As I was surfing the news on my wifi-enabled airline flight this morning, I saw an article describing how hackers have now figured out ways to hijack mobile phones by getting control of Find My iPhone accounts and holding hostage those account owners who want control of their phones back. For all of us who have set up this feature to remotely identify where we left our iPhones, we may now realize the unintended consequences of remote tracking: tech hijackers can steal password data, remotely lock iPhones and iPads and then send messages to users saying their iPhones and iPads will be unlocked — after they send $100 to a PayPal account.
In some ways this is really different from accessing and using someone’s credit card information—the old-fashioned way of hacking and stealing that our friends at Target and eBay have recently experienced. In the iPhone instance, the bad guy is actually making contact with you to induce you to undertake certain behaviors and make your life miserable. Moreover, they can use the ability to access the Find My iPhone App to know where you are, assuming your phone is glued to your hand, like it is for most people. This is no big deal if all you are doing is stalking your kid who forgot to show up at curfew, but is a really big deal if you are stalking someone in the bad sense of the word. And it is a particularly bad unintended consequence of remote tracking that highlights the risks we are likely to face with respect to implantable/ingestible wired devices.
There is a massive amount of development going on to bring “passive” sensors to medicine. Passive sensors are great because patients don’t need to interact with them while the sensors collect and distribute information and thus they do not rely on unreliable human behavior to activate the sensor. But passive sensors are also potentially insidious, because unseen and sometimes even untouchable or unstoppable, they could be manipulated and turned into the next form of ransomware, as the Find My iPhone drama has been dubbed.
We are seeing passive sensors now in numerous wearables, both for fitness and for medical applications. We are seeing wearable and implantable/ingestible sensors proliferate in cardiology and diabetes, and even in pharmaceutical development, such as in the case of Proteus’ ingestible pill sensor. We are also seeing adoption of passive in-the-home sensors that enable us, with good intentions, to monitor the behaviors of older people who want to live at home but who need some extra attention to be sure they are safe. Such sensors can passively let us know that grandma got out of bed, opened the refrigerator, etc., and thus is likely doing just fine.
And yet “safe” may turn out to be a highly elusive concept. If you can hack an iPhone and hold someone hostage to return control of it to the owner, there is no reason you can’t hack a home or implantable sensor and use it to “lock” other things in the home, say the refrigerator, unless you pay a ransom. OK, it would be merciful if someone did that for me on the refrigerator front, but if you are a senior citizen and potentially more prone to being scammed, this is a real problem.
Now take it one step further and imagine that someone can use data from an ingestible pill sensor to track, monitor and blackmail you. An article in The Washington Post hypothesized that the government could use these little sensors to, theoretically, figure out who is taking illegal drugs or to compel people to ingest things they don’t want to, but I am more worried about the intentional bad guys whose mission statement is Do Harm. Could someone hack into a pill sensor and know you are taking certain meds that you might not like others to know about? Could they re-program it to do something harmful to the body if you don’t pay up? Could they put those pill sensors in other things you eat or drink without your knowing (finally, a way to be sure no one drinks my top-shelf bourbons!)? Could they hack into your glucose monitor and change the readings if you don’t buy them a trip to Barbados? Could they hack into your implantable defibrillator and program it to kill you if you don’t turn over your first-born? How do we protect patients from hackers while we use technology to improve medicine?
This is a corollary but really different issue from privacy. When people steal our private data they can use it against us in some way, to be sure. I am just waiting to hear that someone hacked into the iPhone Breathometer app and published a daily report online about which people were too drunk to drive last night. There is no doubt that unauthorized use of credit card and health data is a bad thing. But worse yet is this idea of ransomware, where you could literally threaten someone with remotely delivered bodily harm by repurposing the technology meant to heal them to hurt them.
I hate to sound like one of those crazy Black Helicopter people or worse, Mel Gibson, but I think this is one of those issues that needs significant attention before ingestible and implantable sensors get too far afield. We have seen a plethora of the nation’s most sophisticated retailers and electronics manufacturers get hacked lately so it is only a matter of time before we see this elsewhere. Where there is data, there are hackers and, apparently, where there is value to be extracted, there are extortionists.
It is worth noting that senior citizens are the primary target of many of these sensor-driven devices because they are the ones with high-cost, monitoring-worthy medical conditions. As such, the risk of financial hostage-taking is particularly acute since seniors are all too often the favorite prey of financial scammers. MetLife has found that Americans over the age of 60 lost about $2.9 billion to financial abuse in 2010 — up 12% from the $2.6 billion lost in 2008, and that half of that comes as the result of efforts by complete strangers (the balance from their charming friends and relatives).
This area poses some real challenges, as efforts to create multi-faceted authentication or multiple steps to activate sensors will literally kill the whole value of making them passive in the first place. Thus, figuring out how to make them really, truly safe before they are really, truly everywhere must be a priority.
Postscript: After publishing this post, I read this article about how sensor-packed pigs are becoming part of the Internet of Things. God help them if the big bad wolf gets wind of it, as we already know he has it in for the pigs. I can see the wolf now saying, “turn over your ATM code or I’ll huff and I’ll puff until your implantable nerve stimulator explodes. Beware!”