We’re slowly learning that while appliances connected to the internet, aka the internet of things, might be convenient, they’re also a hacker’s paradise, because in our haste to make them easy to use, we’ve made them woefully insecure. But it’s not just smart TVs that are the problem: medical devices are being infected, too. Medjack is a piece of malware that has already infested hospital computer systems via insecure medical devices. Once inside, it runs free in the system, collecting information on patients, for instance, to be used for identity theft, or tax fraud.
While modern computers and smartphones are hardened against hacking attacks–viruses, trojans, and other malware–internet-connected appliances like Wi-Fi light bulbs, smart fridges, and printers, often lack proper security. The manufacturers don’t care, and the buyers don’t care, so nobody bothers to secure them. Add to this the fact that these devices rarely receive software updates to improve their security, and you have a massive back door into any computer network. That’s how something like Medjack works: It targets the weak devices, and because they are connected to the rest of the Wi-Fi network, the attackers gain access to everything therein.
Medjack is a terrifying example of this, an attack which seems to come straight from the pages of a science-fi novel. Medjack is designed to deliberately use old, outdated malware in its attacks, which means that it only targets old, vulnerable, non-updated systems. This helps it to avoid detection by any newer computers on the network. Once it has compromised a machine, it can run free, collecting medical information on anyone who has used that particular hospital or medical facility.
And it’s already everywhere. “Every time we’ve gone into a health care facility to demonstrate our product, we unfortunately find that they’re also a victim of this Medjack attack,” Anthony James, vice-president of marketing at security company TrapX, told Wired. “Most of these facilities have no clue, because no one is monitoring their health care devices for the presence of an attacker. No one is thinking about a CT scanner or an MRI machine and seeing a launchpad for a broader attack.”
A common next step is to hold the target hospital to ransom. Medical records can be encrypted, for example, only to be unlocked in return for a payout. But a hack could also disable systems in the hospital. One well-known example of this happened last year when hackers took the computers of the Hollywood Presbyterian Medical Center, in Los Angeles, offline for a week. The hospital ended up paying $17,000 to get them switched back on.
These attacks aren’t limited to big institutions either. Hackers can attack an individual’s medical implants or devices. This is called brainjacking, and is considered such a big danger that both the FDA and the U.S. Department of Homeland Security have issued warnings on the matter. Brainjackers can take control of brain implants, Wi-Fi-connected pacemakers, or insulin pumps, for example, and hold the host human to ransom. So far, these attacks usually require the attacker to be physically near the victim, but as more and more devices are connected to the internet, that requirement will vanish.
The answer is, of course, better security, but that won’t happen until the users demand it. But who are the users in this case? Doctors probably don’t want to add IT admin to their list of duties, and patients usually just trust their doctors to prescribe the right thing. The problem, then, is likely to get a lot worse before it gets any better.