Up until now, hacking and cybercrime have mainly involved either stealing money or stealing data. Hackers working independently tend to be interested in financial rewards. Nation-states tend to be more interested in corporate and political espionage (though North Korea has allegedly been hacking banks). Now, however, worrying signs are emerging that hacking could take a turn for the worse - with experts warning that terrorists or rogue states could begin to use cyber-warfare to kill people.
Early in November, reports emerged that cybercriminals can hack pacemakers in order to make them behave erratically - or even stop altogether. The problem is being highlighted currently, though it has been understood for some time within the cybersecurity industry.
In 2013, the former US Vice President, Dick Cheney, had the WiFi functions on his pacemaker disabled. His doctor had warned him that the feature could possibly be exploited to carry out an assassination attempt. Meanwhile, in August, the US Food and Drugs Administration suddenly ordered a voluntary recall of six different kinds of cardiac pacemakers.
Those devices are implanted in 465,000 citizens, meaning that cybercriminals could, in theory, kill half a million people by orchestrating an attack on their owners. It is not yet known how many people are heeding the FDA’s recommendation and going to have their devices fixed.
Thankfully, the devices don't need removing; they simply need to be flashed with updated firmware. As such, anybody who has (or knows anybody who has) an Abbot pacemaker (sold under the St Jude Medical brand) is strongly advised to go to their doctor for the security patch.
It is not just pacemakers, either. Late in October, Barnaby Jack, a security researcher at McAfee, made a speech at a hacking conference in Miami. In his presentation, Jack explained that he had discovered a method for hacking insulin pumps. Using the attack, hackers could deliver lethal doses of the peptide hormone to diabetic patients:
"With this device I created and the software I created, I could actually instruct the pump to perform all manner of commands. I could make it dispense its entire reservoir of insulin, which is about 300 units. I just scan for any devices in the vicinity and they will respond with the serial number of the device."
Fortunately, the attack discovered by the McAfee researcher can only be carried out from within a 300-foot range, meaning that a hacker wouldn't be able to remotely attack a large number of people. However, these medical device hacks all help to highlight the problems emerging within the developing implant industry.
As implant technology improves further, manufacturers and policymakers will need to think hard about the possible downsides of remote connectivity. This point is often raised by Liz McIntyre at CAMCAT, who feels strongly that policymakers must stay one step ahead of the implications attached to implant technologies.
Much Larger Death Toll
Hacking medical devices, or medical institutions, is an obvious way that cybercriminals could cause a loss of life. However, cybersecurity researchers are warning that there are other methods that could result in much larger numbers of citizens being killed.
The latest warning comes from a security researcher at New York University. Justin Cappos believes that any car designed since 2005 could theoretically be attacked by cybercriminals.
The attack, which the researcher believes isn’t currently ever investigated by the authorities, could cause a life-threatening crash. In fact, Cappos says that the vulnerability could already have been exploited in the wild without anyone even realizing. Cappos claims that the cyberattack should be treated as a severe threat to national security:
“If there was a war or escalation with a country with strong cybercapability, I would be very afraid of hacking of vehicles.
“Many of our enemies are nuclear powers but any nation with the ability to launch a cyberstrike could kill millions of civilians by hacking cars. It's daunting.”
The attack works by allowing cybercriminals to remotely stop brakes from working and turn off power steering. Cappos has an issued a strong warning to senators and government ministers around the world, explaining that security updates need to be issued and taken by drivers in order to fix the issue. If this advice isn’t taken, Cappos fears that we might see the emergence of these kinds of attacks.
According to his research, it's even possible that a coordinated attack on multiple cars, in many locations, all at one time could result in the death of millions of drivers:
"Once you are in the network you are able to communicate with any device so you could send a message to engage the brakes."
This isn’t the first time that this sort of research has emerged. In 2015, cybersecurity researchers Chris Valasek and Charlie Miller discovered that they could hack a 2014 Jeep Cherokee via its Uconnect infotainment system.
The hackers managed to remotely disable the brakes, turn up the radio’s volume, turn on the windshield wipers, tamper with the transmission, and even perform surveillance on the car. The research led Fiat Chrysler Automobiles to recall 1.4 million vehicles (11 models were affected in total).
Furthermore, Wikileaks documents leaked in March revealed that the CIA has known how to cause crashes by hacking cars for some time. According to those damning leaks, the cyberattack is almost undetectable and could have already been used to carry out “nearly undetectable assassinations.”
Title image credit: Akhenaton Images/Shutterstock.com
Image credits: Picsfive/Shutterstock.com, Gubin Yury/Shutterstock.com, IB Photography/Shutterstock.com