Implanted medical device.
Hospital critical care devices.
What do they have in common? All are part of the Internet of Things (IoT). All can be hacked.
In 2008 a group of researchers, led by Dr. Kevin Fu of Archimedes Center for Medical Device Security at University of Michigan, published an article showing that it is possible to extract sensitive personal information from a pacemaker or even to threaten the patient's life by turning off or changing the pacing behavior.
The medical device industry got another wake-up call in 2015 when researcher Billy Rios demonstrated that drug infusion pumps had vulnerabilities that would allow unauthorized firmware updates that could give patients lethal medication dosages. This led to the FDA (US Food and Drug Administration) issuing the first-ever recall of medical devices due to cyber security vulnerabilities.
Another team from the University of Michigan with collaborators from the University of South Carolina found that sensors in self-driving cars could be vulnerable to hacking by sound waves. The research team figured out that they could fool accelerometers using sound waves—in particular, a single tone played at an accelerometer’s resonant frequency. Fortunately, these attacks required close proximity and could not be carried out remotely.
Each of these hacks highlights a void between advancing technology and the potential for nefarious interventions. If a drone’s accelerometer is hacked, it falls from the sky; if an autonomous car is hacked? The results from a single car invasion could be devastating; what about dozens or hundreds of cars on a freeway? Autonomous vehicles will need firmware patches across dozens of on-board computers – how will the validity of those updates be confirmed?
One approach would be to leverage the distributed, encrypted technology of blockchain. Cars (or medical devices, trucks, delivery drones, etc.) could verify in real‑time the validity of on-board code and update it by comparing their on-board encrypted signature to hundreds or thousands of identical computing platform's nodes and against the manufacturers’ baseline signature (also distributed to multiple nodes). If there are discrepancies, predefined protocols would kick-in. The protocols would have to consider potential disastrous results of an overreaction to anomalies – such as shutting off medical injection devices or having hundreds of cars suddenly exit a highway – the cure worse than the illness.
IoT industries will have to overcome the very real issue of cybersecurity; the benefits are potentially so extraordinary I’m confident they will be successful but every cyber security protocol begets 1000 hackers dead set on defeating it – maybe for self- satisfaction, maybe as a terrorist plot. I think the core of any successful strategy will be elimination of a single point of failure; make it impossible to hack a single IoT device; make it impossible to hack a single control node. Blockchain technologies seem to have a strategy that would work but the devil is in the details.
Next post I’ll look at Information Governance and Blockchain.