From Skateboards to Drug Pumps, Welcome to Our Hackable Future

Sony’s emails, Target shoppers, drug pumps—the range of unlikely hacking targets is growing ever more expansive, with the list recently gaining a new addition: skateboards. Battery-powered boards, which can usually travel up to around 25 mph, have been found to be at risk of software violations that could result in riders being tossed into oncoming traffic.

The hack has been labeled “FacePlant” by its creators Richo Healey and Mike Ryan, an Australian duo who work in online payment security for Stripe and eBay respectively. The idea came about after Healey’s board malfunctioned at a busy intersection, he told Wired, tossing him into the street as a result of radio frequency interference. Upon realizing the cause of the issue, he began looking into whether outside parties could tamper with a board’s movements, creating what he calls a “synthetic version” of the radio noise that initially derailed him.

FacePlant uncovered that a board could either be stopped dead, sent in reverse, or have its brakes disabled—a dangerous prospect for anyone using them to get around. “For people who are buying these boards and commuting on them every day...there is risk obviously associated with that…We explicitly did this research in order to make the devices safer,” he explains.

The pair looked at three boards: one by U.S. company Boosted, which retails around $1,500, and an offering apiece from Australia’s Revo and China’s Yuneec, both of which sell for around $700. The issues with each device were born out of the same thing: a lack of communication encryption between the boards and their remote controls. The technology used for app-controlled Boosted, which can run for around six miles on one battery charge, was found to be highly vulnerable to nearby hackers, who can connect their laptops to the boards themselves.

FacePlant also found that when a board’s motor is suddenly put in reverse, it moves at full speed and then may continue to bounce off objects it hits—something that could cause major damage to fellow pedestrians, riders, and drivers when flying out of control at more than 20 mph. “If you’re not expecting it, and you’re going fast enough, it could go pretty bad,” Ryan said. “This thing can cause some serious damage.”

This isn’t the first hack to expose a safety hazard: drug infusion pumps, which are used to regulate and administer life-saving medication, have recently seen a crackdown from the Food and Drug Administration (FDA) more than a year after security flaws were first revealed. Researcher Billy Rios alerted the FDA to Hospira’s hackability in May of 2014, after he found a number of its products posed risks such as the ability to alter dosages remotely.

“The FDA is alerting users of the Hospira Symbiq Infusion System to cybersecurity vulnerabilities with this infusion pump. We strongly encourage that health care facilities transition to alternative infusion systems, and discontinue use of these pumps,” the organization said of Hospira’s Symbiq model.

The FDA also warned that third parties might still be selling the device, calling for vigilance over at-risk products. While it is, of course, positive news that some action has been taken, concerns remain: When Rios contacted the company to let them know their pumps were dangerous, and that their product lines employing the same technology should be assessed, he was told “[Hospira was] not interested in verifying that other pumps are vulnerable.”

As an increasing number of everyday objects from skateboards to fridges get digitized, the need for robust software has never been more important. While we’ve become (perhaps worryingly) accustomed to data hacks, such as the $10m Target breach that saw the financial details of 40 million customers published online, the 56 million Home Depot shoppers who had their card details exposed, or the now-infamous leaked Sony salary records and email exchanges, concerns about the information we’re typing into those seemingly secure online forms are widely felt. But that same sense of precaution hasn’t yet filtered through to our expectations of digital products—a newer, but just as potent—security blind spot for so many.

It’s easy to dismiss these eventualities as the perils of the digital age, but it’s imperative that regulatory bodies both insist on and assess the highest possible levels of security for new products. Nobody riding a skateboard or receiving medical treatment should have to worry about cyber intruders putting their lives at risk, and if companies are serious about people embracing their technology, these concerns can no longer go ignored.