What do all of these things have in common: implanted medical devices and critical care devices, factory robots, drones, autonomous vehicles, and Fitbits? All of them are connected through the Internet of Things (IoT), and all can be hacked.
In 2008, a group of researchers, led by Dr. Kevin Fu of the Archimedes Center for Medical Device Security at the University of Michigan, published an article showing it was possible to extract sensitive personal information from a pacemaker or to even threaten the patient's life by turning off/changing the pacing behavior.
The medical device industry got another wake-up call in 2015, when researcher Billy Rios demonstrated that drug infusion pumps had vulnerabilities, allowing unauthorized firmware updates that could administer lethal medication dosages. This led the US Food and Drug Administration (FDA) to issue the first-ever recall of medical devices due to cybersecurity vulnerabilities.
Another team from the University of Michigan, along with collaborators from the University of South Carolina, found that sensors in self-driving cars could be vulnerable to hacking by sound waves, fooling the accelerometers by playing a single tone at their resonant frequency. Fortunately, these attacks required close proximity and could not be carried out remotely.
Each of these hacks highlights a void between advancing technology and the potential for nefarious interventions. If a drone’s accelerometer is hacked, it falls from the sky. If an autonomous vehicle is hacked, the results from a single car could be devastating. Think about the potential impact of dozens or hundreds of cars on a freeway. Autonomous vehicles will need firmware patches across dozens of on-board computers. How will the validity of those updates be confirmed?
One approach is to leverage the distributed, encrypted technology of blockchain. Cars (or medical devices, trucks, delivery drones, etc.) could verify in real time the validity of updates by comparing their on-board encrypted signature to hundreds or thousands of identical computing platform nodes and against the manufacturers’ baseline signature (also distributed to multiple nodes). If there are discrepancies, predefined protocols would kick in. Such protocols would have to consider the potential disastrous results of an overreaction to anomalies—like shutting off medical injection devices or having hundreds of cars suddenly exit a highway—certainly, a cure worse than the illness.
IoT industries will have to overcome the very real issue of cybersecurity. The benefits are potentially so extraordinary that I’m confident they will, but every cybersecurity protocol begets thousands of hackers dead set on defeating it—maybe for self-satisfaction, or maybe as a terrorist plot. I think the core of any successful strategy will be the elimination of a single point of failure. Make it impossible to hack a single IoT device; make it impossible to hack a single control node. Blockchain technologies seem to have a strategy that would work, but the devil is in the details.
Jim Just is a Partner with IMERGE Consulting, Inc., with over 20 years of experience in business process redesign, document management technologies, business process management, and records and information management. Contact him at firstname.lastname@example.org or follow him on Twitter @jamesjust10.