
SANS ISC: InfoSec Handlers Diary Blog - Pen Testing - Dangerous side effects? InfoSec Handlers Diary Blog


Pen Testing - Dangerous side effects?

Published: 2007-09-20
Last Updated: 2007-09-20 20:11:25 UTC
by Adrien de Beaupre (Version: 1)

Submitted by a reader.

It seems to be commonplace that when we deploy Nessus or other tools on a network to detect vulnerable systems and patch them, we crash a system or two in the process as an unintended side effect. And some organizations have started using BlueSweep to map Bluetooth devices being used in an environment to check for unauthorized deployment of Bluetooth access points.

Due to my personal experience dealing with the declining health of my father, I have found that there is a growing trend in the medical industry of wirelessly enabling medical devices such as pacemakers. This has taken the form of Bluetooth-enabled devices, as well as proprietary radios and protocols. While I am sure the government has good regulation for these types of devices from the medical side, it makes me wonder how well they have regulated these devices from a "cyber" perspective. My primary concern would not be whether your pacemaker could be hacked by a terrorist, or if someone could listen in on your current health and well-being. But my concern would be on what kind of unintentional side effects we could potentially have on a person's well-being by running wireless security penetration tools as part of securing our own networks and facilities. I know that many Bluetooth pen testing tools have crashed numerous cell phones and PDAs, just as effectively as Nessus has done so as part of standard LAN testing. But what would happen if that "device" we end up crashing is someone's pacemaker? I am used to receiving calls from people to ask me to stop my pen testing because I have crashed an Exchange server, but would hate to see the day when I receive a call that I crashed "John Smith" down the hall. I have a feeling we will start seeing many more Bluetooth and Zigbee enabled medical devices implanted in our coworkers, and I know for one that I have never seen much discussion on the topics in the cyber forums.

Submitted by Craig Goranson



Adrien de Beaupré
