Vulnerabilities in devices that are not typical hardware or software are often not fixed.
Speaking to IT Security Guru, Cris Thomas who was SpaceRogue in the hacker space L0pht and was appointed as technical manager of Tenable in January, said that the race to find vulnerabilities and earn money has led to security issues being found in technologies where they didn’t exist previously, or where no-one thought to look for them before.
He said: “So you have people looking for security issues in things such as security cameras, cars or medical devices where people’s lives are at stake, and these sort of devices either didn’t have the technology in them that they did ten years ago that would enable them to be broken into, while now you have people putting Bluetooth in heart pumps for no good reason and it creates an avenue of attack.
“Consumers want a feature set but they do not go and do the rigorous testing that is needed to get those devices secure enough out there in the public.”
In particular, if a company is building an insulin pump or a blood pressure monitor or other devices used in the hospital or in the home that affects your life and that your life depends on, then there is no pressure to fix issues in them.
“There are examples where a vulnerability has been found in a medical device and it is reported and the vendor doesn’t feel like they need to fix it, and there is nobody to force them to do so,” he said.
“You can threaten to report them to the press, but if it is a small device the press is not going to care and the vendor gets off, the customer never knows. So they are still shipping vulnerable products with multiple vulnerabilities that will never get fixed, that the customer doesn’t know about and doesn’t care. Lives are at stake as it is some kind of medical device.”
Thomas said that this highlights an issue in the “Internet of Things” as everything is connected to the internet and the technology can be circumvented or compromised. He also said that everything needs to be tested at least before it is shipped, if not after, and vendors need to be held accountable for things that they ship.
Commenting, Peter Wood, ISACA member and CEO of penetration testers First Base Technologies said: “It will only take imaginative attackers to use them to screw things up.
“Business and manufacturer doesn’t think about security and the user doesn’t care until there is an issue. It is just happening and creeps up on us. When we see people hacking cars, ATMs and the like, there will be opportunity for that sort of behaviour.”
