Hacker News
by andkenneth 631 days ago
I feel like every time this device shows up I need to yell from the rooftops how dangerous (and illegal) some of the WiFi and Bluetooth attacks can be. Even if it's totally baffling WHY any safety-critical devices including industrial cranes and pacemakers have consumer radios in them, that doesn't make you less responsible when you crash tons of metal into someone's skull or stop someone's heart.

Cool device, and I'm not saying it should be illegal or anything, but I've met people who have zero clue with these devices and it's a bit scary.

5 comments

"… or stop someone's heart." Please give an example of a pacemaker that is known to (potentially) kill the patient if the WiFi/Bluetooth is unavailable for a few minutes. I know that some modern medical devices use 2.4GHz radios for uploading telemetry, self service interfaces, etc. If such a device really exists the manufacturer should be held liable for putting a dangerous, defective product on the market.
Which pacemakers rely on ISM band communications to work?

Not doubting you (M in ISM stands for Medical, after all), just curious how it works to get from messing around on 2.4GHz to someone's ticker stopping.

Given how much of a soup ISM is already I don't know if I'd want someone's ancient cordless phone, stupid "hacker" toy, or my microwave stopping my heart.

What is a consumer radio? Radios follow the laws of physics.
Yeah but less scary than a teenager driving a car.
Hmm I wonder why the downvotes? Maybe people felt this did not add enough to the discussion. Let me try again with more words.

I am pointing out that the world is full of risk. Under-prepared kids with half-developed prefrontal cortexes driving cars is a risk that we accept in exchange for the societal good that comes from reliable access to fast transportation. Poorly considered knock-knock attacks on pacemakers is a risk that we can choose to accept in exchange for the societal good that comes from the freedom to create and market security testing devices to the masses.

In other words, as I've said before, don't blame the tools, blame the humans, and expect some eggs to get broken along the way. The goal should not be zero risk, as that's unobtainable and leads to warped priorities and dangerous decisions.

The responsibility remains squarely with the people who developed these devices and the people who give it FCC approval.

Devices shouldn’t malfunction and should handle interference gracefully. It is an FCC certification requirement and that requirement includes any interference.

I don’t think that is either legally, or morally, true.

Sure, it would be better if devices weren’t broken by attack attempts, but if you are purposefully trying to attack something, you are to blame for your attack succeeding?

There is a difference between tinkering with WiFi/Bluetooth and accidentally offing your neighbour with the faulty pacemaker and knowingly exploiting a 0day in the insulin pump of a politician to deliver the whole reservoir at once while short selling the manufacturer stock.
> you are to blame for your attack succeeding?

Morally? A bit grey, but often when you dig into the details for the cases of businesses unlike individuals, it is a resounding "Yes".

Legally? Depends on the jurisdiction I suppose.

https://www.theguardian.com/australia-news/2022/oct/22/austr...

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...

This is for data breaches, but similar laws exist for all sorts of conduct related to negligence in securing and adequately protecting privacy, safety, health, and so on.

>if you are purposefully trying to attack something, you are to blame for your attack succeeding?

Yes?

It is by definition an attack, a hostile action, something that should not be done.

Is it wise to harden systems to withstand attacks? Of course.

But when an attack works you don't victim blame. You use knowledge of how it worked to harden your systems better.

Except this isn't anything special.

Literally anyone can do this with an MCU of some type and a 50 cent device. Bluetooth, RF, NFC, etc. This just makes it a nice little convenient package.

There is victim blaming and there is practicality.

A pacemaker that can't withstand random radio bursts is useless, as the first time you walk down the street you are dead.

So unless you are going to ban any sort of microcontroller, and very well documented and simple circuit designs, this is still not victim blaming.

Almost every residential building ever built can be broken into by throwing a brick through a window. We could use reinforced glass, but most people don’t. We still convict people for throwing bricks through people’s windows.

Generally speaking pacemakers aren’t failing from random radio signals, but if they fail if you specifically attack them, it’s your fault.

And much like a brick, for every nefarious use, there are 10 valid uses.

Just like anything else, it's just a tool, and because a tool can do bad things doesn't mean the tool should be illegal.

A device may be required to not malfunction due to interference, but it can't be required to function in the presence of interference because that's a technical impossibility if the interference is strong enough to overpower the intended signal. That's why there are laws which say that if you use something like the Flipper as an RF jammer (which is possible with custom firmware) then angry feds might show up at your house.
For medical devices, lack of function would be malfunction.
For any sane medical device, radio interference should at most degrade non-essential functions, e.g. uploading of medical data, inspecting the battery status from your phone. If such functions are important and unavailable for extended periods, the device should give audible/visual alarms.
These devices do have FCC approval. It is why I can't send a garage door opener signal from my Flipper on the 315MHz band, because in the US, that isn't spectrum allocated to my fucking-about. I get a little message when I click send that says so.

All devices can be modified after the fact. Whether a manufacturer makes it easy, in the case of Flipper Zero, or hard, in the case of many other devices, to modify and install custom firmware that breaks FCC approvals, that lets it broadcast in frequencies it was not approved for, and allows the user to attack certain systems, is not really the manufacturer's problem, any more than Apple selling me a laptop I write malicious code on is Apple's fault, or the manufacturer of an IR blaster being responsible for me using it to mess with the TVs at the sports bar, or the Raspberry Pi Foundation for creating a device with a WiFi chipset that can be used to run deauth attacks, or the generic FM transmitter I could hardware hack to interfere with all sorts of stuff, or the RTL-SDR... or the ad infinitum

Yes, in the early days of cell phones, it was easy to purchase a scanner from Radio Shack, cut a few resistors and then be able to listen in on phone calls. Radio Shack, the FCC, cell phone companies, and pretty much everyone else involved knew about this but it was allowed to continue because the scanners as sold were unable to eavesdrop, which was good enough for them to be legal.