1. KemKev's Avatar
    From Canada's National Post - August 3, 2015.

    NEW YORK Graham Murphy is tinkering with an infusion pump as if he's adjusting the settings with his fingers. He isn't. Instead, he's using what he calls basic lines of malicious code to hack into the device, which is used to deliver medicine to patients. First he connects his laptop to the pump directly through a cable. Then he logs in remotely via a Wi-Fi connection, breezing by security both times because, well, there isn't any. No ID to guess (it was available online). No firewall to breach. No system, it seems, to detect his presence.

    Once he's virtually inside the pump, which is dispensing a blue liquid into a plastic cup, he can alter the dosage, access private patient data and use it as a bridge to try to gain access into the rest of a hospital's IT network. Less than 10 minutes pass when a word adorns the pump's digital display in blood-red letters. "DEAD," it reads.

    "Graham, you killed the patient," a concerned David Kleidermacher, chief security officer at BlackBerry Ltd., says to Murphy, one of the company's U.K.-based security specialists. A crowd, watching them in a hotel conference room in midtown New York City, bursts into laughter. "Sorry, Dave," Murphy jokingly replies.

    No one, of course, died on that mid-July morning because no patient was being treated. The performance was, instead, a live hacking demonstration that BlackBerry staged at its annual security summit, where its top brass boast about their security offerings and pedigree in keynote speeches and product trials.

    But the message the Waterloo, Ont.-based company sends is clear: A medical infusion pump, or other device, can be easily compromised while it's trying to provide life-saving care for your patient, your child or your insuree at any hospital or home, and it's time to do something about it, with BlackBerry's help, of course.
    Read the rest here -> How BlackBerry Ltd is working to make shoddy IT security illegal | Financial Post
    08-05-15 11:04 AM
  2. DaedalusIcarusHelios's Avatar
    Very interesting. I'm glad to see BlackBerry is really looking to ramp up the security side of their business and hopefully they can make things better and profit from it too.
    08-05-15 11:20 AM
  3. Dunt Dunt Dunt's Avatar
    First he connects his laptop to the pump directly through a cable.
    First, can he get direct physical access to hospital equipment?
    Second, can he get access to the hospital's internal network?

    There is a big difference in pulling off something in a lab and doing it in the real world. But there are other dangers to some of this outdated medical equipment in hospitals..... MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks | Computerworld

    But I do agree that there should be standards set up and that priority should be given to the security of all sorts of IoT connected equipment (even if it isn't meant to be exposed to anything but an internal network). From medical equipment to the electrical meter on your house... I think the real issue is that many of these devices are fairly old and the OS used does not meet the security standards of today. These devices have to be designed to receive regular updates.

    That is something BlackBerry wants to do.... but so do a number of other companies.
    08-05-15 11:21 AM
  4. rennardd's Avatar
    An infusion pump. Yes, you can very easily get direct access to an infusion pump. Have you walked into a hospital lately? There is virtually no security overseeing who is stepping onto what floor and into whose room. You can easily sit beside any patient and infusion pump without anyone knowing.

    Posted via CB10
    08-05-15 12:30 PM
  5. KemKev's Avatar
    An infusion pump. Yes, you can very easily get direct access to an infusion pump. Have you walked into a hospital lately? There is virtually no security overseeing who is stepping onto what floor and into whose room. You can easily sit beside any patient and infusion pump without anyone knowing.
    That is scary....very scary.
    08-05-15 02:13 PM
  6. ALToronto's Avatar
    We were looking at insulin pumps for my son, and a couple of manufacturers were promoting remote controls for them - Bluetooth devices with which you (i.e. parents) can adjust the dosage while the kid is playing soccer or whatever. Not a word about security. These are about as secure as remotes for gas fireplaces. It's very scary, and it's what happens when subject matter experts (in this case biomedical engineers) are allowed to work without oversight. And this is after there have been several cases of pacemaker tampering.

    Needless to say, we are looking for a pump that doesn't have Bluetooth connectivity, period, and we may be stuck with old technology as a result. Maybe BlackBerry will come up with something soon!

    Posted via CB10 from my awesome Passport
    08-05-15 04:58 PM
  7. DenverRalphy's Avatar
    An infusion pump. Yes, you can very easily get direct access to an infusion pump. Have you walked into a hospital lately? There is virtually no security overseeing who is stepping onto what floor and into whose room. You can easily sit beside any patient and infusion pump without anyone knowing.

    Posted via CB10
    To be fair though... The issue is having access to the patient's room. Who'd waste time hacking into the pump? Once you're there, it'd be more efficient to simply dump an extra extreme dose manually or drop poison into it. Get in, get out. Which is what anybody would have to do anyway if the computer access was secured and locked down.


    Penned via Tapatalk
    08-05-15 05:26 PM
  8. paranee2's Avatar
    My understanding,
    If experts say there is concern, there's definitely got to be something to it. Unlike us, we are not specialized or experts in that area, so better not to underestimate it or be overconfident.

    Posted via CB10
    08-05-15 09:59 PM
  9. Double_J75's Avatar
    To be fair though... The issue is having access to the patient's room. Who'd waste time hacking into the pump? Once you're there, it'd be more efficient to simply dump an extra extreme dose manually or drop poison into it. Get in, get out. Which is what anybody would have to do anyway if the computer access was secured and locked down.


    Penned via Tapatalk
    If you wanted to kill someone there are easier methods than hacking. But would it look as subtle? Would anyone expect the device to be hacked or would you just assume that it was set incorrectly.

    I also think the data is likely more important. The hospital is likely full of information that has value to the right person.


    Posted via CB10
    08-06-15 08:08 AM
  10. Dunt Dunt Dunt's Avatar
    My understanding,
    If experts say there is concern, there's definitely got to be something to it. Unlike us, we are not specialized or experts in that area, so better not to underestimate it or be overconfident.

    Posted via CB10
    Depends on if the experts get paid more for "sounding a warning".

    Does this need to be looked at and possible changes made.... probably so. Never hurts to have standards in place.

    But many times these "experts" leave out some of the facts.

    Many times they are using "unpatched" equipment to achieve their goals, equipment that should have long been updated to prevent this.
    They could be leaving out that the equipment is designed to log all access, making tampering traceable.
    The fact that access to the internal network would need to be gained.

    Like in most every legal case.... there are experts on both sides of the fence, and neither wants to tell you the whole truth.

    Right now I'd be more worried about a nurse that has worked two shifts punching in the wrong dosage than some hired tech assassin.
    asherN and mikeo007 like this.
    08-06-15 09:12 AM
  11. ALToronto's Avatar
    The goal of hackers is not to kill people, it's to get money. Why bother with the mess of an actual kidnapping when you can get control of a medical device and hold the patient for ransom?

    But regardless, there are sociopaths who would consider it entertainment to gain control of someone's medical device.

    Posted via CB10 from my awesome Passport
    08-06-15 10:25 AM
  12. lactose's Avatar
    Although medical devices are held to a higher standard than buggy consumer electronics, consider that medical device manufacturers are allowed to do their own verification / validation. Nothing could go wrong here. (Disclaimer: I work in this industry).
    08-06-15 11:08 AM
  13. Dunt Dunt Dunt's Avatar
    Which is why some new standards might be a good idea.

    But that is also why you have to sign a dozen forms when you go to a new doctor, so he can send and receive files between different labs and testing facilities using plain old email. I asked, and if they can't use the email.... they can't treat you. So it's funny how they get around standards... they just put the burden on the patient and have them sign off.
    08-06-15 12:32 PM
  14. Prem WatsApp's Avatar
    First, can he get direct physical access to hospital equipment?
    Second, can he get access to the hospital's internal network?
    All he needs to do is plug in an ethernet-to-wifi adapter into the RJ45 port and walk away.... *eek* ;-)

    (this one needs some USB power, but easily solved with a small USB power pack: http://www.amazon.com/Wireless-Dream...UvbUpU11851333 )

      BB10 -- Finger flickin' good... in any form factor!  
    08-12-15 05:11 PM
  15. Dunt Dunt Dunt's Avatar
    All he needs to do is plug in an ethernet-to-wifi adapter into the RJ45 port and walk away.... *eek* ;-)

    (this one needs some USB power, but easily solved with a small USB power pack: Amazon.com: Wireless Wifi Bridge Dongle Wireless Access Points AP for Dreambox Xbox PS3 Network Printer Router ADSL IP Camera (Support Microsoft Windows Linux MAC OS ): Computers & Accessories )

    •   BB10 -- Finger flickin' good... in any form factor!   •
    And what happens if IT gets a notification of an unknown MAC address being plugged in?
    What happens when they start checking all the CCTV surveillance?
    Are you sure which network to connect to? Best place would be some back office... but that probably isn't the same network medical equipment is connected to. You'd have to go to a nurses' station or into a room to set this up.... and it would be hard to hide it when most of those jacks are up in plain view.

    It would be possible, but there are just easier ways to "hurt" someone without exposing yourself.
    08-13-15 10:39 AM
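    The reply above asks what happens when IT is notified of an unknown MAC address appearing on a port. The following is an added example, not code from the thread, from BlackBerry, or from any switch vendor: it shows one simple way such a notification could be produced from switch logs. The log line format, the switch name, the inventory of approved device MACs and every MAC value are constructed for the example and are not real identifiers.

```python
"""
Flag unknown MAC addresses learned on access-layer switch ports, and note
when one shows up on a port where an approved device (such as a pump) was
previously seen, which is what an inline bridge or dongle would look like.

Added illustration; the log format and all MAC/port values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory (assumption: the hospital keeps a list of approved
# device MACs). These MACs and names are made up for the example.
APPROVED_DEVICES: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "infusion-pump-ward3-bed12",
    "00:1a:2b:3c:4d:5f": "nurse-station-pc-ward3",
}

# Constructed syslog lines in a generic "MAC learned on port" shape.
SAMPLE_LOG = """\
Aug 13 10:31:02 sw-ward3 MAC-LEARN: 00:1a:2b:3c:4d:5e learned on Gi1/0/12 vlan 210
Aug 13 10:35:47 sw-ward3 MAC-LEARN: a4:5e:60:11:22:33 learned on Gi1/0/12 vlan 210
Aug 13 10:36:10 sw-ward3 MAC-LEARN: 00:1a:2b:3c:4d:5f learned on Gi1/0/04 vlan 210
Aug 13 10:40:03 sw-ward3 LINK-DOWN: Gi1/0/12
"""

# Matches only the MAC-LEARN events; other event types are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) MAC-LEARN: "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) learned on (?P<port>\S+) vlan (?P<vlan>\d+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    switch: str
    port: str
    vlan: int
    mac: str
    # Approved device most recently seen on the same switch port, if any.
    displaced: Optional[str]


def find_unknown_devices(log_text: str,
                         approved: Dict[str, str] = APPROVED_DEVICES) -> List[Alert]:
    """Return one Alert per MAC-LEARN event whose MAC is not in the inventory."""
    alerts: List[Alert] = []
    last_approved_on_port: Dict[tuple, str] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        port_key = (m["host"], m["port"])
        if mac in approved:
            # Remember which approved device lives on this port.
            last_approved_on_port[port_key] = approved[mac]
            continue
        alerts.append(Alert(
            timestamp=m["ts"],
            switch=m["host"],
            port=m["port"],
            vlan=int(m["vlan"]),
            mac=mac,
            displaced=last_approved_on_port.get(port_key),
        ))
    return alerts


if __name__ == "__main__":
    for a in find_unknown_devices(SAMPLE_LOG):
        where = f"{a.switch} {a.port} (vlan {a.vlan})"
        note = f", same port as {a.displaced}" if a.displaced else ""
        print(f"{a.timestamp} unknown MAC {a.mac} on {where}{note}")
```

    Running the block on the constructed log raises a single alert for the unfamiliar MAC on Gi1/0/12, annotated with the fact that the approved pump was the last known device on that port. A MAC allowlist is only a first-pass signal, since MAC addresses can be set to anything by the device owner; in practice it is paired with port security or 802.1X on the switch and with a physical check of the jack, which is what the CCTV question in the reply above gets at.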
  16. BBPandy's Avatar
    First, can he get direct physical access to hospital equipment?
    Second, can he get access to the hospital's internal network?
    Actually, during the hack they pointed out that the pump also had wifi & could be done remotely. I suspect that the reason they did it via the cable is that wireless signals are notoriously unreliable in crowded rooms with a couple hundred / thousand people with all their wireless equipment.


    Posted via CB10
    08-13-15 11:24 AM
  17. Prem WatsApp's Avatar
    And what happens if IT gets a notification of an unknown MAC address being plugged in?
    What happens when they start checking all the CCTV surveillance?
    Are you sure which network to connect to? Best place would be some back office... but that probably isn't the same network medical equipment is connected to. You'd have to go to a nurses' station or into a room to set this up.... and it would be hard to hide it when most of those jacks are up in plain view.

    It would be possible, but there are just easier ways to "hurt" someone without exposing yourself.
    The pump is dumb, as far as I understand, and does not send any notifications. :-)

    If you've watched the video, they only use the ethernet to get connected once, then they disconnect - once they are on the pump's wifi.
    So that dongle I suggested is only needed for less than five minutes. If using a really small one nobody would notice.

    As far as I understand, the pump is on no network; the ethernet port is just an open service port with its own IP, the same way you connect to 192.168.0.1 via ethernet to access and configure your home router the first time. After that, you can pull the cord once your wifi is up.




      BB10 -- Finger flickin' good... in any form factor!  
    08-15-15 04:02 AM
  18. Prem WatsApp's Avatar
    To be fair though... The issue is having access to the patient's room. Who'd waste time hacking into the pump? Once you're there, It'd be more efficient to simply dump an extra extreme dose manually or drop poison into it. Get in, get out. Which is what anybody would have to do anyway if the computer access was secured and locked down.


    Penned via Tapatalk
    Quite a few companies get hacked by social engineering, someone shows up as plumber, tech, electrician, etc., plugs in his spiked USB dongle, walks out again.

    Doing / catching that is usually part of a penetration testing routine. These services are available and can be booked on demand. :-)

    Sure, this demo was about device security, not physical security.


      BB10 -- Finger flickin' good... in any form factor!  
    08-15-15 04:13 AM
