Hackers Made An App That Kills — To Prove A Point; Click Here To Kill Everybody; Is A ‘Dr. No’ In Cyber Space, Or Our First Serial Killer By Computer Hack…..Already Lurking In The Dark Underbelly Of Our Digital Universe? 

     The title above comes from Lily Hay Newman’s July 16, 2019 article in WIRED.com. Ms. Newman writes that “two years ago, researchers Billy Rios and Jonathan Butts discovered disturbing vulnerabilities in Medtronic’s popular MiniMed and MiniMed Paradigm insulin pump lines. An attacker could remotely target these pumps to withhold insulin from patients, or trigger a potentially lethal overdose. And yet, months of negotiations with Medtronic and regulators to implement a fix proved fruitless,” she wrote. “So the researchers resorted to drastic measures. They built an Android app that could use the flaws to kill people.”
     “Rios and Butts, who work at the security firm, QED Security Solutions, had first raised awareness about the issue in August 2018, with a widely publicized talk at the Black Hat [cyber] security conference in Las Vegas,” Ms. Newman wrote. “Alongside that presentation, the Food and Drug Administration and the Department of Homeland Security warned affected customers about the vulnerabilities, as did Medtronic itself. But, no one presented a plan to fix, or replace the devices. To spur a full replacement program, which ultimately went into effect at the end of June [2019], Rios and Butts wanted to convey the true extent of the threat.”
       “We essentially just created a universal remote for every one of the insulin pumps in the world,” Rios told WIRED. “I don’t know why Medtronic waits for researchers to create an app that could hurt or kill someone, before they actually start to take this seriously. Nothing has changed between when we gave our Black Hat talk and three weeks ago.”
Killer App
     “Diabetes patients usually manage their own insulin intake,” Ms. Newman reminds us. “In the case of MiniMed pumps — and many others — they use buttons on the insulin device to administer doses, known as boluses. MiniMed pumps also come with remote controls, which basically look like car key fobs, and offer a way for caregivers or medical professionals to control the pumps instead from a short distance.”
     “But, as Rios and Butts discovered, it’s relatively easy to determine the radio frequencies on which the remote and the pump talk to each other,” Ms. Newman wrote. “Worse still, those communications aren’t encrypted. The researchers, who also include Jesse Young and Carl Schuett, say they found it easy to reverse engineer the simple encoding and validity checks meant to protect the signal, enabling an attacker to capture the fob’s commands. A hacker could then use readily available, open source software to program a radio that masquerades as a legitimate MiniMed remote, and send commands that the pumps will trust and execute. After establishing that initial contact, hackers can then control that radio through a simple smartphone app to launch attacks – similar to apps that can fill in for your television remote,” Ms. Newman wrote.
     “To target a specific insulin pump, an attacker would need to know its serial number to direct commands to the right place, like needing someone’s phone number to call them,” Ms. Newman explained. “But, the researchers added functionality to their malicious remote that runs through every possible device serial number again and again, essentially brute-forcing any vulnerable MiniMed pumps in the [immediate] area. The attack is limited to the general range of the remote; it can’t be executed from miles away. But, the researchers note [warned] that with a [commercially available] signal booster, you can cover a larger radius [attack space] perhaps a few yards instead of a few feet.”
     “There is no protection,” currently against this kind of hack, QED Secure Solutions’ Schuett told WIRED. “If you reverse engineer the signal, you can send your own signal clean enough for the pump to receive — you’ve now turned yourself into a key fob for an insulin pump,” he added. “An attacker could then simply press buttons in the app to repeatedly give a patient doses of insulin, or override a patient’s attempts to give themselves [the prescribed dose of] insulin.”
     “By default, the affected MiniMed models beep every time they dispense insulin, which might alert a patient to rogue pump activity,” Ms. Newman wrote — though I suspect a significant number of such patients would not catch these malicious alterations soon enough to prevent potentially fatal consequences. And she adds, “this kind of attack could happen relatively quickly, before a patient fully understands what’s going on. And, some patients prefer to disable the beep [feature] anyway.”
     “Medtronic has had similar cyber security issues with remotes and external programmers on other implanted medical devices, including certain models of its pacemakers,” Ms. Newman wrote. “The attack resembles those made against car key fobs — but the stakes are obviously much higher.”
Primed For Disruption
     “Both Medtronic and regulators acknowledge that there is no way to patch the flaws on the affected insulin pump models, or to completely disable the remote feature,” Ms. Newman wrote.  Rios told WIRED that “the research group presented its proof-of-concept app to FDA officials in mid-June of this year; Medtronic announced its voluntary recall program a week later,” Ms. Newman added. Susan Schwartz, the Deputy Director, and Acting Office Director at the FDA’s Office of Strategic Partnerships & Technology Innovation told WIRED “that the eventual recall was the result of extensive risk assessment, and analysis by Medtronic and the FDA.” I refer you to WIRED and Ms. Newman’s article for the full explanation of what Medtronic and the FDA did in determining what the best course of action was, to mitigate the potential for such hacks.
Click Here To Kill Everybody
     But, Ms. Newman’s article reminds me of Bruce Schneier’s 2018 book, “Click Here To Kill Everybody: Security And Survival In An Inter-Connected World.” Hannah Kuchler wrote a review of Mr. Schneier’s book, August 26, 2018, in the Financial Times. As Ms. Kuchler noted, “the early architects of the Internet did not want to kill anybody.” In describing the philosophy and sentiment in the early days of the Internet, Mr. Schneier, in his new book, quotes David Clark, a professor at the Massachusetts Institute of Technology, as saying: “It is not that we didn’t think about security. We knew there were untrustworthy people out there, and we thought we could exclude them.”
      “The clumsily-named, Internet-of-Things (IoT), which Mr. Schneier rechristens ‘the barely more elegant Internet+,’ is growing fast: between 20B and 75B devices could be online by 2020, depending on the estimate,” Ms. Kuchler wrote. “This [accelerated] mushrooming … hands more power to hackers, while cyber defenders struggle to protect the Internet,” Mr. Schneier warns. It is indeed a target-rich environment, as they say. As Kirkus Review noted in its review of Mr. Schneier’s new book, “the author argues that individuals must do their best to harden their own security — even as governments battle against encryption, anonymity, and other security measures by claiming the ‘Four Horsemen Of The Internet Apocalypse — terrorists, drug dealers, pedophiles, and organized crime’ will be the ultimate beneficiaries of secure systems.”
     Ms. Kuchler wrote that “Mr. Schneier skillfully guides readers through serious attacks that have happened already — and moves on to those he believes are just beyond the horizon. Unlike many in a cyber security industry that often uses fear to sell, Schneier is not a born fearmonger. Uncomfortable with the provocative title of the book, he calls it ‘hyperbole,’ and ‘clickbait.’ But the choice [title of his book] is justified with examples of ‘increasingly catastrophic’ future attacks, perhaps on all cars, or all insulin pumps from the same brand.” Or, greater, more devastating attacks on our SCADA, financial, and critical infrastructure.
Compartmentalized, gated, armored, camouflaged, deceitful, dangerous, wonderful, and resented, they all apply to the IoT’s future.

