Like many of us, I have taken a keen interest in the evolution of the Internet of Things which will undoubtedly change everyone’s life in more ways than we can even imagine at this time. Besides the well-known Internet enablement of cars, household appliances, and other devices, bio-devices are also included in this trend.
One of the early bio devices, certainly pre-dating the Internet, is the humble hearing aid. Through technology and amplification, these devices help the deaf and hard of hearing to hear and function more effectively in the everyday world. Recently, I just updated my own hearing aid and am amazed at how the simple device has changed in just the few short years since I purchased the previous one. The advances in sound processing technology are nothing short of amazing.
However, there is a darker side as the device uses Wi-Fi technology and can actually be discovered when scanning for wireless networks. Through special software installed on either an Android or an iPhone, the device can be configured and controlled as well as function as a wireless headset.
The very first thing I noticed after turning the hearing aid on was the all too familiar chime that I used to hear whenever I logged into Windows XP. This was a bit unsettling as here I had a wireless device in my ear, which could be found by scanning for wireless networks, and was it really running a firmware version of Windows XP? If so, how secure is this device and what vulnerabilities should I be concerned about. Unfortunately, neither the audiologist nor Starkey, the manufacturer, have clarified my questions regarding the OS on these hearing aids.
I would suppose the risk in my own case would be limited to some rouge prankster intent on destroying what little hearing I have left by orchestrating a sudden blast of amplified sound directly into my ear. But what about other appliances on the Internet of Things, and more critically, other bio devices which may become embedded into our bodies? Do we fully understand the risks so that appropriate controls can be put in place?
To understand the risk, we need to understand both the threats and the vulnerabilities. In the case of the wireless hearing aid, I can of course speculate on the threats. But, while I suspect the OS is running some version of Windows XP, I can only speculate as to the vulnerabilities.
My view here is that manufacturers need to be much more transparent about the firmware running on devices destined for the Internet of Things, and particularly so with regards to bio devices. Else, consumers and businesses will be unable properly assess risk or implement effective controls. Some may argue that such transparency may expose the Internet of Things to hackers, although I would argue that they will find their way there anyway. Security by obscurity is in fact no security.