The Internet Society is raising awareness around the issues and challenges with Internet of Things (IoT) devices, and the OTA IoT Trust Framework is promoting best practices in protection of user security and privacy. The importance of this was brought home with the keynote talk at the recent TNC18 Conference, which was given by Marie Moe (SINTEF) who related her experiences with her network-connected heart pacemaker.
Marie is a security researcher (who also formerly worked for NorCERT, the Norwegian National Cybersecurity Centre) who has an implanted pacemaker to monitor and control her heart, and has used the opportunity to investigate the firmware and security issues that have had detrimental and potentially fatal consequences. Quite aside from uncovering misconfigurations that required tweaking (e.g. the maximum heartbeat setting turned out to be set too low for a younger person), and an adverse event that required a firmware upgrade, she was even more concerned to discover that little consideration had gone into the authentication and access aspects that might allow an attacker to take control of the device.
These devices allow their recipients to lead normal lives, and of course being network-connectable has many practical advantages in terms of monitoring and non-intrusive configuration and firmware updates. However, the medical companies who develop them do not necessarily consider the security implications of this type of very personal critical infrastructure, which is why initiatives such as the OTA IoT Trust Framework are important for raising awareness of the need for good security practices, whilst encouraging vendors to take user security seriously and put it at the forefront of their development processes.
This interesting and inspiring talk can be found at https://tnc18.geant.org/core/presentation/184, and we thank Marie for giving us permission to amplify the issues raised in her talk.