 Denial And Deception, Artificially Enhanced Stealth Malware, Stealth Clouds, Infected Clouds, Armored Clouds, “Gated,” Online Communities, A Dr. No In Cyber Space, Cyber Militias, A Dedicated Off-Net Movement are all experiencing their own versions of Moore’s Law.

     The growth of the Dark Web, the emergence of a ‘Dr. No’ in cyber space, and a completely off-the-net militia movement may all be in the World Wide Web’s future. The emergence of 3-D printing and virtual reality will lead to breath-taking advances across virtually every major domain in our lives: health care and treatment of disease, fighting wars, leisure and transportation, finance, and so on. But, one also has to assume that the Dark Web will evolve in ways we don’t anticipate and can’t imagine at this time.

     Will we see the first Internet serial killer — who can stalk his victims from the confines of his home or an Internet café? Will a ‘Dr. No’ emerge in cyber space — threatening global economies and selling his super malware to the highest bidder? Will cyber militias form and act on their own, without the support of the host nation; and, what do we do about it? Will something like the anti-tax, survivalist militia-type mentality spawn an Off-The-Net movement, dedicated to having no trace of their existence anywhere in cyber space? The cyber world is also likely to be spiky — and not all ‘animals’ on the digital farm will be equal.

 And, the creation of a lethal/catastrophic Cyber Weapon Of Mass Destruction may also be lurking in the not too distant future.

     Lots to consider and think about. V/R, RCP


