How the 'Internet of Things' could be fatal

Researcher Marie Moe woke up after emergency surgery in 2011 with a new pacemaker to correct a heart condition. What she didn't realize at the time was that the lifesaving device in her chest exposed her to a completely different kind of threat.

The pacemaker keeping her alive has wireless connectivity capabilities — a detail her doctors didn't tell her — meaning it could be hacked.

Moe was understandably disturbed that it never occurred to her doctors to tell her that her device had wireless capability, and they had not considered the security implications.

"They really had not thought about the pacemaker security at all," she said.

Vulnerabilities like Moe's are moving quickly from the rare to the extremely common. The FBI recently warned consumers that the proliferation of connected devices — from medical devices to security systems — means even more potential targets for malicious cybercriminals. That opportunity will be huge, as there will be more connected devices than humans by 2017, according to Gartner.

Security experts believe the tech industry needs to figure out how to secure the "Internet of Things" now, while the architecture is still being developed. That means building in features such as encryption, authentication and the ability to remotely update devices now, said experts.

"Software bugs could actually kill me," said Moe."That's something developers should have in mind when they write the code for these devices."

Moe is a hacker and Ph.D. research scientist at SINTEF in Norway, which carries out research in information and communication technology. She presented some of her findings at the RSA Conference in San Francisco on Friday.

After the surgery in 2011, Moe found a technical manual for her pacemaker online and discovered it had two different wireless communication interfaces (wireless connectivity can be very useful for patients in need of frequent follow-ups). Even though that capability was not active in her pacemaker, the potential — and the fact that she wasn't told — disturbed her.

"For me that was not the case, the functionality was not switched on and I was not informed," said Moe.

X-ray with pace maker.
Peter Dazeley | Getty Images
X-ray with pace maker.
"They really hadn't thought about the pacemaker security at all." -Marie Moe, SINTEF ICT research scientist

Frustrated with her doctors and the manufacturer of her pacemaker, Moe has turned her life's work into finding out more on behalf of all patients.

She has testified in front of the FDA and worked with grassroots organization I Am The Cavalry to develop a Hippocratic Oath for Connected Devices. Her goal is to force transparency into an industry where doctors are uninformed, code is proprietary and third-party access limited.

Moe would like an independent investigator to be able to access her pacemaker and its data, "in the case that I drop dead and it is because of my pacemaker," she said.


So far, there are no known cases in which malicious hackers have attacked a pacemaker, but researchers have proved it's possible. In addition, research firm Forrester has predicted that 2016 will be the year we see ransomware for a medical device or wearable.

The systems those devices connect to in hospitals often have a lot of legacy equipment — like MRI's and X-ray machines — running outdated operating systems and software that cannot be updated.

"It's about time hospitals started worrying about computer viruses, not just ordinary germs," said Moe.

"That's what we have to look at today, to invest in the area to make sure we are solving those problems today, not four years from now when the problem is too heavy to be solved," said Google vice president, security and privacy Gerhard Eschelbeck at the RSA Conference on Tuesday.

"It's about time hospitals started working about computer viruses, not just ordinary germs." -Marie Moe, SINTEF ICT research scientist

Of course, it's not just medical devices that pose a threat. Well-publicized car hacks by researchers have shown just how easy it is for hackers to take remote control of certain car models. Automakers are acutely aware of the liability issues surrounding connected vehicles and are working to build security into their systems.

It's the task of General Motors chief product cybersecurity officer Jeff Massimilla and his team of 70 cryptologists, mathematicians and certified ethical hackers, to look for vulnerabilities in their vehicles.

"With the addition of connectivity to the vehicle and potential automated driving systems, there's a responsibility to ensure that there's a cybersecurity posture that's appropriate for those systems, he said. "We take this very seriously."

The average GM car has 30 computers, all built by different partners and suppliers. (For example, a car stereo system may be integrated with Apple CarPlay or Android Auto.)

The General Motors logo on the world headquarters building in Detroit.
Getty Images
The General Motors logo on the world headquarters building in Detroit.

In January, GM launched a new bug bounty program and also has a partnership with start-up HackerOne. The goal is to encourage researchers to reveal bugs in the company's computing infrastructure and vehicles so it can patch problems and prevent hackers from exploiting those vulnerabilities.

Massimilla is also vice chairman of the Auto Information Sharing and Analysis Center (Auto-ISAC), a group of automakers that share vulnerability and threat intelligence across the industry and is developing a set of industry best practices. Legislation has also been passed to enable the industry to share threat intelligence to help car companies act more quickly on any new vulnerability or intelligence.

"We are, with many other industries, at a tipping point of cybersecurity posture of products and connected services," said Massimilla.

Of course, when weighing the adoption of connected devices, it's important to take into account the risks and potential rewards, said John Stewart, senior vice president, chief security and trust officer at Cisco.

"For the most part, all of this is going to be beneficial more than it's going to be endangering and risky," said Stewart. "This security conference has a tendency to think the whole world's going to melt down by tomorrow. [But] We're still here 20 years after we thought it was going to meltdown 20 years ago."

CORRECTION: This version corrects the name of the group of automakers sharing threat information from the Alliance of Automobile Manufacturers to the Auto Information Sharing and Analysis Center (Auto-ISAC) and Massimilla's position on that council from member to vice chairman.