data or our devices leaves us at risk of assassination at will without evidence. Even hacking "OnStar" could allow assassination and it has been demonstrated. If there was any greater reason for security and privacy than saving your own life, I cannot imagine what it would be.

Re:It's not just about security by obscurity (0)

Anonymous Coward | 1 year,21 days | (#44519065)

...Pacemakers need replacement every seven years or so anyway as the batteries go flat. You can just install one without the vulnerability then. It's a routine procedure.

Did you just actually suggest that waiting years to fix a problem so severe that it is literally life-threatening, is somehow a fucking viable option?

Go ahead and try and make that recommendation in damn near any other industry and you will be laughed at and blackballed at the same time.

"Your brake pads on your new car are defective, and could fail at any time, but hey, let's just wait a few years until they wear out to replace them."

Fucking seriously...

Sign me up. (1)

mitcheli (894743) | 1 year,21 days | (#44518423)

I could fill that role. If they're seriously looking for someone in that role, I can pass on credentials to boot.

The manufacturers are correct... (4, Interesting)

evilviper (135110) | 1 year,21 days | (#44518453)

How did Ford and Toyota react? They publicly dismissed the research and thus far haven't committed to fixing any of the weaknesses that Miller and Valasek found. Ford described the hacks as "highly aggressive direct physical manipulation of one vehicle ... which would not be a risk to customers," while Toyota said in its statement that their work wasn't hacking. Miller, who is a security engineer at Twitter, says he isn't confident the car-makers will do anything about the flaws. Percoco says the car-hacking research was a good example of finding important security flaws in consumer products.

If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

Some idiot reporters like the NYTimes article threw in the word "remote" to describe the attacks, when it clearly didn't belong. Though to be fair, it later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."

So this being the only actual referenced example in TFA, is a lot of baseless BS fear-mongering, and we are left without any reason to believe a problem actually exists.

Re:The manufacturers are correct... (3, Funny)

Ihlosi (895663) | 1 year,21 days | (#44518491)

SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR

In the next horror film, the hidden psycho on the back seat won't have an axe or a knife, but a laptop ...

Re:The manufacturers are correct... (0)

Anonymous Coward | 1 year,21 days | (#44518505)

Ma'am, get out of the car, the fapping is coming from INSIDE your vehicle!

Re:The manufacturers are correct... (0)

Anonymous Coward | 1 year,21 days | (#44518807)

... and he will kill himself in the process. Problem solved.

YMMV

Re:The manufacturers are correct... (1)

Ihlosi (895663) | 1 year,21 days | (#44523085)

... and he will kill himself in the process.

Of course not. Psychos don't die that easily. He'll run the car into just the right obstacle that it'll decapitate the person sitting in the driver's seat, and then walk away. Or drive away. In a car with a decapitated corpse in the driver's seat.

Re:The manufacturers are correct... (2)

drinkypoo (153816) | 1 year,21 days | (#44518711)

If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

We say that you didn't read the fucking article, and are for some reason leaving comments about it anyway. I don't even mean this article, I mean the former article where we discussed the hack. Because in that article, they discussed that all you need is access to the bus, and there are already remote holes in automotive infotainment gear that could permit an attacker to compromise that equipment, and then through that vector compromise the vehicle itself. This is in turn because automakers are lazy cheap fucks and they use a single bus throughout the car for infotainment and vehicle management, which is fucking bullshit. It lets them save a few nickels per car on connectors and wire at the expense of harming security and reliability.

Some idiot reporters like the NYTimes article threw-in the word "remote" to describe the attacks, when it clearly didn't belong. Though to be fair, later mentioned that, "The researchers said they did not address the question of the defenses the cars might have against remote access."

But they did, as we discussed last time.

Re:The manufacturers are correct... (1)

evilviper (135110) | 1 year,21 days | (#44519751)

Good. Talk about the remote vulnerabilities all you want. Get THOSE fixed. Those would be the problem. This article however, is worthless, baseless nonsense.

And no, I don't feel obliged to go back and check every dupe for the past 4 years to try and find a link to some less awful information.

Re:The manufacturers are correct... (1)

wbr1 (2538558) | 1 year,21 days | (#44518849)

It requires sitting in the car for now. What about when you build the hack in to an APK and put it on a $30 used android device hiding under the seat?

Breaking into most cars is relatively easy, and could be done in a couple of ways: the diversionary snatch and grab where you steal a radio and hide the device well somewhere, or a more complex break-in that is unnoticed.

Either way, you now have physical access to the vehicle, without having to be seated in it. You could control over 3g/4g, or for the really paranoid, simply be nearby in another vehicle with bluetooth or wifi.

The leap to make it a remote exploit is not difficult.

Re:The manufacturers are correct... (1)

evilviper (135110) | 1 year,21 days | (#44519815)

Or you could do a MINUSCULE FRACTION as much work, and just cut the brake lines. Or replace your theoretical $30 Android trojan device with a stick of TNT.

You're not helping your case by coming up with ridiculous, irrational, paranoid fantasies, and making IT security folks look like nutjobs.

Re:The manufacturers are correct... (1)

wbr1 (2538558) | 1 year,21 days | (#44519949)

Explosives are monitored. Brake line failure is easily survivable, especially since a driver is likely to notice the brakes when first applying them in a low speed parking lot type situation. In addition a trained driver (often employed by those with power and privilege) knows how to use parking brakes and engine braking to stop a vehicle, hell I do.

So, it is not paranoid fantasy, it is a viable attack method.

In addition, my method could be installed during routine maintenance/service of the vehicle (no pesky getting caught tampering with the vehicle), for use later.

Also, in a forensic investigation, who is going to notice the cell phone in the wreckage and think it was the cause? Especially if you sent it a remote wipe/reset signal.

I personally do not think this is long out for use. Maybe not in America, but among drug cartels, and rival warlords in poorer countries, certainly. It is unique, new, and unexpected.

And nowhere in my post did I make IT security folks look like nutjobs, I simply pointed out a blind spot they were not seeing. Is it going to be likely or common, probably not, but then again neither is dynamite or cut brake lines. It does however have the advantage of being less likely to be noticed or caught. But, since you want to make personal attacks against my intelligence and sanity, and your original post sides against TFA, I can guess where you get your bread buttered.

Re:The manufacturers are correct... (1)

evilviper (135110) | 1 year,21 days | (#44521203)

Cutting brake lines actually involves slicing them just deeply enough that they're intact until high speed hard braking ruptures it. This is easier to disguise as "maintenance" than any electronic method, and much more deadly than anything described here... Their disabling of the brakes only worked at low speed and makes a tell-tale god awful noise.

Engine braking is not an option on a large number of vehicles, particularly the Prius in the demonstration... That just leaves the parking brake you'll also need to disable (would be true with any electronic tricks as well).

Stop me if I'm going too fast... All you've got to promote this obscene amount of work is: well, maybe they won't notice the out of place cell phone under the seat, tethered to the car's computer. That's a long-shot. I'd go for brake lines...

Re:The manufacturers are correct... (0)

Anonymous Coward | 1 year,21 days | (#44522409)

I keep wondering about this...it stands to reason that hackers would "sit in the back seat" or whatever in a simulated hacking situation - after all it's more comfortable there. But in the real world...aren't CAN buses etc. potentially accessible from outside a locked/alarmed vehicle? In addition, there must be attack vectors older than I am (leave USB stick with promo music/malware combo on vehicle window, malware CDs, etc.). What constitutes physical access?

Re:The manufacturers are correct... (0)

Anonymous Coward | 1 year,19 days | (#44536747)

If that's "a good example" I'd hate to see all the other ones. Ford and Toyota representatives were the only rational and reasonable voices, and absolutely correct that the "hacking" in this case, involved SITTING IN THE BACK SEAT AND PLUGGING IN TO THE CAR. What do we say around here about having physical access to someone else's computer?

Right. Until someone gets the bright idea of, say, hooking the car to tablets and phones via Bluetooth [ford.com] .

And brought to you by Ford ("not be a risk to customers"), in partnership with Microsoft (do I even need to find a quote?).

T-Mobile using Symantec to replay phone web access (0)

Anonymous Coward | 1 year,21 days | (#44518631)

T-Mobile using Symantec to replay phone web access?

I accessed a file on 7 Aug. three times using t-mobile cell, as this well-abridged log shows:

  20130807 080258  1.2.3.4  200  3205  GET /x/a.php?i=5767450
  20130807 080309  1.2.3.4  200  3205  GET /x/a.php?i=5778500
  20130807 080521  1.2.3.4  200  3205  GET /x/a.php?i=5911843

1.2.3.4 is the stand-in for the t-mobile IP space 206.29...

The next day, through a symantec server (rulespace.com) the first of those was replayed,
and when it did not get access, it tried the default page.

  20130808 063332  207.189.121.1  b4hsbo.rulespace.com  403  563  GET /x/a.php?i=5767450  -  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8
  20130808 063333  207.189.121.1  b4hsbo.rulespace.com  403  563  GET /x/a.php?i=5767450  -  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8
  20130808 063336  207.189.121.2  b5hsbo.rulespace.com  403  563  GET /                   -  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8

Ideas on what is up with t-mobile replaying my web access?  NSA?  FBI?  OMG?
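The replay pattern in the log excerpts above, as an added example that is not part of the original comment: a short script that parses abridged access-log lines like the ones posted and flags every URL (query string included) that was first served to one network and later requested again from a different /24. The log lines embedded in it are constructed after the comment's format; the /24 grouping, the 60-second minimum gap and the function names are assumptions for illustration.

```python
"""Detect access-log requests that are later replayed from a different
network.  Added example, not from the original post; the log lines below
are constructed in the same abridged format the comment used, and the
/24 grouping and 60-second minimum gap are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed sample log: three client hits on 7 Aug, then two re-requests of
# the first URL (plus a fallback to "/") from another network on 8 Aug.
SAMPLE_LOG = """\
20130807 080258  1.2.3.4  200  3205  GET /x/a.php?i=5767450
20130807 080309  1.2.3.4  200  3205  GET /x/a.php?i=5778500
20130807 080521  1.2.3.4  200  3205  GET /x/a.php?i=5911843
20130808 063332  207.189.121.1  b4hsbo.rulespace.com  403  563  GET /x/a.php?i=5767450  -  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8
20130808 063333  207.189.121.1  b4hsbo.rulespace.com  403  563  GET /x/a.php?i=5767450  -  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8
20130808 063336  207.189.121.2  b5hsbo.rulespace.com  403  563  GET /                   -  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721 Firefox/3.6.8
"""


class Entry(NamedTuple):
    when: datetime
    ip: str
    host: Optional[str]
    status: int
    size: int
    method: str
    path: str
    user_agent: Optional[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one abridged log line.  The reverse-DNS, referrer and user-agent
    columns are optional, as in the comment's two excerpts."""
    f = line.split()
    if len(f) < 6:
        return None
    when = datetime.strptime(f[0] + f[1], "%Y%m%d%H%M%S")
    ip = f[2]
    i, host = 3, None
    if not f[i].isdigit():          # a hostname column precedes the status code
        host, i = f[i], i + 1
    status, size, method, path = int(f[i]), int(f[i + 1]), f[i + 2], f[i + 3]
    rest = f[i + 4:]                # [referrer, user-agent words...] when present
    user_agent = " ".join(rest[1:]) if len(rest) > 1 else None
    return Entry(when, ip, host, status, size, method, path, user_agent)


def network(ip: str) -> str:
    """/24 of an IPv4 address: the assumed notion of 'same client network'."""
    return ".".join(ip.split(".")[:3])


class Replay(NamedTuple):
    path: str
    original: Entry
    replay: Entry


def find_replays(lines, min_gap_seconds: int = 60) -> List[Replay]:
    """Flag every request whose exact method+path (query string included) was
    first served to one /24 and later requested from a different /24 at least
    min_gap_seconds afterwards."""
    by_request: Dict[tuple, List[Entry]] = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is not None:
            by_request[(e.method, e.path)].append(e)
    found: List[Replay] = []
    for (_method, path), entries in by_request.items():
        entries.sort(key=lambda e: e.when)
        first = entries[0]
        for later in entries[1:]:
            gap = (later.when - first.when).total_seconds()
            if network(later.ip) != network(first.ip) and gap >= min_gap_seconds:
                found.append(Replay(path, first, later))
    return found


if __name__ == "__main__":
    for r in find_replays(SAMPLE_LOG.splitlines()):
        print(f"{r.path}: served to {r.original.ip} at {r.original.when:%Y-%m-%d %H:%M:%S}, "
              f"re-requested from {r.replay.ip} ({r.replay.host}) at "
              f"{r.replay.when:%Y-%m-%d %H:%M:%S}, status {r.replay.status}")
```

Link-scanning and URL-categorization services do re-fetch URLs they have seen, so a hit like this mainly tells you that the full URL, query string and all, travelled beyond the client's session; if the `i=` value identifies a user or grants access, that is the part worth worrying about, whoever is doing the re-fetching.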

I can speak consumer (1)

vawarayer (1035638) | 1 year,21 days | (#44518739)

Here: $$$

The rug (1)

J05H (5625) | 1 year,21 days | (#44519463)

Stop sweeping problems under it.

If these devices are vulnerable then they will be exploited. The best solution is transparency and working consortia for both testing/verification and patching these problems before that vehicle, pacemaker or other device is used against consumers.

The Assassin of the Future (1)

david_thornley (598059) | 1 year,21 days | (#44520575)

The crack assassin will be a fat, greasy, male basement-dweller covered in Cheetos dust. This will doubtless be distorted by Hollywood, to the point where the assassin in movies actually has dealings with beautiful women.

LINKS! FFS (1)

Gallomimia (1415613) | 1 year,21 days | (#44523517)

Link to the alluded-to grassroots community doing the work mentioned in the OP or it's not a story and you can GTFO.

Olde Tyme Hacking (1)

cockpitcomp (1575439) | 1 year,21 days | (#44525585)

Seems like a lot of work when you could just hack Lizzie Borden style.