The Terrorist Hack that Shocked America – and Why it Matters
TWO SPOILER ALERTS: First, if you're one of the millions hooked on Showtime's Homeland series, read this after you have seen season 2 episode 10. And second, your faith in our wireless digital infrastructure is about to be shaken.
The scene in the recent Homeland episode could hardly be more frightening: the Vice President of the United States grabbing his chest and crumpling in his home office, located inside the Secret Service-fortified Naval Observatory in Washington D.C.
His death was the terrifying result of a pacemaker sent into super-fibrillation by a 20-something terrorist located continents away using his laptop and a stolen serial number to hack the wirelessly controlled medical device and instruct it to kill its host.
With his victim literally assaulted from within by a giant slug of voltage, Homeland's super-bad-guy terrorist, Abu Nazir, had orchestrated the death of a senior American official without falsifying one passport or wiring up one suicide bomber.
The plot twist was shocking enough. And the method? More shocking still – because it's quite possible, even plausible. How do we know?
Recently, one of our own "house hackers" at McAfee identified a similar flaw in wireless controls for belt-mounted insulin pumps in which he could gain control of the pump, bypass built-in safeguards and cause fatal results. Our demonstration of this hack at last year's RSA security conference could easily have inspired the writers' room at Homeland.
While these scenarios are extreme exceptions and designed for drama, they do bring into sharp focus a much larger societal issue now front and center in our new digital lifestyles.
The same wireless, mobile technology that is liberating almost every aspect of our daily lives brings risks that few may have anticipated, even as we marvel at our ability to organize our work, health, finances, travel and even home refrigerator temperatures from anywhere at any time.
Indeed, while cyber security companies, such as my own, have devoted vast resources to protecting highly structured, often hard-wired corporate networks, our growing profusion of wireless systems draws much less attention. Homeland's writers didn't know it, but they just sent a national wake-up call.
Pacemakers, pumps, defibrillators, operating room equipment, monitors, and some surgical instruments today can transmit data from a patient's body to medical professionals. But some of the wireless infrastructure they leverage will need to be accompanied by digital security safeguards.
Clearly we are not there yet. And the implications go way beyond the medical field. Financial systems, transport and power networks, and an increasing number of humble consumer retail transactions all are processed wirelessly today.
We have literally been down this road before. Recall the mid-century era known as the golden age of automobiles – when everyone had hulking, powerful, exciting cars.
As exciting as those cars were, they lacked virtually all the lifesaving "security" devices we take for granted today, including seat belts, airbags, third brake lights and crumple zones. Driving was a lot riskier.
Look at the state of wireless computing today as the digital equivalent of those glory days – exciting, but lacking the level of risk mitigation that will be needed, and soon.
One problem is that wireless networks are so dynamic and fast-evolving that cyber security measures have trouble keeping up.
Another is the rise of cloud computing; data in motion among devices is at higher risk.
Another challenge is the sheer profusion and diversity of wireless devices – one industry estimate predicts 20 billion worldwide by 2020. Each presents a potential toehold for a hacker. Add to this the fact that manufacturers of these wireless devices are not security experts but experts in the technology the device provides.
So it's time to stop thinking about protecting individual pieces of hardware, as we used to do in the PC era when good cyber security meant updating your desktop's virus definitions every month or so. It's time to start baking advanced security measures into the entire computing continuum, or, as it's called in the industry, "end to end" security.
I'm actually quite optimistic: judging from recent conversations I've had with government officials, academics, think-tank scholars and journalists all engaged in this national conversation on cyber security, I believe this realization is spreading quickly.
In the meantime, and not to disappoint the plotmeisters at Homeland who no doubt have plenty more surprises to satisfy their legions of viewers, let's not let unprotected and unsecured computer code cause the loss of any more fictional vice presidents.