No, you don’t have to check your calendar, it is not April Fools Day and Yes, they really do want to do that. Along with the rest of your medical devices.
Some of you may remember that when Dick Cheney was Veep, they modified his pacemaker so that the bad guys couldn’t take him out by manipulating it.
Pacemakers and other medical devices are really just a specialized version of Internet of Things (IoT) devices and, like them, their manufacturers are more concerned about FDA approval (or sales) than hackers.
Richard Ledgett, the NSA’s Deputy Director and chief operating officer spoke at the Defense One Tech Summit last month in Washington. He said that they are looking at it from a theoretical point of view right now. I think that means that they have not figured out how to exploit them yet. He said that it would not be one of their core intelligence tools; rather it would be a niche kind of thing.
As I said, a pacemaker is just a specific instance of an IoT device and Ledgett said that they are looking at information from any Internet connected device.
James Clapper, the Director of National Intelligence, said in a Senate hearing in February that devices connected to the Internet could be useful “for identification, surveillance, monitoring, location tracking and targeting for recruitment, or to gain access to networks or user credentials.”
That seems like a pretty good list of uses to me. They are going to need to figure out exactly how to exploit them, but it sounds like they are already working on the problem.
To be clear, that is their job and as long as they don’t break the law, it certainly is a legitimate way to gain intelligence.
As long as IoT device manufacturers don’t improve the security of their devices, it may not be a very difficult task to hack them.
Unfortunately, that means, not only the NSA, but the Chinese and North Koreans can hack them, not to mention commercial hackers who might, as they did in Ukraine last December, when they took over the electric delivery system and turned off the power and heat in the middle of the Ukraine winter. Those hackers were only interested in damaging the infrastructure. What if, instead, they decided turn off the electricity or water in a city until a ransom is paid or some other demand is met? While I am less concerned about the NSA doing that – at least in the US – I am less confident that the North Koreans or other commercial hackers will play by the rules, whatever the rules are these days.
Information for this post came from The Verge.