The US Federal Bureau of Investigation (FBI) has issued a public service announcement warning that an increasing reliance on web-based technologies is creating new opportunities for cyber attacks from hackers. According to the FBI, these threats apply to a range of devices that fall under the category of the Internet of Things (IoT)—essentially any device, component or system that “connects to the Internet to automatically send and/or receive data.”
Examples of devices or systems vulnerable to cyber threats include “smart” appliances such as fitness wearables that track a user’s activity level, and healthcare-related technology such as wireless heart monitors, infusion pumps, and other medication-dispensing equipment.
A video caused a stir earlier this summer when it claimed to demonstrate that Hospira’s LifeCare PCA smart infusion pump was vulnerable to remote hacking, as reported by 24×7 in a May 18, 2015 article. According to the claim, once in remote control of the pump, a hacker could ostensibly alter the dose delivered to a patient. This particular example of a potential cyber attack turned out to be a hoax: the hacker later admitted that it was necessary to first connect physically to the device in order to alter the pump’s firmware, thereby opening a false back door to the pump’s programming.
In response to that video hoax, Hospira had issued a news statement in which it said “these demonstrated hacks were done in nonclinical environments without the security protections and protocols typical of real patient care settings” and that “for a hacker to successfully attack an infusion pump, [he or she] would likely need to remove the device from the clinical environment, modify the pump, and return the device to a clinical setting.”
Although the hackers were shown in that instance not to have remote access to the devices, the FBI advises that, with more medical devices moving outside strict clinical settings, healthcare facilities and others take steps to safeguard medical devices. In its alert about mitigating the risks of potential cyber attacks, the FBI makes a point of addressing all consumers in its recommendations, which include:
- Isolate Internet-connected devices on their own protected networks;
- Disable UPnP [Universal Plug and Play protocol] on routers;
- Consider whether Internet-connected devices are ideal for their intended purpose;
- Purchase Internet-connected devices from manufacturers with a track record of providing secure devices and, when available, update those devices with security patches;
- Be aware of the capabilities of the devices and appliances installed in homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router;
- Use current best practices when connecting Internet devices to wireless networks, and when connecting remotely to a device;
- Be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor; and
- Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer.
For more information, see the announcement on security and the Internet of Things (IoT) on the FBI website.