How Safe is the IoT?

We look at the recent situation at Abbott and get a comment from the new kids on the block, Tridentify AB (www.tridentify.se), Sweden.

At a time when Abbott Laboratories has been the subject of stinging criticism from the US FDA for failing to properly investigate and resolve risks related to its implanted heart devices, including cybersecurity threats and a battery malfunction linked to two patient deaths, it’s important to take a measured view and ask: are all devices that contain a battery and can send information likely to run into these same problems?

Not according to new Tracer developers Tridentify, based in Stockholm and Gothenburg, and their CIO Leif Sandvik. It all depends on whether you have actual patient data. Simple tracking of information and pure functionality should not be an issue. This is what he says about how Tridentify solves these aspects:

“It is correct that we use AES-128 for all communication in QTA Tracer System, but the most important thing is that we do not use any patient data in the system for the moment. This means that we actually do “not have any” data to protect even if we do it.😬

If a battery should fail, the tracer will reset and the red LED will flash. If the battery is drained no LED will flash and according to the manual the product should be handled as expired.”

But Johan Snis, former Abbott Marketing Manager and new Commercial Director at Tridentify, goes further: he says there will always be some element of risk, but this is manageable:

“I would say that secure data is an important topic when entering IoT or IoMT as med tech has their own abbreviation.
Hospitals were one of the last “industries” to internetify themselves and still they are a bit behind in knowledge and technology, including security. But patient data is now, in most countries, in digital format on databases accessible from interhospital networks. So if healthcare already has accepted that evolution they cannot void themselves against IoT. And they shouldn’t, since this is the most prominent way to personalize healthcare and keeping patients at home or specialist clinicians on remote locations.

However, data security is important. All data transferred to and from QTA is done using AES-128, Advanced Encryption Standard. The encryption uses a 128-bit key and it gives 3,4×10^18 possible key combinations.
If we would use the fastest supercomputer in the world it would take it approx 1 billion billion years to crack the encryption. The universe is 13.75 billion years old as we speak.
If we assume that every person on the earth has 10 computers each and all of them would be used to crack the encryption it would take 77,000,000,000,000,000,000,000,000 years.

So data transfer can be secure. The above argument doesn’t say that it cannot be broken but that it will be tough. On the other hand it is possible to break into a hospital, it is possible to disguise as a doctor and give poison to a patient. Paper journals are possible to steal and forge…and so on.

For me the discussion has to be open minded. Yes it is very important to have a secure future system! On the other hand, the systems used today are not foolproof or “pentagon” secure.”

Focus on the Internet of Things

How IoT may be the worst of all options.

The idea that we can boil our kettle at home while flooring it down the motorway prior to arrival has long been the stuff of geek dreams. Its beauty is in its simple, home-craft image: how nice and unthreatening is this? If IoT is all about kettles and making cups of tea, well, what’s wrong with that?
And it goes on, at a much deeper level, into how whole “cities” are now becoming Smart Cities. This is an energy-conserving Utopia at a corporate level, if you will, as opposed to a personal level. Whole new divisions are being created at some of the world’s leading IT consulting houses to work out how they can deliver, using our love of and total dependence on mobile and internet connectivity, a world where we are In Control, from anywhere.
In the UK and other parts of Europe, we can moderate our central heating using our mobile phone and, so goes the argument, we can modify, i.e. reduce, our heating bills to cope with sudden sunny days and so forth.
My friend has a new car where, in the frozen climes she inhabits, she can switch on the heated seats some twenty minutes before she gets in. And whilst I am jealous and actually impressed, the question is: do we actually want all this? Just how much usefulness, and how much time and money saving, will all these facilities give us, and how much extra competence will be gained?
I ask this because for a start, I rarely change my central heating settings from one year to the next, let alone day by day. And judging from the number of times I receive rogue emails in one day, do I really want some central wifi being involved in my domestic life, however useful this might appear for the greater good? Because, if current life is anything to go by, if the Internet is involved, then our lives can be hacked.
We are not alone in voicing these concerns. Oren Dvoskin at Sasa Software says it like this:
“The IoT is definitely creating a buzz as a perceived weakness when relating to cyber security. Attackers constantly look for the easiest way into organizations, and unprotected devices are a potential point of entry. The most common scenario is scanning the internet for devices with default (or no) security credentials.

This was the case with the massive DDoS attack on Dyn’s servers in October – millions of devices were hijacked, then controlled remotely.

Another concern is attacking equipment with outdated security measures, or legacy operating systems. Sophisticated equipment, such as medical devices, often cannot be properly secured, due to manufacturer warranties. It could potentially be a nightmare, with hackers demanding ransom when they’ve sabotaged a hospital’s ventilation system (or a patient’s pacemaker).

What can be done?

As always, it’s the basics. Ensure that devices have updated security credentials, and when possible, that they receive ongoing updates. Sensitive equipment, and equipment in sensitive organizations should never have unrestricted access to the internet.”

And this includes you and me at home. The Wi-Fi-controlled kettle that makes our cup of tea will also let intruders in by the front door. And that is what I would call a nightmare.