Internet of Things (IoT) security – or lack thereof – is going to be front and center in 2017. One of the first reported IoT security concerns comes from the medical industry. The Food and Drug Administration announced that St. Jude Medical cardiac devices are at risk. According to PC Magazine:https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iThe agency on Monday confirmed flaws in the Merlin@home Transmitter, leaving embedded pacemakers and defibrillators open to attack. According to the FDA, an unauthorized user could remotely access a patient's radio frequency-enabled implant, then modify programming commands to quickly deplete the battery or administer inappropriate pacing or shocks.
The good news here is that St. Jude has released a patch for the software, even though they claimed the risks from the vulnerability were low. The bad news is that this is just the tip of the iceberg. As Moshe Ben Simon, co-founder and vice president at TrapX Security, stated in an email comment, challenges are similar to those faced by IoT medical devices made by the more than 6,500 medical device manufacturers in the United States. This is going to be difficult to control, Simon continued:
The large install base of medical devices has a long planned system life, and it will take several years and a combination of activities to improve their overall cyber resiliency and resistance to MEDJACK and other forms of attack. This is a function of budgets, both for the medical device manufacturer and the hospitals and will include necessary upgrades to existing devices as well as a redesign for new equipment yet to reach the market. In the interim, this still presents potential attackers with a large opportunity to exploit health care data, and one which will not diminish anytime soon.
Medical devices present unique situations because attacking them is literally a matter of life and death. But they are still IoT devices, and that opens them to other types of cybersecurity attacks. Is it far-fetched to consider medical devices subject to ransomware attacks? Javvad Malik, security advocate at AlienVault, told me in an email that we should expect an uptick in ransomware attacks against IoT in the coming months, adding:
… with IoT, in addition to impacting the data within the devices, ransomware can render physical functions inaccessible. For example, ransomware that infects a smart thermostat can turn up the heat to full unless a ransom is paid. Looking forward, smart cars and even smart cities may be targeted – and while real-life attacks have not yet been seen, the impact of ransomware on such utilities can be truly life-threatening.
I think it is a good sign that the FDA stepped in to monitor the IoT vulnerability situation. Going forward, there have to be watchdog groups that are looking out for the best interests of companies and consumers when it comes to IoT security.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba