A feature by Monte Reel and Jordan Robertson for Bloomberg Business looks at the world of security vulnerabilities in medical devices. The authors examine the findings of research carried out for the Mayo Clinic on the security of devices used on its premises. The results are sobering:
“For a full week, the group spent their days looking for backdoors into magnetic resonance imaging scanners, ultrasound equipment, ventilators, electroconvulsive therapy machines, and dozens of other contraptions. The teams gathered each evening inside the hospital to trade casualty reports.
‘Every day, it was like every device on the menu got crushed,’ Rios says. ‘It was all bad. Really, really bad.’ The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.
The Mayo Clinic emerged from those sessions with a fresh set of security requirements for its medical device suppliers, requiring that each device be tested to meet standards before purchasing contracts were signed. Rios applauded the clinic, but he knew that only a few hospitals in the world had the resources and influence to pull that off, and he walked away from the job with an unshakable conviction: Sooner or later, hospitals would be hacked, and patients would be hurt. He’d gotten privileged glimpses into all sorts of sensitive industries, but hospitals seemed at least a decade behind the standard security curve.”
Link: Full article on Bloomberg Business
PenTestPartners has revealed security vulnerabilities in the Smarter iKettle 2.0 which could allow a hacker to steal the owner’s Wi-Fi network key, potentially compromising all information on the owner’s home network.
Link: New Wi-Fi kettle, same old security issues? Meh.
The FBI has issued a warning in relation to the security risks that Internet of Things devices pose to consumers.
According to the FBI, the main security risks associated with Internet of Things devices are:
- exploitation of the Universal Plug and Play protocol (UPnP), the process by which a device remotely connects and communicates on a network automatically without authentication, to gain access to Internet of Things devices,
- exploitation of default passwords to send malicious and spam e-mails, or steal personally identifiable or credit card information,
- overloading the devices to render the Internet of Things devices inoperable, and
- interfering with business transactions.
The FBI offers tips on how consumers and businesses can protect themselves, for example:
- isolate Internet of Things devices on their own protected networks,
- disable UPnP on routers,
- purchase Internet of Things devices from manufacturers with a track record of providing secure devices,
- regularly update Internet of Things devices with security patches,
- if a device comes with a default password or an open Wi-Fi connection, change the password and only allow it to operate on a home network with a secured Wi-Fi router, and
- ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer. Many default passwords can be easily located on the internet.
Link: FBI announcement