
Security News Update for April 7th, 2023

FDA Will No Longer Approve Digital Medical Devices That Are Vulnerable

Starting last month, the FDA will REJECT all new applications for any cyber medical device that does not include a cyberattack protection plan. Of course this won’t be perfect, but at least manufacturers will have to make an effort at it. Given that the FBI says that each of the medical devices currently on the market has an average of 6.2 vulnerabilities, we definitely need this. The vendor’s plan needs to include how they will monitor, identify and address any vulnerabilities and threats. For the next 6 months, devices in the approval queue that don’t meet this requirement will be shepherded to get the needed information. Credit: Quartz

Dish Hit by Multiple Lawsuits After Ransomware Attacks

As a follow-on to previous blog posts, Dish has been hit by multiple proposed class-action lawsuits – not claiming that people lost money or incurred costs as a result of the attack, but rather stating that DISH “overstated” its operational efficiency while having a deficient cybersecurity and IT infrastructure, i.e. committing securities fraud. The stock price is down about 20% and investors have until May 22, 2023 to join the class. I think this is the new attack vector for lawyers – claim fraud and negligence, causing harm. This is probably easier to prove. Credit: Bleeping Computer

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Hacking Contest

Given that a Tesla is basically a computer with wheels, it is not surprising that it can be hacked. What is surprising is that it has not been hacked more. This hack, done by the good guys and sold back to Tesla, gave the researchers deep access into parts of the car including its safety system. They got a $100,000 prize and a free Tesla Model 3 (hopefully after it was fixed). Credit: Dark Reading

Social Media Account of Porn Star Hacked; Now Posting Extreme Racist Content

Just because you are famous does not mean Twitter will talk to you. Riley Reid, a supposedly famous porn star, says her phone and Twitter account were hacked two days ago. The attack seems like a SIM swap attack. The hacker is using her Twitter account, with its 2+ million followers, to post calls for death to pornographers, Nazi propaganda and other explicit content. It is unknown why Twitter has not removed the posts that call for violence and recruitment to hate groups. Since Twitter no longer has a press team, there is no way to find out. While Twitter can get away with that in the U.S., it may be subject to large fines in Europe. Stay tuned. Update: It looks like some of these posts have been taken down while others are still active. Credit: Motherboard by Vice

Tesla Employees Caught Sharing Embarrassing Photos Recorded on Customer Car Cameras

Hopefully, these are rogue employees, but the risk is real – which is why China banned Tesla vehicles from around sensitive locations. The whistleblower employees claim that hundreds if not thousands of video clips from customer cars were circulated. This includes videos of naked car owners, people tripping and falling, crashes, collisions and even someone who appeared to be dragged into a car against their will. The videos were commonly made into screenshots and memes. This includes capturing people who walked by the car and were recorded unknowingly. This likely violates GDPR and the Dutch Data Protection Authority completed an investigation of this in February. While car owners may have technically agreed to this, passersby likely did not agree. Credit: Cybernews
