Saturday, 5 December 2015

This is troubling.  A woman is rightly worried about the security of her pacemaker.  Doctors blither on about how they are totes safe, honest.  Manufacturers refuse to release source code.  It's a nightmare.

There's no good reason for manufacturers to not publish their code.  There's no commercial advantage I can see in keeping it secret unless they, too, are concerned about security.  By which I mean they are incompetent.
While nations spend hundreds of millions defending critical infrastructure from cyber-attacks, Marie wonders if the computer inside her is secure and bug-free - she still hasn't been able to find the answer.
It's not as though she has a choice about whether to have that device in her.  It's not as though she can easily pick and choose the manufacturer of the machine that keeps her alive.  You'd think she'd have a right to inspect the hardware and software of the device she has no choice but to wear under her skin.  It's not even as though the thing is doing anything secret or obscure (I hope).

We know that open sourcing is an excellent way to find bugs and security flaws.  If I had a pacemaker and access to it's source code, damn fucking right I'd inspect it in minute detail.  If the companies that make these things aren't confident enough to publish their code and wiring diagrams, we should be very frightened indeed.
When Marie first had her pacemaker fitted she downloaded the manuals. She discovered it had not one, but two wireless interfaces.
One enables doctors to adjust the pacemaker's settings via a near-field link. Another, slightly longer-range, connection lets the device share data logs via the internet.
That last sentence is... unsettling.  What networks is this damn thing connecting to?  It shares data logs with whom? What data?  Why?
Hearts are now part of the Internet of Things, she realised.
This is an important point.  It's reasonable to ask what the pacemaker manufacturers are really selling.  Or the hospitals, for that matter.  Who gets this data and what do they do with it?  Nobody seems to know.
He believes hacking is a purely theoretical risk: "The only significant effort I've seen took a team of people two days, being within 20cm of the device, and cost around $30,000."
Yeah, that's bullshit.  Want to bet that I couldn't do it with a soldering iron and a few weeks of my time?  Want to bet that almost all of that money wasn't salary for the researchers?  What the fuck is a "theoretical risk" anyway?  It's a risk or it's not.  If someone can hack a pacemaker, they will.

"The good news is that this model is no longer sold and the risks have been addressed," he told the BBC's PM programme.
Oh, that's good news, is it?  The hackable device has been replaced by ones that might also be hackable?  The fact that we don't know whether pacemakers are hackable or not is somehow good news?
In general security is better. It's not a completely solved problem but businesses have "learned quite a bit over the last seven or eight years in improving security engineering", he said.
Um.  Yeah, that's weird.  The guy is talking about security in general but talking about a product that could not possibly be more specific.  The 'fact' that businesses in general have a better handle on security these days (and the scare quotes should tell you that I don't believe they have) says exactly nothing about the security of any particular device.
Marie Moe is careful not to overstate the risk of hacking - she fears programming mistakes more. 
Not long after having her pacemaker fitted, she was climbing the stairs of a London Underground station when she started to feel extremely tired. After lengthy investigations, Marie says, a problem was found with the machine used to alter the settings of her device.
 I hope it wasn't Covent Garden. I once had to walk up those stairs and there are a lot. Marie is right.  She has no idea whether the device keeping her alive is any good and there's not much she can do about it if it turns out it's shit.  And apparently it's not just the device itself but the others that talk to it that might have a problem.  And that's assuming zero human error for overworked and underpaid doctors....
"It's a computer running my heart so I really have to trust this computer and it's a little bit hard for me because I don't have any way of looking into the software of this device."
Marie would like to see more third-party testing. She's a member of I Am the Cavalry, a grassroots organisation that works on cybersecurity issues affecting public safety.
Worryingly, I wasn't previously aware of this organisation.  It sounds like something I should know more about.
The challenge, according to Kevin Fu, is to find a compromise between the commercial interests of manufacturers anxious to protect their intellectual property and the needs of researchers.
But that isn't the problem at all, is it? The problem is that devices people need to keep them alive might be hackable.  There's no intellectual property here and who in all of fuck are these "researchers"?  The 'compromise' Kevin Fu suggests doesn't even involve the patient, who you'd think might have some sort of interest in the whole business.  

And it's not a challenge.  Write good code, make good hardware, publish the details, learn from your mistakes.  Cheap knockoff pacemakers are not your competition and your intellectual property is worth exactly fuck all.
Andrew Grace says the devices are "transformative"; if you need one, he and Marie agree, you shouldn't be put off by colourful cyber-assassination tales in TV dramas. But that doesn't mean security isn't important.
Unbelievable. Yeah, you shouldn't be put off installing a device that makes you not dead because of security concerns, but dismissing legitimate security concerns as fancy is horrifying. 
Andrew's colleague, cardiologist Simon Hansom believes security has to be a priority.
I'm glad that someone vaguely involved gives at least some lip service to security but I'm unimpressed.  The BBC can do better than this and I'll be contacting the journalist, Chris Vallance, in the hope that he'll follow the story up by interviewing some people who are a little more informed.

No comments:

Post a Comment