NSA interested in exploiting internet-connected medical devices, spying on IoT

The NSA is eyeing IoT and internet-connected medical devices for possible exploits so it can remotely monitor targets via their biomedical and other smart devices.


The NSA has new tricks up its sleeve, looking for ways to exploit the Internet of Things and connected biomedical devices like pacemakers in order to monitor targets and collect foreign intelligence.

At the Defense One Tech Summit on Friday, NSA Deputy Director Richard Ledgett said, “We’re looking at it sort of theoretically from a research point of view right now.”

If that involves hackers from the NSA’s Office of Tailored Access Operations (TAO), then it’s practically a done deal when you consider the wide range of devices previously pwned and listed in the ANT division catalog of exploits. It surely wouldn't be too difficult for the group, since IoT and wireless medical devices are notoriously insecure.

Ledgett, according to The Intercept, claimed surveillance via biomedical devices might be “a niche kind of thing … a tool in the toolbox.” He reminded the audience that there are easier ways for the NSA to spy on targets.

When a person in the audience asked if the billions of IoT devices would be “a security nightmare or a signal intelligence bonanza,” Ledgett answered, “Both.”

He elaborated:

As my job is to penetrate other people’s networks, complexity is my friend. The first time you update the software, you introduce vulnerabilities, or variables rather. It’s a good place to be in a penetration point of view.

In case you are curious, Ledgett also answered why the NSA didn’t help the FBI crack the San Bernardino shooter’s iPhone. “We don’t do every phone, every variation of phone. If we don’t have a bad guy who’s using it, we don’t do that.”

If you look at the medical devices from the same point of view, you might only need to worry about remotely having your pacemaker, insulin pump or other wirelessly-enabled medical device hacked or monitored if you happen to have the same model as some NSA target.

The flipside of that would be the agency zeroing in on popular smart devices and wearable tech that a plethora of people might have; perhaps something along the lines of Fitbit. More people will continue to adopt such wearable tech; it’s already getting smaller and faster. University of Wisconsin engineers recently created “the world’s fastest stretchable, wearable integrated circuits” that can be used for smart wearable electronics, biomedical devices, and even to remotely monitor health care patients. The stretchy circuits will supposedly “drive the Internet of Things and [a] much more connected, high-speed wireless world.”

While it shouldn’t come as a surprise that the NSA would want to exploit IoT and biomedical devices, and thereby gobble up even more data for spying purposes, the agency allegedly has no clue how many Americans it is spying on now. At least, that’s what U.S. Director of National Intelligence James Clapper claimed.

He was supposed to give a “rough estimate” of how many Americans were caught up in dragnet surveillance. FISA (Foreign Intelligence Surveillance Act) Section 702 is set to expire at the end of 2017; before renewing it, Congress asked Clapper to reply with an approximate number no later than May 6 (pdf). Clapper has a long history of not answering that question. The EFF, along with other digital rights movement groups, called on Congress to let Section 702 expire as scheduled.

Ledgett’s remarks were not the first time an intelligence agency admitted the government may tap into IoT devices to spy on people.

Earlier this year, for the “Worldwide Threat Assessment of the U.S. Intelligence Community” report, Clapper testified (pdf):

“Smart” devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

Back in 2012 when David Petraeus was the director of the CIA, he admitted the CIA could not wait to exploit IoT and spy on people via their IoT devices.

When you think of it like that, the NSA is late to the game. Or more likely, it is just now publicly admitting that it would like to monitor IoT and smart medical devices.
