Ottawa Citizen

BlackBerry trying to make shoddy IT security illegal

- CHRISTINA PELLEGRINI

Graham Murphy is tinkering with an infusion pump as if he’s adjusting the settings with his fingers. He isn’t. Instead, he’s using what he calls basic lines of malicious code to hack into the device, which is used to deliver medicine to patients. First he connects his laptop to the pump directly through a cable. Then he logs in remotely via a Wi-Fi connection, breezing by security both times because, well, there isn’t any. No ID to guess (it was available online). No firewall to breach. No system, it seems, to detect his presence.

Once he’s virtually inside the pump, which is dispensing a blue liquid into a plastic cup, he can alter the dosage, access private patient data and use it as a bridge to try to gain access into the rest of a hospital’s IT network. Less than 10 minutes pass when a word adorns the pump’s digital display in blood-red letters. “DEAD,” it reads.

“Graham, you killed the patient,” a concerned David Kleidermacher, chief security officer at BlackBerry Ltd., says to Murphy, one of the company’s U.K.-based security specialists. A crowd, watching them in a hotel conference room in midtown New York City, bursts into laughter. “Sorry, Dave,” Murphy jokingly replies.

No one, of course, died on that mid-July morning because no patient was being treated. The performance was, instead, a live hacking demonstration that BlackBerry staged at its annual security summit, where its top brass boast about their security offerings and pedigree in keynote speeches and product trials.

But the message the Waterloo, Ont.-based company sends is clear: A medical infusion pump, or other device, can be easily compromised while it’s trying to provide life-saving care for your patient, your child or your insuree at any hospital or home, and it’s time to do something about it — with BlackBerry’s help, of course.

BlackBerry is not exactly being altruistic. It has turned to its nascent software business to stabilize a corporate revenue figure that won’t stop falling and it has said it plans to secure everything, not just mobile phones or tablets, but connected cars, fridges, infusion pumps and the like.

In the auto industry, for example, the company wants to station security researchers like Murphy, known in the industry as white-hat or ethical hackers, to test for vulnerabilities before a new car model ever hits the street.

Kleidermacher, who joined BlackBerry in February and has rarely spoken publicly, said it’s not illegal for device manufacturers to claim their product’s security is “the best thing ever” when it isn’t.

“Can you imagine if it was legal for them to say that about safety? You can’t do that,” he said during an interview after the summit. “But in the security world, they could say that and it would be absolutely legal. That infusion pump manufacturer can make that claim. This is a problem.”

It’s a problem that should worry patients, doctors and insurers alike, but getting them to care is a hurdle BlackBerry must clear to monetize the products it has spent years building.

If another company whose security platform has holes like Swiss cheese that intruders can exploit can make unsubstantiated claims without penalty, it creates distrust in all offerings since quality cannot be gauged. The lack of a standard is among the reasons why most executives — excluding some of those in regulated industries — still perceive IT security as an avoidable expense rather than a prized asset.

“It’s almost like the world doesn’t believe that we can make things secure,” Kleidermacher said in a keynote speech at the summit. “That the only thing we can do is patch, patch, patch. I reject that notion.”

Among his tactics for selling BlackBerry’s security solutions distribution is persuading countries, starting with the U.S., to make it illegal to produce shoddy IT security systems. “If it’s a law that you have to use it, then they’ll use it, they’ll have to buy it,” he said.

MANUEL BALCE CENETA/THE ASSOCIATED PRESS BlackBerry is using its reputation for IT security to help its nascent software business grow.
