As it becomes clearer that anything can theoretically be hacked, security researchers have set out to warn businesses and individuals of the potential risks. However, views differ on whether security flaws in software or equipment should be widely broadcast, or even whether cybersecurity experts should be tampering with connected devices, planes, cars, or medical equipment to test them.
For example, Chris Roberts, the security researcher who was barred from boarding a plane after Tweeting about the numerous times he had hacked into airplane computer systems. Roberts and his attorneys at the Electronic Frontier Foundation claimed that his efforts had only been to improve airplane security.
“As a member of the security research community, his job is to identify vulnerabilities in networks,” stated EFF on its website in a post on the case. “EFF has long been concerned that knee-jerk responses to legitimate researchers pointing out security flaws can create a chilling effect in the infosec community … However, we’d also like to see companies recognize that researchers who identify problems with their products in order to have them fixed are their allies. It would avoid a whole lot of trouble for researchers and make us all more secure.”
EFF’s Coders Rights Project has been representing security researchers since 2008 in cases where those individuals pointing out vulnerabilities have faced legal consequences. The foundation highlights one of the key factors in what could be termed conscientious hacking – that without some assurance that their research won’t be taken as an attack.
“A computer security researcher who has inadvertently violated the law during the course of her investigation faces a dilemma when thinking about whether to notify a company about a problem she discovered in one of the company’s products,” the foundation noted. “By reporting the security flaw the researcher reveals that she may have committed unlawful activity which might invite a lawsuit or criminal investigation. On the other hand withholding information means a potentially serious security flaw may go unremedied.”
In another case in 2008, the EFF defended a group of Massachusetts Institute of Technology students who planned to present a paper on security flaws in the Massachusetts public transit system. Federal law enforcement officials claimed the students had violated the Computer Fraud and Abuse Act (CFAA) in an effort to defraud the MBTA of fares.
Earlier this year, Google set a deadline for developers at Microsoft and Apple to fix known vulnerabilities or face public exposure of them. For Microsoft, this ultimatum felt like a high-tech shakedown that would end up hurting consumers as cybercriminals took advantage of the flaws, according to Chris Betz, senior director of Microsoft’s Security Response Center. He advocated Coordinated Vulnerability Disclosure in a blog post instead of public demands.
Medical devices such as pacemakers, insulin pumps, telesurgery robots, rank high on the list of potentially hackable and life-threatening cyber risks. A 2014 report from CNA Insurance cited such risks as access to personal health information; denying access to devices or networks, manipulating settings, or remotely disabling a device. Simply put, hacking medical equipment could lead to a life-or-death situation, as well as product liability claims, legal repercussions, class actions, regulatory actions and more.
The Food and Drug Administration has made the threat a priority over the last year, issuing warnings about potential flaws and targeted guidance on improving cybersecurity of medical devices. In addition, a recent research report addressed the potential for hacking telesurgery robots, a medical trend that is gaining popularity.
Researchers wrote, “Teleoperated robots are playing an increasingly important role in military actions and medical services. In the future, remotely operated surgical robots will likely be used in more scenarios such as battlefields and emergency response. But rapidly growing applications of teleoperated surgery raise the question; what if the computer systems for these robots are attacked, taken over and even turned into weapons? A compromised surgical robot in the midst of even a routine operation could potentially be used to inflict considerable internal wounds to a patient. Moreover, any extra procedure time, caused by a compromised system, may have severe consequences on a procedure outcome, as well as a patient’s recovery.”
In investigating the theory that telesurgery robots could be hacked, the group of Cornell University scientists discovered several access points for disrupting a telesurgical procedure “extremely efficiently.” They went on to explain that these concerns could readily be addressed by using encryption and authentication methods, but that could have a negative impact on other aspects of the survey.
The researchers emphasized the reason for attempting to hack a telesurgery robot, saying, “There is currently little understanding of what the actual risks are. This lack of understanding of the actual risks is a function of two factors. At the moment, it is not known: (1) how easy it would be for an attacker to compromise a teleoperated surgery system, and (2) what the applications of such a cyber security attack might be. Not being able to answer these questions makes it hard to understand what the challenges to improving cyber security of telerobotic surgery are, much less to address them.”