Today I stumbled upon an extremely disturbing article that hit the mainstream. At least the “Wired” mainstream.
In early August, the enterprise security firm Armis got a confusing call from a hospital that uses the company’s security monitoring platform. One of its infusion pumps contained a type of networking vulnerability that the researchers had discovered a few weeks prior. But that vulnerability had been found in an operating system called VxWorks—which the infusion pump didn’t run.
Today Armis, the Department of Homeland Security, the Food and Drug Administration, and a broad swath of so-called real-time operating system and device companies disclosed that Urgent/11, a suite of network protocol bugs, exist in far more platforms than originally believed. The RTO systems are used in the always-on devices common to the industrial control or health care industries. And while they’re distinct platforms, many of them incorporate the same decades-old networking code that leaves them vulnerable to denial of service attacks or even full takeovers. There are at least seven affected operating systems that run in countless IoT devices across the industry.
“It’s a mess and it illustrates the problem of unmanaged embedded devices,” says Ben Seri, vice president of research at Armis. “The amount of code changes that have happened in these 15 years are enormous, but the vulnerabilities are the only thing that has remained the same. That’s the challenge.”
Translation. This means that most systems that are used for your medical care are being hacked as I write this. If not now, soon.
Further, this is not a manageable problem. It gets scarier. If hospitals and ICR units were to throw out their existing hackable systems and replace them with BRAND NEW products, they would still be hackable. While there has been enormous change in the usability and the functionality of these devices in short periods of time, security is ALWAYS an afterthought. Nobody wants to pay for security. It should be included.
It’s not. It will never be.
It’s called Biohacking. Adding security to BioTech to prevent Biohacking (and everything else) is an Identity Problem. We need an Identity Metasystem (as Phil Windley so articulately outlines).
Here is the disconnect. Identity is complicated and highly political. All the big boys (Google, Microsoft, Apple, Facebook [I would add IBM but they don’t matter anymore]) want to “own” your identity. Silliness. It will never happen.
In the meantime, we are all at high risk.
You think Biotech is the only problem? Think again.
It goes on forever.
Try cell phone systems. Not cell phones. But cell phone tech. The towers. The system that your phone uses for seamless connectivity. It will be hacked. Not if. But when.
In a recent series of blog posts by Phil Windley, the concept of a self-sovereign identity system is introduced.
The purpose of SIS is just what it sounds like: an independent identity system managed by users.
The series leads up to the announcement last week of Sovrin.org. (But I will get to that later.) Since these are in a series of blog posts, they are in reverse chronological order. So here they are in order.
- Service Integration Via a Distributed Ledger
- Governance for Distributed Ledgers
- An Internet for Identity
- Self-Sovereign Identity and the Legitimacy of Permissioned Ledgers
Some of these are lengthy. The topic is complicated, but fundamental to the future. Take your time. Don’t let TL;DR syndrome sidetrack you.