So of course they will do the reverse
Expect to see a pacemaker using XOR encryption, a hard coded password of PACEMAKER, coded in C++ (coding offshored to India), running with full root access and no security log.
Medical devices shouldn't be hackable, so the IEEE has published the first steps towards laying down decent security practise for the sector. From the late Barnaby Jack's work on insulin pumps through to this month's "hackable infusion pump", this decade has seen growing interest in medical device vulns. Working with the IEEE …
The medical devices market is a very restricted field. Certainly if you're after medical software it's even worse. Basically there's a certain amount of "BT Syndrome" in that these companies don't need to have fantastic products because where else are you going to go? As the title says there's no incentive for these companies to spend time and money aiming for excellence when they just need to be good enough to flog to a captive audience.
My personal worry is that, as more and more devices are connecting wirelessly, the potential for attack grows massively. I can tell you from personal experience that even newer devices have old wireless crypto and authentication standards. Why bother updating it? It's "good enough". *sigh*
Presumably we need the medical device certification authorities to issue some smackdown and require these standards: that will soon provide the incentive. The certification process for medical equipment is pretty tortuous already (and I would be surprised if it ignored the software entirely); it just needs to include security, too.
The current set of standards for Medical Device Software (BS EN 62304) is hopelessly out of date and is so vague as to make it pretty much useless.
Let's hope they take the opportunity to completely re-write the standards when considering this and not just tack it on as an addendum.
Though not the gist of the paper (which rightfully tries to stop the crap from getting in there), there is also the big problem with correcting security woes found post-certification. So many vendors treat their med products as write-once (because patching requires re-certification).
Biting the hand that feeds IT © 1998–2019