
Krisanapong Detraphiphat | Moment | Getty Images

John Hultquist, vice president of intelligence analysis at Google-owned cybersecurity firm Mandiant, likens his job to studying criminal minds through a soda straw. He monitors cyberthreat groups in real time on the dark web, watching what amounts to a free market of criminal innovation ebb and flow.

Groups buy and sell services, and one hot idea — a business model for a crime — can take off quickly when people realize that it works to do damage or to get people to pay. Last year, it was ransomware, as criminal hacking groups figured out how to shut down servers through what’s called distributed denial of service attacks. But 2022, say experts, may have marked an inflection point due to the rapid proliferation of IoT (Internet of Things) devices.

Attacks are evolving from those that shut down computers or stole data, to include those that could more directly wreak havoc on everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, like electrical grids or pipelines, or they can be the specific targets of criminals, as in the case of cars or medical devices that contain software.

“What I wish is that the vulnerabilities of cybersecurity could never negatively affect human life and infrastructure,” says Meredith Schnur, cyber brokerage leader for US & Canada at Marsh & McLennan, which insures large companies against cyberattacks. “Everything else is just business.”

For the past decade, manufacturers, software companies and consumers have been rushing to the promise of Internet of Things devices. Now there are an estimated 17 billion in the world, from printers to garage door openers, each one packed with software (some of it open-source software) that can be easily hacked. In a conversation Dec. 26 with The Financial Times, Mario Greco, the group CEO of giant insurer Zurich Insurance Group, said cyberattacks could pose a larger threat to insurers than pandemics and climate change, if hackers aim to disrupt lives, rather than merely spying or stealing data.

IoT devices are a key entry point for many attacks, according to Microsoft’s Digital Defense Report 2022. “While the security of IT hardware and software has strengthened in recent years, the security of Internet of Things (IoT) … has not kept pace,” according to the report.

A rash of attacks that reached the physical world through the cyber world in the past year shows the rising stakes. Last February, Toyota stopped operations at one of its plants because of a cyberattack. In April, Ukraine’s power grid was targeted. In May, the Port of London was hit with a cyberattack. That followed a 2021 that included two major attacks on critical infrastructure in the U.S., which took down the energy and food supply operations of Colonial Pipeline and the JBS meatpacking conglomerate.

What many experts are anticipating is the day enterprising criminals or hackers affiliated with a nation-state figure out an easy-to-replicate scheme using IoT devices at scale. A group of criminals, perhaps connected to a foreign government, could figure out how to take control of many things at once – like cars, or medical devices. “We have already seen large-scale attacks using IoT, in the form of IoT botnets. In that case, actors leveraging unpatched vulnerabilities in IoT devices used control of those devices to carry out denial of service attacks against many targets. Those vulnerabilities are found regularly in ubiquitous products that are rarely updated.”

In other words, the possibility already exists. It’s only a question of when a criminal or a nation decides to act in a way that targets the physical world at a large scale. “It’s not always the art of the possible. It’s a market-driven thing,” Hultquist said. “Somebody figures out a scheme that is successful at making money.”

Aside from responding rapidly to attacks, the only answer to the “cat-and-mouse game” is constant innovation, says Shlomo Kramer, an early investor in Palo Alto Networks and currently one of the top cyber security investors worldwide.

There are a handful of companies, new regulatory approaches, a growing focus on cars as a particularly important area, and a new movement within the software engineering world to do a better job of incorporating cybersecurity from the beginning.

Internet of Things has a big update problem

The cybersecurity industry is upping its game. Companies including ForeScout and Phosphorus focus on Internet of Things security, which has a heavy emphasis on constant inventory of “endpoints” – where new devices connect to a network.

But one of the key problems in Internet of Things security is that there isn’t a good process for updating devices with patches, as new vulnerabilities, hacks or attacks are discovered, says Greg Clark, former CEO of Symantec, currently the chairman of Forescout. Many users are accustomed to downloading updates and patches to computers and phones; and even in those cases, a significant number of users don’t bother to do the updates.

The problem is much worse in the IoT: For instance, who bothers to update their garage-door opener? “Not many of the IoT devices have a system to update the code,” says Clark. “It becomes a serious problem to remediate the vulnerabilities in the IoT.”

He said one focus for cybersecurity companies has become putting controls around the devices so they can only do a specific set of things. That way, the devices can’t be weaponized to launch attacks on other networks. “There are a lot of hammers swinging,” Clark said of products that make the IoT more secure.
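The control Clark describes, confining a device class to a fixed set of destinations so a compromised unit cannot be turned against other networks, can be expressed as a default-deny egress policy checked against flow logs. The block below is an added example, not code from the article or from any vendor named in it; the device classes, the `.invalid` update hosts, the `key=value` log format and the sample flows are all constructed for illustration. It denies anything outside a class's allowlist and separately flags a device whose denied traffic fans out to many distinct hosts, which is the outbound shape of a botnet node rather than a single misconfiguration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed per-device-class allowlists (hypothetical hosts; not a real vendor's).
# Each entry is (destination, port, protocol). A device class may reach only
# these endpoints; everything else is denied, so a compromised device has
# nothing to reach beyond its own update server and the local resolver/NTP.
POLICIES: dict[str, set[tuple[str, int, str]]] = {
    "garage-door-opener": {
        ("update.vendor.invalid", 443, "tcp"),
        ("192.0.2.53", 53, "udp"),
        ("192.0.2.123", 123, "udp"),
    },
    "ip-camera": {
        ("cloud.camera-vendor.invalid", 443, "tcp"),
        ("192.0.2.53", 53, "udp"),
        ("192.0.2.123", 123, "udp"),
    },
}


@dataclass(frozen=True)
class Flow:
    device: str
    device_class: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'timestamp key=value ...' flow-log line into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])  # skip the timestamp
    return Flow(fields["dev"], fields["class"], fields["dst"], int(fields["dport"]), fields["proto"])


def flow_allowed(flow: Flow) -> bool:
    """Default-deny: a flow passes only if its class's allowlist names the endpoint.

    An unknown device class has an empty allowlist, so all of its traffic is denied.
    """
    return (flow.dst, flow.dport, flow.proto) in POLICIES.get(flow.device_class, set())


def evaluate(flows: list[Flow], fanout_threshold: int = 3) -> tuple[list[Flow], list[str]]:
    """Return (denied flows, devices whose denied traffic fans out to many hosts).

    A single denied flow is a policy miss worth logging; one device pushing
    denied traffic at many distinct hosts is the shape of outbound flooding
    or scanning, and is flagged for isolation.
    """
    denied = [f for f in flows if not flow_allowed(f)]
    hosts_per_device: dict[str, set[str]] = defaultdict(set)
    for f in denied:
        hosts_per_device[f.device].add(f.dst)
    flagged = sorted(d for d, hosts in hosts_per_device.items() if len(hosts) >= fanout_threshold)
    return denied, flagged


# Constructed sample log: a well-behaved opener with one stray flow, and a
# camera spraying connections at four unrelated hosts.
SAMPLE_LOG = """\
2025-01-01T00:00:01Z dev=door-01 class=garage-door-opener dst=192.0.2.53 dport=53 proto=udp
2025-01-01T00:00:02Z dev=door-01 class=garage-door-opener dst=update.vendor.invalid dport=443 proto=tcp
2025-01-01T00:00:03Z dev=door-01 class=garage-door-opener dst=203.0.113.9 dport=80 proto=tcp
2025-01-01T00:00:04Z dev=cam-01 class=ip-camera dst=192.0.2.123 dport=123 proto=udp
2025-01-01T00:00:05Z dev=cam-01 class=ip-camera dst=198.51.100.7 dport=80 proto=tcp
2025-01-01T00:00:05Z dev=cam-01 class=ip-camera dst=198.51.100.8 dport=80 proto=tcp
2025-01-01T00:00:05Z dev=cam-01 class=ip-camera dst=198.51.100.9 dport=80 proto=tcp
2025-01-01T00:00:05Z dev=cam-01 class=ip-camera dst=198.51.100.10 dport=80 proto=tcp
"""


def run_sample() -> tuple[int, list[str]]:
    """Evaluate the constructed log; returns (number of denied flows, flagged devices)."""
    flows = [parse_flow(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    denied, flagged = evaluate(flows)
    return len(denied), flagged


if __name__ == "__main__":
    n_denied, to_isolate = run_sample()
    print(f"denied flows: {n_denied}, devices to isolate: {to_isolate}")
```

On the sample log the opener's one stray connection is denied but not escalated, while the camera, with four denied destinations, crosses the fan-out threshold and is listed for isolation. The same allowlist table is what a network enforcement point (a VLAN firewall or an 802.1X-assigned policy) would carry; keeping the policy keyed by device class rather than by individual device is what makes it maintainable across thousands of units that, as the article notes, may never receive a firmware update.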

Medical devices, which are seen as particularly important and particularly vulnerable, are one focus. Last month, Palo Alto Networks announced a new product aimed at medical device makers.

IoT device makers are not regulated enough

Because the challenges are new, and cut across industries, the U.S. guidelines and regulations remain patchwork. That has left a lot of IoT cybersecurity up to consumers and companies across sectors, rather than the many manufacturers making IoT devices.

“I’m hopeful there will be some new standards, and newer regulations that will force the vendors to do more,” says Randy Trzeciak, director of the science information and security policy & management program at Carnegie Mellon University. “There should be a national discussion around ensuring device security, and where the manufacturer needs to take some ownership and responsibility.”

Clark said CISA and the National Institute of Standards and Technology are working together, issuing guidelines for the thousands of manufacturers that make IoT devices, covering such things as ensuring that IoT devices identify themselves to networks as they are added to them. In 2020, the U.S. Congress turned the guidelines into a law, but only for companies that supply the U.S. government with IoT devices. A spokesman for the National Institute of Standards and Technology says this is the only national law the agency knows of. Some state-specific and industry-specific laws also exist: For instance, data in medical devices would be covered by HIPAA, and the National Highway Traffic Safety Administration has some jurisdiction over cars.

Some investors and executives cautiously welcome the increasing involvement of regulators. “It’s simply too complex,” Kramer said. “There’s not enough qualified and experienced security people.”

How cars are being targeted

As more criminal hackers aim attacks at the physical sphere, cars are a target. That includes theft, with attackers exploiting the keyless entry systems, but also attacks on sensitive information now being stored in cars, such as maps and credit card data.

Led by the European Union, countries around the world are rapidly adopting cybersecurity regulations for cars, with the EU’s coming into effect in July of last year.

The transition to electric vehicles has created an opportunity for regulators to get ahead of the criminals. As the new technology lowered the barriers to entry, more car companies entered the market. In turn, that has created an opportunity for regulators to work with industry groups that want to protect their home-grown industries.

The concerns about cars are nothing new. In one landmark experiment in 2015, two hackers attacked a Jeep Cherokee. “They shut down the engine on the highway – the brakes didn’t respond. This is not a pleasant situation,” said David Barzilai, CEO of a six-year-old Israeli company called Karamba Security, which helps car companies make their IoT devices more secure.

Barzilai says that in the past 12 months, there were dozens of attacks, both by serious criminal gangs and teenagers. “When we started six years ago, the attacks were by states, mostly China,” he says. “Within the last 12 months, there’s a democratization” in car attacks, he said, pointing to the case in January 2022 of the teen who figured out how to access the control systems of a few dozen Teslas at once.

Connected cars usually have SIM cards that hackers can attack via cellular networks, he said. “All cars of the same vehicle model use the same software,” he said. “Once hackers identify a vulnerability, and a way to exploit it remotely, they can replicate the attack on other vehicles.”

Cybersecurity grew as an industry mostly as an after-the-fact attempt to fix software and hardware that was long since on the market, as criminals and foreign governments discovered vulnerabilities in the systems that they could exploit. One study by IBM’s Systems Sciences Institute found it costs six times more to fix a cybersecurity vulnerability while software is being implemented than when it is under development. The IoT is still relatively new as an industry, giving security-minded developers a chance to get ahead of the cat-and-mouse game, says Trzeciak, and there’s a growing movement of researchers and developers working on this, including Carnegie Mellon’s Software Engineering Institute’s DevSecOps initiative, which aims to add security into earlier phases of software development. That process-based innovation could make all kinds of software, including that in cars and medical devices, more secure — and therefore, the devices safer.


Whoop says FDA is ‘overstepping its authority’ with warning about blood pressure feature


The logo for the Food and Drug Administration is seen ahead of a news conference on removing synthetic dyes from America’s food supply, at the Health and Human Services Headquarters in Washington, DC on April 22, 2025.

Nathan Posner | Anadolu | Getty Images

The U.S. Food and Drug Administration on Tuesday published a warning letter addressed to the wrist wearable company Whoop, alleging it is marketing a new blood pressure feature without proper approvals.

The letter centers around Whoop’s Blood Pressure Insights (BPI) feature, which the company introduced alongside its latest hardware launch in May.

Whoop said its BPI feature uses blood pressure information to offer performance and wellness insights that inform consumers and improve athletic performance.

But the FDA said Tuesday that Whoop’s BPI feature is intended to diagnose, cure, treat or prevent disease — a key distinction that would reclassify the wellness tracker as a “medical device” that has to undergo rigorous testing and approval processes.

“Providing blood pressure estimation is not a low-risk function,” the FDA said in the letter. “An erroneously low or high blood pressure reading can have significant consequences for the user.”

A Whoop spokesperson said the company’s system offers only a single daily estimated range and midpoint, which distinguishes it from medical blood pressure devices used for diagnosis or management of high blood pressure.

Whoop users who purchase the $359 “Whoop Life” subscription tier can use the BPI feature to get daily insights about their blood pressure, including estimated systolic and diastolic ranges, according to the company.

Whoop also requires users to log three traditional cuff readings to act as a baseline in order to unlock the BPI feature.

Additionally, the spokesperson said the BPI data is not unlike other wellness metrics that the company deals with. Just as heart rate variability and respiratory rate can have medical uses, the spokesperson said, they are permitted in a wellness context too.

“We believe the agency is overstepping its authority in this case by attempting to regulate a non-medical wellness feature as a medical device,” the Whoop spokesperson said.


High blood pressure, also called hypertension, is the number one risk factor for heart attacks, strokes and other types of cardiovascular disease, according to Dr. Ian Kronish, an internist and co-director of Columbia University’s Hypertension Center.

Kronish told CNBC that wearables like Whoop are a big emerging topic of conversation among hypertension experts, in part because there’s “concern that these devices are not yet proven to be accurate.”

If patients don’t get accurate blood pressure readings, they can’t make informed decisions about the care they need.

At the same time, Kronish said wearables like Whoop present a “big opportunity” for patients to take more control over their health, and that many professionals are excited to work with these tools.

Understandably, it can be confusing for consumers to navigate. Kronish encouraged patients to talk with their doctor about how they should use wearables like Whoop.

“It’s really great to hear that the FDA is getting more involved around informing consumers,” Kronish said.

FILE PHOTO: The headquarters of the U.S. Food and Drug Administration (FDA) is seen in Silver Spring, Maryland November 4, 2009. 

Jason Reed | Reuters

Whoop is not the only wearable manufacturer that’s exploring blood pressure monitoring.

Omron and Garmin both offer medical blood pressure monitoring with on-demand readings that fall under FDA regulation. Samsung also offers blood-pressure-reading technology, but it is not available in the U.S. market.

Apple has also been teasing a blood pressure sensor for its watches, but has not been able to deliver. In 2024, the tech giant received FDA approval for its sleep apnea detection feature.

Whoop has previously received FDA clearance for its ECG feature, which is used to record and analyze a heart’s electrical activity to detect potential irregularities in rhythm. But when it comes to blood pressure, Whoop believes the FDA’s perspective is antiquated.

“We do not believe blood pressure should be considered any more or less sensitive than other physiological metrics like heart rate and respiratory rate,” a spokesperson said. “It appears that the FDA’s concerns may stem from outdated assumptions about blood pressure being strictly a clinical domain and inherently associated with a medical diagnosis.”

The FDA said Whoop could be subject to regulatory actions like seizure, injunction, and civil money penalties if it fails to address the violations that the agency identified in its letter.

Whoop has 15 business days to respond with steps the company has taken to address the violations, as well as how it will prevent similar issues from happening again.

“Even accounting for BPI’s disclaimers, they do not change this conclusion, because they are insufficient to outweigh the fact that the product is, by design, intended to provide a blood pressure estimation that is inherently associated with the diagnosis of a disease or condition,” the FDA said.


Amazon turns to rival SpaceX to launch next batch of Kuiper internet satellites


United Launch Alliance Atlas V rocket carrying the first two demonstration satellites for Amazon’s Project Kuiper broadband internet constellation stands ready for launch on pad 41 at Cape Canaveral Space Force Station on October 5, 2023 in Cape Canaveral, Florida, United States.

Paul Hennessey | Anadolu Agency | Getty Images

As Amazon chases SpaceX in the internet satellite market, the e-commerce and computing giant is now counting on Elon Musk’s rival company to get its next batch of devices into space.

On Wednesday, weather permitting, 24 Kuiper satellites will hitch a ride on one of SpaceX’s Falcon 9 rockets from a launchpad on Florida’s Space Coast. A 27-minute launch window for the mission, dubbed “KF-01,” opens at 2:18 a.m. ET.

The launch will be livestreamed on X, the social media platform also owned by Musk.

The mission marks an unusual alliance. SpaceX’s Starlink is currently the dominant provider of low earth orbit satellite internet, with a constellation of roughly 8,000 satellites and about 5 million customers worldwide.

Amazon launched Project Kuiper in 2019 with an aim to provide broadband internet from a constellation of more than 3,000 satellites. The company is working under a tight deadline imposed by the Federal Communications Commission that requires it to have about 1,600 satellites in orbit by the end of July 2026.

Amazon’s first two Kuiper launches came in April and June, sending 27 satellites each time aboard rockets supplied by United Launch Alliance.

Assuming Wednesday’s launch is a success, Amazon will have a total of 78 satellites in orbit. In order to meet the FCC’s tight deadline, Amazon needs to rapidly manufacture and deploy satellites, securing a hefty amount of capacity from rocket providers. Kuiper has booked up to 83 launches, including three rides with SpaceX.

Space has emerged as a battleground between Musk and Amazon founder Jeff Bezos, two of the world’s richest men. Aside from Kuiper, Bezos also competes with Musk via his rocket company Blue Origin.

Blue Origin in January sent up its massive New Glenn rocket for the first time, which is intended to rival SpaceX’s reusable Falcon 9 rockets. While Blue Origin currently trails SpaceX, Bezos last year predicted his latest venture will one day be bigger than Amazon, which he started in 1994.

Kuiper has become one of Amazon’s biggest bets, with more than $10 billion earmarked for the project. The company may need to spend as much as $23 billion to build its full constellation, analysts at Bank of America wrote in a note to clients last week. That figure doesn’t include the cost of building terminals, which consumers will use to connect to the service.

The analysts estimate Amazon is spending $150 million per launch this year, while satellite production costs are projected to total $1.1 billion by the fourth quarter.

Amazon is going after a market that’s expected to grow to at least $40 billion by 2030, the analysts wrote, citing estimates by Boston Consulting Group. The firm estimated that Amazon could generate $7.1 billion in sales from Kuiper by 2032 if it claims 30% of the market.

“With Starlink’s solid early growth, our estimates could be conservative,” the analysts wrote.


Bitcoin falls below $117,000 after Trump crypto bills are blocked before vote


Bitcoin fell below the $117,000 level on Tuesday after cryptocurrency-related bills were blocked in the House of Representatives.

The price of bitcoin was last down 2.8% at $116,516.00, according to Coin Metrics. That marks a pullback from the day’s high of $120,481.86.

[Chart: Bitcoin/USD, Coin Metrics, 1-day]

The drop comes on the heels of multiple crypto-related bills failing to overcome a procedural hurdle in the House, with 13 Republicans voting with Democrats to block the motion in a 196-223 vote.

In recent days, bitcoin has been trading at all-time highs, spurred by institutional buying of bitcoin exchange-traded funds (ETFs) amid rising optimism that Congress would soon pass crypto legislation.

Stocks linked to crypto also came under pressure in late afternoon trading. Shares of bitcoin miners Riot Platforms and Mara Holdings closed down 3.3% and 2.3%, respectively. Others like crypto trading platforms Coinbase slid 1.5%. All were under pressure in extended trading.
