Surgery
Even pacemakers and insulin pumps are now connected meaning failure to adequately test them could leave them vulnerable to cyber-attack. Reuters

Security vulnerabilities in devices which we do not typically thing of as connected are often not fixed in some cases leaving users's lives at risk.

Speaking to IT Security Guru, Cris Thomas who was SpaceRogue in the hacker space L0pht, and was appointed as technical manager of network security firm Tenable in January, said that the race to find vulnerabilities and earn money has led to security issues being found in areas where they didn't exist, or they didn't think to look for them before.

He said:

"So you have people looking for security issues in things such as security cameras, or cars or medical devices where people's lives are at stake, and these sort of devices either didn't have the technology in them that they did 10 years ago that would enable them to be broken into, while now you have people putting Bluetooth in heart pumps for no good reason and it creates an avenue of attack.

"Consumers want a feature set but they do not go and do the rigorous testing that is needed to get those devices secure enough out there in the public."

Held accountable

Thomas said that this highlights an issue in the "Internet of Things" as everything we have is connected to the internet and the technology can be circumvented or compromised, and everything needs to be tested at least before they ship, if not after, and vendors need to be held accountable for things that they ship.

When it comes to medical devices, Thomas said that if a company is building an insulin pump or a blood pressure monitor or other devices used in the hospital or in the home that affects your life and that your life depends on, then there is no pressure to fix issues in them.

"There are examples where a vulnerability has been found in a medical device and it is reported and the vendor doesn't feel like they need to fix it, and there is nobody to force them to do so," he said.

"You can threaten to report them to the press, but if it is a small device the press is not going to care and the vendor gets off, the customer never knows, so they are still shipping vulnerable products with multiple vulnerabilities that will never get fixed, that the customer doesn't know about and doesn't care. And lives are at stake as it is some kind of medical device."

Dan Raywood is editor of IT Security Guru.

IT Security Guru