David A. Wheeler's Blog

Mon, 23 Nov 2015

Ransomware coming to medical devices?

Forrester Research has an interesting cybersecurity prediction for 2016: We’ll see ransomware for a medical device or wearable.

This is, unfortunately, plausible. I don’t know if it will happen in 2016, but it’s pretty reasonable. Indeed, I can see threats... even if we can’t be sure that the ransomware is even installed.

After all, Dick Cheney had his pacemaker’s Wi-Fi disabled because of this concern (see also here). People have already noted that terrorists might use this, since medical devices are often poorly secured. The additional observation is that this may be a better way to (criminally) make money. We already have ransomware, including organizations who are getting better at extorting with it. Traditional ransomware is foiled by good backups; in this case backups won’t help, and victims will (understandably) be willing to pay much, much more. And I think that medical devices are actually a softer target.

With luck, this won’t come true in 2016. The question is, is that because it doesn’t show up until 2017 or 2018… or because the first ones were in 2015? DHS is funding work in this area, and that’s good… but while research can help, the real problem is that we have too many software developers who do not have a clue how to develop secure software… and too many people (software developers or not) who think that’s acceptable.

In short, we still have way too many people building safety-critical devices who don’t understand that security is necessary for safety. I hope that this changes - and quickly.
