This IoT Hack Could Kill You Literally
Researchers at Ben Gurion University in Israel created malware that could infect a CT scanner and cause it to provide either false positive or false negative readings.
The researchers took real CT lung scans and let their malware modify the scans. In the cases where the researchers created fake cancerous nodes, the radiologists who read the scan diagnosed cancer 99% of the time, even though the scan were actually clean.
After the radiologists were told that the scans were modified by malware, they still got it wrong 60% of the time.
In addition to lung scans, the malware would work on brain tumors, heart disease, blood clots, spinal injuries and other situations.
This concept could also mask cancer, causing the doctors to not diagnose cancer when cancer was present,
The researchers said that this technique could also be used to fake clinical trials one way or the other.
This particular hack works because the CT scans are not digitally signed by the scanner to stop them from being modified in transit and they are not encrypted in the back-end image store called the picture archiving and communications system (PACS).
These poor security practices of the IoT device manufacturers could lead to people dying due to compromised diagnostic tests.
Granted it seems like a hard attack to execute, but if it is a high value target for some reason, such as a clinical trial, for example, well, then, all bets are off. Is it the vendor conducting the trials that wants the results to look better or is it a competitor that wants to derail the trial? After all, if a competitor can get a trial derailed, it could mean a lot of money in the pocket of the competitor either for a new competing drug or an old drug that has extra life.
This, of course, is just one example of how an IoT device could be hacked. In this case, getting a second opinion from a different facility probably reduces the risk to near-zero, but if your CT scan comes back clear are you really going to get a second opinion?
Source: the Washington Post.